incoming spam. The XBL caught a lot more, but still less than 65% of the
spam. But this better performance cost nearly 30 false positives (each
of which could lead to a very irate customer for a business or
government organization).
30 out of how many? People I know who use the XBL and the CBL (the main
source for the XBL) tell me that the fp rate they see is very low. This
includes people at big companies who depend heavily on e-mail.
The numbers seem to indicate that IP-based blacklisting is essentially
useless without further content filtering. None even came close to
filtering 75% of spam, and some caused hundreds or thousands of false
positives.
I hope that doesn't come as a surprise to anyone. The advantage of DNSBLs
is that they are cheap to use and can reject mail very early in the SMTP
process. If you can knock out 2/3 of the spam with DNSBLs, you can avoid
2/3 of the expensive content based scoring filters.
I wonder if the same poor performance will be the output of
domain-name-based reputation systems after MARID's work is widely
deployed.
The only honest answer is that nobody knows. In the forseeable future,
MARID verification will only be useful to whitelist domains known to be
friendly.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.