spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob McEwen <>
Subject Re: Uptick in spam
Date Mon, 30 Mar 2015 16:33:24 GMT
On 3/30/2015 11:49 AM, Kris Deugau wrote:
> Seconded;  this is exactly what we've been finding.  Invaluement is a
> great complement to Spamhaus for a fraction of the cost.
> I wouldn't put it as a front-line reject DNSBL, because some of the
> things that have been listed are not what I would class, for our
> customers, as spam - but those entries are distinctly greyhat at best in
> a lot of cases, and some IP range operators I've flagged as "list,
> delist, and whitelist_from_rcvd as needed" due to the mix of legitimate
> small senders and spammers.

Thanks Kris for the compliment. Also, when you say "mix of legitimate 
small senders" ...just to clarify, I think that any further analysis 
will show that (a) MOST of these are situations where very small senders 
had massive spam-sending outbreaks due to compromised accounts, and (b) 
the listing was most often very short lived (often mere hours).

This is a balancing act... and I think invaluement strikes a great 
balance. And even in THIS particular area, I think our FP level is still 
distinctly LESS than UCEProtect, Barracuda, and SORBS (for examples). 
But if we brought that all the way to zero, MUCH spam that slips past 
Zen wouldn't be listed on invaluement anymore. (the ham/spam ratios on 
some of these compromised account situations is horrendous--they send 
out their usual 400 hams that day, along with 200,000 spams... and the 
cumulative sum total of those spams from ALL such compromised senders 
that day, represents MUCH of the spam that gets past filters due to 
piggybacking on the sender's normally good reputation)

Also, what I've found is that many medium-sized ISPs/hosters, with 10s 
of thousand of mailboxes are very comfortable with outright blocking on 
invaluement, but will only score on UCEProtect, Barracuda, and SORBS. 
Much smaller hosters will often block on all of them, because they don't 
notice those FPs as often. In fact, I see these SAME somewhat rare 
compromised-sender FPs with Zen, too. It is all about each list's 
strategies, and aggressiveness, and tolerance levels. As shown, 
invaluement is in a very strategic spot here... having much of the 
aggressiveness of these other lists, but with FP levels VERY close to 
Zen's FP levels. (and then scoring on these other lists... even 
aggressive, yet still under-threshold, scoring... will help block spams 
missed by both invaluement and spamhaus)

Also, invaluement plays "close to the edge" with "CAN-spam" and 
"snowshoe spammers". So invaluement is in a little more "dangerous 
territory"...that it can do so and not have a lot more FPs, is not easy. 
For example, this invaluement may occasionally list the kind of "pure 
ads" that, upon further analysis, are arguably not technically spam, but 
aren't exactly desired by the end users. But these situations tend to 
sort themselves out over time.

The SAME thing happens with invaluement's ivmURI domain blacklist. 
OFTEN, a normally legit web site has a CURRENT... LIVE spam infestation, 
where spammers broke into that site and placed spammy content there. 
This has become epidemic. Sure, it is frustrating for everyone, when 
such a site that is being used to send phishing and porn spams... causes 
some of that site's legitimate correspondence to get blocked... but this 
a necessary "lesser of evils". The best part is that such a blacklisting 
motivates the site owner to fix their site FASTER. In such a situation, 
the blacklist provided the world a good service, and the resulting 
collateral damage was well justified. The site owner should be 
considered at fault for the collateral damage, not the DNSBL.

I hope this provides some clarity.

Rob McEwen
+1 478-475-9032

View raw message