NOTE: If you are blacklisted on TqmCube (TQM3), which is not our dnsbl, click here.
We've enjoyed working with Rob McEwen on SURBL and expect his new DNSBL to aid in the identification of unsolicited messages in new ways.
Jeff Chan, founder of SURBL
Branded the invaluement Anti-Spam DNSBL, this is actually three separate DNSBLs which are only available to paying subscribers via RSYNC.
Subscribers pay a single (quarterly or yearly) fee for RSYNC access to all three invaluement DNSBLs, with a choice of either rbldnsd-formatted or BIND-formatted zone files.
Get access here. Submit removal requests here
ivmURI has become another valuable spam detection layer which I highly recommend to my customers!
Mailadmin & SARE Ninja
The invaluement.com lists are a useful addition even if you already have effective spam filters in place.
Robert Tarrall, neighborhoodlink.com
ivmURI is the 3rd major URI DNSBL on the Internet, alongside SURBL and URIBL. ivmURI's FPs are at least as rare as those of URIBL and SURBL. While ivmURI is not a replacement for SURBL and URIBL, many spamvertized domains are ONLY caught by ivmURI, or caught first by ivmURI.
ivmSIP is the invaluement Senders IP DNSBL. Also known as an RBL, this list includes those IPs which only send spam. While ivmSIP is not intended to replace such respected DNSBLs as Zen and SpamCop, ivmSIP blocks much spam that is missed by those other respected, effective, and low-FP DNSBLs, and has similarly extremely low FPs.
ivmSIP/24 is just like ivmSIP, except that it lists entire /24 blocks. As a result, often, the very first attempt to send spam from a particular IP is (preemptively!) blocked. Unlike most other /24 blacklists, ivmSIP/24 is designed to have just as low FP rates as ivmSIP. That is very unusual and makes ivmSIP/24 much more effective than most other /24 blacklists.
How is the invaluement DNSBL different than other DNSBLs?
invaluement has been very effective at preventing spammers from getting to our customers ...ivmSIP has meant a 30% reduction in the mail we accept, saving us enormous amounts of processing on our inbound mail servers.
Most DNSBLs (but NOT the invaluement.com lists!) use one or both of the following two tactics to catch spammers:
- HONEYPOTS: honeypot spam traps are e-mail addresses which are purposely hidden on a web page, outside of human sight. The spammers have bots which collect those addresses and they eventually send spam to those addresses. Because the e-mail address is not ever used for legitimate purposes, the spammer is then caught red-handed.
- USER REPORTS AND STATS: The second common tactic of DNSBLs is to wait for user-generated reports and then block based on a statistical analysis of that data, where a spammer's IP or domain hits a critical mass. Another variation of this involves fully automated analysis of statistics from fully automated reports, which then triggers a listing when particular amounts of spam within X amount of time are spotted.
These are both very effective methods and they continue to serve many DNSBLs very well. But the invaluement DNSBL does NOT use these two tactics.
While these tactics are effective against most spam, some spammers have discovered ways to circumvent these tactics and, therefore, stay off of those DNSBLs which do use these tactics.
How do spammers evade such other DNSBLs?
We use ivmSIP after greylisting, DNS checks, syntax checks, spamhaus and a few other RBLs. It consistently blocks about 40% of what is left, greatly reducing the load on our content scanners. Awesome!
Aaron Wolfe, kdtsolutions.com
ivmURI alone now accounts for 85% of all the spam we block, while maintaining an extremely low false positive rate.
How do such spammers evade honeypot-trap-driven DNSBLs?
Simple. They use extremely high-quality lists that are devoid of honeypots! A tell-tale sign is when they know the user's exact full name, showing that they purchased their list from a high quality source. Often, the recipient did sign up for one thing on a web site form several years ago, but didn't realize their information would be sold to the bad guys. They then receive many unsolicited offers from unrelated web sites for years to come! And many such series of spam are missed by those spam filters which do not use the invaluement.com DNSBL!
How do such spammers evade DNSBLs that rely upon statistics and client-reports?
The spammers do what is called snowshoe spamming. This means that they send their spam extremely slowly so as to stay below the radar. By the time that statistics reach a critical mass, the spammer has conveniently moved on to sending from other IP addresses and using other domain names within the links in their spams.
How does invaluement catch these more sneaky spammers?
Rob McEwen has done a great job in this niche and complements the already available resources, with minimal admin requirements - setup & it works!
Mailadmin & SARE Ninja
Consider that, instead of trying to emulate any other DNS blacklist, the invaluement lists attempt to catch spam that the other DNSBLs are missing. Therefore, different tactics are called for!
Blocking spam NOT ever sent to honeypot traps:
Because the invaluement lists are ONLY fed by spam sent to real users, they catch much spam that does NOT hit other DNSBLs' honeypot spamtraps. Since invaluement does not depend on honeypot spam traps, much spam is blocked by the invaluement DNSBL which gets missed by these other honeypot-driven DNSBLs.
Blocking snowshoe spam missed by other DNSBLs:
Sending spam slowly does not help a spammer avoid the invaluement DNSBL because a single spam received and processed is ALL that is necessary to trigger a listing on invaluement.
Many will criticize these two tactics due to a common belief that these always lead to false positives. But the invaluement lists shatter this conventional wisdom...
With such aggressive tactics, how does invaluement avoid False Positives?
The FP rate is extremely low. In fact, it's so low that we are perfectly comfortable rejecting all mail from listed hosts.
Aaron Wolfe, kdtsolutions.com
The invaluement.com lists are very effective with extremely low false-positive rates and minimal resource usage.
Robert Tarrall, neighborhoodlink.com
First of all, our best defense against FPs is the very extensive Anti-False-Positive Filter used by invaluement which took years to develop!
In addition to our extensive and complex FP-Prevention filters, invaluement uses a custom developed world-class IP and URI whitelist which also prevents the sending IPs (MTAs), and domain names, of legitimate ISPs and legitimate organizations from getting blacklisted. For example, our tediously hand-crafted Senders IP whitelist consists of eight thousand entries, and many of these individual entries whitelist large IP ranges or blocks. Think of any household name ISP and we already have all of their sending IPs whitelisted. So there is no need to worry about a server from gmail, hotmail, yahoo, aol, juno, any baby bell, etc... getting blacklisted, even if some of those are mixed sources of ham and spam. (And that is just the tip of our whitelisting iceberg!) Of course, it takes much more than a great whitelist to make a great blacklist. Without these whitelists, the invaluement FP rates would still be low (again, due to our complex Anti-False-Positive Filters).
As a matter of fact, many other DNSBLs have large whitelists but don't have particularly effective FP-prevention filters, and even with massive whitelists such DNSBLs often have too many egregious FPs. And that is why the invaluement DNSBL does not depend on whitelists to prevent false positives. Nevertheless, having an industry-leading whitelist certainly does hedge our bet and makes it nearly impossible for invaluement to blacklist a prolific ISP's MTA!
The bottom line is that such listing tactics enable the invaluement DNSBL to NOT have to wait on recipient-generated reports and NOT require a critical mass in statistical reports before a listing happens. Therefore, as a direct result, many spammers' IPs and domains are listed by the invaluement DNSBLs first... only to appear hours or days later in other leading DNSBLs.
And this doesn't count all the spam that is preemptively blocked by ivmSIP/24!
What are the listing standards of invaluement?
ivmURI and ivmSIP are good solid and professionally operated lists.
From CBL, the largest component of Spamhaus Zen & XBL lists -- see full quote on the cbl.abuseat.org web site!
The invaluement DNSBL has two goals:
- List ONLY those items which will cause ONLY spam (defined as UBE, Unsolicited Bulk E-Mail, plus 419/phish scams and viruses) to get blocked.
- DO NOT list URIs found in legitimate e-mails and DO NOT list mail-sending IPs which send any amount of legitimate e-mail.
There are some very rare exceptions, such as the listing of a small third-world ISP (or small business) which is currently spewing out millions of phishing scams while sending relatively few legitimate messages, or the temporary blacklisting of an otherwise legitimate domain name whose web site was cracked and is currently hosting a phishing page.
Additionally, it is NOT the job of the invaluement DNSBL to punish sloppy ESPs (e-mail service providers) which are sources of both ham and spam. However, ESPs which masquerade as a legitimate ESP, but which only send UBE (unsolicited bulk e-mail), are often blacklisted. The invaluement DNSBL is also very good at surgically targeting a sloppy ESP's spamming customers while leaving alone its legitimate customers.
How frequently does the invaluement data update?
The invaluement subscribers are invited to RSYNC every two minutes, and the data really does update every few minutes.
This allows subscribers to obtain extremely fresh data, helping to block new series of spam not yet blocked by other DNSBLs! This gives invaluement subscribers an edge over their competitors due to the increased effectiveness of their spam filtering.
In contrast, most DNSBLs ask not to be RSYNCed more than a few times per hour, or even less frequently. Why? First, since there are tens of thousands of free clients attempting to access their lists, they must conserve scarce and overburdened resources. Additionally, many other DNSBLs simply do not update nearly as frequently as the invaluement lists.
These limitations do not apply to the invaluement DNSBL. Since the invaluement data files are smaller than those of most other DNSBLs, the invaluement subscriber-funded infrastructure can easily keep up with the increasing resource usage caused by adding more subscribers. And, since the invaluement data files update very frequently, invaluement subscribers' spam filtering especially benefits.
Regarding the smaller data files: Don't be fooled. Bigger data files do not always translate to more spam caught. Recent head-to-head testing of the invaluement.com DNSBL demonstrated superior catch rates of spams in comparison to other DNSBLs with file sizes far larger than the size of the invaluement data files. Sure, these other DNSBLs had many more items listed than invaluement, but this did not translate to blocking more spam. The invaluement DNSBL's smaller file size also opens the door to a number of deployment scenarios which require a small memory footprint and are, thus, NOT feasible for other DNSBLs with much larger data files! Also, subscribers' RSYNCs start and finish much faster than RSYNCs to these other DNSBLs, some of which have data file sizes into the hundreds of megabytes.
Can the invaluement DNSBL reduce costs?
Yes!... Why?... Several reasons:
- When ivmSIP causes more spam to get blocked at the perimeter, that means a much lower load on your content-based spam filters. This makes your system more efficient and scalable and, as a direct result, allows you to do more and better filtering with less hardware... thus eliminating the need for as many costly hardware upgrades in the future. Next, as your business then grows, your costs do NOT grow as fast as they would without these lists!
- Additionally, the previous point is even more true because, when DNSBLs are served locally via rbldnsd, that typically means <1 ms lookup times, whereas over-the-network DNSBLs typically have 30-80 ms lookup times. When much of your spam is KO'd in under a millisecond, your filtering is then much more efficient and much more scalable!
- If your existing spam filtering is not getting the job done, integrating the invaluement DNSBL into your existing filtering is MUCH less costly than any kind of major overhaul. Doing so often provides substantial improvements to your existing anti-spam solutions. Most anti-spam appliances and anti-spam software packages will allow integration of additional DNSBLs.
- Implementation of the invaluement DNSBL typically results in improvements to your spam filtering which then eliminate the need to add additional employees and/or pay additional contractors to fight the spam. Sit back and let the invaluement lists do more of this work for you. In fact, frequently, e-mail hosting administrators will post on various anti-spam message boards requesting help for blocking various series of spam that would have already been blocked had that ISP been using the invaluement lists. Often, the cost for quarterly access to the invaluement DNSBL is less than one hour's worth of that employee's paycheck. And that one spam the systems administrator discussed is likely a small sampling of all the spams that the invaluement DNSBL would have blocked had it been in use. Do very large ISPs who pay MUCH more for access find any equivalent cost saving? Yes. They save $$ from a reduced volume of spam complaints tying up their help desks! Sales also improve when your spam filtering is superior to your competitors'. Additionally, the labor cost savings mentioned earlier only multiply when applied to larger organizations. Over time, the cost savings far exceed the subscription fees.
- The fees for accessing the invaluement blacklists are very reasonable and typically cost less than many other DNSBLs' prices for rsync access.
Together, all of the points above demonstrate that subscribing to invaluement DNSBL typically results in a long-term net reduction in operating expenses!
How to access the invaluement DNSBL?
Sign up here for an evaluation.