ietf-asrg

Re: [Asrg] Comments on draft-church-dnsbl-harmful-01.txt

2006-03-31 16:18:42

Jim MacLeod wrote:
On 3/31/06, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:

    5% is about the right figure for the traditional RBL.  There are
    other lists that prove far more effective.  As an RBL list is
    effective at prohibiting a source, other sources are then uncovered.
    A greater percentage will be found using the newer types of lists.
    These newer lists look beyond just the RBL and approach the 80%
    figure that Nick indicates.  : )

What techniques are these "newer" lists using that increases their
effectiveness so much?

It's worth perhaps defining what "Traditional RBL" actually means ;-)

I take it to mean DNSBLs based on some combination of "open SMTP relays"
and "dedicated spam factory" as in the original MAPS RBL.

As open relays have largely fallen out of favour in spamming (estimates
in the 1-2% range), "traditional RBL" essentially means "time-consuming
subjective evaluations of static spammers".  As in high latency, poor
timeliness, ineffective against open proxies and zombies.

DNSBLs based on that (essentially the original MAPS RBL, SBL, SPEWS to a
certain extent and others) are at best in the 8-10% range of effectiveness.

The next type are the "active probers" (testing for open SMTP relay,
open proxy, open SOCKS, formmail etc.).  These used to be capable of
effectiveness > 50%; however, "SMTP relay" is obsolete, and proxy
probing has gotten vastly more complicated with "inserted proxies" on
odd ports.  E.g.: Monkeys (defunct), OPM, NJABLproxy/socks, several of the
SORBS lists, parts of DSBL, ORDB (open relay, irrelevant).  These days
the effectiveness of these (taken singly) is at _best_ in the 25-30%
range.  Open proxy lists usually have very low FPs, because the
compromised machines _rarely_ also host direct mail senders.

DULs: where the listings can either be those given to them by the ISPs
themselves, or inferred by rDNS/TTL etc. heuristics, or a combination.
Originally these exclusively listed dialups (hence the term derives from
"dialup user list"), but later DHCP in any form, and now they mostly tend
to mean "generic consumer space" - because that's where the bots are.
None of these lists are exclusively "ISP provided" - because not enough
ISPs are publishing lists to make the resulting BL particularly useful.
Given that they mostly use rDNS et al. heuristics, they're horrendously
time-consuming to maintain.  Effectiveness can range up to 70% or even
more.  Moderate FPs.

"Emission signature" - the only one I'm familiar with is the CBL
(included in the Spamhaus XBL with OPM and NJABLproxy), though I believe
that is a component of some of the SORBS lists.  These look for specific
characteristics of the email being sent.  The CBL in particular seems to
work well detecting both proxies and trojans/zombies - though of course
effectiveness will depend highly upon the cross-sectional area of the
detectors.  FPs very low.  Effectiveness of the CBL/XBL is at least
equal to that of the DULs.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
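Every list class discussed in the message above (static spammer lists, proxy probers, DULs, emission-signature lists) is consumed the same way, by a DNS query on the reversed address, and the DUL-style lists are built from rDNS heuristics of the kind described. As an added example, not code from this thread or from any of the lists named in it, the Python below shows that consumption side: building the query name and decoding 127.0.0.x answers, refusing answers outside 127/8 (an expired, wildcarded zone would otherwise list the whole Internet), checking a zone with the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not) before trusting it, and a toy DUL-style rDNS classifier. The zone names, the return-code table, the keyword lists and the stub resolver are all constructed assumptions; real list operators publish their own code tables.

```python
"""Added example (not code from the ASRG thread or any named list).

Shows how a DNSBL client queries a list, decodes the 127.0.0.x answer,
sanity-checks the zone, and how a DUL-style rDNS heuristic might classify
a PTR name.  Zone names, the return-code map, keyword lists and the stub
resolver are illustrative assumptions."""
import ipaddress
import re
from typing import Callable, Dict, List

# ASSUMED return-code map for a hypothetical aggregate zone; it only mirrors
# the list classes discussed in the thread.  Consult the operator's table.
RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "static spam source (SBL-style)",
    "127.0.0.4": "open proxy / zombie (XBL/CBL-style)",
    "127.0.0.10": "dynamic or consumer space (DUL-style)",
}

_LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone:
    192.0.2.10 in bl.example.test -> 10.2.0.192.bl.example.test"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip: str, zone: str,
           resolve: Callable[[str], List[str]]) -> List[str]:
    """Return listing reasons for ip in zone ([] when not listed).

    resolve(name) stands in for an A-record lookup and returns [] on
    NXDOMAIN.  Any answer outside 127.0.0.0/8 is rejected: a zone that has
    expired and been wildcarded, or a resolver that rewrites NXDOMAIN,
    would otherwise "list" every address on the Internet."""
    reasons = []
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.IPv4Address(answer) not in _LOOPBACK:
            raise ValueError(f"{zone} answered {answer}; zone is broken")
        reasons.append(RETURN_CODES.get(answer, f"listed ({answer})"))
    return reasons


def zone_sanity(zone: str, resolve: Callable[[str], List[str]]) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.
    A wildcarded or dead zone fails one of the two."""
    listed = resolve(dnsbl_query_name("127.0.0.2", zone))
    unlisted = resolve(dnsbl_query_name("127.0.0.1", zone))
    return bool(listed) and not unlisted


# DUL-style rDNS heuristic.  Keyword lists are ASSUMED for illustration.
_DYNAMIC_WORDS = re.compile(
    r"(?<![a-z])(dyn|dynamic|dhcp|dsl|adsl|cable|ppp|pool|dial(up)?)(?![a-z])",
    re.I)
_STATIC_WORDS = re.compile(r"(?<![a-z])(static|mail|smtp|mx)(?![a-z])", re.I)


def looks_dynamic(ptr: str, ip: str) -> bool:
    """Guess whether the PTR name for ip denotes generic consumer space.

    A name that declares itself static or a mail host wins; otherwise a
    dynamic keyword, or at least three of the four IP octets embedded in
    the name (c-192-0-2-10.example.test), marks it as dynamic."""
    if _STATIC_WORDS.search(ptr):
        return False
    if _DYNAMIC_WORDS.search(ptr):
        return True
    tokens = re.split(r"[.-]", ptr)
    hits = sum(1 for octet in ip.split(".") if octet in tokens)
    return hits >= 3


# CONSTRUCTED stand-in for DNS; every listing here is made up.
_FAKE_ZONE: Dict[str, List[str]] = {
    dnsbl_query_name("127.0.0.2", "bl.example.test"): ["127.0.0.2"],
    dnsbl_query_name("192.0.2.10", "bl.example.test"): ["127.0.0.4"],
    dnsbl_query_name("198.51.100.7", "bl.example.test"): ["127.0.0.2",
                                                           "127.0.0.10"],
}


def fake_resolve(name: str) -> List[str]:
    """Stub resolver.  wild.example.test behaves like an expired zone that a
    squatter has wildcarded: every name resolves to a parking address."""
    if name.endswith(".wild.example.test"):
        return ["203.0.113.1"]
    return _FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for zone in ("bl.example.test", "wild.example.test"):
        print(zone, "sane:", zone_sanity(zone, fake_resolve))
    for ip in ("192.0.2.10", "198.51.100.7", "192.0.2.11"):
        print(ip, lookup(ip, "bl.example.test", fake_resolve))
    print(looks_dynamic("c-192-0-2-10.hsd1.example.test", "192.0.2.10"))
```

Run `zone_sanity` once per zone at startup (and periodically) rather than on every message; the point is to stop trusting a list the moment it starts answering for 127.0.0.1, which is exactly what a wildcarded dead zone does.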