invaluement
dnsbl reviews
NOTE: Robert Tarrall reviewed the invaluement DNSBL several months ago. Between then and now, the invaluement lists have only improved. Our whitelists have grown, our sources of incoming data have greatly increased (providing a greater variety of spam to excavate), and our methods are further developed. Additionally, Robert Tarrall is an industry leader in finding and reporting new blocks of spammer IPs to various anti-spam groups. Likewise, he very aggressively blocks such IPs at his firewall. Given this fact, it is particularly impressive that the invaluement lists were/are still helpful for blocking spam on the network Tarrall manages.
Also, more reviews are forthcoming.
Robert Tarrall's Review
Here are the results of my test of ivmSIP and ivmURI, for those who are interested.
EXECUTIVE SUMMARY:
Both currently seem to be very effective lists with extremely low false-positive rates and minimal resource usage; they should be a useful addition even if you already have effective filters in place.
TEST ENVIRONMENT:
ISP mailserver, roughly 6,000 mailboxes in a variety of domains. All of the customer base is within the US. 190,000 inbound connections per day, 50K messages delivered per day.
We block inbound email from IPs listed in four well-known DNS-based lists. We also test domains found in the message bodies against multi.surbl.org using a scoring system.
We also have a local access.db comprising about 25,000 domains, subnets and individual IPs, and some other home-grown filters.
This has been working well enough that I'm not willing to post more details publicly; most of our users get very, very little spam. I would however be happy to follow up in private if anyone wants to know which lists we use or more details about the home-grown filters.
I wanted to know what, if anything, we'd gain from adding the invaluement lists to our existing package so I added ivmSIP after all of our other envelope-level filters and ivmURI after all message-body filters.
OVERLAP:
As a first test, I pulled the ivmSIP list on Friday afternoon and tested the contents against our current list of filters. Out of 15,829 IP addresses rejected by at least one of the above-mentioned DNS-based lists, 1,175 were also listed in ivmSIP.
Nice to see so little overlap. If the numbers had been reversed I'm not sure I would've bothered testing further; I don't appreciate wasting memory and bandwidth storing multiple copies of the same data. Folks who use IP lists to feed score-based systems might feel differently.
FOOTPRINT:
The ivmSIP and ivmURI lists together comprise less than 120K records. Total memory use for an rbldnsd process serving both lists is under 4MB. This is a HUGE plus; some of the lists we've served locally in the past have used hundreds of MB. For some folks that's not a big deal, but for others that'd mean a new server.
BANDWIDTH:
Using rsync every 2 minutes for both lists transferred a total of 11MB up, 13MB down over 3 days. Nice to see that even if you have a slower link or pay by the byte the impact of frequent downloads will be fairly low, at least as long as the list remains this compact.
RESULTS:
CONNECTION STATS (from the last few days):
450,000 inbound connections
350,000 rejected connections due to envelope-based filters
161,000 ... of those due to 3rd-party IP block lists
26,000 ... of those due to ivmSIP
10,000 messages blocked by body-based filters
5,400 ... of those were due to ivmURI
MESSAGE STATS:
107,000 messages delivered
2 complaints about blocked emails
0 ... of those due to invaluement.com lists
Remember that the invaluement lists were applied after all other lists. The first list we use blocked 126K messages, our local access list blocked 60K messages... 3 more lists combined caught another 7K. Our local filters are very, very aggressive and for the ivmSIP list to find another 26K messages to block without any false positives is REALLY impressive.
Another way to look at those stats: with the invaluement lists we had 107,000 messages delivered. Without, over the same time period, it's fairly safe to say we would've done about 138,000 deliveries and all of those additional deliveries would've been spam.
FALSE POSITIVE RATES:
None so far, of any variety. This is particularly nice to see on the ivmURI list; I've had to use a scoring system with the SURBL contributors since none are devoid of false positives and I was expecting the same from this list.
OTHER COMMENTS:
The ivmSIP and ivmURI lists have both been particularly effective against the snowshoe spammers - these guys have been the biggest hassle to block over the past year so I'm really, really happy to find an effective filter list for these buggers.
By snowshoe spammers I mean the folks who get a netblock, fill it up with randomly-generated hostnames, and then spam slowly from all the IPs in the block. When they've sufficiently dirtied the whole netblock, they move on to a new one.
They're tough to block because they're really good at listwashing spamtraps. Any spamtrap that feeds a filter will be removed from their list sooner or later, so you have to keep your spamtrap list current. Also, you end up spending a lot of time identifying/blocking their current IP ranges, then removing those ranges either when the spammer leaves or when the stale listing causes customer complaints.
The effectiveness of both lists is GREATLY enhanced by the very frequent updates. Spammers are rotating through IPs and domain names fairly quickly as the traditional lists add them; updating every 2 minutes makes a huge difference. The bandwidth used by such frequent updates is surprisingly small so you definitely want to do this if you use these lists.
-Robert Tarrall-
Unix System/Network Admin
E.Central/Neighborhood Link
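The snowshoe pattern described in the review (many addresses in one netblock, each sending only a little mail) can be surfaced from a mail server's own per-IP counts. The following is an added example, not part of the review and not invaluement's method; the /24 grouping, the thresholds and the sample data are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (sender IP, messages seen in the window).
# Documentation address ranges only; not real traffic.
SAMPLE = (
    [(f"192.0.2.{i}", 3) for i in range(10, 50)]     # 40 IPs, 3 msgs each: wide and slow
    + [("198.51.100.7", 900)]                        # one busy single sender
    + [(f"203.0.113.{i}", 2) for i in range(1, 6)]   # only 5 IPs: too narrow to flag
)


def snowshoe_blocks(counts, prefix=24, min_ips=20, max_per_ip=10):
    """Return {network: (distinct_ips, total_msgs)} for netblocks where many
    distinct addresses each send a small number of messages.

    prefix, min_ips and max_per_ip are assumed tuning knobs, not values
    taken from the review.
    """
    per_block = defaultdict(dict)
    for ip, n in counts:
        # Map the address to its enclosing netblock (strict=False masks host bits).
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_block[net][ip] = per_block[net].get(ip, 0) + n

    flagged = {}
    for net, ips in per_block.items():
        wide = len(ips) >= min_ips               # volume is spread over many IPs
        slow = max(ips.values()) <= max_per_ip   # no single IP is noisy
        if wide and slow:
            flagged[str(net)] = (len(ips), sum(ips.values()))
    return flagged


if __name__ == "__main__":
    for net, (n_ips, total) in snowshoe_blocks(SAMPLE).items():
        print(f"{net}: {n_ips} sending IPs, {total} messages")
```

A flagged block is a candidate for review rather than an automatic listing; as the review notes, stale range listings cause customer complaints once the spammer has moved on.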
How to access the invaluement DNSBL?
Sign up here for an evaluation.