Re: [Asrg] 7. Best Practices - DNSBLs - Article
"Chris Lewis" <clewis@nortelnetworks.com> Sat, 20 September 2003 01:38 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA01771 for <asrg-archive@odin.ietf.org>; Fri, 19 Sep 2003 21:38:20 -0400 (EDT)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.12.8/8.12.8) with ESMTP id h8K1VhGb020140 for <asrg-archive@odin.ietf.org>; Fri, 19 Sep 2003 21:38:00 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h88ELc7B024715 for asrg-archive@odin.ietf.org; Mon, 8 Sep 2003 10:21:38 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19wMtV-0006QN-Tf for asrg-web-archive@optimus.ietf.org; Mon, 08 Sep 2003 10:21:29 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA24605 for <asrg-web-archive@ietf.org>; Mon, 8 Sep 2003 10:21:21 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19wMtT-0002oQ-00 for asrg-web-archive@ietf.org; Mon, 08 Sep 2003 10:21:27 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19wMtS-0002oL-00 for asrg-web-archive@ietf.org; Mon, 08 Sep 2003 10:21:26 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19wMt4-0006If-DO; Mon, 08 Sep 2003 10:21:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19wMqo-00063k-9L for asrg@optimus.ietf.org; Mon, 08 Sep 2003 10:18:42 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA24281 for <asrg@ietf.org>; Mon, 8 Sep 2003 10:18:33 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19wMql-0002ie-00 for asrg@ietf.org; Mon, 08 Sep 2003 10:18:39 -0400
Received: from h87s129a234n47.user.nortelnetworks.com ([47.234.129.87] helo=zcars0m9.nortelnetworks.com) by ietf-mx with esmtp (Exim 4.12) id 19wMql-0002dm-00 for asrg@ietf.org; Mon, 08 Sep 2003 10:18:39 -0400
Received: from zcard309.ca.nortel.com (zcard309.ca.nortel.com [47.129.242.69]) by zcars0m9.nortelnetworks.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id h88EI0R15633 for <asrg@ietf.org>; Mon, 8 Sep 2003 10:18:00 -0400 (EDT)
Received: from zcard031.ca.nortel.com ([47.129.242.121]) by zcard309.ca.nortel.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id RY5AB2AY; Mon, 8 Sep 2003 10:18:01 -0400
Received: from americasm01.nt.com (clewis-2.ca.nortel.com [47.129.150.136]) by zcard031.ca.nortel.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id R239160K; Mon, 8 Sep 2003 10:18:01 -0400
Message-ID: <3F5C905A.1090302@americasm01.nt.com>
X-Sybari-Space: 00000000 00000000 00000000 00000000
From: Chris Lewis <clewis@nortelnetworks.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
CC: asrg@ietf.org
Subject: Re: [Asrg] 7. Best Practices - DNSBLs - Article
References: <6.0.0.12.0.20030811151412.026f21e0@solidmatrix.com> <a06001207bb5dacfd9eb5@[10.0.1.2]> <3F3946A9.4040004@americasm01.nt.com> <a06001201bb5f23f67ff7@[10.0.1.4]> <3F5BD983.6080606@americasm01.nt.com> <a06001a0cbb81d63b5066@[10.0.1.2]>
In-Reply-To: <a06001a0cbb81d63b5066@[10.0.1.2]>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/asrg/>
Date: Mon, 08 Sep 2003 10:21:14 -0400
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Brad Knowles wrote: > At 9:21 PM -0400 2003/09/07, Chris Lewis wrote: > >> For example, I can tell you that 2.5% of the email that got through >> would have been caught except for latency delays in our BLs... ;-) > Do you know what the latency delays are? For example, if you > implemented greylisting and enforced a minimum 30 minute delay before > you allowed them to get through the greylist, for what percentage of > these messages would that 30 minute delay have been enough for them to > show up on the BLs? We're considering greylisting as an adjunct to our filters. However, since we have 8 inbound gateways, it could get rather messy. A simple-minded implementation with a half hour delay would have a four hour worst-case delay... Not acceptable. Due to how our DNSBL system works (we do our own zone downloads), and with a eye to not bashing the DNSBL originating servers too much, the latency (for 3rd party DNSBLs) averages around 12 hours. So, greylisting-delay-for-DNSBL-catchup isn't going to help (us). Most of the third party DNSBLs have an average latency on the order of an hour or two (or considerably longer) when querying them directly[1]. So, even by switching to real-time queries, it still wouldn't help greylisting (unless you were willing to deal with that much longer latencies). Only spamcop is any faster. And SpamCop we won't use, because its FP level is too high (for a organization like us). That being said - I don't think it's necessary to tune your greylisting timeout w.r.t. DNSBL latencies. The simple fact of the matter is that open proxy/socks code will _not_ queue - so they won't try a second time[2]. I would strongly suspect that if you made your greylisting timeout _zero_, and simply 400'd the first appearance of a given sender/IP/recipient tuple and accept the next appearance, no matter how quickly, you'd still be getting 90% of what greylisting with a very long timeout would give you. Of course, spamming tools will evolve, so then you consider increasing the timeouts. Too far, tho, and it's worse than where you started. And I don't think you'd ever get to where you'll be able to take into account DNSBL latency. > Have you incorporated tools like DCC or Razor into your > methodology? Do you know how greylisting with a minimum delay time > (e.g., 30 minutes) would effect DCC and/or Razor, in terms of their > efficiency? [1] Do also consider that our 2.58% number is based over a 14 _day_ interval. There's no way of telling the distribution of that DNSBL "catchup" over the 14 days. I don't think the DNSBL latencies on individual IPs is anywhere near close to the latency of update. Ie: there's no particular reason why a given IP hits the third party DNSBL detector at the same time it first hits you. It takes time (as much as hours) for decent/"polite" open relay/proxy testing. So, short of perhaps the CBL (and SpamCop of course) which doesn't do server testing, it's not possible to get latency down _that_ short even for direct query. [2] That's not _entirely_ true, I've seen some spammers that retry 550's after DATA several times very quickly (within minutes). Not sure whether that's proxy or relay behaviour. _______________________________________________ Asrg mailing list Asrg@ietf.org https://www1.ietf.org/mailman/listinfo/asrg
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Alan Monaghan
- [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Markus Stumpf
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- RE: [Asrg] 7. Best Practices - DNSBLs - Article david nicol
- Re: [Asrg] 7. Best Practices - DNSBLs - Article david nicol
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Christopher Bird
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Tom Thomson
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Christopher Bird
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Markus Stumpf
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Jason Steiner
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Steven G. Willis
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Justin Mason
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Justin Mason
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Justin Mason
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Justin Mason
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Daniel Feenberg
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Paul Judge
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Paul Judge
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Justin Mason
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Jason Steiner
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Jason Steiner
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Walter Dnes
- RE: [Asrg] 7. Best Practices - DNSBLs - Article Tom Thomson
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Walter Dnes
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Justin Mason
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Justin Mason
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Scott Nelson
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Peter J. Holzer
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Brad Knowles
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Yakov Shafranovich
- Re: [Asrg] 7. Best Practices - DNSBLs - Article Chris Lewis