Analysis of Spam Blocking Techniques


A series of mails exchanged with Claus von Wolfhausen, Tech Director for UCEPROTECT-Network, on comparison of their RBL with other RBLs in terms of catching spam prompted me to write this page. What started as a comparison between RBLs made obvious some other details on spam handling.

Methodology


A CentOS server running netqmail 1.05, patched mainly with the validrcptto patch plus some home-grown patches, spamdyke, and 3 RBLs, namely the three that appear in the tables below: zen.spamhaus.org, bl.spamcop.net and dnsbl-1.uceprotect.net.


The order of the RBLs was rotated periodically: each RBL was in first position for exactly 48 hours, covering one working day and one weekend day, with around 15,000 SMTP connections during each 48-hour period. In all, testing ran for 6 days with the same users and domains, for around 45,000 connections. Spam caught by one RBL was NOT passed to the later RBLs in the order for further checking. Testing was done during February 2009. There were around 736 email accounts on 32 live domains (one small domain had a single catch-all account). Other miscellaneous spam blocking techniques, such as stopping early talkers or connections from IPs having no reverse DNS, greylisting and SpamAssassin, were also employed.
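The reason the RBL figures depend on their order is that only the first check that fires gets credit for a rejection. The following added example (not part of the original test setup or of spamdyke) simulates that first-match attribution over a constructed set of connections; the check order (no reverse DNS, then the RBLs in configured order, then recipient validity, then early talkers as "Miscellaneous") is an assumption, since the page does not state spamdyke's internal order.

```python
from collections import Counter

ZEN, SPAMCOP, UCE = "zen.spamhaus.org", "bl.spamcop.net", "dnsbl-1.uceprotect.net"

def conn(rdns=True, listed=(), rcpt_ok=True, early_talker=False):
    """One SMTP connection: has reverse DNS?, which RBLs list the source IP,
    does the recipient mailbox exist?, did the client talk before the banner?"""
    return {"rdns": rdns, "listed": set(listed),
            "rcpt_ok": rcpt_ok, "early_talker": early_talker}

# Constructed sample; the overlaps (an IP listed on several RBLs) are what
# make the attribution shift when the RBL order is rotated.
SAMPLE_CONNECTIONS = [
    conn(rdns=False),                      # no rDNS, never reaches the RBLs
    conn(listed=[ZEN, UCE]),               # listed on two RBLs
    conn(listed=[SPAMCOP, ZEN]),           # listed on two RBLs
    conn(listed=[UCE], rcpt_ok=False),     # RBL fires before recipient check
    conn(rcpt_ok=False),                   # only the mailbox check rejects it
    conn(),                                # legitimate mail
    conn(early_talker=True),               # rejected as "Miscellaneous"
    conn(rdns=False),
    conn(listed=[SPAMCOP]),
    conn(),
]

def classify(c, rbl_order):
    """Return the first check that rejects the connection, or 'accepted'.
    Check order is assumed, see the lead-in; it is not spamdyke's code."""
    if not c["rdns"]:
        return "Reverse DNS not present"
    for rbl in rbl_order:            # first listed RBL wins; later ones never see it
        if rbl in c["listed"]:
            return rbl
    if not c["rcpt_ok"]:
        return "Mailbox not present"
    if c["early_talker"]:
        return "Miscellaneous"
    return "accepted"

def tally(connections, rbl_order):
    """Percentage of total connections per outcome, as in the page's tables."""
    counts = Counter(classify(c, rbl_order) for c in connections)
    total = len(connections)
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}

if __name__ == "__main__":
    for order in ([ZEN, SPAMCOP, UCE], [UCE, SPAMCOP, ZEN], [SPAMCOP, UCE, ZEN]):
        print(order[0], "first:", tally(SAMPLE_CONNECTIONS, order))
```

Running it prints a breakdown per rotation; the totals always sum to 100 while the share credited to each RBL moves with its position.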

Given below are results of 3 tests. Figures are expressed in percentage of "Total Connections".

Table 1
  Total mails accepted             7.4
  BLOCKED
    zen.spamhaus.org              34.3
    bl.spamcop.net                 2.9
    dnsbl-1.uceprotect.net         5.0
    Reverse DNS not present       39.5
    Mailbox not present            6.6
    Miscellaneous                  4.3

Table 2
  Total mails accepted            10.3
  BLOCKED
    dnsbl-1.uceprotect.net        18.4
    zen.spamhaus.org              21.2
    bl.spamcop.net                 1.4
    Reverse DNS not present       37.9
    Mailbox not present            7.2
    Miscellaneous                  3.6

Table 3
  Total mails accepted             8.6
  BLOCKED
    bl.spamcop.net                11.5
    dnsbl-1.uceprotect.net         9.2
    zen.spamhaus.org              15.0
    Reverse DNS not present       40.4
    Mailbox not present           10.0
    Miscellaneous                  5.3

Observations

  • Around 40% of spam was blocked by RBLs. There was one case of a false positive (at least, one that was reported): connections from rediffmailpro.com were incorrectly detected as spam by dnsbl-1.uceprotect.net.
  • Around 40% of spam originated from servers having no reverse DNS entry.
  • Around 9% (or even less) of the total connections were for legitimate mails.