Re: How I deal with (false positive) IP-address blacklists...

Peter Dambier <peter@peter-dambier.de> Tue, 09 December 2008 20:12 UTC

Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 56F8328C14C; Tue, 9 Dec 2008 12:12:45 -0800 (PST)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 67AD83A6996 for <ietf@core3.amsl.com>; Tue, 9 Dec 2008 12:12:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.226
X-Spam-Level:
X-Spam-Status: No, score=-1.226 tagged_above=-999 required=5 tests=[AWL=-0.519, BAYES_00=-2.599, J_CHICKENPOX_52=0.6, MISSING_HEADERS=1.292]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id STBeg6PB0aBk for <ietf@core3.amsl.com>; Tue, 9 Dec 2008 12:12:35 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 6CA4C3A6B5E for <ietf@ietf.org>; Tue, 9 Dec 2008 12:12:32 -0800 (PST)
Received: (qmail invoked by alias); 09 Dec 2008 20:12:24 -0000
Received: from p3EE3D985.dip.t-dialin.net (EHLO [7.19.30.41]) [62.227.217.133] by mail.gmx.net (mp022) with SMTP; 09 Dec 2008 21:12:24 +0100
X-Authenticated: #8956597
X-Provags-ID: V01U2FsdGVkX1+PBp8GJ2mPspHWYOuHlsndTW87LQ+q+o/bPdbKmA wxvGR9yZprpwAo
Message-ID: <493ED123.4010708@peter-dambier.de>
Date: Tue, 09 Dec 2008 21:12:19 +0100
From: Peter Dambier <peter@peter-dambier.de>
Organization: Cesidian Root
User-Agent: Thunderbird 2.0.0.18 (X11/20081125)
MIME-Version: 1.0
CC: ietf@ietf.org
Subject: Re: How I deal with (false positive) IP-address blacklists...
References: <20081209061829.GA13153@mit.edu> <493EC59E.1050002@dcrocker.net>
In-Reply-To: <493EC59E.1050002@dcrocker.net>
X-Enigmail-Version: 0.95.0
OpenPGP: id=EB5CCB28; url=http://peter-dambier.de/pgp/
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.61
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: peter@peter-dambier.de
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

There is one thing I could prove when counting the emails going
through the mailer I am responsible for.

When we started blocking emails from dynamic addresses we
reduced spam by 50%.

The gurus would not believe but I could show them, when we
blocked all but the dynamic addresses we could reduce spam
by 50% too.

The bad side, we could not show how many legitimate mails
did not come through in either case. They were lost.

Mailblockers maintained by humans are never perfect. Spamhaus
proved that when they knowingly blocked atnic.at although
atnic.at had never sent spam.

There is little difference between a mailblocker maintained
by humans and a greylist maintained by your own computer
except you can correct problems yourself.

When I see mailblockers usually blocking all dynamic addresses
then I can conclude from my observations that they have at
least 50% false positives.

There is a minor annoyance with greylists - broken mailers
and people with 50 outgoing mailers.

Broken mailers are mostly spammers, more than 50%.

People with more than 50 outgoing mailers are mostly the
source of all that spam. So the greylist is no worse than
a mailblocker and it always gives you a second chance.
A mailblocker does not.

Looking into my exim4 log I can see more than 90% of spam
gets lost when some bot on a hitch-hiked machine tries to
imitate a mailer.

When you try TLS on an incoming mail they all get lost.

So why do they set up expensive machines in a colo to run
a mailblocker?

Money!

And you can put those few people with 50 outgoing mailers
on your whitelist.

Kind regards
Peter


Dave CROCKER wrote:
> 
> 
> Theodore Tso wrote:
>> This doesn't work for most people, but I had fun composing this
>> response, and coming just a few weeks after people claiming that
>> IP-based blacklists work well, and rarely result in false positives, I
>> felt I just had to share.   :-)
> 
> 
> Ted,
> 
> Evidently you believe that the anecdote you posted proves something, but
> I am not sure what.
> 
> Some others have suggested that it proves something which, I strongly
> suspect, is not what you had in mind.
> 
> Perhaps you can clarify the purpose of your note.  How should it be
> incorporated into the IETF's deliberations?
> 
> If you believe that it demonstrates that blacklists do not work well
> and/or do not rarely result in false positives, perhaps you can document
> the basis for that assessment.
> 
> I feel confident that you do not intend a single anecdote, about minor
> email service participants, to serve as the basis for such a global
> conclusion about a mechanism that is implemented and relied on by
> virtually every professionally-run email receiving service on the planet.
> 
> Thanks.
> 
> d/
> 

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
http://www.peter-dambier.de/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
ULA= fd80:4ce1:c66a::/48
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
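The greylist the post contrasts with a human-maintained blocklist, as an added example (not the poster's exim4 setup): the receiving host records the (client IP, sender, recipient) triplet, defers the first attempt, accepts a retry after a delay, and whitelists operators that send from many outgoing hosts. The policy values, network range and addresses are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Policy knobs: assumed values for this example, not taken from the post.
MIN_RETRY_DELAY = 300        # seconds before a retry of the same triplet is accepted
RECORD_LIFETIME = 36 * 3600  # forget a triplet that never comes back

# Senders with many outgoing mailers may retry from a different IP each time and
# would never pass the triplet check, so the post whitelists them. Constructed range.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]

Triplet = Tuple[str, str, str]


class Greylist:
    """Greylist kept by the receiving host, keyed on (client IP, sender, recipient)."""

    def __init__(self) -> None:
        self.first_seen: Dict[Triplet, float] = {}

    def decide(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        """Return 'accept' or 'defer' (the latter becomes a 4xx temporary failure)."""
        if any(ipaddress.ip_address(client_ip) in net for net in WHITELIST):
            return "accept"
        key = (client_ip, sender.lower(), recipient.lower())
        seen = self.first_seen.get(key)
        if seen is None or now - seen > RECORD_LIFETIME:
            self.first_seen[key] = now   # first attempt: ask the client to try again later
            return "defer"
        if now - seen < MIN_RETRY_DELAY:
            return "defer"               # retried too fast for a queueing MTA
        return "accept"


def simulate() -> Dict[str, List[str]]:
    """Replay three constructed senders and collect the verdicts each received."""
    gl = Greylist()
    rcpt = "peter@example.net"
    out: Dict[str, List[str]] = {"real_mta": [], "bot": [], "whitelisted": []}
    # A real MTA queues the deferred message and retries 15 minutes later.
    for t in (0, 900):
        out["real_mta"].append(gl.decide("198.51.100.7", "alice@example.org", rcpt, t))
    # A bot on a hijacked machine fires once and never retries: the spam is lost.
    out["bot"].append(gl.decide("203.0.113.9", "x@spam.example", rcpt, 0))
    # A whitelisted bulk sender using many outgoing hosts is never delayed.
    out["whitelisted"].append(gl.decide("192.0.2.45", "news@bulk.example", rcpt, 0))
    return out
```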