== Some basic data on the hit rate of the Spamhaus DBL here

After my [[previous SpamhausDBLDoesGetHits]] [[exploration SpamhausDBLEstimatedHitRate]] of [[the Spamhaus DBL https://www.spamhaus.org/dbl/]], I wound up adding it as another DNS blocklist in [[our overall spam filtering setup CSLabSpamFilteringII]]. Because we don't have a mandate for it, none of our DNS blocklists apply to all email, only to email for people who have opted in to some amount of server side spam filtering.

Because the DBL applies on a per-recipient basis, the comparison I'm going to use here is against the overall recipient count (not the overall message count). I'm also going to use the past nine days, so I can sort of compare this to [[my estimated hit rate SpamhausDBLEstimatedHitRate]].

So, over the past nine days, we have had:

* 106,837 accepted _MAIL FROM_s and 106,835 accepted _RCPT TO_s, which means that almost all of our accepted messages have been delivered to a single destination address.
* 29,194 accepted _RCPT TO_s for IPs listed in one of the Spamhaus DNSBLs. Since these were accepted, these are recipients who have not opted into any amount of our server-side spam filtering.
* 7,685 accepted _RCPT TO_s for domains listed in the DBL. A quick check suggests that about 6,390 of these came from IP addresses that were in the Spamhaus DNSBLs.
* 13,020 _RCPT TO_s that were rejected because the sender IP was in one of the Spamhaus DNSBLs. This is checked before the DBL.
* Only 346 _RCPT TO_s that were rejected because the sender domain was in the DBL.

On the one hand, this doesn't look too great for the DBL; despite [[my initial estimate SpamhausDBLEstimatedHitRate]], we aren't getting many rejections from checking the DBL. On the other hand, when I look at the source addresses of those rejections, something jumps out right away: just over half of them come from one system.
Specifically, over half of them come from the mail server for another (sub)domain on campus, one where a number of our users have accounts and forward (all of) their email from that system to us. What we've effectively done with the DBL is to add an additional SMTP-time defense to reject forwarded spam. In fact there are a number of 'forwarded from another campus mail system' DBL rejections in the past nine days from other sources.

My personal view is that these rejections are valuable ones (partly because I've observed our commercial anti-spam system not doing so well with forwarded spam in the past). So on the whole I'm happy with what the DBL is doing here, and also happy that now I have better numbers on what it could be doing if more people opted in to server-side spam filtering.

(Despite my bright words here, I'm also disappointed that adding the DBL isn't rejecting more messages. I guess this is partly down to how a lot of spam with DBL domains comes from IPs that are already blocked on their own. Note that we're using the DBL in its most basic and limited mode, where we check it against the _MAIL FROM_ domain; you're really supposed to use it to check domains mentioned in the body of email messages.)
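
The counting above, as an added example that is not part of the original post or the site's real configuration: it applies the check order described here (per-recipient opt-in, IP DNSBLs before the DBL, DBL against the _MAIL FROM_ domain only) to a few events and tallies them into the same categories. The addresses, domains, list contents and bucket names are all constructed assumptions.

```python
from collections import Counter

# Constructed stand-ins for the real lists and opt-in settings (all values made up).
IP_LISTED = {"192.0.2.10", "192.0.2.11"}        # sender IPs in the Spamhaus IP DNSBLs
DBL_LISTED = {"spam.example", "pills.example"}  # domains in the DBL
OPTED_IN = {"alice@cs.example", "bob@cs.example"}  # recipients who want SMTP-time rejection


def classify(sender_ip, mail_from, rcpt):
    """Return the tally buckets for one RCPT TO, checking the IP lists before the DBL."""
    domain = mail_from.rpartition("@")[2].lower()
    ip_hit = sender_ip in IP_LISTED
    dbl_hit = domain in DBL_LISTED  # basic mode: only the MAIL FROM domain is checked
    if rcpt.lower() in OPTED_IN:
        if ip_hit:
            return ["rejected-ip"]  # the DBL is never consulted for this recipient
        if dbl_hit:
            return ["rejected-dbl"]
        return ["accepted"]
    # Not opted in: always accepted, but record what the lists would have said.
    buckets = ["accepted"]
    if ip_hit:
        buckets.append("accepted-ip-listed")
    if dbl_hit:
        buckets.append("accepted-dbl-listed")
    return buckets


def tally(events):
    """Count buckets over (sender_ip, mail_from, rcpt) tuples."""
    counts = Counter()
    for sender_ip, mail_from, rcpt in events:
        counts.update(classify(sender_ip, mail_from, rcpt))
    return counts


# Constructed sample: 198.51.100.5 plays the unlisted campus forwarding server.
SAMPLE = [
    ("192.0.2.10", "a@spam.example", "alice@cs.example"),    # listed IP + DBL domain
    ("192.0.2.11", "b@pills.example", "carol@cs.example"),   # same, not opted in
    ("198.51.100.5", "c@spam.example", "bob@cs.example"),    # forwarded spam
    ("198.51.100.5", "d@good.example", "alice@cs.example"),  # forwarded ham
    ("203.0.113.7", "e@pills.example", "carol@cs.example"),  # DBL only, not opted in
    ("192.0.2.10", "f@good.example", "bob@cs.example"),      # listed IP only
]

if __name__ == "__main__":
    for bucket, n in sorted(tally(SAMPLE).items()):
        print(f"{bucket:20} {n}")
```

In this sample the only DBL rejection is the message relayed through the unlisted forwarder; the DBL-listed sender on a listed IP is counted as an IP rejection, so the DBL gets no credit for it.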