Showing posts with label CIDR.

February 12, 2014

Whitelist included

Whilst checking the dataset of l2.APEWS.org (using the DNSBL editor), we found that there are now exclude records in the dataset, lots of them. When email servers use a DNSBL they send a lookup query, but if the IP address exists as an exclude record the lookup query returns "unlisted". It looks like thousands of IP addresses from whitelists have been included in this way, so the chance of errors is now greatly reduced. Certainly we've had none to report for a while, as you will have noticed. Checking some of those whitelisted IP addresses, they are those of trusted senders.

July 18, 2013

L2.APEWS.ORG False Positive #21

We're publishing this one for the record: the newsletter was found in the junk folder by the user but was in fact subscribed to. The IP address has already been de-listed, so this is just for information:

Tue 2013-07-16 05:49:33: [6716:1620] Accepting SMTP connection from [63.121.28.41]
Tue 2013-07-16 05:49:33: [6716:1620] Looking up PTR record for 63.121.28.41 (41.28.121.63.IN-ADDR.ARPA)
Tue 2013-07-16 05:49:34: [6716:1620] D=41.28.121.63.IN-ADDR.ARPA TTL=(59) PTR=[unicamailman301-q1.sb.monster.com]
Tue 2013-07-16 05:49:34: [6716:1620] Gathering A-records for PTR hosts
Tue 2013-07-16 05:49:34: [6716:1620] D=unicamailman301-q1.sb.monster.com TTL=(60) A=[63.121.28.41]
Tue 2013-07-16 05:49:34: [6716:1620] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Tue, 16 Jul 2013 05:49:34 -0500
Tue 2013-07-16 05:49:34: [6716:1620] <-- HELO unicamailman301-q1.sb.monster.com
Tue 2013-07-16 05:49:34: [6716:1620] Performing reverse lookup on unicamailman301-q1.sb.monster.com (looking for 63.121.28.41)
Tue 2013-07-16 05:49:34: [6716:1620] D=unicamailman301-q1.sb.monster.com TTL=(60) A=[63.121.28.41]
Tue 2013-07-16 05:49:34: [6716:1620] --> 250 xxx.xxx.xxx Hello unicamailman301-q1.sb.monster.com, pleased to meet you
Tue 2013-07-16 05:49:34: [6716:1620] <-- MAIL FROM:<smas.30-230433_448550_3@e0.monster.com>
Tue 2013-07-16 05:49:34: [6716:1620] Performing reverse lookup on e0.monster.com (looking for 63.121.28.41)
Tue 2013-07-16 05:49:34: [6716:1620] D=e0.monster.com TTL=(10) A=[63.112.169.1]
Tue 2013-07-16 05:49:35: [6716:1620] P=020 D=e0.monster.com TTL=(10) MX=[mailsorter.sb.monster.com] {63.121.30.235}
Tue 2013-07-16 05:49:35: [6716:1620] P=020 D=e0.monster.com TTL=(10) MX=[mailsorter.be.tmpw.net] {208.71.195.235}
Tue 2013-07-16 05:49:35: [6716:1620] Spam Blocker A-record resolution of [41.28.121.63.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Tue 2013-07-16 05:49:35: [6716:1620] Spam Blocker D=41.28.121.63.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Tue 2013-07-16 05:49:35: [6716:1620] L2.APEWS.ORG LISTED
Tue 2013-07-16 05:49:35: [6716:1620] Message will be accepted and X-RBL-Warning: header will be inserted.
Tue 2013-07-16 05:49:35: [6716:1620] --> 250 <smas.30-230433_4 @ .monster.com>, Sender ok
Tue 2013-07-16 05:49:35: [6716:1620] <-- RCPT TO:<xxx@xxx.xxx>
Tue 2013-07-16 05:49:35: [6716:1620] --> 250 <xxx@xxx.xxx>, Recipient ok
Tue 2013-07-16 05:49:35: [6716:1620] <-- DATA
Tue 2013-07-16 05:49:35: [6716:1620] --> 354 Enter mail, end with <CRLF>.<CRLF>
Tue 2013-07-16 05:49:36: [6716:1620] --> 250 Ok, message saved <Message-ID: emsg.826.7140f20 @ unica7emsg201.be.monster.com>
Tue 2013-07-16 05:49:36: [6716:1620] <-- QUIT
Tue 2013-07-16 05:49:36: [6716:1620] --> 221 See ya in cyberspace
Tue 2013-07-16 05:49:36: [6716:1620] SMTP session successful, 13598 bytes transferred.
Tue 2013-07-16 05:49:36: [6716:1620] Shuffling message(s) into proper queue(s)
Tue 2013-07-16 05:49:36: [6716:1620] Message received from unicamailman301-q1.sb.monster.com [63.121.28.41] <smas.30-230433_448550_3 @ .monster.com> with SMTP for <xxx@xxx.xxx> [Size 0] {j:\localq\1150000318214.msg}
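As an added example (not part of this post, and not MDaemon code), here is a small Python parser for session logs in the format shown above. It groups lines by session id, pulls out the connecting IP, the PTR and HELO names and each DNSBL zone's answer, and produces a triage row for the sessions that were listed, which is the information a false-positive review starts from. The regular expressions are assumptions based only on the line shapes visible on this page; the first two sample sessions are abridged from the logs on this page, the third is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input. The first two sessions are abridged from the MDaemon
# logs reproduced on this page; the third is invented (documentation address
# 192.0.2.10) to show a session that no DNSBL zone answered.
SAMPLE_LOG = """\
Tue 2013-07-16 05:49:33: [6716:1620] Accepting SMTP connection from [63.121.28.41]
Tue 2013-07-16 05:49:34: [6716:1620] D=41.28.121.63.IN-ADDR.ARPA TTL=(59) PTR=[unicamailman301-q1.sb.monster.com]
Tue 2013-07-16 05:49:34: [6716:1620] <-- HELO unicamailman301-q1.sb.monster.com
Tue 2013-07-16 05:49:35: [6716:1620] Spam Blocker D=41.28.121.63.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Tue 2013-07-16 05:49:35: [6716:1620] L2.APEWS.ORG LISTED
Tue 2013-07-16 05:49:35: [6716:1620] Message will be accepted and X-RBL-Warning: header will be inserted.
Tue 2013-07-16 05:49:36: [6716:1620] SMTP session successful, 13598 bytes transferred.
Wed 2012-06-06 08:55:21: [140:457] Accepting SMTP connection from [109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] D=210.106.123.109.IN-ADDR.ARPA TTL=(1439) PTR=[srv-eight.clevercherry.net]
Wed 2012-06-06 08:55:21: [140:457] <-- EHLO srv-eight.clevercherry.net
Wed 2012-06-06 08:55:21: [140:457] Spam Blocker D=210.106.123.109.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-06-06 08:55:21: [140:457] L2.APEWS.ORG LISTED
Wed 2012-06-06 08:55:21: [140:457] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2012-06-06 08:55:21: [140:457] SMTP session successful, 15603 bytes transferred.
Sat 2012-03-17 03:26:37: [7708:766] Accepting SMTP connection from [192.0.2.10]
Sat 2012-03-17 03:26:38: [7708:766] <-- EHLO mail.example.net
Sat 2012-03-17 03:26:38: [7708:766] SMTP session successful, 959 bytes transferred.
"""

# Line shapes assumed from the log excerpts on this page.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): \[(?P<sid>[^\]]+)\] (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"Accepting SMTP connection from \[(?P<ip>[\d.]+)\]")
PTR_RE = re.compile(r"PTR=\[(?P<ptr>[^\]]+)\]")
HELO_RE = re.compile(r"<-- (?:HELO|EHLO) (?P<helo>\S+)")
DNSBL_RE = re.compile(r"Spam Blocker D=(?P<name>\S+) TTL=\(\d+\) A=\[(?P<answer>[\d.]+)\]")


@dataclass
class Session:
    sid: str
    started: str
    ip: str = ""
    ptr: str = ""
    helo: str = ""
    dnsbl: dict = field(default_factory=dict)  # zone -> A record it answered
    flagged: bool = False                      # X-RBL-Warning header inserted


def reverse_octets(ip: str) -> str:
    """63.121.28.41 -> 41.28.121.63, the form DNSBL query names use."""
    return ".".join(reversed(ip.split(".")))


def parse_sessions(text: str) -> dict:
    """Group lines by session id and keep the fields a DNSBL-hit review needs.
    Keyed by session id only; a multi-day log should also key on the date."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # separator lines such as "----------"
        sid, msg = m["sid"], m["msg"]
        s = sessions.setdefault(sid, Session(sid=sid, started=m["ts"]))
        if (c := CONNECT_RE.search(msg)):
            s.ip = c["ip"]
        elif (p := PTR_RE.search(msg)):
            s.ptr = p["ptr"]
        elif (h := HELO_RE.search(msg)):
            s.helo = h["helo"]
        elif (d := DNSBL_RE.search(msg)):
            # The query name is <reversed octets>.<zone>; keep the zone only
            # when the reversed octets really belong to this session's IP.
            prefix = reverse_octets(s.ip) + "."
            if d["name"].startswith(prefix):
                s.dnsbl[d["name"][len(prefix):]] = d["answer"]
        elif "X-RBL-Warning" in msg:
            s.flagged = True
    return sessions


def listed_sessions(sessions: dict) -> list:
    """Sessions in which at least one zone answered: the review candidates."""
    return [s for s in sessions.values() if s.dnsbl]


def review_row(s: Session) -> dict:
    """One triage row; forward/reverse DNS agreement is the cheapest first
    signal that a listed sender is a properly run mail host."""
    return {
        "ip": s.ip,
        "ptr": s.ptr,
        "helo": s.helo,
        "ptr_matches_helo": bool(s.ptr) and s.ptr == s.helo,
        "hits": dict(s.dnsbl),
        "flagged": s.flagged,
    }


if __name__ == "__main__":
    for sess in listed_sessions(parse_sessions(SAMPLE_LOG)):
        print(review_row(sess))
```

Feeding a day's log through `parse_sessions` and filtering with `listed_sessions` gives exactly the sessions that ended up in junk folders because of the DNSBL, which is the set a user complaint has to be checked against.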

June 14, 2012

Some analysis of Apews data

This has taken a while since there is a lot of it! By comparing our own records with listings that exist in the Apews dataset we have been able to conclude the following;

Single IP addresses that have made a direct connection to our servers in order to send spam email have also been found in C-1, C-2, C-12, C-35, C-52, C-53, C-66, C-67, C-73 and C-630.

Listings that are mostly /24 can be found in C-3, C-11, C-13, C-21, C-36, C-41, C-130, C-1375 and C-1402. These /24s generally include the single IP addresses above, suggesting that they may be escalations.

Single IP addresses that have done port scanning, SSH probes, attempted PHP or SQL injection or password guessing, or that host landing pages containing viruses, trojans etc., have only been found in C-16 and C-86.

CIDR blocks that contain residential customers, typically with no reverse DNS or with generic host names (as noted in some records by Apews), have been found in C-22, C-1010 and C-1403. These are often referred to as dynamic, since they can be large DHCP pools too. Such CIDR blocks would not be RFC compliant for the sending of email.

Other CIDR blocks, usually larger than /24, can be found in C-14, C-15, C-17, C-18, C-20, C-79, C-258 and C-813.
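As an added example (not from the post, and using no real APEWS data), the following Python shows how the comparison described in this post can be done mechanically with the standard `ipaddress` module: given listings as (network, case number) pairs and a list of addresses observed sending spam directly, it reports which cases each address falls under, which single-address listings sit inside a wider /24-or-larger listing (the escalation pattern noted above), and which observed addresses are not listed at all. The networks are constructed from documentation and benchmark ranges, and the case numbers attached to them are placeholders chosen to echo the ones above, not real assignments.

```python
import ipaddress
from collections import defaultdict

# Constructed sample dataset: (network, case number). The networks are
# documentation/benchmark ranges and the case numbers are placeholders.
LISTINGS = [
    ("192.0.2.15/32", "C-1"),
    ("192.0.2.77/32", "C-12"),
    ("192.0.2.0/24", "C-3"),
    ("198.51.100.0/24", "C-11"),
    ("203.0.113.0/24", "C-1375"),
    ("198.18.0.0/19", "C-14"),
    ("100.64.0.0/22", "C-22"),
]

# Constructed: addresses "our" servers saw connecting directly to send spam.
OBSERVED_SPAM_SOURCES = [
    "192.0.2.15", "192.0.2.77", "198.51.100.9",
    "198.18.5.4", "100.64.1.1", "198.18.64.1",
]


def parse_listings(rows):
    """Turn (cidr string, case) rows into (ip_network, case) pairs."""
    return [(ipaddress.ip_network(net, strict=False), case) for net, case in rows]


NETWORKS = parse_listings(LISTINGS)


def matching_listings(ip, networks=NETWORKS):
    """Every listing containing ip, most specific (longest prefix) first."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, case) for net, case in networks if addr in net]
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [(str(net), case) for net, case in hits]


def escalations(networks=NETWORKS, min_container=24):
    """Pair each single-address (/32) listing with the widest listing of at
    least a /24 that contains it: the pattern the post reads as an escalation
    from one host to its neighbourhood. Returns (ip, case, container, case)."""
    out = []
    for net, case in networks:
        if net.prefixlen != 32:
            continue
        containers = [
            (c, cc) for c, cc in networks
            if c.prefixlen <= min_container and net.network_address in c
        ]
        if containers:
            widest = min(containers, key=lambda h: h[0].prefixlen)
            out.append((str(net), case, str(widest[0]), widest[1]))
    return out


def coverage_by_case(ips, networks=NETWORKS):
    """Map case number -> observed addresses it covers; also return the
    observed addresses no listing covers (gaps in the dataset for this site)."""
    by_case = defaultdict(list)
    unlisted = []
    for ip in ips:
        hits = matching_listings(ip, networks)
        if not hits:
            unlisted.append(ip)
        for _, case in hits:
            by_case[case].append(ip)
    return dict(by_case), unlisted


if __name__ == "__main__":
    covered, missing = coverage_by_case(OBSERVED_SPAM_SOURCES)
    for case, addrs in sorted(covered.items()):
        print(case, addrs)
    print("escalations:", escalations())
    print("not listed:", missing)
```

Running the same functions over a real rsync copy of the dataset, with the case number taken from each record, is all that is needed to reproduce the per-case groupings given in this post for a different site's own spam sources.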

June 7, 2012

L2.APEWS.ORG False Positive #16

A /19 that was listed back in April caught this recently; it is definitely a user-subscribed newsletter:

Wed 2012-06-06 08:55:21: [140:457] Accepting SMTP connection from [109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] Looking up PTR record for 109.123.106.210 (210.106.123.109.IN-ADDR.ARPA)
Wed 2012-06-06 08:55:21: [140:457] D=210.106.123.109.IN-ADDR.ARPA TTL=(1439) PTR=[srv-eight.clevercherry.net]
Wed 2012-06-06 08:55:21: [140:457] Gathering A-records for PTR hosts
Wed 2012-06-06 08:55:21: [140:457] D=srv-eight.clevercherry.net TTL=(240) A=[109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 06 Jun 2012 08:55:21 -0100
Wed 2012-06-06 08:55:21: [140:457] <-- EHLO srv-eight.clevercherry.net
Wed 2012-06-06 08:55:21: [140:457] Performing reverse lookup on srv-eight.clevercherry.net (looking for 109.123.106.210)
Wed 2012-06-06 08:55:21: [140:457] D=srv-eight.clevercherry.net TTL=(240) A=[109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] --> 250-xxx.xxx.xxx Hello srv-eight.clevercherry.net, pleased to meet you
Wed 2012-06-06 08:55:21: [140:457] --> 250-ETRN
Wed 2012-06-06 08:55:21: [140:457] --> 250-AUTH=LOGIN
Wed 2012-06-06 08:55:21: [140:457] --> 250-AUTH LOGIN CRAM-MD5
Wed 2012-06-06 08:55:21: [140:457] --> 250-8BITMIME
Wed 2012-06-06 08:55:21: [140:457] --> 250 SIZE 0
Wed 2012-06-06 08:55:21: [140:457] <-- MAIL FROM:<xxx @ xxx.xxx> SIZE=16289
Wed 2012-06-06 08:55:21: [140:457] Performing reverse lookup on xxx.clevercherry.com (looking for 109.123.106.210)
Wed 2012-06-06 08:55:21: [140:457] D=xxx.clevercherry.com TTL=(240) A=[109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] Spam Blocker A-record resolution of [210.106.123.109.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2012-06-06 08:55:21: [140:457] Spam Blocker D=210.106.123.109.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-06-06 08:55:21: [140:457] L2.APEWS.ORG LISTED
Wed 2012-06-06 08:55:21: [140:457] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2012-06-06 08:55:21: [140:457] --> 250 <xxx @ xxx.xxx>, Sender ok
Wed 2012-06-06 08:55:21: [140:457] <-- RCPT TO:<xxx @ xxx.xxx>
Wed 2012-06-06 08:55:21: [140:457] --> 250 <xxx @ xxx.xxx>, Recipient ok
Wed 2012-06-06 08:55:21: [140:457] <-- DATA
Wed 2012-06-06 08:55:21: [140:457] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2012-06-06 08:55:21: [140:457] --> 250 Ok, message saved <Message-ID: E1ScCvc-0005YX-27@srv-eight.clevercherry.net>
Wed 2012-06-06 08:55:21: [140:457] <-- QUIT
Wed 2012-06-06 08:55:21: [140:457] --> 221 See ya in cyberspace
Wed 2012-06-06 08:55:21: [140:457] SMTP session successful, 15603 bytes transferred.
Wed 2012-06-06 08:55:21: [140:457] Shuffling message(s) into proper queue(s)
Wed 2012-06-06 08:55:21: [140:457] Message received from srv-eight.clevercherry.net [109.123.106.210] <xxx @ xxx.xxx> with SMTP for <xxx @ xxx.xxx> [Size 10502] {j:\localq\6443522.msg}

May 16, 2012

DNS Blacklist Editor

I came across a useful freeware tool at http://www.jhsoft.com/ for editing a DNS blacklist. Using rsync we got a copy of the APEWS dataset and opened it up with that tool, which worked great. Some people may find it easier to edit the APEWS data for their own purposes, either to reduce false positives or to blacklist more IPv4 space than APEWS currently covers. There are reports of the L2.APEWS.ORG dataset catching between 95% and 99% of all spam, so it shouldn't take much editing to tailor it to any one system.

Some DNS blacklist databases separate the type of listing by using a code number in the DNS record of the listed IP address, e.g. an email spam sender IP might get a DNSBL response of 127.0.0.3, a spam relay IP could show as 127.0.0.4, but a trojan-hosting website IP would come back with 127.0.0.5. Those different 127.0.0.* addresses can be used to filter email or other traffic, e.g. using the "3" and "4" for an inbound email stream but the "5" for outbound HTTP traffic, i.e. preventing users from reaching the trojan host. However, it looks like the APEWS dataset returns just one reply to queries: "L2.APEWS.ORG TTL=(35) A=[127.0.0.2]".

Looking through the listings and reviewing the comments that used to be written in the earlier records, we can see some groups of "Cases" that may be useful to some people if the C number can be obtained. It should even be possible to extract the relevant data to build smaller datasets specific to a need. The groups of Cases and their text descriptors etc. will be published shortly.

April 4, 2012

L2.APEWS.ORG False Positive #15

This one is a newsletter, and although the listing was showing as a /24, it had already been corrected at the time of writing. Posting the error here for archive purposes:

Wed 2012-04-03 07:50:58: [448:627] Accepting SMTP connection from [24.38.56.81]
Wed 2012-04-03 07:50:58: [448:627] Looking up PTR record for 24.38.56.81 (81.56.38.24.IN-ADDR.ARPA)
Wed 2012-04-03 07:50:59: [448:627] D=81.56.38.24.IN-ADDR.ARPA TTL=(1439) PTR=[mailb.info.humanevents.com]
Wed 2012-04-03 07:50:59: [448:627] Gathering A-records for PTR hosts
Wed 2012-04-03 07:50:59: [448:627] D=mailb.info.humanevents.com TTL=(1440) A=[24.38.56.81]
Wed 2012-04-03 07:50:59: [448:627] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 04 Apr 2012 08:50:59 -0500
Wed 2012-04-03 07:50:59: [448:627] <-- EHLO mailb.info.humanevents.com
Wed 2012-04-03 07:50:59: [448:627] Performing reverse lookup on mailb.info.humanevents.com (looking for 24.38.56.81)
Wed 2012-04-03 07:50:59: [448:627] D=mailb.info.humanevents.com TTL=(1440) A=[24.38.56.81]
Wed 2012-04-03 07:50:59: [448:627] --> 250-xxx.xxx.xxx Hello mailb.info.humanevents.com, pleased to meet you
Wed 2012-04-03 07:50:59: [448:627] --> 250-ETRN
Wed 2012-04-03 07:50:59: [448:627] --> 250-AUTH=LOGIN
Wed 2012-04-03 07:50:59: [448:627] --> 250-AUTH LOGIN CRAM-MD5
Wed 2012-04-03 07:50:59: [448:627] --> 250-8BITMIME
Wed 2012-04-03 07:50:59: [448:627] --> 250 SIZE 0
Wed 2012-04-03 07:50:59: [448:627] <-- MAIL FROM: BODY=8BITMIME
Wed 2012-04-03 07:50:59: [448:627] Performing reverse lookup on info.humanevents.com (looking for 24.38.56.81)
Wed 2012-04-03 07:50:59: [448:627] D=info.humanevents.com TTL=(1440) A=[74.201.50.22]
Wed 2012-04-03 07:51:00: [448:627] P=030 D=info.humanevents.com TTL=(1439) MX=[mx2.info.humanevents.com] {74.201.50.6}
Wed 2012-04-03 07:51:00: [448:627] P=010 D=info.humanevents.com TTL=(1439) MX=[mx1.info.humanevents.com] {74.201.50.4}
Wed 2012-04-03 07:51:00: [448:627] Spam Blocker A-record resolution of [81.56.38.24.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2012-04-03 07:51:00: [448:627] Spam Blocker D=81.56.38.24.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-04-03 07:51:00: [448:627] L2.APEWS.ORG LISTED
Wed 2012-04-03 07:51:00: [448:627] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2012-04-03 07:51:00: [448:627] --> 250 , Sender ok
Wed 2012-04-03 07:51:00: [448:627] <-- RCPT TO:
Wed 2012-04-03 07:51:00: [448:627] --> 250 , Recipient ok
Wed 2012-04-03 07:51:00: [448:627] <-- DATA
Wed 2012-04-03 07:51:00: [448:627] --> 354 Enter mail, end with .
Wed 2012-04-03 07:51:01: [448:627] --> 250 Ok, message saved
Wed 2012-04-03 07:51:01: [448:627] <-- QUIT
Wed 2012-04-03 07:51:01: [448:627] --> 221 See ya in cyberspace
Wed 2012-04-03 07:51:01: [448:627] SMTP session successful, 34147 bytes transferred.
Wed 2012-04-03 07:51:01: [448:627] Shuffling message(s) into proper queue(s)
Wed 2012-04-03 07:51:01: [448:627] Message received from mailb.info.humanevents.com [24.38.56.81] with SMTP for [Size 3412] {j:\localq\0000000.msg}
Wed 2012-04-03 07:51:01: ----------

The sending server itself was not listed, but the small group listing covering it caused a false positive for us. Resolved already.

April 2, 2012

L2.APEWS.ORG False Positive #14

This one came in over the weekend but has already been delisted by the APEWS administrators. Just posting the email here for the archive:

Sat 2012-03-31 12:30:29: [520:540] Accepting SMTP connection from [178.33.45.10]
Sat 2012-03-31 12:30:29: [520:540] Looking up PTR record for 178.33.45.10 (10.45.33.178.IN-ADDR.ARPA)
Sat 2012-03-31 12:30:30: [520:540] D=10.45.33.178.IN-ADDR.ARPA TTL=(1440) PTR=[18.mo5.mail-out.ovh.net]
Sat 2012-03-31 12:30:30: [520:540] Gathering A-records for PTR hosts
Sat 2012-03-31 12:30:30: [520:540] D=18.mo5.mail-out.ovh.net TTL=(1440) A=[178.33.45.10]
Sat 2012-03-31 12:30:30: [520:540] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 30 Mar 2012 22:30:30 -0500
Sat 2012-03-31 12:30:30: [520:540] <-- EHLO mo5.mail-out.ovh.net
Sat 2012-03-31 12:30:30: [520:540] Performing reverse lookup on mo5.mail-out.ovh.net (looking for 178.33.45.10)
Sat 2012-03-31 12:30:31: [520:540] D=mo5.mail-out.ovh.net TTL=(1440) A=[178.32.228.5]
Sat 2012-03-31 12:30:31: [520:540] --> 250-xxx.xxx.xxx Hello 18.mo5.mail-out.ovh.net (may be forged), pleased to meet you
Sat 2012-03-31 12:30:31: [520:540] --> 250-ETRN
Sat 2012-03-31 12:30:31: [520:540] --> 250-AUTH=LOGIN
Sat 2012-03-31 12:30:31: [520:540] --> 250-AUTH LOGIN CRAM-MD5
Sat 2012-03-31 12:30:31: [520:540] --> 250-8BITMIME
Sat 2012-03-31 12:30:31: [520:540] --> 250 SIZE 0
Sat 2012-03-31 12:30:31: [520:540] <-- MAIL FROM: SIZE=6970
Sat 2012-03-31 12:30:31: [520:540] Performing reverse lookup on yyy.yyy (looking for 178.33.45.10)
Sat 2012-03-31 12:30:32: [520:540] D=yyy.yyy TTL=(1439) A=[213.186.33.5]
Sat 2012-03-31 12:30:32: [520:540] P=100 D=webster.fr TTL=(1440) MX=[mxb.ovh.net]
Sat 2012-03-31 12:30:32: [520:540] P=001 D=webster.fr TTL=(1440) MX=[mx0.ovh.net] {213.186.33.32}
Sat 2012-03-31 12:30:33: [520:540] D=mxb.ovh.net TTL=(1440) A=[213.186.39.173]
Sat 2012-03-31 12:30:33: [520:540] Spam Blocker A-record resolution of [10.45.33.178.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Sat 2012-03-31 12:30:33: [520:540] Spam Blocker D=10.45.33.178.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2012-03-31 12:30:33: [520:540] L2.APEWS.ORG LISTED
Sat 2012-03-31 12:30:33: [520:540] Message will be accepted and X-RBL-Warning: header will be inserted.
Sat 2012-03-31 12:30:33: [520:540] --> 250 , Sender ok
Sat 2012-03-31 12:30:33: [520:540] <-- RCPT TO:
Sat 2012-03-31 12:30:33: [520:540] --> 250 , Recipient ok
Sat 2012-03-31 12:30:33: [520:540] <-- DATA
Sat 2012-03-31 12:30:33: [520:540] --> 354 Enter mail, end with .
Sat 2012-03-31 12:30:33: [520:540] --> 250 Ok, message saved
Sat 2012-03-31 12:30:34: [520:540] <-- QUIT
Sat 2012-03-31 12:30:34: [520:540] --> 221 See ya in cyberspace
Sat 2012-03-31 12:30:34: [520:540] SMTP session successful, 7307 bytes transferred.
Sat 2012-03-31 12:30:34: [520:540] Shuffling message(s) into proper queue(s)
Sat 2012-03-31 12:30:34: [520:540] Message received from mo5.mail-out.ovh.net [178.33.45.10] with SMTP for [Size 796] {j:\localq\md00000000.msg}

OVH often have mail servers in the top 100 spam sources, so it is no surprise that it was listed.

March 18, 2012

L2.APEWS.ORG False Positive #13

Typical, eh, spoke too soon! A user claimed the following shouldn't have been in his junk folder, and on further checking we found the IP address to be that of a website offering a newsletter. The CIDR seems OK too; here is the email header:

Sat 2012-03-17 03:26:37: [7708:766] Accepting SMTP connection from [71.19.224.98]
Sat 2012-03-17 03:26:37: [7708:766] Looking up PTR record for 71.19.224.98 (98.224.19.71.IN-ADDR.ARPA)
Sat 2012-03-17 03:26:37: [7708:766] D=98.224.19.71.IN-ADDR.ARPA TTL=(59) PTR=[www3.tiltedpixel.com]
Sat 2012-03-17 03:26:37: [7708:766] Gathering A-records for PTR hosts
Sat 2012-03-17 03:26:38: [7708:766] D=www3.tiltedpixel.com TTL=(240) A=[71.19.224.98]
Sat 2012-03-17 03:26:38: [7708:766] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 16 Mar 2012 13:06:38 -0500
Sat 2012-03-17 03:26:38: [7708:766] <-- EHLO www3.tiltedpixel.com
Sat 2012-03-17 03:26:38: [7708:766] Performing reverse lookup on www3.tiltedpixel.com (looking for 71.19.224.98)
Sat 2012-03-17 03:26:38: [7708:766] D=www3.tiltedpixel.com TTL=(240) A=[71.19.224.98]
Sat 2012-03-17 03:26:38: [7708:766] --> 250-xxx.xxx.xxx Hello www3.tiltedpixel.com, pleased to meet you
Sat 2012-03-17 03:26:38: [7708:766] --> 250-ETRN
Sat 2012-03-17 03:26:38: [7708:766] --> 250-AUTH=LOGIN
Sat 2012-03-17 03:26:38: [7708:766] --> 250-AUTH LOGIN CRAM-MD5
Sat 2012-03-17 03:26:38: [7708:766] --> 250-8BITMIME
Sat 2012-03-17 03:26:38: [7708:766] --> 250 SIZE 0
Sat 2012-03-17 03:26:38: [7708:766] <-- MAIL FROM: SIZE=1656
Sat 2012-03-17 03:26:38: [7708:766] Performing reverse lookup on www3.tiltedpixel.com (looking for 71.19.224.98)
Sat 2012-03-17 03:26:38: [7708:766] D=www3.tiltedpixel.com TTL=(239) A=[71.19.224.98]
Sat 2012-03-17 03:26:38: [7708:766] Spam Blocker A-record resolution of [98.224.19.71.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Sat 2012-03-17 03:26:38: [7708:766] Spam Blocker D=98.224.19.71.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2012-03-17 03:26:38: [7708:766] L2.APEWS.ORG LISTED
Sat 2012-03-17 03:26:38: [7708:766] Message will be accepted and X-RBL-Warning: header will be inserted.
Sat 2012-03-17 03:26:38: [7708:766] --> 250 , Sender ok
Sat 2012-03-17 03:26:38: [7708:766] <-- RCPT TO:
Sat 2012-03-17 03:26:38: [7708:766] --> 250 , Recipient ok
Sat 2012-03-17 03:26:38: [7708:766] <-- DATA
Sat 2012-03-17 03:26:38: [7708:766] --> 354 Enter mail, end with .
Sat 2012-03-17 03:26:38: [7708:766] --> 250 Ok, message saved
Sat 2012-03-17 03:26:38: [7708:766] <-- QUIT
Sat 2012-03-17 03:26:38: [7708:766] --> 221 See ya in cyberspace
Sat 2012-03-17 03:26:38: [7708:766] SMTP session successful, 959 bytes transferred.
Sat 2012-03-17 03:26:38: [7708:766] Shuffling message(s) into proper queue(s)
Sat 2012-03-17 03:26:38: [7708:766] Message received from www3.tiltedpixel.com [71.19.224.98] with SMTP for [Size 948] {j:\localq\md000000.msg}

Hopefully this one will get resolved shortly too.

October 21, 2011

APEWS.ORG data usage

Due to the decline in the use and effectiveness of Usenet for anti-spam work, which formerly had the newsgroups news.admin.net-abuse.blocklisting and news.admin.net-abuse.sightings (both now inactive), here is a place where users of the APEWS.ORG database can publish their experience and any problems or errors. On their website, http://www.APEWS.ORG have asked for evidence of errors so that they can improve their data, and to my knowledge no single place exists for that purpose.

In choosing an anti-spam solution for email servers, there are point-scoring methods like SpamAssassin and there are DNS-based Block Lists (DNSBL). Operating my own business servers and not having the resources of perhaps larger corporations, I needed an approach that would seriously cut into the, at times, overwhelming number of inbound emails. I came across Apews.org shortly after SPEWS ceased to be updated and after finding other DNSBLs to be inadequate. However, searching Google for this DNSBL, the majority of the information available suggests that the data represents an overly aggressive approach with too many false positives.

Rather than just believe what I found, especially since there was little evidence of the false positives, I decided to test the IP-based L2.APEWS.ORG data, which they recommend be used for scoring in addition to other DNSBL services like Spamhaus, Spamcop, Sorbs etc. via SpamAssassin or similar. Knowing your clients and having a good whitelist is essential these days, and I doubt anyone would put an email server online without one. My own whitelist has come from more than 10 years of experience and accumulated knowledge; thus testing inbound connections first against the whitelist, before the blacklist, produces almost zero errors.

During the last few years there have been very few statistics websites that compared True Positives [TP] and False Positives [FP] from the use of a single DNSBL, e.g. Spamhaus, Spamcop, UCEProtect or Sorbs. By 2008 it seemed that L2.APEWS.ORG had a very high [90%] spam catch rate [TP] together with a reducing level of false positives [FP], but the website operator didn't elaborate much on the FP, only referring to the mail stream as being USA based and including some marketing emails for products, services, and reviews of same. No other free DNSBL comes close from what I can see; http://www.UCEProtect.net have 3 databases, and if all are used then their results appear to be about the same if not a little better, approx. 1% to 1.5% higher TP currently.

I have configured my email servers to use the L2.APEWS.ORG DNSBL in real time during the SMTP session, after first querying the whitelist. If the IP address is unknown or untrusted and is then found to be listed in L2.APEWS.ORG, the email servers don't reject the email; they just flag it as probable spam by adding an X-header, which a script then uses to move the flagged emails to the user's spam/junk folder.
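As an added example (not from this blog and not MDaemon's or APEWS's code), the Python below models the whole decision path described here and in the May 2012 and February 2014 posts: the local whitelist is consulted first, then each DNSBL zone is queried with the reversed-octet name, an exclude record makes an address resolve as unlisted even inside a listed block, the 127.0.0.x answer is mapped to a meaning, and a listed sender is flagged with a header rather than rejected. The zone contents, the whitelist, the return-code meanings for the second zone and the header text are all constructed assumptions so that the code runs offline; L2.APEWS.ORG in reality answers only 127.0.0.2, as the May post notes.

```python
import ipaddress

# Return-code meanings as the May 2012 post describes them for *some* DNSBLs.
# Hypothetical assignments; L2.APEWS.ORG itself answers only 127.0.0.2.
RETURN_CODES = {
    "127.0.0.2": "listed",
    "127.0.0.3": "spam-sender",
    "127.0.0.4": "spam-relay",
    "127.0.0.5": "trojan-host",
}

# Constructed in-memory stand-in for DNSBL zones so the example runs offline.
# Each entry is (network, answer). answer None models an *exclude* record:
# an address it covers resolves as unlisted even if a wider record lists it.
ZONE = {
    "L2.APEWS.ORG": [
        ("192.0.2.0/24", "127.0.0.2"),
        ("192.0.2.50/32", None),           # exclude record inside the listed /24
        ("198.51.100.0/25", "127.0.0.2"),
    ],
    "dnsbl.example": [                     # hypothetical multi-code zone
        ("203.0.113.0/24", "127.0.0.3"),
        ("203.0.113.200/32", "127.0.0.5"),
    ],
}

# Constructed local whitelist, consulted before any blacklist.
WHITELIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/26", "100.64.0.0/22")]


def query_name(ip, zone):
    """63.121.28.41 queried against L2.APEWS.ORG -> 41.28.121.63.L2.APEWS.ORG"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(ip, zone, zone_data=ZONE):
    """Answer for ip in zone, or None when unlisted. The most specific record
    wins, so an exclude (/32, answer None) overrides the block that lists it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net_s, answer in zone_data.get(zone, []):
        net = ipaddress.ip_network(net_s)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, answer)
    return None if best is None else best[1]


def decide(ip, zones=("L2.APEWS.ORG",), whitelist=WHITELIST, zone_data=ZONE):
    """Whitelist first; then flag (never reject) on the first zone that answers."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in whitelist):
        return {"action": "accept", "reason": "whitelisted", "headers": {}}
    for zone in zones:
        answer = lookup(ip, zone, zone_data)
        if answer is not None:
            label = RETURN_CODES.get(answer, "unknown-code")
            # Header text is a constructed format, not MDaemon's actual one.
            return {
                "action": "flag",
                "reason": f"{zone} {label} ({answer})",
                "headers": {"X-RBL-Warning": f"{query_name(ip, zone)} -> {answer}"},
            }
    return {"action": "accept", "reason": "not listed", "headers": {}}


def should_block_http(ip, zone, zone_data=ZONE):
    """The outbound-HTTP use of code 5 from the May post: block only hosts
    the zone marks as trojan hosts, not every listed address."""
    return RETURN_CODES.get(lookup(ip, zone, zone_data)) == "trojan-host"


if __name__ == "__main__":
    for ip in ("198.51.100.9", "198.51.100.100", "192.0.2.50", "192.0.2.51"):
        print(ip, decide(ip))
    print("203.0.113.200 http block:", should_block_http("203.0.113.200", "dnsbl.example"))
```

In production the `lookup` function would be replaced by a real A-record query for `query_name(ip, zone)` against the local resolver; the rest of the policy, whitelist before blacklist and a header instead of a rejection, stays the same.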

Note my criteria and requirements:
  • Email servers are used for both local and remote users
  • Users to/from UK, West/Central Europe, USA, India, Australia, also roaming users including Far East
Source of emails [almost all private emails are via free webmail providers]
  • approx 40% are received via Yahoo, Gmail, AOL & Hotmail users
  • approx 40% are received via contracted email services [negligible spam received] e.g. messagelabs, psmtp, frontbridge, bigfish, postini, mxlogic etc
  • approx 15% are from client owned corporate servers [negligible spam received] and includes many international and regional banks, USA / EU government departments etc
  • approx 5% are newsletters and social networking contact [negligible spam received] e.g. reuters, alertnet, foxnews, cnn, nytimes, dartmail, collab, cheetah, ezinedirector, sun microsystems, symantec, linkedin, facebook, myspace, flickr, digg, naymz.com [changed back after being visible.me], mbox, j2global, iht, osac.gov, oecd, imf.org, worldbank, natgeo, dhl, ups, fedex, deutscheposte, usps, dealertime, shopping.com, amazon.com, aa.com, continental air, virgin, travelocity, hotel.com, cheaptickets, lufthansa etc
  • hard/soft-ware suppliers & manufacturers e.g. HP, Dell, Cisco, Microsoft, Apple, Macromedia, Adobe, sourceforge etc
  • Very few emails are received via ISP smtp servers / smart hosts [negligible spam received] e.g. rogers, rogerstelcom, earthlink, mindspring, prodigy, comcast, sprint, sprintlink, btinternet, bt.com, demon, shaw, shawcable, qwest, adelphia, bellatlantic, bell, bellglobal, bellsouth, bellnexxia, swbell, bellhosting, att, ownmail, telstra, megacity, free2surf, charter, level3, optus, sonic, orange, vodafone, pipex, t-online, dtag, t-mobil, cox, coxinternet, verizon, cogentco, blueyonder, bigpond, roadrunner, twtelecom, nortel etc
  • Almost zero emails are received via domain Registrars [negligible spam received] e.g. networksolutions, netsol, register, joker, gandi, godaddy, tucows etc
  • Complaints by email relating to abuse from my servers can be received to role accounts here from major dnsbl operators for each domain name hosted e.g. spamhaus, spamcop, sorbs, abuseat, ahbl, uceprotect, robtex, njabl, mail-abuse, uceb, abuse-net, whitelisted trusted sender servers
  • all the above are regarded as trusted senders and as such have been whitelisted here
  • the only spam received into user inboxes comes almost entirely from free webmail user accounts or unlisted IP addresses, True Positive is better than 99% because of a good whitelist
  • all emails in a user's spam/junk folder have been found to be spam i.e. correctly identified and after running email client spam filters on the mailboxes. The FP% is extremely low, less than 0.05%.

In conclusion, the use of L2.APEWS.ORG has, for us, removed the spam problem to the extent that the few spam we do receive come via the Yahoo, Gmail, AOL and Hotmail servers that we need to give access. It has been said that of the world's total daily email volume approx. 97% is unsolicited bulk email, and our experience accords with that statistic. The remaining 3% of the world's total daily email volume is solicited, and the above figures represent an approximate analysis of its source and/or nature as it pertains to our business mail stream. These are our findings, and no warranty either express or implied exists regarding these findings, since each mail stream is unique to the particular business or network.