Got a number of signs of interest in my metrics, so, I thought I'd spend
a little more time on them. Added a few of the more famous BLs we don't
use, and "fixed" our whitelist metrics so they're useful in determining
relative effectiveness in getting entries removed (which includes _our_
effectiveness in being able to request a retest).
We're not using the "not used" blacklists, and they're not included in
the "TOTAL BLOCKED". They're included for "relative performance" only.
I'll only annotate those that have changed.

Blacklist effectiveness spamtrap only:

BOPM                   3907738   51.57
DYNABLOCK (not used)     77373    1.02 [1]
Flonetwork                 283    0.00
IP, NOT BL               94011    1.24
MONKEYPROXY            4943111   65.24
NTblack                 880901   11.63
NTmanual                362157    4.78
OBproxies              1556609   20.54
OBrelays                442915    5.85
OK                          65    0.00 [2]
OK MONKEYPROXY               0    0.00 [3]
OK NTblack                   0    0.00 ...
OK NTmanual                  6    0.00
OK OBproxies                 0    0.00
OK OBrelays                  0    0.00
OK OSinputs                  0    0.00
OK OSsocks                   0    0.00
OK SBL                       0    0.00
OSinputs                830086   10.95
OSproxy                 109974    1.45
OSsocks                1923861   25.39
PERMBLOCK (not used)   5477053   72.28 [4]
SBL                     578476    7.63
SPEWS (not used)       1521310   20.08 [5]
TOTAL                  7577266  100.00
TOTAL BLOCK            6365664   84.01

[1] Wirehub DHCP pool (we were using this until recently, but due to
technical problems with the zone builder, we've had to back off)
[2] Emails corresponding to current whitelist entries.
[3] Emails actually _needing_ a whitelist, and which one
[4] Wirehub PERMBLOCK is a consolidation of several other blacklists,
including SPEWS and SBL. Not using it because of SPEWS.
[5] SPEWS level one. SPEWS' relative aggressiveness is because they've
escalated to whole class Bs (eg: Brazil proxy problems etc). Their
escalation/listing criteria are a little too unpredictable for our
taste. Worthy of note that SPEWS is vastly more famous than, say, BOPM,
despite being only 1/4 as "effective".

Blacklist effectiveness excluding spamtrap:

BOPM                     99250    5.25
CONTENT                  54312    2.87
DYNABLOCK (not used)      6088    0.32
Flonetwork                6054    0.32
IP, NOT BL               29551    1.56
MONKEYPROXY             139631    7.39
NTblack                  38278    2.03
NTmanual                 26689    1.41
OBproxies                47601    2.52
OBrelays                 16545    0.88
OK                        6139    0.32
OK MONKEYPROXY              53    0.00
OK NTblack                  93    0.00
OK NTmanual                443    0.02
OK OBproxies              2221    0.12
OK OBrelays                 67    0.00
OK OSinputs                296    0.02
OK OSsocks                  15    0.00
OK SBL                      37    0.00
OSinputs                 32263    1.71
OSproxy                   2032    0.11
OSsocks                  54823    2.90
PERMBLOCK (not used)    245617   12.99
SBL                      54785    2.90
SPEWS (not used)         80014    4.23
TOTAL                  1890155  100.00
TOTAL BLOCK             314863   16.66

The extremely high number on "OK OBproxies" is because of a single
mailing list server whose "now closed" determination hasn't made it
through the processing cycle yet. Also, there has been some trouble
with retest request submission with OB*. Contrast that with BOPM -
removal is sufficiently quick and reliable that NONE of its whitelist
entries are required anymore. The open relay blacklists have longer
"retention" periods and higher FP rates as expected.
The OK versus sumof(OK *) entries indicate that we're tending to get
60% or so of blacklist entries cleared (as per volume of email). Once
the atypical OBproxies entry is out of the way, it'd be closer to 95%.
The high numbers on NTmanual are due to the fact we block some whole
ranges with NTmanual (NTmanual is a local blacklist), but punch holes
for individual "good" sites. And secondly, because we can't actually
_do_ a removal on NTmanual yet.
Have to figure out what's happening with NTblack.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg