On 12.04.2014 21:19, Bill Cole wrote:
> On 11 Apr 2014, at 11:07, Robert Schetterer wrote:
> 
>> Hi, does anyone know this RBL?
>>
>> http://v4bl.org/about.html
> 
> I've had reason to glance at them a few times in the past year but have
> never seen justification to pay ongoing attention...
> 
> http://v4bl.org/results.html was a bit startling when I first saw it. If
> I had a spam-control tool that I wanted people to pay for, I would be
> very reluctant to publish such unflattering metrics for a free subset.
> Based on the source site for the data
> (http://www.intra2net.com/en/support/antispam/index.php) that "Hit Rate"
> appears to be unadjusted for overlap with other lists, but they also
> have a page showing ~3/4 overlap with Spamhaus Zen. So if you are
> already using Zen, the v4bl free list as an absolute rejection criterion
> won't increase how much mail you properly reject by much more than ~3%.
> On the other side, the persistent "False Positive" rate is usually well
> over 0.1%, which I believe is the threshold between tools that are
> "anti-spam" and those more accurately referred to as "career limiters"
> by anyone running mail systems professionally. It is also unsettling
> that the operator seems quite proud of the absolute scale of his "Full"
> list (551M IPs) and of its robust growth (~250K/day). Those might be
> interesting numbers in conjunction with less vague information on
> listing & delisting criteria and evidence of acceptable accuracy, but in
> isolation they imply an unhealthy fascination with size while devaluing
> skill.
> 
> More generally, when considering any absolute spam-blocking tactic it is
> wise to find or measure for yourself something like the Intra2net
> metrics. You can't expect to get a perfect match of what some other site
> sees, but what matters is marginal gain relative to FPs. IMHO, anything
> offering less than a consistent *3 orders of magnitude* between the gain
> and the pain has to be relegated to a scoring scheme (such as dnsblog
> and/or SpamAssassin) where it is not individually conclusive but may
> help somewhat to classify borderline spam.
> 
> 
>> A very extensive list of IPs; which include:
>> » Well known spammer IPs
>> » UBE/UCE abusive IPs
>> » rfc-ignorant IPs
> 
> There is so much said in RFCs and so little careful reading of them that
> this criterion can only be deemed a sort of inside joke.
> 
>> » IPs with mismatched DNS and RDNS (FCrDNS failure)
> 
> That is going to catch a lot of non-spam, including some of the exit
> points for Microsoft's Office365 (outlook.com) services. Back when I was
> handling external mail for US subsidiaries of a major EU manufacturer
> and later a major EU telecom/IT firm, such "failure" was almost as
> common as "success" among the global pieces of those companies and their
> major business partners. That probably has improved in the past 5 years
> (it seems to have, based on the mail seen by smaller systems I run now)
> but it surely has not disappeared. The root causes for DNS mismatch in
> big companies vary, but the defensive accretion of excuses for not
> cleaning it up is a shared feature.
> 
>> » IPs with mismatched rDNS and EHLO/HELO (FCrDNS failure)
> 
> Worse. It is worth noting that blocking based on a sender's EHLO/HELO
> name fits the label "RFC-ignorant" quite well, which does not mean that
> it can't be done in a useful & safe way. This is not that.
> 
>> » IPs of SPAM friendly ESP/HSP/ISP
> 
> That could include any or all of the IP space of any or all of the dozen
> largest providers of email sending services, mailboxes, hosting,
> colocation, & connectivity. Probably doesn't, but could. Might do so
> tomorrow.
> 
>> » Obfuscated intermediaries / Alias domains / Disposable domains /
>> Email-only domains
> 
> Unclear what those mean, especially in the context of a DNSBL, but I
> might be includable in this nefarious group. I don't recall ever having
> sent anything that could be called "spam" and surely have not from my
> "email-only" domains...
> 
>> » Intermediaries without easily accessible contact information
>> » botnet IPs
>> » and much, much, more...
> 
> That's just another way of saying the list has no defined
> listing/delisting criteria beyond whatever its automated components
> happen to do in their current versions and whatever its owner feels like
> listing or delisting at the moment.
> 
> Having worked at MAPS in its early days I can state from experience:
> THAT IS VERY "LAST CENTURY!"
> 
>> Sounds very strange to me; this might result in massive problems at some
>> sites, especially checking EHLO/HELO mismatch
> 
> That one is going to catch a huge number of mail servers that don't send
> any spam or much mail at all but also don't have a lot of technical
> clues nearby. I can't advocate their survival, but on a personal level
> it is routinely painful to get involved in the wetwork of their extinction.

Thanks for your info. I was contacted by somebody who is in big trouble from the
results of this list, using a correct but different HELO than PTR, and
warned of getting banned from his IP/net by third-party ignorants.

I agree an RBL may be created by whatever parameters, but if it is that
strict it leads to too many false positives used at SMTP income level. It
may be OK in some scoring system; in every case its results cannot be
the base for third-party ban warnings.


Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
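
The measurement Bill Cole recommends in the quoted text (marginal gain over the lists already in use, set against the false-positive rate) can be computed from a site's own hand-classified mail. This is an added example, not part of the original thread; the zone labels, the sample counts and the `min_ratio=1000` reading of "3 orders of magnitude" are assumptions made for illustration.

```python
# Constructed sample, not measured data: (is_spam, zones that listed the
# client IP, message count). "zen" and "candidate" are labels for this example.
SAMPLE = [
    (True, {"zen", "candidate"}, 900),
    (True, {"candidate"}, 300),
    (True, {"zen"}, 7000),
    (True, set(), 1800),
    (False, {"candidate"}, 15),
    (False, set(), 9985),
]


def evaluate(records, candidate, baseline, min_ratio=1000.0):
    """Score `candidate` by what it adds on top of the `baseline` zones."""
    spam = ham = raw = marginal = fp = 0
    for is_spam, zones, count in records:
        hit = candidate in zones
        if is_spam:
            spam += count
            if hit:
                raw += count
                # Only spam the baseline lists missed counts as gain.
                if not (zones & baseline):
                    marginal += count
        else:
            ham += count
            if hit:
                fp += count
    if spam == 0 or ham == 0:
        raise ValueError("need both spam and ham to compare gain with FPs")
    # Gain/FP ratio from integer counts; no FPs at all means unbounded.
    ratio = float("inf") if fp == 0 else (marginal * ham) / (fp * spam)
    return {
        "raw_hit_rate": raw / spam,
        "overlap": (raw - marginal) / raw if raw else 0.0,
        "marginal_gain": marginal / spam,
        "fp_rate": fp / ham,
        "ratio": ratio,
        # min_ratio=1000 is this example's reading of "3 orders of magnitude"
        "use": "reject" if marginal and ratio >= min_ratio else "score",
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE, "candidate", {"zen"}).items():
        print(f"{key}: {value}")
```

With the constructed counts, a list that looks like a 12% hit rate in isolation adds 3% once the baseline is accounted for, and at a 0.15% false-positive rate it belongs in a scoring scheme rather than at outright rejection.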
