DNSBL Safety Report 1/8/2011

UPDATE: See the latest DNSBL Safety Report for current recommendations. 

Here is a quick look at the safety and efficacy of a few DNSBL’s for SpamAssassin. Today’s report looks into Hostkarma, Spam Eating Monkey, MailSpike, NiX Spam and PSBL.
NEW: This week’s analysis looks closer at safety when taking into consideration overlaps with established rules. See last week’s analysis for more details about the masscheck process used to collect the weekly statistical data in RuleQA.


Usage Limits of Spamassassin Network Tests

UPDATED: 1/8/2011

This article describes free usage limits of network test providers used by Spamassassin, along with recommendations if they are worthwhile to pay for service for sites large enough where a data feed is necessary. Recommendations are based upon statistical data in Spamassassin’s weekly masscheck as collected at RuleQA.

It is important for Spamassassin sysadmins to know the limits and usage restrictions of the various network test providers. If those providers deem that you are abusing their service they might choose to silently block your IP address. This can cause significant problems like mail delivery slowdown as Spamassassin waits until DNS timeout during each mail scan, along with test failure which can cripple your spam filter.

Subscribe to announce-only newsletters targeted at Spamassassin Sysadmins.


Disable DNS_FROM_AHBL_RHSBL

Apparently AHBL_RHSBL has been performing very poorly, detecting 0.072% spam during the August 2009 rescore masscheck and 0.02% spam in recent masschecks. This is not worth a DNS query for every mail you scan. Well, this rule is not harmful, but you may want to disable it if you want a little more efficiency.  Insert this line below into your local.cf and restart your spamd daemon.

score DNS_FROM_AHBL_RHSBL 0


DNSBL Safety Report 1/2/2011

UPDATE: See the latest DNSBL Safety Report for current recommendations.

This blog will occasionally look at the weekly DNSBL masscheck statistics.  Our measures indicate that the performance and safety of the smaller DNSBL’s can vary wildly from month to month.  If you depend on DNSBL’s, you should pay attention to these safety reports in order to protect your users from the likelihood of false positives and losing mail to the spam folder.  This should help you as a SpamAssassin sysadmin to decide which add-on DNSBL’s to use, and what score to assign with the goal of maximizing spam filter safety.

Here is a quick look at the safety and efficacy of a few add-on and existing DNSBL’s for SpamAssassin.  Today’s report looks into Hostkarma, Spam Eating Monkey, Tiopan, MailSpike, NiX Spam and PSBL.


CACHEREDIR Rule: Prevent Google cache redirector abuse

UPDATE: 2/2/2011
Masscheck results indicate spammers have stopped abusing Google cache as a redirector about 3 weeks ago. It appears that previous redirects already in the cache still work, but perhaps Google changed their system to prevent future redirects from getting into their cache.  We’ll continue to keep an eye on this.

UPDATE: 1/6/2011 – now catches more variations

For the past month or more spammers have been abusing Google’s cache as a link redirector.  Normally if a spammer includes links in their message body, it is easy to identify that message as spam because the domain of that URI is listed in the numerous URIBL’s.  But by using Google cache as a redirector they often sneak past the URIBL’s with an overall low score.  Read more for the custom rule syntax and analysis.