ietf-asrg

Re: [Asrg] Comments on draft-church-dnsbl-harmful-01.txt

2006-03-31 16:08:32
On Fri, Mar 31, 2006 at 09:18:07PM +0200, Peter J. Holzer wrote:

> Most mails (42%) were rejected because they were addressed to
> non-existent recipients. 22% were accepted (I don't know what
> percentage of those was then filed into the Junk folder via MUA-side
> filters). The single most effective anti-spam measure we have is to
> filter the hostname given in HELO/EHLO against a few known bad strings
> (localhost, friend, our own IP address, etc.) at 7%. Greylisting
> used to be quite effective, but is now about comparable to RBLs
> (but then far fewer of our users have greylisting enabled).

  I have my personal domain MX hosted at clss.net, which has qmail
hacked to enable end-user-configured smtp-stage blocking.  It issues the
big 550; it does *NOT* do bounces.  I use a combination of whitelists,
CIDRs, and various other rules.  I put DNSBLs at the very end of the
chain.  The first hit on a rule will cause email to be accepted
(whitelist) or rejected (whatever blocking rule).  The DNSBLs see very
little of my incoming email.  This is nice because...

  1) It reduces chances of a DNSBL false-positive
  2) It's "kinder and gentler" because it minimizes the load on DNSBLs.

  For the first 30+ days of March (7 hours remaining), my combined rules
have rejected a total of 5771 delivery attempts.  The first 4 rules in
the blocking chain are...

  - Badly forged HELO = 150 (HELO'ing from waltdnes.org or clss.net)

  - No hostname = 2535 (Look Ma, no rDNS!)

  - Dynamic IP by rDNS regex = 2442 ("[0-9]+-[0-9]+-[0-9]+" or
    "[0-9]+\.[0-9]+\.[0-9]+" or "adsl" or "dhcp" or "dynamic")

  - Country by rDNS = 355

  That accounts for 5482 out of 5771 delivery attempts blocked.  Being
at the very end of the blocking chain, the DNSBLs I use only blocked 100
delivery attempts so far this month.  I'm sure that DNSBLs would get
much higher numbers if I put them at the front of the chain, or used the
option to force an email to be inspected by all rules, even if it hits
one early in the chain.  But that would simply put more load on my ISP's
MTA and on the DNSBLs.

  One of the items I'll include in my comments about the Church draft is
his strawman approach of using statistics generated from *ONLY* using
DNSBLs.  A DNSBL is merely one weapon in the arsenal of the war against
spam.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
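The first-hit blocking chain Walter describes (whitelist first, then forged HELO, missing rDNS, dynamic-looking rDNS, country by rDNS, and DNSBLs only at the very end) as an added Python example. This is not code from the post or from the clss.net qmail setup; it is a stand-alone model of the ordering. The regexes are the ones quoted in the post; the whitelist CIDR, the sample client sessions, the blocked ccTLD label "xx" and the DNSBL listing are all constructed for the example (a real deployment resolves the name built by dnsbl_query_name instead of consulting a set).

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Verdict = Tuple[str, str]   # ("accept" | "reject", name of the rule that fired)


@dataclass
class Session:
    """What the MTA knows about a client before DATA: source IP, HELO name, PTR name."""
    ip: str
    helo: str
    rdns: Optional[str]     # None when the IP has no reverse DNS at all


@dataclass
class Policy:
    whitelist: List[str] = field(default_factory=list)      # CIDRs that are always accepted
    our_domains: Set[str] = field(default_factory=set)      # names a remote client may not HELO as
    blocked_cctlds: Set[str] = field(default_factory=set)   # "country by rDNS", keyed on TLD label
    dnsbl_listed: Set[str] = field(default_factory=set)     # constructed stand-in for a DNSBL zone


# Dynamic/consumer-pool hostname patterns, as quoted in the post.
DYNAMIC_RDNS = [
    re.compile(r"[0-9]+-[0-9]+-[0-9]+"),
    re.compile(r"[0-9]+\.[0-9]+\.[0-9]+"),
    re.compile(r"adsl", re.IGNORECASE),
    re.compile(r"dhcp", re.IGNORECASE),
    re.compile(r"dynamic", re.IGNORECASE),
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a real DNSBL lookup would resolve: octets reversed under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def rule_whitelist(s: Session, p: Policy) -> Optional[Verdict]:
    addr = ipaddress.ip_address(s.ip)
    if any(addr in ipaddress.ip_network(c, strict=False) for c in p.whitelist):
        return ("accept", "whitelist")
    return None


def rule_forged_helo(s: Session, p: Policy) -> Optional[Verdict]:
    # A remote client announcing itself as (a host under) one of our own domains is forging.
    helo = s.helo.lower()
    if any(helo == d or helo.endswith("." + d) for d in p.our_domains):
        return ("reject", "forged HELO")
    return None


def rule_no_rdns(s: Session, p: Policy) -> Optional[Verdict]:
    return ("reject", "no hostname") if not s.rdns else None


def rule_dynamic_rdns(s: Session, p: Policy) -> Optional[Verdict]:
    if s.rdns and any(rx.search(s.rdns) for rx in DYNAMIC_RDNS):
        return ("reject", "dynamic IP by rDNS")
    return None


def rule_country_rdns(s: Session, p: Policy) -> Optional[Verdict]:
    if s.rdns:
        tld = s.rdns.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld in p.blocked_cctlds:
            return ("reject", "country by rDNS")
    return None


def rule_dnsbl(s: Session, p: Policy) -> Optional[Verdict]:
    # Real deployment: resolve dnsbl_query_name(s.ip, zone); an A record means "listed".
    # The constructed set keeps the example offline.
    return ("reject", "DNSBL") if s.ip in p.dnsbl_listed else None


# Order matters: the first rule that returns a verdict decides, later rules never run.
CHAIN: List[Callable[[Session, Policy], Optional[Verdict]]] = [
    rule_whitelist, rule_forged_helo, rule_no_rdns,
    rule_dynamic_rdns, rule_country_rdns, rule_dnsbl,
]


def evaluate(s: Session, p: Policy) -> Verdict:
    for rule in CHAIN:
        verdict = rule(s, p)
        if verdict is not None:
            return verdict
    return ("accept", "no rule matched")


def tally(sessions: List[Session], p: Policy) -> Dict[str, int]:
    """Per-rule hit counts, the kind of monthly breakdown given in the post."""
    counts: Dict[str, int] = {}
    for s in sessions:
        _, rule = evaluate(s, p)
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed policy and sessions (documentation-range addresses, hypothetical names).
POLICY = Policy(
    whitelist=["192.0.2.0/24"],
    our_domains={"waltdnes.org", "clss.net"},
    blocked_cctlds={"xx"},                        # hypothetical ccTLD label
    dnsbl_listed={"203.0.113.9", "203.0.113.77"},
)
SAMPLE = [
    Session("192.0.2.10", "relay.example.net", "relay.example.net"),       # whitelisted
    Session("203.0.113.5", "mail.waltdnes.org", "host5.example.org"),      # forged HELO
    Session("203.0.113.6", "host6", None),                                 # no rDNS
    Session("203.0.113.7", "cpe.example.net", "cpe-203-0-113-7.example.net"),
    Session("203.0.113.8", "mx.example.xx", "mx.example.xx"),             # country
    Session("203.0.113.9", "mx.example.com", "mx.example.com"),           # only the DNSBL catches it
    Session("203.0.113.77", "h", "77.113.0.203.pool.example.com"),        # listed, but rDNS fires first
    Session("198.51.100.1", "mx.example.org", "mx.example.org"),          # clean
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.ip, evaluate(s, POLICY))
    print(tally(SAMPLE, POLICY))
```

The 203.0.113.77 session shows the effect the post describes: the host is on the (constructed) DNSBL, but the dynamic-rDNS regex rejects it first, so the DNSBL is never queried and its hit count stays low. Moving rule_dnsbl to the front of CHAIN would shift that count without changing the outcome for the client.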