
Re: [Asrg] A method to eliminate spam

2003-03-19 14:48:32

In message <3E78C984.1020505@americasm01.nt.com>,
"Chris Lewis" <clewis@nortelnetworks.com> wrote:

> Blacklist effectiveness on real email:
> BOPM             100635   5.34
> CONTENT           54802   2.91 (non-IP based filters, not used
>                               on spamtrap)
> Flonetwork         6096   0.32
> IP, NOT BL        34946   1.85
> MONKEYPROXY      135285   7.17
> NTblack           38608   2.05
> NTmanual          30370   1.61
> OBproxies         46420   2.46
> OBrelays          17419   0.92
> OK                 5330   0.28
> OSinputs          31922   1.69
> OSproxy            2121   0.11
> OSsocks           54144   2.87
> SBL               51825   2.75
> TOTAL           1885655 100.00
> TOTAL BLOCK      316567  16.79 (total blocked)
>
> And the winner is.... <<drum roll>>...
>
> :-)
>
> As you can see, relays are quite low.  Notice how monkeyproxy and BOPM
> both trap more than 50% of all inbound spam (to the spamtrap, which is
> by definition 100% spam - bounces and viruses are already stripped out).

For those of you who don't already know, what Chris calls `monkeyproxy'
is more formally known as the Monkeys.Com Unsecured Proxies List (UPL).
You can read all about it here:

        http://www.monkeys.com/upl/

> We get less than 5 false positive reports on average per day.

I'll remember that you said that.  (See below.)

> Spot checks show that at least 95% of all whitelist/retests we've issued
> have taken effect on the corresponding 3rd party blacklist.  Except
> monkeys[*]

I'll address that below.

> 1) machines that were open relays are more likely to have been intended
> to send email than a simple open proxy or socks server, so, "legit"
> users are more likely to hit a blacklist entry.  Most open proxy or
> socks hits are _not_ mail servers and were never intended to be. So
> nobody notices.  Nobody cares either (except the spammer, but they don't
> notice).

Yes!  What Chris said.

My tests indicate that over 75% of all IPs listed in the UPL are _not_
even mail servers.

> [*] I have an issue with MONKEYSPROXY because the criteria for removal
> isn't "just fix the open socks or proxy and ask for retest" - because
> asking for the retest has other extraneous requirements.

The UPL re-testing/de-listing requirements are detailed here:

     http://www.monkeys.com/upl/delisting-policy.html

They are reasonably trivial to satisfy... unless you are a complete
dumbshit and/or unless your ISP is totally worthless and totally
unresponsive, even to YOUR requests for assistance.

If either case applies, then I personally don't give a damn if you
_have_ fixed your proxy... I still don't want mail from you.

(I think the normative description for these cases is ``Too stupid
to live.'')

In a nutshell, to be re-tested and/or de-listed from the UPL... after
it has already been proven, beyond a shadow of a doubt, that you were
running a wide open proxy (and that thus, you qualified as being
``somewhere beyond utterly clueless'') you must (a) have functioning
reverse DNS attached to your IP address and (b) either the Postmaster@
or the abuse@ person for the ``master controlling domain'' of your
reverse DNS must approve your request to be re-tested/de-listed. (Note:
http://www.monkeys.com/upl/master-domain.html describes what I mean by
``master controlling domain''.)

I don't think that either of these things are too much to ask.  Note
also that requirement (a)... must have reverse DNS... derives from
requirement (b) i.e. getting Postmaster/abuse of your reverse DNS domain
to ``approve'' your re-test/de-listing request.

Most blithering idiots can (and many blithering idiots already have)
satisfied both requirements, and have gotten their IPs re-tested and
de-listed.  A few thousand in fact.  So obviously it is possible to
satisfy these simple requirements, and as far as I can tell, only a
few Forrest Gump types have been unable to do so.

I have many reasons for these requirements, and I think they are good
ones.  They are mostly documented here:

   http://www.monkeys.com/upl/delisting-rationale.html

But just to give you the simple version, although the primary goal of
the UPL is to stop spam, an important secondary goal is get open proxies
closed.  The current UPL re-testing/de-listing requirements assist in
achieving that goal by making various _ISPs_ more aware of the fact that
their own networks are often RIDDLED with very dangerous unsecured proxies.
Getting them into the loop is worth the minor additional hassle of the
UPL's special re-testing/de-listing requirements.  (Most ISPs still don't
have the vaguest idea that they even have an open proxies problem on their
networks.  Ignorance == spam.)

> In effect, a MONKEYSPROXY entry either means you have an open proxy/socks,
> OR, you may simply not have been able to formulate a retest request that
> MONKEYS would accept

NOT TRUE!

If a.b.c.d is listed on the UPL, then ANY IDIOT can ``formulate a re-test
request'' for that IP address via the appropriate web form on the Monkeys.Com
web site.  But the request must be _approved_ by Postmaster@ or abuse@ of
the relevant domain.  What's wrong with that??  Nothing... unless BOTH (a)
your domain is administered by morons who don't read the RFCs (e.g. 2821)
AND (b) your domain admins are so totally clue-impervious that they are
not able to catch a clue, even when YOU, one of their own local users,
tries to give them one.

> We can't do third-party retest requests with MONKEYS, for example.

Again, that's just NOT TRUE.

You _can_ put in the re-test request, and then Postmaster@/abuse@ of the
domain that actually owns the IP of the (formerly?) open proxy must
simply approve the request.  (They are given a magically coded URL via
e-mail, with a detailed message telling them what this is all about
and what they have to do, and then all they gotta do is visit that
magic URL to ``approve'' the re-test request.)

Simple, no?

> This does not seem to cause _us_ much trouble in practise (since we
> whitelist), but if you're high volume like us and not actively
> whitelisting like us, it may make you think twice about using it,
> despite how good it is.  I'd rather it followed the BOPM or ORDB model
> here.  Still and all, I think we've gotten 5 false positive reports for
> Monkeys in 3 months.

OK.  Above you said that you get a total of about 5 whitelisting requests
at your site PER DAY.  Now you say that you have only gotten about 5 due
to your use of the Monkeys.Com UPL list OVER A PERIOD OF THREE MONTHS.

Hummmm.... <<pulls out slide rule>>... So only about 1/90th of your
whitelist requests arise due to your use of the UPL, but the UPL is
stopping half, or more than half of your incoming spam.

Seems pretty admirable to me, even WITH the somewhat unusual de-listing
requirements.
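The two UPL re-test prerequisites described above, requirement (a) functioning reverse DNS and requirement (b) approval from postmaster@ or abuse@ of the domain controlling that reverse DNS, as an added pre-flight check a listed site could run before filing a request. This is example code, not Monkeys.Com's own implementation; it assumes the parent of the PTR name as the controlling domain (a simplification of the UPL's "master controlling domain" rule, which this message only links to), and the resolver functions are injectable so the constructed sample data below runs offline.

```python
"""Pre-flight check for a UPL-style re-test request (added example)."""
import socket
from typing import Callable, Optional

PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None
ALookup = Callable[[str], list]              # name -> list of A records


def default_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup; returns None when the IP has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def default_a(name: str) -> list:
    """Real forward lookup of the PTR name's A records."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_retest_prereqs(ip: str, ptr_lookup: PtrLookup = default_ptr,
                         a_lookup: ALookup = default_a) -> dict:
    """Return what a list operator would see before accepting a request."""
    ptr = ptr_lookup(ip)
    if not ptr:                       # requirement (a) fails outright
        return {"ok": False, "reason": "no reverse DNS", "approvers": []}
    ptr = ptr.rstrip(".")
    # Forward-confirm the PTR: rDNS that does not resolve back to the
    # listed IP is not "functioning" in any useful sense.
    confirmed = ip in a_lookup(ptr)
    labels = ptr.split(".")
    # ASSUMPTION: the parent of the host name stands in for the UPL's
    # "master controlling domain"; the real rule lives off-page.
    domain = ".".join(labels[1:]) if len(labels) > 2 else ptr
    approvers = [f"postmaster@{domain}", f"abuse@{domain}"]  # req. (b)
    return {"ok": confirmed, "ptr": ptr, "forward_confirmed": confirmed,
            "domain": domain, "approvers": approvers}


# Constructed sample resolver data (RFC 5737 documentation addresses).
FAKE_PTR = {"192.0.2.10": "host10.example.net",
            "192.0.2.12": "stale.example.org"}       # 192.0.2.11: no PTR
FAKE_A = {"host10.example.net": ["192.0.2.10"],
          "stale.example.org": ["203.0.113.5"]}       # PTR points elsewhere


def fake_ptr_lookup(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_a_lookup(name: str) -> list:
    return FAKE_A.get(name, [])
```

Run against real addresses by calling check_retest_prereqs(ip) with the default resolvers.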

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg