October 21, 2011

APEWS.ORG data usage

Due to the decline in use / effectiveness of Usenet for antispam, which formerly had newsgroups called news.admin.net-abuse.blocklisting and news.admin.net-abuse.sightings (both now inactive), here is a place where users of the APEWS.ORG database can publish their experience and any problems or errors. On their website, http://www.APEWS.ORG has asked for evidence of errors so that they can improve their data, and to my knowledge no single place exists for that purpose.

In choosing an antispam solution for email servers, there are point-scoring methods like SpamAssassin and there are DNS-based block lists (DNSBL). Operating my own business servers and not having the resources of perhaps larger corporations, I needed an approach that would seriously cut into the, at times, overwhelming number of inbound emails. I came across Apews.org shortly after SPEWS ceased to be updated and after finding other DNSBLs to be inadequate. However, if you Google this DNSBL, the majority of information available suggests that the data represents an overly aggressive approach with too many false positives.

Rather than just believe what I found, especially since there was little evidence of the false positives, I decided to test the IP-based L2.APEWS.ORG data, which they recommend be used for scoring in addition to other DNSBL services like Spamhaus, Spamcop, Sorbs etc. via SpamAssassin or similar. Knowing your clients and having a good whitelist is essential these days and I doubt anyone would put an email server online without one. My own whitelist has come from more than 10 years of experience and accumulated knowledge, thus testing inbound connections first against the whitelist, before the blacklist, produces almost zero errors.

During the last few years there have been very few statistics websites that compared True Positives [TP] and False Positives [FP] from the use of a single DNSBL e.g. Spamhaus, Spamcop, UCEProtect or Sorbs etc. By 2008 it seemed that L2.APEWS.ORG had a very high [90%] spam catch rate [TP] together with a reducing level of false positives [FP], but the website operator didn't elaborate much on the FP, only referring to the mail stream as being USA based and including some marketing emails for products, services, and reviews of same. No other free DNSBL comes close from what I can see; http://www.UCEProtect.net have 3 databases and if all are used then their results appear to be about the same if not a little better, approx 1% to 1.5% higher TP currently.

I have configured my email servers to use the L2.APEWS.ORG DNSBL in real time during the SMTP session, after first querying the whitelist. If the IP address is unknown or untrusted and is then found to be listed in L2.APEWS.ORG, the email servers don't reject the email; they just flag it as probable spam by adding an X-Header, which a script then uses to move the flagged emails to the user's spam / junk folder.

Note my criteria and requirements:
  • Email servers are used for both local and remote users
  • Users to/from UK, West/Central Europe, USA, India, Australia, also roaming users including Far East
Source of emails [almost all private emails are via free webmail providers]
  • approx 40% are received via Yahoo, Gmail, AOL & Hotmail users
  • approx 40% are received via contracted email services [negligible spam received] e.g. messagelabs, psmtp, frontbridge, bigfish, postini, mxlogic etc
  • approx 15% are from client owned corporate servers [negligible spam received] and includes many international and regional banks, USA / EU government departments etc
  • approx 5% are newsletters and social networking contact [negligible spam received] e.g. reuters, alertnet, foxnews, cnn, nytimes, dartmail, collab, cheetah, ezinedirector, sun microsystems, symantec, linkedin, facebook, myspace, flickr, digg, naymz.com [changed back after being visible.me], mbox, j2global, iht, osac.gov, oecd, imf.org, worldbank, natgeo, dhl, ups, fedex, deutscheposte, usps, dealertime, shopping.com, amazon.com, aa.com, continental air, virgin, travelocity, hotel.com, cheaptickets, lufthansa etc
  • hard/soft-ware suppliers & manufacturers e.g. HP, Dell, Cisco, Microsoft, Apple, Macromedia, Adobe, sourceforge etc
  • Very few emails are received via ISP smtp servers / smart hosts [negligible spam received] e.g. rogers, rogerstelcom, earthlink, mindspring, prodigy, comcast, sprint, sprintlink, btinternet, bt.com, demon, shaw, shawcable, qwest, adelphia, bellatlantic, bell, bellglobal, bellsouth, bellnexxia, swbell, bellhosting, att, ownmail, telstra, megacity, free2surf, charter, level3, optus, sonic, orange, vodafone, pipex, t-online, dtag, t-mobil, cox, coxinternet, verizon, cogentco, blueyonder, bigpond, roadrunner, twtelecom, nortel etc
  • Almost zero emails are received via domain Registrars [negligible spam received] e.g. networksolutions, netsol, register, joker, gandi, godaddy, tucows etc
  • Complaints by email relating to abuse from my servers can be received to role accounts here from major dnsbl operators for each domain name hosted e.g. spamhaus, spamcop, sorbs, abuseat, ahbl, uceprotect, robtex, njabl, mail-abuse, uceb, abuse-net, whitelisted trusted sender servers
  • all the above are regarded as trusted senders and as such have been whitelisted here
  • the only spam received into user inboxes comes almost entirely from free webmail user accounts or unlisted IP addresses, True Positive is better than 99% because of a good whitelist
  • all emails in a user's spam/junk folder have been found to be spam i.e. correctly identified and after running email client spam filters on the mailboxes. The FP% is extremely low, less than 0.05%.

In conclusion, the use of L2.APEWS.ORG has, for us, removed the spam problem to the extent that the few spam we do receive are via Yahoo, Gmail, AOL and Hotmail servers to which we need to give access. It has been said that of the world's total daily email volume, approx 97% is unsolicited bulk email, and our experience accords with that statistic. The remaining 3% of the world's total daily email volume is solicited, and the above figures represent an approximate analysis of the source and/or nature as it pertains to our business mail stream. These are our findings and no warranty either express or implied exists regarding these findings, since each mail stream is unique to the particular business or network.
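The policy described above (whitelist first, then a real-time DNSBL lookup, and tagging rather than rejecting a listed sender) as an added Python example. This is not code from the original post or from APEWS; the whitelist networks, the header name `X-DNSBL-Flag`, the fake zone data and the `127.0.0.2` answer are constructed for the example, and only `live_resolver` talks to real DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional, Tuple

# Constructed whitelist of trusted sender networks (RFC 5737 documentation
# ranges, not real senders).  The post's point: the whitelist is consulted
# BEFORE any DNSBL lookup, so a trusted sender can never be flagged.
WHITELIST = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

DNSBL_ZONE = "l2.apews.org"   # the zone the post tests

# Header name is an assumption; the post only says "an X-Header".
FLAG_HEADER = "X-DNSBL-Flag"

Resolver = Callable[[str], Optional[str]]   # query name -> A record or None


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: the IPv4 octets reversed, then the zone.
    For 203.0.113.9 and zone l2.apews.org this is 9.113.0.203.l2.apews.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4 DNSBL lookups")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def is_whitelisted(ip: str) -> bool:
    """True when the connecting IP falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def live_resolver(name: str) -> Optional[str]:
    """Real DNS A lookup (needs network); None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_connection(ip: str, resolve: Resolver) -> Tuple[str, Dict[str, str]]:
    """Decide what to do with an inbound SMTP connection from `ip`.

    Returns (decision, extra_headers) where decision is "accept" or "flag".
    Mirrors the post's policy: whitelist first, then DNSBL; a listed IP is
    never rejected at SMTP time, it is accepted and tagged so a later script
    can file the message in the user's junk folder.
    """
    if is_whitelisted(ip):
        return "accept", {}
    answer = resolve(dnsbl_query_name(ip))
    if answer is None:
        return "accept", {}
    return "flag", {FLAG_HEADER: f"{ip} listed in {DNSBL_ZONE} (answer {answer})"}


# Constructed, offline stand-in for DNS: only one query name "exists".
# DNSBL answers are conventionally 127.0.0.x; the exact value here is made up.
FAKE_ZONE_DATA = {"9.113.0.203.l2.apews.org": "127.0.0.2"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.55", "203.0.113.9", "203.0.113.10"):
        print(ip, classify_connection(ip, fake_resolver))
```

Swapping `fake_resolver` for `live_resolver` turns this into a real lookup; keeping the resolver injectable is what lets the decision logic be tested without a network, and it also makes it trivial to add a cache or a query timeout in front of the DNSBL.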

7 comments:

  1. It is worth mentioning that after a few weeks of testing live commercial systems, we are very satisfied with the results. This costs us nothing to use even as a business whereas spam used to cost employee time so we're saving money.

    The numbers above have been amended today, the true positives were at 96%, now at 97% here using L2.Apews.org out-of-the-box in realtime with no whitelist or filtering. The false positives were < 1%, now extremely low at < 0.05% by volume of emails.

    Under normal circumstances, and recommended for Administrators, we would use our inhouse whitelist followed by filters both server side and client side, and achieve 99.9% true positives. Only for the purposes of this blog have we put some servers aside for testing and reporting.

  2. Our public IP 81.43.121.231 is in your database but we are not spammers. This public IP is one we have only recently had. Could we have it removed? Thank you very much.

    Entry matching your Query: E-325557
    81.43.0.0/16
    --------------------------------------------------------------------------------
    CASE: C-1403
    Dynamic IP space, generic DNS/rDNS, no PTR
    Direct connections to MX not permitted, you
    need to use your ISP servers or smarthost
    --------------------------------------------------------------------------------
    Special Reason:
    Dynamic IP, generic DNS, missing rDNS/PTR not permitted for direct email connection. You must use correctly configured [with registered working abuse contact] static IP / ISP mail servers / smarthost service
    --------------------------------------------------------------------------------
    History:
    Entry created 2008-02-26

  3. Your public IP address of 81.43.121.231 is rented from RIMA in Madrid, Spain. They are a well known ISP with huge IP allocations but not the best of reputations for spam control. Using the SamSpade tool, see recent post, we can see from Whois that:
    81.43.0.0/16
    descr: RIMA (Red IP Multi Acceso)
    origin: AS3352
    mnt-by: MAINT-AS3352

    Now for a second opinion, try Senderbase.org http://www.senderbase.org/ and put your IP address in the box over on the right where it says network reputation lookup. Just above where the results list starts and in the center you can change the /31 by selecting /16 from the drop-down choice box. We choose /16 because that is what RIMA control as above. Click GO and we get a list of detected email senders, their volume and an indication of their reputation including how many blacklists have them listed and which blacklists they are. Note that Senderbase do not test Apews.org data for some reason but they will show listings in the following blacklists;
    dnsbl.njabl.org
    dnsbl.sorbs.net
    bl.spamcop.net
    cbl.abuseat.org
    sbl.spamhaus.org
    pbl.spamhaus.org

    Looking at the results list we see that there are nearly 1000 email senders, almost none have a hostname or correct reverse DNS, many are shown in red as a poor reputation, and worse is that many are listed in blacklists for abuse. A CIDR the size of /16 which is designated multi-access and looks like this gives the appearance of non-commercial and untrustworthy IP space.

    Looking at the Apews.org listing, their description actually seems correct. You have to take the point of view of the users and Administrators around the world, how trustworthy is the IP address connecting to their server. I doubt that the information available about that /16 is good enough for Apews to change their listing of Feb 2008.

    Your own IP address looks like this to the outside world:
    231.Red-81-43-121.staticIP.rima-tde.net
    That looks like a DSL modem in a house and is typical of a home user that can have an infected personal computer.

    Suggestions for your problem then:
    1) Decide how important sending email is to you and then choose a service provider accordingly. RIMA is not a good choice as you can see but you can buy professional email services (smart host) from anywhere in the world and manage sending your emails from your RIMA internet connection.

    2) If you insist on staying with RIMA then it would be a good idea to ask for a different IP address, one that is not listed in blacklists. The value of an unlisted IP address is much higher than one that is listed. Deliverability is about IP reputation these days.

    3) You would be best with a domain name for your public IP address and then ask your ISP to create a forward (A host record) and reverse (PTR record) in their DNS. In this way your email server announces itself correctly to the world and its identity can be verified, scoring points in trust.

    4) Try to comply with the requirements of the RFCs and consider being listed with whitelist services e.g. http://dnswl.org/ and http://whitelisted.org/ .

    5) Ask your clients to whitelist your IP address on their servers so that your emails still get delivered to them.

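The checks the reply above walks through by hand (is there a PTR, does the forward record point back at the same address, and does the name look like an ISP-generated one such as 231.Red-81-43-121.staticIP.rima-tde.net) as an added Python example. This is not code from the blog or from any of the tools named in the reply; the hostnames and addresses in `FAKE_PTR` / `FAKE_FWD` are constructed in the .invalid TLD and RFC 5737 ranges, the "generic name" test is a simple heuristic (all four octets appear in the PTR name), and only `live_ptr` / `live_fwd` query real DNS.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR hostname, or None
FwdLookup = Callable[[str], List[str]]       # hostname -> IPv4 addresses


def looks_generic(ip: str, hostname: str) -> bool:
    """Heuristic: a PTR name that embeds all four octets of the address
    (e.g. 9.113-0-203.dsl.example.invalid) was generated by the ISP for a
    whole pool, which is the 'generic rDNS' pattern the reply describes."""
    tokens = set(re.split(r"[^0-9a-z]+", hostname.lower()))
    return all(octet in tokens for octet in ip.split("."))


def check_sender_dns(ip: str, ptr: PtrLookup, fwd: FwdLookup) -> Dict[str, object]:
    """Collect the facts a receiving MTA can verify about a connecting IP:
    its PTR, whether forward-confirmed rDNS holds, and whether it is generic."""
    result: Dict[str, object] = {"ip": ip, "ptr": None, "fcrdns": False, "generic": False}
    hostname = ptr(ip)
    if hostname is None:
        return result                       # no reverse record at all
    result["ptr"] = hostname
    result["fcrdns"] = ip in fwd(hostname)  # A record(s) must include the IP
    result["generic"] = looks_generic(ip, hostname)
    return result


def trust_verdict(result: Dict[str, object]) -> str:
    """Turn the facts into the order of severity the reply implies."""
    if result["ptr"] is None:
        return "no-ptr"
    if not result["fcrdns"]:
        return "fcrdns-mismatch"
    if result["generic"]:
        return "generic-rdns"
    return "ok"


# Real lookups (need network); the offline fakes below mirror their shape.
def live_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_fwd(hostname: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


# Constructed DNS data: a generic pool name, a proper mail host, a PTR whose
# forward record points elsewhere, and an address with no PTR at all.
FAKE_PTR = {
    "203.0.113.9": "9.113-0-203.dsl.example.invalid",
    "198.51.100.7": "mail.example.invalid",
    "203.0.113.20": "spoof.example.invalid",
}
FAKE_FWD = {
    "9.113-0-203.dsl.example.invalid": ["203.0.113.9"],
    "mail.example.invalid": ["198.51.100.7"],
    "spoof.example.invalid": ["198.51.100.99"],
}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_fwd(hostname: str) -> List[str]:
    return FAKE_FWD.get(hostname, [])


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.7", "203.0.113.20", "203.0.113.50"):
        facts = check_sender_dns(ip, fake_ptr, fake_fwd)
        print(ip, trust_verdict(facts), facts)
```

The verdict order matters: a name that fails forward confirmation is reported before the generic-name heuristic, because an unconfirmed PTR says nothing reliable about the host at all, whereas a confirmed but generic name is genuinely that ISP's pool address.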
  4. Hi,
    Kindly remove our client's static IP 122.53.87.98 from your blacklist. This has been subdelegated and with reverse DNS. This is not listed in MXToolbox. IP is however listed in APEWS due to a 2008 listing. Please remove. Thank you. Please find below part of sample copy of bounced email.

    To: luis.labos@philsinter.com.ph
    From: "Mail Delivery System"
    Subject: Delivery Status Notification (Failure)
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status; boundary="hpH.4rx38b8Zf.1KL3dh.5o8xcXZ"
    --hpH.4rx38b8Zf.1KL3dh.5o8xcXZ
    content-type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    The following message to was undeliverable.
    The reason for the problem:
    5.3.0 - Other mail system problem 550-'Denied by policy'
    --hpH.4rx38b8Zf.1KL3dh.5o8xcXZ
    content-type: message/delivery-status
    Reporting-MTA: dns; ironport.philsinter.com.ph
    Final-Recipient: rfc822;daniel.san-diego@ph.abb.com
    Action: failed
    Status: 5.0.0 (permanent failure)
    Remote-MTA: dns; [210.24.147.42]
    Diagnostic-Code: smtp; 5.3.0 - Other mail system problem 550-'Denied by policy' (delivery attempts: 0)
    --hpH.4rx38b8Zf.1KL3dh.5o8xcXZ
    content-type: message/rfc822
    X-IronPort-Anti-Spam-Filtered: true

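A parser for the bounce format quoted in the comment above (a multipart/report message carrying a message/delivery-status part, RFC 3464) as an added Python example, using only the standard library. This is not code from the blog or from the commenter; `SAMPLE_DSN` is constructed to follow the same structure as the quoted bounce but with placeholder hosts in the .invalid TLD and a documentation-range Remote-MTA address, and the classifier labels are this example's own.

```python
import email
from email import policy
from typing import Dict, List, Optional

# Constructed DSN modelled on the bounce quoted in the comment (human-readable
# part, message/delivery-status part, returned original).  All hosts and
# addresses are placeholders; 192.0.2.10 is an RFC 5737 documentation address.
SAMPLE_DSN = """\
From: "Mail Delivery System" <MAILER-DAEMON@mx.example.invalid>
To: sender@example.invalid
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The following message was undeliverable.
The reason for the problem:
5.3.0 - Other mail system problem 550-'Denied by policy'

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.invalid

Final-Recipient: rfc822; recipient@example.invalid
Action: failed
Status: 5.0.0
Remote-MTA: dns; [192.0.2.10]
Diagnostic-Code: smtp; 5.3.0 - Other mail system problem 550-'Denied by policy'

--b1
Content-Type: message/rfc822

From: sender@example.invalid
To: recipient@example.invalid
Subject: original message

(original body)
--b1--
"""


def _field(block, name: str) -> Optional[str]:
    """Read one header from a delivery-status block as a plain string."""
    value = block.get(name)
    return None if value is None else str(value).strip()


def parse_dsn(raw: str) -> Dict[str, object]:
    """Extract the machine-readable part of a DSN.

    The message/delivery-status body is a per-message header block followed by
    one header block per recipient; the email package exposes those blocks as a
    list payload, which is what we walk here.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report" or \
            msg.get_param("report-type") != "delivery-status":
        raise ValueError("not a delivery-status report")
    report: Dict[str, object] = {"reporting_mta": None, "recipients": []}
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()
        report["reporting_mta"] = _field(blocks[0], "Reporting-MTA")
        recipients: List[Dict[str, Optional[str]]] = report["recipients"]  # type: ignore[assignment]
        for blk in blocks[1:]:
            recipients.append({
                "final_recipient": _field(blk, "Final-Recipient"),
                "action": _field(blk, "Action"),
                "status": _field(blk, "Status"),
                "remote_mta": _field(blk, "Remote-MTA"),
                "diagnostic_code": _field(blk, "Diagnostic-Code"),
            })
    return report


def classify_recipient(rec: Dict[str, Optional[str]]) -> str:
    """Sort a per-recipient result into a queue a postmaster would act on.
    A 5.x.x status whose diagnostic text mentions policy (as in the quoted
    '550 Denied by policy') is the remote site's policy refusing us, which is
    the case where checking our own IP against blocklists is the next step."""
    status = rec.get("status") or ""
    diag = (rec.get("diagnostic_code") or "").lower()
    if rec.get("action") != "failed":
        return "non-failure"            # delayed, delivered, relayed, expanded
    if status.startswith("5") and "policy" in diag:
        return "permanent-policy-reject"
    if status.startswith("5"):
        return "permanent-failure"
    return "other-failure"


if __name__ == "__main__":
    parsed = parse_dsn(SAMPLE_DSN)
    for rec in parsed["recipients"]:                      # type: ignore[union-attr]
        print(rec["final_recipient"], classify_recipient(rec))
```

Parsing the structured part rather than the human-readable text is what makes this robust across MTAs: the prose differs from one vendor to the next, while Action, Status and Diagnostic-Code are fixed fields.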
  5. FreedomPop is the #1 ABSOLUTELY FREE mobile phone provider.

    Voice, SMS & data plans priced at £0.00/month.

  6. Your web site has huge delays and not working at all. Can you please remove our IP 85.25.79.149 ? Sorry to communicate from this blog but I don't have any other way to...

  7. I'm using AVG security for a number of years now, and I would recommend this product to you all.
