[RndTbl] blocklists (was: Grey-listing in effect on MUUG server)

Gilles Detillieux grdetil at scrc.umanitoba.ca
Fri Nov 17 11:31:18 CST 2006


On 11/17/2006 10:49 AM, John Lange wrote:
> On Fri, 2006-11-17 at 10:22 -0600, Tim Lavoie wrote:
...
>> So far, so good. No spam in the spambox this morning, at all. Most
>> were caught by the Spamhaus DNS blocklist I already use, but the
>> greylist whacked the remainder. 
> 
> Would it not make sense to do it in the other order? Greylisting being
> much less CPU intensive than other spam blocking methods.

I didn't think DNS blocklists were particularly CPU intensive.  It's 
when you get into things like content filtering and DCC that you want to 
pre-screen as much as possible.

> On a related note, personally I'm strongly opposed to block lists since:
> 
> a) they only work after spam has been sent

Sort of the same problem as signature based anti-virus, anti-spyware, 
and even many content-based SPAM filters, as well as DCC bulk mail 
filters.  They all still help a great deal against repeat offenders. 
Given the saturation bombing approach many spammers still use, 
blocklists still do help.  They don't do much against spam attacks 
distributed over wide botnets, but they still block a fair bit.

> b) they catch far too many innocent victims

Are there any credible stats on this?  I've never spotted anything that 
looks like it might be a false positive in my server logs when I've 
checked.  Of course, some of the claimed "innocent victims" are people 
like that spammer that sued Spamhaus in an Illinois court and got a 
summary judgment against them.

> c) when other methods are applied properly, blocklists only improve
> results by a very small amount.
> 
> "b" being the main reason I don't like them.
> 
> John

Has anyone ever compared the effectiveness and accuracy of the various 
DNS blocklists?  I currently use these 3:

list.dsbl.org
relays.ordb.org
sbl.spamhaus.org

Of these, dsbl.org shows up in my logwatch summaries most often, 
spamhaus.org occasionally, and ordb.org almost never.  I'm assuming 
sendmail runs the checks in the order you list them, which is why 
dsbl.org gets almost all of them, but I'm wondering if I put 
spamhaus.org first, would it get more than dsbl.org gets now?

On a slightly related note, I also virus-scan e-mail using clamav, but 
I've found that since the U of M installed its FortiGate firewall that 
also virus-scans e-mail, clamav doesn't seem to catch much other than 
some phishing scams that they include signatures for.  It does seem to be 
a bit quicker on the draw for new outbreaks, though, than the commercial 
AV scanners like FortiGate and Trend, so I find it's still helpful as an 
additional line of defense.

Gilles

-- 
Gilles R. Detillieux              E-mail: <grdetil at scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/
Dept. Physiology, U. of Manitoba  Winnipeg, MB  R3E 3J7  (Canada)
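As an added illustration of the ordering question raised above (which list "gets credit" for a rejection depends only on which zone is queried first), here is a small DNSBL lookup in Python. It is example code written for this page, not sendmail's implementation and not anything from the thread; the three zone names are the ones the message lists, while the lookup functions, the offline answer table and the sample IP addresses are constructed for the example.

```python
"""DNSBL lookup and first-match tally (example code, not sendmail's logic).

A DNSBL query reverses the IPv4 octets and looks them up under the list's
zone; an A record in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed".
Mail servers typically reject on the first listing, so the order of the
zones decides which list appears in the logs for an IP on several lists.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Zones in the order the message lists them (assumed here to be the order
# the MTA evaluates them).
DNSBL_ZONES = ["list.dsbl.org", "relays.ordb.org", "sbl.spamhaus.org"]

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are shown in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed_answer(answer: Optional[str]) -> bool:
    """Only answers inside 127.0.0.0/8 count as a listing; anything else
    (no record, or a public address from a dead or hijacked zone) is ignored."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def resolve_live(name: str) -> Optional[str]:
    """Real resolver: returns the A record, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed offline stand-in for DNS, so the example runs without network.
# 1.2.3.4 is on two lists; 5.6.7.8 is only on the Spamhaus zone.
SAMPLE_ANSWERS: Dict[str, str] = {
    "4.3.2.1.list.dsbl.org": "127.0.0.2",
    "4.3.2.1.sbl.spamhaus.org": "127.0.0.2",
    "8.7.6.5.sbl.spamhaus.org": "127.0.0.2",
}


def resolve_sample(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed table above."""
    return SAMPLE_ANSWERS.get(name)


def first_listing(ip: str, zones: List[str], resolve: Resolver) -> Optional[str]:
    """Return the first zone that lists ip, or None (first match rejects)."""
    for zone in zones:
        if is_listed_answer(resolve(dnsbl_query_name(ip, zone))):
            return zone
    return None


def all_listings(ip: str, zones: List[str], resolve: Resolver) -> List[str]:
    """Return every zone that lists ip, regardless of order."""
    return [z for z in zones if is_listed_answer(resolve(dnsbl_query_name(ip, z)))]


def tally_first_hits(ips: List[str], zones: List[str], resolve: Resolver) -> Dict[str, int]:
    """Count which zone gets credit for each rejected IP under a given order."""
    counts = {z: 0 for z in zones}
    for ip in ips:
        zone = first_listing(ip, zones, resolve)
        if zone is not None:
            counts[zone] += 1
    return counts


if __name__ == "__main__":
    sample_ips = ["1.2.3.4", "5.6.7.8", "9.9.9.9"]
    print("listed order :", tally_first_hits(sample_ips, DNSBL_ZONES, resolve_sample))
    print("reversed     :", tally_first_hits(sample_ips, DNSBL_ZONES[::-1], resolve_sample))
    print("all listings :", {ip: all_listings(ip, DNSBL_ZONES, resolve_sample) for ip in sample_ips})
```

Running it with the constructed table shows the effect the message wonders about: with the zones in the listed order, list.dsbl.org takes credit for 1.2.3.4 even though sbl.spamhaus.org also lists it; reverse the order and the Spamhaus zone gets both hits. Swap `resolve_sample` for `resolve_live` to query real zones. The `is_listed_answer` check matters in practice: a list that has shut down (relays.ordb.org did, and its zone later returned a listing answer for every query) or a zone whose domain has lapsed must not be allowed to turn into a blanket reject, so only 127/8 answers are honoured and dead zones should be removed from the MTA configuration.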

