I've got about 2 1/2 days of SORBS stats done, checking all but
SORBS-BLOCK (because I don't believe the methodology relates to spam).
The results are very telling.

SORBS

First a discussion of the false positives. They collect addresses for their SPAM list from E-mail sent to spamtraps that they have; I don't know what exactly they consider spam, but no problems were detected from what I saw. They do though list the IPs of anything that sent them spam, and users on both Cox and Adelphia's broadband cable systems have done so recently. They apparently start off with a single IP, then a group of IPs, and if it continues, they start doing whole netblocks (according to their page). Both of my false positives did blocks of /32. I did look for other senders from Cox and Adelphia that were tagged by SORBS-SPAM and found a bunch of proper failures for spam sent through Adelphia's network (I guess they have problems). Normally this wouldn't worry me very much; however, in order to pull the original IP off of their list, they require a $50 donation presently, and that doesn't make sense in my book if you are trying to be accurate. They also claim to not have any sort of automatic expiration for their SPAM records. Because of this, I would keep this test scoring low, especially since SORBS is newer and admins are less likely to be aware of their blocks over another place like SPAMCOP.

The SORBS tests returned a lot of matches that were useless to me; in other words, most of this stuff would have failed with a high enough score that it wouldn't matter. The ones that "made a difference", 34 to be exact, were instances where if you took out the SORBS tests, those E-mails either would have gotten through (26 of them), or still got through but scored higher because of SORBS (8 of them). Adding these 8 tests only gave me useful results on 0.8% of my total traffic. There's not a lot of bang for my buck over my current configuration, but your mileage may vary.
I believe that their lists are probably still pretty small compared to where they might be in another year, so maybe they will achieve a higher utility over time. Five of the tests returned little or no results whatsoever. I'm not surprised that some of the obscure ones like SORBS-ZOMBIE didn't produce results, but SORBS-SMTP, which tests for standard open relays, appears empty for now. The concept behind these tests is valid in my opinion, so for now, I am going to turn 5 of them off and just use the other 5 for my server.

Lastly, concerning the low false positives: I did my testing over the weekend, which reduces false positives since most of my customers are businesses. I would certainly expect to see some SORBS-DUL false positives appear as these lists are inaccurate (I've been suddenly picked up by an obscure one that is incorrect about my block), and definitely more SORBS-SPAM false positives since they are punishing networks for poor policing instead of just simply compromised servers. I suspect that based on their stated policies, they are less likely than others to reflect compliance in a rapid manner, or even at all unless notified manually, and this would get worse over time as the age of their lists grows older. Because of this, I am going to raise my scoring slightly for the open relay-type stuff and spam tests that score hits, figuring that the SORBS-SPAM marked servers should only be sending personal E-mail if not in fact a spam operation on an owned or borrowed address, and the personal stuff shouldn't fail any other major tests. I'll probably increase to scoring 5 on SORBS-SPAM, and 6 on the others that I am keeping, and a simple failure of HELOBOGUS or SPAMHEADERS will put any of this over the top.

Hope this helps everyone.

Matt

Omar K. wrote:

I'm glad someone is doing the testing :) please let us know of the FP rate

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble
Sent: Friday, September 05, 2003 7:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Configuration Question

I just installed SORBS last night and am busy monitoring the results. I have found that they mostly tag what others are tagging thus far, but what will take more time to figure out is if they are finding stuff that has been slipping through the others. I monitor things that fail with a score of between 10-14 in order to determine the validity of this test. I had pretty good results before SORBS and without Oriusoft, so just catching another 1% of all spam would mean a 20% reduction of what gets through. SORBS-BADCONF hasn't been tripped on the first 1,500 messages that it was checked for, but other SORBS tests are definitely producing positives: 508 out of 1,500, and my server rejected 849 for being spam. Mostly it catches open relays of one sort or another. My SORBS config is as follows:

    SORBS-HTTP    ip4r dnsbl.sorbs.net 127.0.0.2  5 0
    SORBS-SOCKS   ip4r dnsbl.sorbs.net 127.0.0.3  5 0
    SORBS-MISC    ip4r dnsbl.sorbs.net 127.0.0.4  5 0
    SORBS-SMTP    ip4r dnsbl.sorbs.net 127.0.0.5  5 0
    SORBS-SPAM    ip4r dnsbl.sorbs.net 127.0.0.6  5 0
    SORBS-WEB     ip4r dnsbl.sorbs.net 127.0.0.7  5 0
    SORBS-ZOMBIE  ip4r dnsbl.sorbs.net 127.0.0.9  5 0
    SORBS-DUL     ip4r dnsbl.sorbs.net 127.0.0.10 5 0
    SORBS-BADCONF ip4r dnsbl.sorbs.net 127.0.0.11 3 0
    SORBS-NOMAIL  ip4r dnsbl.sorbs.net 127.0.0.12 5 0

The scores are only a starting point, and I scored SORBS-BADCONF lower because I thought it might get tripped by the same data that HELOBOGUS does (this hasn't been confirmed because that SORBS filter has not been tripped).

Matt

Chuck Schick wrote:
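As an added example (not code from the thread or from Declude itself), here is how ip4r lines like the ones above turn into DNSBL lookups and a cumulative score: the sender's octets are reversed under dnsbl.sorbs.net, the 127.0.0.x A records that come back are matched against each test's result code, and the weights are summed. The reading of the two trailing numbers as fail/pass weights, the 10-point threshold and the sample DNS answers are assumptions made for the example.

```python
import ipaddress

# Declude-style test lines, copied from the config posted in the thread.
DECLUDE_CONFIG = """
SORBS-HTTP    ip4r dnsbl.sorbs.net 127.0.0.2  5 0
SORBS-SOCKS   ip4r dnsbl.sorbs.net 127.0.0.3  5 0
SORBS-MISC    ip4r dnsbl.sorbs.net 127.0.0.4  5 0
SORBS-SMTP    ip4r dnsbl.sorbs.net 127.0.0.5  5 0
SORBS-SPAM    ip4r dnsbl.sorbs.net 127.0.0.6  5 0
SORBS-WEB     ip4r dnsbl.sorbs.net 127.0.0.7  5 0
SORBS-ZOMBIE  ip4r dnsbl.sorbs.net 127.0.0.9  5 0
SORBS-DUL     ip4r dnsbl.sorbs.net 127.0.0.10 5 0
SORBS-BADCONF ip4r dnsbl.sorbs.net 127.0.0.11 3 0
SORBS-NOMAIL  ip4r dnsbl.sorbs.net 127.0.0.12 5 0
"""

def parse_config(text):
    """NAME ip4r ZONE RESULT W_FAIL W_PASS (the two weights are an assumed reading)."""
    tests = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 6 and p[1] == "ip4r":
            tests.append({"name": p[0], "zone": p[2], "result": p[3],
                          "w_fail": int(p[4]), "w_pass": int(p[5])})
    return tests

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.dnsbl.sorbs.net."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def score_ip(ip, tests, resolve, fail_threshold=10):
    """Look each zone up once, match A records to every test's result code and sum the
    weights as a cumulative-weight filter would. fail_threshold is assumed, not a default."""
    answers, hits, total = {}, [], 0
    for t in tests:
        if t["zone"] not in answers:
            answers[t["zone"]] = resolve(dnsbl_query_name(ip, t["zone"]))
        listed = t["result"] in answers[t["zone"]]
        hits += [t["name"]] if listed else []
        total += t["w_fail"] if listed else t["w_pass"]
    return {"ip": ip, "hits": hits, "score": total, "failed": total >= fail_threshold}

# Constructed offline stand-in for DNS: one A record per SORBS category the host is in.
SAMPLE_ANSWERS = {
    dnsbl_query_name("192.0.2.10", "dnsbl.sorbs.net"): ["127.0.0.5", "127.0.0.11"],
    dnsbl_query_name("198.51.100.7", "dnsbl.sorbs.net"): ["127.0.0.6"],
}

def fake_resolve(name):
    return SAMPLE_ANSWERS.get(name, [])  # [] stands in for NXDOMAIN (not listed)
```

With the posted weights a host listed as both open relay and badly configured scores 5 + 3 = 8, which is why the thread's borderline band of 10-14 only fills when another test also fails.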
