My experience with RBLs predates R6 because I cribbed together a "before mail arrives" agent that performed RBL lookups and processing in R5. The agent, by the way, is based extensively on the code and example you will find at
http://www.idgnews.net/SpamFilter/ , and I only take credit for tweaking it for our particular situation.
My comments:
>
> 1) For those using RBL, how often do 'false-positives' come up??
>
Not that often (maybe 1-5 a week) for our little company with 25 users. But, as a partial owner of this company, I can relate to management's opinion that such "collateral damage" is very important to consider.
We've had some of our clients' email blocked with critical information in it -- the kind that can lose you contracts and $$$, which is really the purpose of the company. And we've had correspondence from ordinary individuals RBLd into oblivion, which doesn't seem that important until I tell you that we're a staffing firm and these "ordinary individuals" are potential employees that could make us $$$ (there's that bottom line again).
The real issue is not the importance or any particular rejected message. The real issue is some executive looking like a fool because his company's email system rejected or auto-deleted a critical message. Then this executive has to go to his client and explain to another executive how their handy-dandy anti-SPAM system considered his message to be on the same level as p0rn. He/She is going to deflect the blame to you because they are doing sales and need to do whatever it takes to close the deal. However, even that ploy makes the company look a little incompetent to a client (regardless of the fact that their server really *was* an open relay, which is something they don't understand). Wait until a high-level muckety muck loses a deal because a string of emails from a potential client were deleted by the SPAM system and the client took their business elsewhere. Hope you have earplugs and a good relationship with management. And that's the real issue.
Depending on the RBL you use, the false positives can be persistent or fleeting. What do I mean? Well, SpamCop in particular blacklists sites and then whitelists them just hours later. Then possibly blacklists them again, then whitelists them again, over and over. I love SpamCop, but this characteristic is one of the primary reasons I need whitelists, because I've had Yahoo, Hotmail, and AOL servers become blacklisted for a couple of hours. Again, we're a staffing company and LOTS of resumes and qualified employees use these services. One missed message can mean thousands of dollars lost.
The "persistent" RBLs tend to list something until a human who cares enough goes to the RBL site and follows the procedure for requesting removal from the list. This sometimes never happens, because the owners of lots of formerly-open relays don't even know they are listed. So these sorts of lists can have some out-of-date items that really are not harmful anymore nor have been for a long time.
AND, some of the lists have a policy of eventually blocking entire providers (like Earthlink or such) because some of that provider's customers are SPAMMERS and the list owner has felt their appeals are being ignored by the big provider. It's probably all true, nevertheless I can't handle that much collateral damage of blocking all of AT&T's or Cable & Wireless' IP space. Those lists I stopped using long ago.
>
> 2) which are the best blackhole lists?
>
Obviously, a subjective question. We use:
DSBL --> list.dsbl.org
SpamCop --> bl.spamcop.net
OSIRIS --> relays.osirusoft.com
ORDB --> relays.ordb.org
I've also used NJABL, but found too many very old listings that needed whitelisting. I suppose the blacklisted company was at one point an open relay, fixed it, and was just unaware that they were listed in NJABL because the quantity of rejected messages was too small.
And I've tried FORMMAIL (formmail.relays.monkeys.com), but it only caught a handful that the others didn't catch.
OSIRIS has some false positives as well, but it is just too powerful to not include, IMHO. SpamCop's strength is response time. SpamCop blocks transient and single-use relays and spam sources much better than the others.
Spam does still slip through, but our RBL system catches >95% of it. The ones that slip through are usually on dialups or a single-use relay that we never see mail from again. Hard to list those, though there are dialup lists you can use.
>
> Specifically is MAPS worth the cost??
>
I don't know because we've never subscribed.
>
> 3) How can I 'whitelist' sites that are found in a RBL, but that I trust?
>
With R6 I don't know, especially after reading this very helpful thread. I was hoping to switch to the R6 RBL list and retire my custom system, but I think I'll wait for true whitelisting functionality. My custom system has 33 whitelisted items in it, and some of those are large blocks of email servers (such as AOL, Yahoo, etc.) that I never want blocked no matter what SPAM comes from them. They are just too critical to our business.
>
> 4) What other issues am I likely to encounter?
>
Needing to recover an auto-deleted message that was not SPAM. Our custom agent dumps SPAM into the users' trash folder, and it will be deleted when they exit Notes or hit F9. This has saved me several times because I can just pull it from the trash. I tried dumping the suspected SPAM into a unique folder, but users basically never checked it because they were not aware anything was in there. R6 should help us with that (we don't have it on the desktop yet) because of the "unread items" count next to folders.
Lastly, I initially hated the fact that my RBL solution still received the messages and didn't save bandwidth by rejecting the messages outright. But, I log the recipient, subject line, and IP address and rejecting them didn't offer that ability. Nor did it offer the ability of recovering wrongly marked items.
I scan the log daily and can pretty quickly spot collateral damage that needs whitelisting. The time spent doing it is only a few minutes a couple of times a day. It isn't time I planned on spending with the RBL system when I created it (I pictured myself sitting on the beach sipping pina coladas while the RBL system kept SPAM out), but it is still vastly less time than I spent previously blocking IP blocks at the router (for the major spammers) and dealing with irritated users getting 50 offensive SPAMS a day.
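The RBL-with-whitelist-and-log design the post describes (whitelist checked first, several DNSBL zones queried, a log line per message with recipient, subject and sender IP) as an added example in Python; this is not the poster's Notes agent nor the idgnews.net code. The zone names are the four the post lists (several of those lists have long since shut down and are kept only to mirror the post); every IP address, whitelist block, message and DNS answer is constructed, and the resolver is injected so the block runs offline. It also covers one failure mode a defunct list can introduce: an answer outside 127.0.0.0/8 is treated as a broken list rather than a listing.

```python
"""Added example: DNSBL (RBL) classification with a whitelist and a log line.

Not code from the original post. Whitelist blocks, IPs, messages and the
fake DNS table below are constructed; the resolver is injected so that the
example runs without network access.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional

# Zones named in the post. Most no longer exist; they are kept only to
# mirror the post's configuration, not as a recommendation.
RBL_ZONES = [
    "list.dsbl.org",
    "bl.spamcop.net",
    "relays.osirusoft.com",
    "relays.ordb.org",
]

# Constructed whitelist (documentation ranges) standing in for the "large
# blocks of email servers" the post never wants blocked regardless of RBL hits.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.42/32")]

# A DNSBL listing is signalled by an A record in 127.0.0.0/8; anything else
# (e.g. a dead domain wildcarded to a web host) must not count as a hit.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

# hostname -> A records, or None for NXDOMAIN
Resolver = Callable[[str], Optional[List[str]]]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for non-IPv4 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_whitelisted(ip: str, whitelist: Iterable[ipaddress.IPv4Network] = WHITELIST) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in whitelist)


def listed_zones(ip: str, resolve: Resolver, zones: Iterable[str] = RBL_ZONES) -> List[str]:
    """Return the zones that list this IP, ignoring answers outside 127/8."""
    hits = []
    for zone in zones:
        answers = resolve(rbl_query_name(ip, zone))
        if answers and all(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
            hits.append(zone)
    return hits


def classify(ip: str, resolve: Resolver) -> str:
    """'whitelisted' | 'spam' | 'clean'; the whitelist wins over any RBL hit."""
    if is_whitelisted(ip):
        return "whitelisted"
    return "spam" if listed_zones(ip, resolve) else "clean"


def log_line(recipient: str, subject: str, ip: str, resolve: Resolver) -> str:
    """One tab-separated line per message, so collateral damage can be
    spotted by scanning the log (as the post does) and whitelisted."""
    verdict = classify(ip, resolve)
    zones = listed_zones(ip, resolve) if verdict != "whitelisted" else []
    return "\t".join([verdict, ip, recipient, subject, ",".join(zones) or "-"])


# --- constructed stand-in for DNS ------------------------------------------
FAKE_DNS = {
    # 198.51.100.9: listed by two of the four zones
    "9.100.51.198.bl.spamcop.net": ["127.0.0.2"],
    "9.100.51.198.relays.ordb.org": ["127.0.0.2"],
    # 192.0.2.7: listed by SpamCop, but it sits inside a whitelisted block
    "7.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    # 198.51.100.200: a dead list answering with a non-127/8 address
    "200.100.51.198.relays.ordb.org": ["203.0.113.9"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    return FAKE_DNS.get(name)


# Constructed sample messages: (recipient, subject, sender IP)
SAMPLE_MESSAGES = [
    ("jobs@example.test", "Resume attached", "192.0.2.7"),
    ("sales@example.test", "MAKE MONEY FAST", "198.51.100.9"),
    ("hr@example.test", "Interview follow-up", "198.51.100.200"),
]


def scan(messages=SAMPLE_MESSAGES, resolve: Resolver = fake_resolve) -> List[str]:
    return [log_line(r, s, ip, resolve) for r, s, ip in messages]


if __name__ == "__main__":
    for line in scan():
        print(line)
```

Checking the whitelist before touching DNS is what keeps the AOL/Yahoo/Hotmail servers the post mentions deliverable during a transient SpamCop listing, and the 127/8 check matters for lists that have been retired: a zone whose domain lapses and is wildcarded by a new owner would otherwise mark every sender as listed.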