OK. NO TCO OR ROI HERE. WE LIED.
Posted on March 5th, 2010 by Peter

It has been a while since I last compiled our own ORF statistics using the Reporting Tool, and what I am seeing is that SURBLs are overtaking DNS Blacklists.

Blacklist Statistics

Is it just us, or are SURBLs really taking over? You can check your statistics in the Test / Summary section of any ORF report created with the ORF Reporting Tool.

UPDATE: Actually, there’s an explanation for this. Recently we switched to all-On Arrival filtering on our server, which means SURBLs are tested earlier than DNSBLs (see General Information / Test Order and Priority in the ORF Help), hence the more prominent role of SURBLs.

That does not change the fact that SURBLs alone do a great job. ORF cleans up the traffic step by step: 30% of what reaches the SURBL test is cleaned up there, leaving a much more legitimate stream of traffic for the DNSBLs, which clean up another 8%.
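To make the test-order effect concrete, here is an added example (not ORF's code or statistics): a small Python simulation of a layered filter over a constructed traffic mix. It runs the same messages through two orders, DNSBL before SURBL and SURBL before DNSBL, and reports each test's hit rate over the mail that actually reached it and its share of all blocked mail. The metric names, the test names and the message mix are assumptions for illustration, not ORF's report definitions.

```python
"""Simulating how test order in a layered mail filter shifts per-test statistics.

Added example, not ORF code. The message mix and the two metrics are constructed
for illustration: 'performance' is hits divided by messages that reached the test,
'contribution' is hits divided by all blocked messages.
"""

# Constructed traffic mix: (tests that would hit this message, number of messages).
# A message is stopped by the first test in the configured order that hits it.
SAMPLE_MIX = [
    ({"helo", "dnsbl"}, 40),   # forged HELO from a listed IP
    ({"dnsbl", "surbl"}, 25),  # listed IP whose message also carries a listed URL
    ({"surbl"}, 15),           # unlisted IP (fresh bot, webmail) but listed URL in body
    ({"dnsbl"}, 10),           # listed IP, no URL in body
    (set(), 60),               # legitimate mail, no test hits
]

# Two orders standing in for the configurations discussed in the post:
# DNSBL evaluated Before Arrival (during the SMTP session) ahead of SURBL,
# versus everything On Arrival with SURBL evaluated first.
DNSBL_FIRST = ["helo", "dnsbl", "surbl"]
SURBL_FIRST = ["helo", "surbl", "dnsbl"]


def run_pipeline(order, mix=SAMPLE_MIX):
    """Return ({test: (performance %, contribution %, hits)}, passed_count)."""
    reached = {t: 0 for t in order}
    hits = {t: 0 for t in order}
    passed = 0
    for hitting_tests, count in mix:
        for test in order:
            reached[test] += count
            if test in hitting_tests:
                hits[test] += count
                break
        else:
            passed += count  # no test in this order hit the message
    total_blocked = sum(hits.values())
    stats = {}
    for test in order:
        performance = 100.0 * hits[test] / reached[test] if reached[test] else 0.0
        contribution = 100.0 * hits[test] / total_blocked if total_blocked else 0.0
        stats[test] = (round(performance, 2), round(contribution, 2), hits[test])
    return stats, passed


def compare_orders():
    """Run both orders on the same mix and return their stats side by side."""
    return {
        "dnsbl_first": run_pipeline(DNSBL_FIRST),
        "surbl_first": run_pipeline(SURBL_FIRST),
    }


if __name__ == "__main__":
    for name, (stats, passed) in compare_orders().items():
        print(f"{name}: {passed} messages passed")
        for test, (perf, cont, n) in stats.items():
            print(f"  {test:6s} performance {perf:6.2f}%  contribution {cont:6.2f}%  hits {n}")
```

The total blocked count is identical in both runs (a message is rejected if any enabled test hits it, whichever runs first); only the attribution moves. Putting SURBL ahead of DNSBL hands it the 25 messages both tests would have caught, so its contribution jumps while the DNSBL's falls, which is the effect the update above describes.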

  1. Comment by Aaron Wetherhold
    posted on March 5th, 2010 @ 05:49 pm GMT+0000

    I love the SURBLs and the amount of spam they catch that would otherwise slip through, but we’re not seeing them overtake the RBLs. Maybe it is where they are in our list, after arrival instead of the before arrival filter, but here is our breakdown strictly from a numbers perspective (most blocked to least blocked).

    1. Recipient validation
    2. HELO Blacklist
    3. Reverse DNS
    4. DNSBL
    5. ClamAV (with Sanesecurity definitions)
    6. And finally SURBL.

  2. Comment by Jeff MacMillan
    posted on March 5th, 2010 @ 06:57 pm GMT+0000

    The vast majority of our filtering is hit before arrival, mostly HELO and recip validation, then DNSBL. After all of those layers the mail is filtered on arrival, including SURBLs. When we were only filtering on arrival (because of a mail relay config) we saw a tremendous contribution by SURBLs, and for those using that type of setup, this is likely the case. Again, depending on the configuration.

    In our situation the SURBLs don’t contribute more than a percentage point or two, which is significant in terms of total spam detected, but cannot match the utility of the DNSBL filtering points.

    Stats from report for yesterday:

    TEST        PERF     CONT
    ——————————————————————————
    HELO       98.95%   78.41%
    Honeypot   12.08%   12.13%
    Recip Val   8.71%    7.58%
    DHA         1.43%    1.27%
    RDNS       52.94%    0.29%
    Sender BL  26.47%    0.22%
    DNS         4.39%    0.04%
    SPF         5.56%    0.03%
    Keyword    13.33%    0.02%
    SURBL       1.92%    0.01%

  3. Comment by Peter
    posted on March 5th, 2010 @ 07:34 pm GMT+0000

    Aaron, Jeff: I will double-check our numbers, something does not seem quite right. Our 2009 stats showed only a minor (but still important) contribution for the SURBL test, then suddenly it’s taking over in 2010.

  4. Comment by Peter
    posted on March 5th, 2010 @ 07:34 pm GMT+0000

    Also, thanks for sharing your statistics – the HELO blacklist performs very well for you it seems.

  5. Comment by C. Frank Bernard
    posted on March 5th, 2010 @ 10:04 pm GMT+0000

    Past 30 days:
    #1 HELO Blacklist     59.75%   60.67%
    #2 SPF Test           14.87%   18.78%
    #3 Reverse DNS        25.81%   10.44%
    #4 DNS Blacklists     11.55%    6.22%
    #5 External Agents     7.98%    2.28%
    #6 Keyword Blacklist   8.14%    1.72%

    Note I do not blacklist on SPF Neutral or SoftFail, only HardFail.
    I’ve never done ASWL or any form of recipient validation.
    I was a long-time user of multi SURBL.org and URIBL.com, but the hits were so low, and the domains I occasionally requested URIBL move to another list color rather than Black were almost always “Rejected”, so I haven’t used any SURBLs in the past year, with the exception of a recent trial of the new Spamhaus-DBL for a few days, but it averaged only 2 hits/day so I unchecked it. (And yes, I had a final ignored-by-bug 0.0.0.0 result entry.)

  6. Comment by Peter
    posted on March 6th, 2010 @ 10:15 am GMT+0000

    Thanks, everyone; I have updated the post with an explanation for our numbers.

    @Frank: 2 hits a day could be 2% of 100 spam a day, so in any case I would suggest using SURBLs even if most of the time they work on well cleaned-up traffic.

  7. Comment by C. Frank Bernard
    posted on March 11th, 2010 @ 08:14 pm GMT+0000

    After your reply, I re-enabled SPAMHAUS-DBL but disabled it again because I’ve only had two more hits, and one is a false positive:

    Time: 3/11/2010 9:59:53 AM
    HELO/EHLO Domain: snd118084.britecast.com
    Related IP: 64.88.180.84
    Message ID:
    Sender: ge.appliance@email.geconsumerandindustrial.com
    Subject: save green with GE
    Message: Blacklisted by the SPAMHAUS-DBL SURBL (domain: “00b.net”, DNS lookup result: 127.0.1.2).
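The false positive in the log above comes from the nature of URI blacklists: they judge the domains linked in the message body, not the sending host, so a legitimate mailing that embeds a listed tracking or redirector domain trips the test even though the sender is fine. The following is an added example, not ORF code, of the lookup mechanics with a stub resolver standing in for real DNS: it extracts URL domains from a body, queries a placeholder zone (dbl.example.invalid, an assumption), counts only 127.x.x.x answers as listings (so a stray 0.0.0.0 answer is not a hit), and exempts trusted sender domains before the URL test runs. The listed domain and its 127.0.1.2 answer are taken from the log entry above; the sample message, sender domain and the tiny public-suffix table are constructed.

```python
"""SURBL-style lookup of URL domains in a message body, with a stub resolver.

Added example, not ORF code. The zone name, the stub DNS answers, the sample
message and the public-suffix table are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumption: a tiny hand-picked subset of two-label public suffixes, not the
# real public suffix list. Under these the registrable domain has three labels.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Placeholder zone name; a real deployment would use the blacklist's own zone.
ZONE = "dbl.example.invalid"

# Constructed stand-in for DNS answers so the example runs offline. The 00b.net
# answer mirrors the 127.0.1.2 result quoted in the comment above; the 0.0.0.0
# answer models a bogus reply that must not be treated as a listing.
STUB_DNS = {
    "00b.net." + ZONE: "127.0.1.2",
    "example.org." + ZONE: "0.0.0.0",
}

# Constructed sample: a legitimate newsletter whose click-tracking link points
# at the listed domain, the situation that produced the false positive.
SAMPLE_SENDER = "newsletter@sender.example"
SAMPLE_BODY = (
    "Save on appliances this spring!\n"
    "Visit http://click.00b.net/r?id=12345 today, or see our site at\n"
    "http://www.example.org/ for details.\n"
)


def registrable_domain(host):
    """Reduce a hostname to the domain a URI blacklist would be queried for."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_domains(body):
    """Return the sorted set of registrable domains linked from the body."""
    domains = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            domains.add(registrable_domain(host))
    return sorted(domains)


def lookup(domain, resolve=STUB_DNS.get):
    """Return the listing code for a domain, or None if it is not listed.

    Only answers inside 127.0.0.0/8 count as listings; no answer (NXDOMAIN,
    modelled here as None) or an out-of-range answer such as 0.0.0.0 is not a hit.
    """
    answer = resolve(domain + "." + ZONE)
    if answer and answer.startswith("127."):
        return answer
    return None


def check_message(sender, body, trusted_senders=()):
    """Return (verdict, detail); trusted sender domains skip the URL test."""
    sender_domain = sender.lower().rsplit("@", 1)[-1]
    if sender_domain in trusted_senders:
        return "pass", "sender domain exempt from URL blacklist tests"
    for domain in extract_domains(body):
        code = lookup(domain)
        if code:
            return "blacklist", f"{domain} listed ({code})"
    return "pass", "no listed URL domains"


if __name__ == "__main__":
    print(check_message(SAMPLE_SENDER, SAMPLE_BODY))
    print(check_message(SAMPLE_SENDER, SAMPLE_BODY, trusted_senders={"sender.example"}))
```

Run without an exemption, the sample message is blacklisted on 00b.net exactly as in the log above; with the sender's domain on the trusted list the URL test is skipped and the mail passes. The 0.0.0.0 answer for example.org is deliberately ignored by `lookup`, which is the defensive reading of any answer outside the 127/8 range a blacklist zone is expected to return.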

  8. Comment by Andy Schmidt
    posted on March 12th, 2010 @ 01:25 am GMT+0000

    SORBS and SPAMCOP account for 400,000 blocked emails, while the SURBLs only account for LESS than 1,000 total in the same 8 day period (this is just my secondary MX).

    Clearly, one needs to use the regular blacklists BEFORE receipt, to drop connection asap instead of tying up costly resources by waiting until AFTER receipt.

  9. Comment by Mike Haas
    posted on March 18th, 2010 @ 05:32 pm GMT+0000

    I’m wondering if there would be an agent or another way for SURBL to evaluate digg.com URLs for their source. We seem to be getting more of this type of spam, where the URL is a digg URL.
