DNS Blacklists - ORF Forums


1

Curious if anyone is using a blacklist other than the canned ones that Vamsoft puts out?

We are using Invaluement with great success so far. I will post our stats upon our ten day trial completion.

Is anyone else using a DNS blacklist they have had success with that is not part of the Vamsoft downloads?

by steve.mills more than 10 years ago
2

We also use Invaluement - have done so for over a year and have been happy with the results. We were constantly having DNS errors/timeouts with Spamhaus and looked for an alternative.

by ATL more than 10 years ago
3

@steve.mills: We are currently testing some additional DNSBLs in-house both in terms of catch rate and false positive rate using a tool we put together specifically for this purpose. It also examines the overlap of blacklist databases (i.e., if a DNSBL has an excellent catch rate and low false positive rate, but it overlaps with Spamhaus ZEN 100%, it makes little sense to waste another DNS query for that).

We will update the default definition set and our recommendations based on our test results once they have been evaluated.

by Krisztián Fekete (Vamsoft) more than 10 years ago

4

@ATL: Spamhaus DNS errors are usually caused by upstream public DNS servers (e.g., if you use Google DNS servers as forwarders, or your ISP's DNS server which uses Google DNS as a forwarder), see their related FAQ article:

http://www.spamhaus.org/faq/section/DNSBL%20Usage#261

Another possibility is that they banned your DNS server because one or more of their free usage terms have been violated (http://www.spamhaus.org/organization/dnsblusage/). In this case, subscribing to their commercial data feed solves the DNS error/timeout problem (according to our customers' feedback). They offer a free 30-day trial, so you can test whether the problem is caused by that without any risks.

by Krisztián Fekete (Vamsoft) more than 10 years ago

5

I tried their commercial trial and got the same results.

by ATL more than 10 years ago
6

@ATL: We signed up for SpamHaus Datafeed and do not use forwarders (ISP DNS servers) and we have not had any errors. Perhaps you could review your DNS, you may find a source for the errors.

As some of you know I am on a crusade to get snowshoe spam stopped and a good snowshoe-aware RBL would be perfect. So far I have not been able to find a good RBL that adequately handles snowshoe, at least not early enough to stop the initial bursts. SpamHaus Snowshoe CSS exists as part of ZEN but I have not seen it help much (about once per day for our mail).

I spot-checked and spoke to Invaluement and it may work for some of you. For myself, I found that while he does list spam sources quickly, for us about 50% of the time the initial snowshoe bursts would still get thru so I am not settling.

Domain reputation for identifying new domains could be useful. For example, it is likely that a domain created today is a throwaway domain for spam. If it exists for more than a few hours then the usual SURBLs pick it up. During the initial burst we are left exposed to it and a domain reputation service may help. As mentioned before in this forum, Farsight offers NOD for newly observed domains for a fee. Contact them for details. tcpiputils.com will also offer a domain reputation API due out next week but it will not run as an RBL but rather a REST query returning JSON so you'd need to code up an external agent for that. www.whoisxmlapi.com offers a similar service, again only providing JSON or XML.

I am currently crafting my own approach to snowshoe as an external agent since there do not seem to be any good options for ORF at the moment.

by Sam Russo more than 10 years ago

7

@Sam Russo: One thing I am going to try and see if it helps...

There is a setting under greylisting to not greylist if they pass the SPF test. I am turning that off. Now even if they pass the SPF test it will delay the email.

I am noticing a lot of snowshoe that gets thru is listed like 1 minute later by Invaluement and sometimes Spamhaus.

Maybe this will help? The spammers will maybe get delayed a few extra minutes and hopefully by then they will be listed?

by steve.mills more than 10 years ago

8

@steve.mills: I have noticed this as well and am going to try the same thing. Did it help you?

by mike.galbicka 9 years ago

9

Steve,

Thanks for posting this thread. Based on your positive feedback my organization decided to also try out Invaluement's 10 day trial. We are seeing very positive results as well. We receive in the vicinity of 35K emails a day between our 500 users and Invaluement adds about an extra 1,000 emails to the block list. We utilize Greylisting and out of all our (8) DNSBL and (4) SURBL tests, which blocked 3016 emails, Invaluement's contribution to that was 31%. We still get the biggest spam block rates from our SPF Testing, Honeypots, and Manual Sender/Keyword blacklists, but as far as subscription blacklists go, only SpamHaus, which we also pay for a feed, contributes more than Invaluement.

The cost for a yearly subscription is low so I think we are going to go ahead and sign up for the service. Adding it to ORF was as simple as mimicking the pre-existing Spamhaus entries, as a positive hit also returns 127.0.0.2.

I wouldn't have found Invaluement without this post-- so many thanks to you!

by felipe.garcia 9 years ago
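
Added example, not part of any post in this thread and not Vamsoft's in-house tool: a small Python sketch of the comparison described in posts 3 and 9, scoring each list on catch rate, false positive rate and how much of its catch a baseline list already covers. The list labels, the sample data and the thresholds in `worth_querying` are all assumptions made up for illustration.

```python
def evaluate(samples, baseline):
    """samples: list of (is_spam, set of list labels that returned a hit).
    Returns per-list catch rate, false positive rate, the share of its
    spam hits the baseline also caught, and the hits only it caught."""
    spam = [hits for is_spam, hits in samples if is_spam]
    ham = [hits for is_spam, hits in samples if not is_spam]
    names = set().union(*(hits for _, hits in samples))
    report = {}
    for name in sorted(names):
        caught = [h for h in spam if name in h]
        overlap = sum(1 for h in caught if baseline in h)
        report[name] = {
            "catch_rate": len(caught) / max(len(spam), 1),
            "fp_rate": sum(1 for h in ham if name in h) / max(len(ham), 1),
            "overlap_with_baseline": overlap / len(caught) if caught else 0.0,
            "unique_catches": len(caught) - overlap,
        }
    return report


def worth_querying(stats, min_unique=1, max_fp_rate=0.0):
    """Hypothetical decision rule: an extra DNS query per message is only
    justified if the list catches spam the baseline misses and stays
    under the accepted false positive rate."""
    return (stats["unique_catches"] >= min_unique
            and stats["fp_rate"] <= max_fp_rate)


# Constructed sample: 6 spam and 4 legitimate messages, with the lists
# that returned a positive answer for the connecting IP of each one.
SAMPLES = [
    (True, {"baseline", "candidate-a"}),
    (True, {"baseline", "candidate-a"}),
    (True, {"baseline"}),
    (True, {"candidate-b"}),
    (True, {"baseline", "candidate-b"}),
    (True, set()),
    (False, set()),
    (False, {"candidate-b"}),
    (False, set()),
    (False, set()),
]

if __name__ == "__main__":
    for name, stats in evaluate(SAMPLES, "baseline").items():
        print(name, stats, "query?", worth_querying(stats))
```

In this sample, candidate-a is fully covered by the baseline, so it adds a query without adding a catch, while candidate-b catches one message the baseline misses but also hits a legitimate sender.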
10

I have been using Truncate and WPBL lately with some good results.

We registered with Barracuda, and it catches the most (16%), followed by CBL (5.5%) and UBL (5.1%). Truncate scored 2.7%.

by jeff.slauson 9 years ago
