On 3/30/2015 11:49 AM, Kris Deugau wrote:
> Seconded; this is exactly what we've been finding. Invaluement is a
> great complement to Spamhaus for a fraction of the cost.
> I wouldn't put it as a front-line reject DNSBL, because some of the
> things that have been listed are not what I would class, for our
> customers, as spam - but those entries are distinctly greyhat at best in
> a lot of cases, and some IP range operators I've flagged as "list,
> delist, and whitelist_from_rcvd as needed" due to the mix of legitimate
> small senders and spammers.

Thanks, Kris, for the compliment. Also, when you say "mix of legitimate
small senders"... just to clarify, I think that any further analysis
will show that (a) MOST of these are situations where very small senders
had massive spam-sending outbreaks due to compromised accounts, and (b)
the listing was most often very short lived (often mere hours).

This is a balancing act... and I think invaluement strikes a great
balance. And even in THIS particular area, I think our FP level is still
distinctly LESS than UCEProtect, Barracuda, and SORBS (for examples).
But if we brought that all the way to zero, MUCH spam that slips past
Zen wouldn't be listed on invaluement anymore. (The ham/spam ratios on
some of these compromised account situations are horrendous--they send
out their usual 400 hams that day, along with 200,000 spams... and the
cumulative sum total of those spams from ALL such compromised senders
that day represents MUCH of the spam that gets past filters due to
piggybacking on the sender's normally good reputation.)

Also, what I've found is that many medium-sized ISPs/hosters, with tens
of thousands of mailboxes, are very comfortable with outright blocking on
invaluement, but will only score on UCEProtect, Barracuda, and SORBS.
Much smaller hosters will often block on all of them, because they don't
notice those FPs as often. In fact, I see these SAME somewhat rare
compromised-sender FPs with Zen, too. It is all about each list's
strategies, and aggressiveness, and tolerance levels. As shown,
invaluement is in a very strategic spot here... having much of the
aggressiveness of these other lists, but with FP levels VERY close to
Zen's FP levels. (And then scoring on these other lists... even
aggressive, yet still under-threshold, scoring... will help block spams
missed by both invaluement and Spamhaus.)

Also, invaluement plays "close to the edge" with "CAN-SPAM" and
"snowshoe spammers". So invaluement is in a little more "dangerous
territory"... that it can do so and not have a lot more FPs is not easy.
For example, invaluement may occasionally list the kind of "pure
ads" that, upon further analysis, are arguably not technically spam, but
aren't exactly desired by the end users. But these situations tend to
sort themselves out over time.

The SAME thing happens with invaluement's ivmURI domain blacklist.
OFTEN, a normally legit web site has a CURRENT... LIVE spam infestation,
where spammers broke into that site and placed spammy content there.
This has become epidemic. Sure, it is frustrating for everyone, when
such a site that is being used to send phishing and porn spams... causes
some of that site's legitimate correspondence to get blocked... but this
is a necessary "lesser of evils". The best part is that such a blacklisting
motivates the site owner to fix their site FASTER. In such a situation,
the blacklist provided the world a good service, and the resulting
collateral damage was well justified. The site owner should be
considered at fault for the collateral damage, not the DNSBL.

I hope this provides some clarity.
--
Rob McEwen
+1 478-475-9032
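The policy the two posts describe (outright reject on a low-FP front-line list, score-only on the more aggressive lists so they still catch what slips past, and an operator allowlist for the rare compromised-but-legitimate sender), as an added example that is not code from the thread, invaluement, Spamhaus or SpamAssassin. The DNSBL zone names are placeholders, the listings are a constructed lookup table so the module runs offline, and the allowlist is by IP range, which is a simplification of SpamAssassin's whitelist_from_rcvd (that directive matches on sender address plus relay hostname, not on a CIDR).

```python
"""
Multi-DNSBL policy: reject on one high-confidence list, only add score on the
more aggressive ones, and let an operator allowlist override a listing.

Added example for this thread; not code from invaluement, Spamhaus or
SpamAssassin. Zone names are placeholders and the listings are constructed.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence


@dataclass(frozen=True)
class DnsblPolicy:
    zone: str        # placeholder zone, not a real DNSBL
    action: str      # "reject": a hit alone blocks; "score": hit adds weight
    weight: float    # score added on a hit (only used for "score" lists)


# Mirrors the posts: one list trusted enough to block on, two only scored.
LISTS: List[DnsblPolicy] = [
    DnsblPolicy("front-line.dnsbl.example", "reject", 0.0),
    DnsblPolicy("aggressive-a.dnsbl.example", "score", 2.5),
    DnsblPolicy("aggressive-b.dnsbl.example", "score", 2.0),
]
REJECT_THRESHOLD = 4.0   # cumulative score at which score-only hits block


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard DNSBL query: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 is handled in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


# Resolver contract: query name -> A record text, or None when not listed.
Resolver = Callable[[str], Optional[str]]

# Constructed listings (TEST-NET-3 addresses); keys are full query names.
CONSTRUCTED_LISTINGS: Dict[str, str] = {
    "1.113.0.203.front-line.dnsbl.example": "127.0.0.2",   # 203.0.113.1: reject list
    "2.113.0.203.aggressive-a.dnsbl.example": "127.0.0.2", # 203.0.113.2: both score lists
    "2.113.0.203.aggressive-b.dnsbl.example": "127.0.0.2",
    "3.113.0.203.aggressive-a.dnsbl.example": "127.0.0.2", # 203.0.113.3: one score list
}


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup via the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


@dataclass
class Verdict:
    action: str              # "reject" or "accept"
    score: float
    hits: List[str] = field(default_factory=list)
    reason: str = ""


def evaluate(ip: str, resolver: Resolver,
             allow_cidrs: Sequence[str] = ()) -> Verdict:
    """Apply per-list policy, then the allowlist, then the score threshold."""
    hits: List[str] = []
    score = 0.0
    reject_hit = False
    for policy in LISTS:
        if resolver(dnsbl_query_name(ip, policy.zone)) is None:
            continue
        hits.append(policy.zone)
        if policy.action == "reject":
            reject_hit = True
        else:
            score += policy.weight
    addr = ipaddress.ip_address(ip)
    # Operator override for a known-good relay with a short-lived listing.
    if any(addr in ipaddress.ip_network(c) for c in allow_cidrs):
        return Verdict("accept", score, hits, "allowlisted by operator")
    if reject_hit:
        return Verdict("reject", score, hits, "hit on front-line reject list")
    if score >= REJECT_THRESHOLD:
        return Verdict("reject", score, hits, "cumulative score over threshold")
    return Verdict("accept", score, hits, "under threshold")


if __name__ == "__main__":
    for ip in ("203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"):
        v = evaluate(ip, CONSTRUCTED_LISTINGS.get)
        print(ip, v.action, v.score, v.reason)
    print(evaluate("203.0.113.1", CONSTRUCTED_LISTINGS.get, ["203.0.113.0/24"]))
```

The threshold and weights are deliberately set so that two score-only hits block while one does not; that is the "aggressive, yet still under-threshold, scoring" the post recommends, and it is where the ham/spam trade-off for a compromised small sender is tuned.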