ivmSIP
“sender’s ip blacklist”

NOTE: If you are blacklisted on TqmCube (TQM3), which is not our dnsbl, click here.

ALSO: ivmSIP, aka an RBL blacklist, is one of three invaluement DNSBLs. Please first read the discussion of goals and features shared by all 3 lists detailed on the invaluement Anti-Spam DNSBL page.

ivmSIP is the invaluement Sender’s IP DNSBL. Aka an “RBL”, this list includes those IPs which only send spam. ivmSIP is not intended to replace respected DNSBLs like zen.spamhaus.org or any of the other high-quality DNSBLs mentioned (later) on this page. They all have different strengths and are all very useful. But ivmSIP catches much spam that is missed by such other respected, effective, and low-FP DNSBLs.

Most mail systems administrators consider Zen to have low enough false positives to merit using it for outright blocking spam instead of merely scoring. So it is no small feat that our subscribers routinely report that ivmSIP has Zen-like extremely low FPs. (ivmSIP experienced much growing pains getting to this point! It wasn’t easy!)

Other high-quality DNSBLs include SPAMCOP, NJABL, PSBL, UCEPROTECT-1, SORBS, and HOSTKARMA. Amongst these, listings standards and quality vary considerably. Some of these are almost as good as Zen in the low false positive category. Others are not so close. Therefore, systems administrators who have extremely high concerns about false positives might score on most of these lists. Other admins who are not urgently concerned about false positives might choose to block spam based on most of these lists, and all various scenarios in between.

The problem here is that even though Zen is widely considered the highest quality DNSBL (and deservedly so!), many spammers’ IPs are missed by Zen, yet listed on one or more of these other lists. Other spammer’s IPs are missed by ALL of these several high-quality DNSBLs mentioned above, Zen and the rest! And, most importantly, many such missed IPs are not ever sources of legit mail, making them superb candidates for getting listed on an anti-spam blacklist.

As a result, there is definitely a “DNSBL-gap”, and ivmSIP goes a long way towards closing that gap. Some have mistakenly assumed that the practice of checking sending IPs against DNSBLs had achieved a “plateau” in the fight against spam ...a sort of maturity, or point of greatly diminished returns. Instead, ivmSIP proves that thinking wrong and is now writing a new chapter in this saga!

How does ivmSIP fit into this mix of high quality DNSBLs?

1. LOW FALSE POSITIVES: ivmSIP seeks to achieve the same level of low FPs as Zen. That is a difficult task, but much recent feedback from our subscribers has confirmed that ivmSIP’s FPs are extremely low.
2. SNOWSHOE SPAM: ivmSIP catches more “snowshoe spam” than all of the DNSBLs mentioned on this page... and catches much snow shoe spam first!
3. SCOTTY SPAM: ivmSIP is also particularly good at blocking spam where someone signed up on a web site that they didn’t know was run by spammers (or, sells info to spammers). Their full name and their contact information was added to the most sneaky of spammer’s databases. No address harvesting (via page scraping) was needed to generate such databases. Therefore, such series of spam evade honeypot spam traps and, therefore, often get missed by all these other DNSBLs. In contrast, many of these are listed by ivmSIP!
4. UNIQUES: Many spammers’ IPs are only caught by ivmSIP! Or, don’t show up on any other DNSBLs until long after they are first listed by ivmSIP. This is a very important measurement of the effectiveness of a DNSBL. For example, if a DNSBL has a high spam catch rate and low FPs, but that DNSBL’s listings are (NOT officially, but for all practical purposes) merely a subset of Zen, what good would it be? It would be worthless. It would not block a single spam that was not already blocked by Zen. In contrast, many IPs are only listed by ivmSIP and left untouched by all other low-FP DNSBLs.
   
   If only more DNSBL measuring web sites would recognize this fact and include “uniques” in their metrics. (But where uniques are only tracked amongst extreme-low-FP DNSBLs, since higher FP DNSBLs would unfairly botch that metric.) ...listening, A.I.?

Can ivmSIP replace
SpamHaus’s Zen list?

ivmSIP could definately NOT ever be considered a replacement for SpamHaus’s Zen list (and probably not so for SpamCop either).

1. ivmSIP doesn’t cast near large enough of a ‘net’ on the botnet front. If it did, ivmSIP’s file size would be over a hundred megabyes large whereas it is now only about 1-2 MBs. Instead of trying to replace Zen, we would prefer to keep this data footprint small in order to continue transmitted data to our subscribers quickly and frequently. But make no mistake, all that data in Zen is required to block massive amounts of spam which ivmSIP doesn’t even hardly attempt to catch.
2. In the ivmSIP engine, certain FP-prevention filters exclude many IPs from ivmSIP which are blacklisted on Zen and which really should to be blacklisted--but ivmSIP’S lack of a large-scale 'view' of world-wide spam data limits some ivmSIP’s abilities in areas where the Zen list, in contrast, thrives.
3. For these same reasons, potential subscribers testing the invaluement lists are often not impressed by ivmSIP’s catch rates against incoming spam, either as percentages or numbers of incoming spams blocked by ivmSIP. Those numbers look even more pathetic when compared to the volume of all incoming spam. However, ivmSIP does impress based on the amount of spam blocked by ivmSIP which are missed by all other low-FP DNSBLs, Zen included. And while these numbers are a tiny percent of incoming spam, they often represent a significant amount of the spam which is currently getting past many spam filters and into end users’ mailboxes.

Therefore, ivmSIP should not ever be considered a replacement for Zen. But it has great value as a supplement to Zen.

Dictionary Attack Spam
VS.
Spam Sent To Real Users

Click on the chart above to load a larger copy of it in a new window. Next, be sure you are viewing at 100% size to avoid distortion.

Note that this particular testing was unfairly tilted in ivmSIP’s favor. There was a “home field advantage”. So, mostly, avoid comparisons between the lists and focus on the relative proportions of listed IPs on each DNSBL, comparing instances of IPs sending spam to real users vs. instances of IPs sending spam to non-existent accounts.

Interestingly, different DNSBLs have different degrees of focus. Because listings for ivmSIP are only generated from spam sent to real users, it has a very high catch rate on spams sent to actual users, but a very low catch rate for dictionary attack spam sent to unknown users.

Apparently, there is a large number of spam bots which exclusively send dictionary attack spam to random aliases. Because ivmSIP, instead, targets spam sent to real users, ivmSIP skips listing these dictionary-attack bots and that is one reason for ivmSIP’s smaller memory footprint. This is also why such a small memory footprint does NOT translate to less spam caught. Consider that it is more valuable to block spam sent to real users since the spam sent to non-existing users is going to get nowhere anyways, regardless of whether or not the sending IP is on any DNSBL!

TESTING/USAGE IMPLICATIONS

For all the many reasons described on this page and on our invaluement Anti-Spam DNSBL page, ivmSIP is best for blocking spam sent to real users instead of spam sent to honeypot traps and/or dictionary attack spams. That means that, if you check sending IPs against DNSBLs before checking to see if the recipient exists, then you should probably put Zen first. But if you are blocking spam based on the recipient not existing before checking the sending IP against DNSBLs, then you should probably put ivmSIP first amongst the DNSBLs, along with all other local-rbldnsd-served DNSBLs you have available. Why? Because local-rbldnsd-served DNSBLs are much faster than over-the-network queries to third party DNS servers! And, again, spam sent to non-existent users is going to get blocked eventually, even if not on a single DNSBL. In contrast, ivmSIP is trying to catch the sneaky spams, not the easy spams!

EVALUATION IMPLICATIONS: For so many reasons detailed above, it should be obvious by now that all evaluations should also be conducted only on spam sent to real users. If there is a concern about not wanting to test the lists on real incoming messages, then simply use ivmSIP in a scoring mode and start off scoring it low. Next, find a way to collect and audit those message that ivmSIP (a) would have blocked, but made it past your non-ivmSIP-enhanced spam filters, and (b) might have been blocked by your spam filter without ivmSIP, but where ivmSIP was the only IP DNSBL to list the sending server IP! The first category means less spam to your users’ inboxes. The latter category means the spam could have been blocked without having to perform expensive content filtering, making your filtering more efficient and scalable. Both categories are beneficial. Additionally, when these instructions are followed, such testing will also reveal any FPs, if you can find one!

How to access the invaluement DNSBL?

Sign up here for an evaluation.

ivmSIP
“Sender’s IP DNSBL”