Seriously, if you want to stop most of the spam with only a very minimal risk of false positives, you will have to use a combination of lists, because there is really *NO BLOCKLIST* which always does 0 False Positives if measured against a mixed but real mailflow:

See: http://stats.uceprotect.net

What you see there is the real mailflow of those UCEPROTECT-customers that have freely chosen to select "Transmit Statistics and nominate Spammers" in their Appliances.

Actually 45 Systems are running the upcoming Release V4.1 in Betatest and what you see there is their real traffic. What you can't see yet is the traffic from all other customers that are still running the latest official Release V4.07.

This is how we are counting Spamtrap hits and also False positives:

All Lists are queried at every connection after RCPT TO:

Spamtrap hits (Displayed in green): Every mail sent to a spamtrap is counted as a hit for those blocklists that report the IP / domain as listed.

False positives (Displayed in red): Every mail sent to an existing recipient is counted as a false positive for those blocklists that report the IP / domain as listed and the sender is in the recipient's automatic or manual whitelist.

Counters for the nonexisting (virtual) zone: uceprotect.combined are counted ONCE only according to the description above if any of the 4 real existing dnsbl-*.uceprotect.net zones would report listed.

As you can see, the most accurate and effective single blocklist in our comparison is cbl.abuseat.org, but even it would have rejected 14 of 8475031 HAMs last week while catching 73.3% spam.

That is excellent for a single blocklist, but you can get a better result if you are using the following combination of lists:

Delay any incoming connection which is listed at dnsbl-0.uceprotect.net aka UCEPROTECT Level 0 with a tempfail (450) after RCPT TO. This is important because Level 0 is a delaylist, not a blocklist. Listings there will expire as soon as an Operator has moved them to UCEPROTECT Level 1, otherwise latest after 3 hours.

Block if at least 2 of the following 8 lists are indicating "listed": bl.spamcop.net, cbl.abuseat.org, dnsbl-1.uceprotect.net, dnsbl-2.uceprotect.net, dnsbl-3.uceprotect.net, dnsbl.sorbs.net, ix.dnsbl.manitu.net and psbl.surriel.com.

If you follow my instruction, you will end up with a system that has as good as no false positives and will block most of all spam.

As always YMMV.

--
Claus von Wolfhausen
Technical Director
UCEPROTECT-Network
http://www.uceprotect.net
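The combination described in the message above (tempfail on a Level 0 listing, block on at least 2 of the 8 lists), sketched as an added example that is not part of the original post or any UCEPROTECT code. The 550 reject code, the rule that a block takes precedence over a delay, the function names and the sample listings are assumptions made for illustration.

```python
import ipaddress
import socket

DELAY_ZONE = "dnsbl-0.uceprotect.net"  # Level 0 is a delay list: tempfail only
BLOCK_ZONES = (
    "bl.spamcop.net", "cbl.abuseat.org", "dnsbl-1.uceprotect.net",
    "dnsbl-2.uceprotect.net", "dnsbl-3.uceprotect.net", "dnsbl.sorbs.net",
    "ix.dnsbl.manitu.net", "psbl.surriel.com",
)
BLOCK_THRESHOLD = 2  # "at least 2 of the following 8 lists"

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_listed(name):
    """Live lookup: an A record in 127.0.0.0/8 means listed."""
    try:
        answers = socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN or resolver failure: treated as not listed
        return False
    return any(a.startswith("127.") for a in answers)

def decide(ip, listed=dns_listed):
    """Return (smtp_code, reason) for the check made after RCPT TO."""
    hits = [z for z in BLOCK_ZONES if listed(dnsbl_name(ip, z))]
    if len(hits) >= BLOCK_THRESHOLD:
        # Assumption: 550 as the reject code, and block wins over delay.
        return 550, "listed at " + ", ".join(hits)
    if listed(dnsbl_name(ip, DELAY_ZONE)):
        return 450, "tempfail, listed at " + DELAY_ZONE
    return 250, "not blocked" + (", single hit at " + hits[0] if hits else "")

# Constructed sample data (documentation addresses, not real listings).
SAMPLE_LISTED = {
    "10.2.0.192.cbl.abuseat.org", "10.2.0.192.psbl.surriel.com",
    "20.2.0.192.bl.spamcop.net",
    "30.2.0.192.dnsbl-0.uceprotect.net",
}

def sample_listed(name):
    return name in SAMPLE_LISTED

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, decide(ip, sample_listed))
```

A single hit on one of the 8 lists does not reject the mail; that is what keeps one list's false positive from costing a delivery.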