Saturday, January 8, 2011

DNSBL Safety Report 1/8/2011

UPDATE: See the latest DNSBL Safety Report for current recommendations. 

Here is a quick look at the safety and efficacy of a few DNSBLs for SpamAssassin.  Today's report looks into Hostkarma, Spam Eating Monkey, MailSpike, NiX Spam and PSBL.
NEW: This week's analysis looks more closely at safety, taking into consideration overlaps with established rules.  See last week's analysis for more details about the masscheck process used to collect the weekly statistical data in RuleQA.

Hostkarma: RCVD_IN_HOSTKARMA_BL (IMPROVED)
Compared to last week, this week's masscheck results show a slight improvement in spam detection, from 73% to 82.4%, with a sharp improvement in ham safety, from 1.47% ham to 0.638% ham.  Overlap with XBL is moderately high at 81%, but XBL has a low score of 0.375, so we can basically ignore it.  Overlaps do not seem to be a problem with HOSTKARMA_BL.  If only its safety rating were consistently better, it would become a firm recommendation.

Recommendation: We need to see consistent performance over a few months before recommending any increase of score.  Maybe 0.5 points for now.

SpamEatingMonkey: RCVD_IN_SEMBLACK (DOWNGRADE)
SEMBLACK (see last week's and this week's results) has been an inconsistent performer for the past year.  Performance and safety are slightly worse than last week.  This week I noticed a problem: its overlap with RCVD_IN_PBL is high, at 92% and 95%.  Given that PBL has a very high score (~3.3 points), it is dangerous to assign a high score to another DNSBL that overlaps so closely.  With this high overlap with a high-scored rule and continued weak safety ratings, it can be dangerous to assign a score to this rule.

Recommendation: Might not be worthwhile due to the high overlap with PBL.  I decided to use 0.2 points, mainly as tagging for informational purposes.
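
The overlap concern above, as an added example (not from the original post and not RuleQA's own code): it measures how often two DNSBL rules fire on the same message and what their scores add up to against the 5-point threshold. The hit sets are constructed, and the 80% cutoff and the 2.0 trial score for SEMBLACK are assumptions; overlap here means the share of one rule's hits that also hit the other.

```python
from itertools import combinations

THRESHOLD = 5.0  # SpamAssassin spam threshold referred to in the post

# Constructed sample: the set of DNSBL rules that fired on each message.
# This is NOT masscheck data; it only mimics the kind of overlap described.
SAMPLE_HITS = (
    [{"RCVD_IN_PBL", "RCVD_IN_SEMBLACK"}] * 9
    + [{"RCVD_IN_SEMBLACK"}, {"RCVD_IN_PBL"}]
    + [{"RCVD_IN_HOSTKARMA_BL", "RCVD_IN_XBL"}] * 4
    + [{"RCVD_IN_HOSTKARMA_BL"}, {"RCVD_IN_XBL"}]
)

# Scores quoted in the post (PBL is given as roughly 3.3).
CAUTIOUS = {
    "RCVD_IN_PBL": 3.3,
    "RCVD_IN_XBL": 0.375,
    "RCVD_IN_HOSTKARMA_BL": 0.5,
    "RCVD_IN_SEMBLACK": 0.2,
}
# Hypothetical alternative: SEMBLACK given a high score of its own.
RISKY = dict(CAUTIOUS, RCVD_IN_SEMBLACK=2.0)


def overlap_pct(hits, rule, other):
    """Percent of the messages hitting `rule` that also hit `other`."""
    fired = [h for h in hits if rule in h]
    if not fired:
        return 0.0
    return 100.0 * sum(other in h for h in fired) / len(fired)


def stacking_report(hits, scores, min_overlap=80.0, threshold=THRESHOLD):
    """List rule pairs that usually fire together, with their summed score.

    Each entry is (rule_a, rule_b, overlap %, combined score, crosses threshold).
    A pair that crosses the threshold marks mail as spam on one piece of
    evidence (the sending IP) counted twice.
    """
    report = []
    for a, b in combinations(sorted(scores), 2):
        pct = max(overlap_pct(hits, a, b), overlap_pct(hits, b, a))
        if pct >= min_overlap:
            total = round(scores[a] + scores[b], 3)
            report.append((a, b, round(pct, 1), total, total >= threshold))
    return report


if __name__ == "__main__":
    for label, scores in (("cautious", CAUTIOUS), ("risky", RISKY)):
        for row in stacking_report(SAMPLE_HITS, scores):
            print(label, *row)
```

With the 0.2 tagging score the PBL and SEMBLACK pair sums to 3.5 and stays under the threshold; with the hypothetical 2.0 score the same pair reaches 5.3 on its own.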

MailSpike: RCVD_IN_MSPIKE_BL (NO CHANGE)
Last week's and this week's results show a slight improvement in spam detection, to 73% during the past week.  The closest overlap with another DNSBL is PSBL at 70%, which is not bad.  This is further confirmation that this is a good DNSBL.

Recommendation: I recommend following their instructions to set up their rules.  You have the choice of the simple RCVD_IN_MSPIKE_BL, which works just fine, or, if you prefer, MSPIKE_L3, L4, L5 and Z, the components that combine into BL, to which you can assign more fine-grained scores.  I personally recommend staying below 2.5 points for any DNSBL rule, and using a maximum of maybe 2.1 points for MSPIKE_BL for now.

NiX Spam: RCVD_IN_NIX_SPAM (LOWER SCORE)
NiX Spam is a DNSBL operated by German media outlet Heise.de.  It is a bit unusual compared to other DNSBLs in that it only lists IP addresses for 12 hours.  For this reason we are having a difficult time measuring its performance using the traditional masscheck mechanisms.  Reportedly it works best for European mail.  Anecdotally I can report that it seems to catch merely ~20% of my spam, but for my American users its only consistent problem is disagreement with whitelist provider ISIPP.  Either NiX is wrong here, or this is pointing out real problems in IADB, which has been controversial in essentially being a "commercial pay for DNS whitelisting" service.  In any case the ham hits are such a low score that NiX alone will not bring a message anywhere near the 5 point spam threshold.

Recommendation: Maybe.  Last week I recommended 0.9 points, but I decided to be more cautious this week given that we have yet to measure it in masschecks.  If you decide to use this rule, I would use a cautious score like 0.3 points and use it mainly as informational tagging for now.

Passive Spam Block List: RCVD_IN_PSBL
spamassassin-3.3.0 added RCVD_IN_PSBL to the default ruleset.  Statistics for PSBL are excellent, making it one of the safest DNSBLs in existence.

Recommendation: If you are using an older version of spamassassin like 3.2.5 then this is an excellent add-on rule for your server.

header   RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags   RCVD_IN_PSBL net
score    RCVD_IN_PSBL 2.3
