32
Report for RBLs
Idea shared by kevind - 7/20/2023 at 8:25 AM
Declined
What we really need is a report on RBLs and how effective they are. It would be nice to know which RBLs are working well and which have no hits. Plus it would help with adjusting the scoring.

This would be similar to the Viruses Caught report where it shows how many messages were tagged by ClamAV, Cyren, Defender...

For example, I just found a couple RBLs that don't look like they're even working:
  • IBM DNS Blacklist (dnsbl.cobion.com)
  • UBL Lashback (ubl.unsubscore.com)
AFAIK, the only way to figure this out is by manually searching the logs to find any RBL occurrences.

Please vote if you think this is a good idea. Thanks!

38 Replies

4
August bump. 9 votes already!
0
Tim Uzzanti Replied
Employee Post
RBL's are losing their value and in some cases causing more harm than good. We are not spending much more time on RBL's moving forward. It is very important for customers to understand the state of RBL's and our efforts moving forward. If you're looking for a good free spam solution, Rspamd is the way to go and we have done a lot to make that an extremely effective solution including training for Ham and Spam!

We are working with the new owners of Cyren to improve the overall effectiveness of their solution and the results are exciting. More information will be released shortly.

Getting good results from free solutions is becoming more and more difficult, as many of you already know.  
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
0
Tim Uzzanti Replied
Employee Post
Yea, some are. 
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
7
Tim, thanks for the reply. We're using RBLs and they are still quite effective.

I looked through the SMTP logs (since there are no reports :) and here are some stats from the last few days:
  • Total Messages: 150k
  • Messages Accepted: 119k
  • Messages Rejected:  31k
So that's over 20% of messages that are rejected due to Inbound SMTP Blocking. Nice!  And the remaining 80% were scored, so many end up in the Junk Email folder.

So maybe you could set this idea to Under Consideration and see if more people vote for it (12 Votes currently). Thanks!
5
BTW, you've done a really nice job in the way you implement RBLs. Assigning a unique spam weight to each RBL is better than other mail systems where it's all/nothing. It's very useful to give more weight to reliable RBLs and less weight to questionable ones.

And the (Apr 5, 2023) Build did a nice job of combining RBLs that use the same hostname and allow a unique weight per Required Lookup Value!
6
We also have great success with RBL filtering.  Our numbers (while overall smaller in general due to size of our footprint) are in matching proportion to kevind's.  The scoring implementation helps us as well, and with a little tuning puts us on the high-side of the spam-caught percentage by a couple points.

We will be implementing rspamd to manage the rest of the filtering - but we would be dealing with a real flood of spam without the RBLs.  MailEnable doesn't have the "scoring implementation" that SmarterMail uses, and since we've moved over, SM's implementation has proven to be much more robust.

Many people dislike the RBL concept because it doesn't take much to land on one of those lists - but after almost 20 years in this game and only landing on a couple of them once before we locked things down, we've never had a problem since.

MailEnable survivor / convert --
7
Hello Tim,

RBL's are losing their value and in some cases causing more harm than good. We are not spending much more time on RBL's moving forward. It is very important for customers to understand the state of RBL's and our efforts moving forward. If you're looking for a good free spam solution, Rspamd is the way to go and we have done a lot to make that an extremely effective solution including training for Ham and Spam!
May I ask what makes you come to this conclusion. As far as I'm aware, RBLs / URIBLs are still the best first line of defense against SPAM.
Of course it's a pain that for most of them you have to subscribe to a commercial feed or you're getting blocked rather quickly if you have a lot of incoming mails.
But from experience, it's unfortunately still the most efficient way to block known sources of spam.
I love rspamd and we have used it for a long time on incoming gateways. It has good results with its built-in rules and some additional ones you can add. But without the help of RBLs, a lot is getting through.
I mean the spammers know for sure, even more than we or legit mail senders do,  how to construct a mail so it won't trigger most of the rules.

SPF/DMARC is also one way to block crappy senders but now spammers mostly use hacked accounts that have perfectly legit SPF, even signing, as they use legit hacked accounts.
What is left then, except collaborative lists of known current sources of spam, or compromised domains, etc.?
I really would love to understand what brings you to your conclusion about RBLs.

Thanks a lot and kind regards.
Sébastien Riccio System & Network Admin https://swisscenter.com
8
1000000000% RBLs are worth it... At least with the filtering options SM has. I tested running just Cyren/Sniffer with zero RBLs (my personal domain only) in front to straight up shut down SMTP connections from spammers and both solutions were beyond useless, I was getting 15+ spam emails a day that both solutions were saying "nope, let em thru boys, they are clean", checking the headers and running a multivali check on the IPs revealed that ~80% of the well-known RBLs would have immediately stopped these emails from even reaching the spool. (Should note that we did not test both solutions side-by-side, it was one-at-a-time).

The content filtering solutions that SM have just are not good enough on their own. VadeSecure on the other hand, with no RBLs running checks for 7 days (my personal domain only), I received a total of 3 spam emails. As they say though, "Nice things cost money, if you want them, be prepared to pay for them". Vade is significantly more expensive than Cyren and Sniffer combined. Though, having RBLs in front of Vade can help lessen the overall load put on the system by knocking down servers that are pumping out junk.
3
Bumping this thread with 14 votes and lots of comments. Looks like RBLs still play a significant role in spam identification.  A simple report that shows RBL hits would be great.

Here's another idea for gateway servers – populate the AntiSpam report. Currently it shows all zeros. It would be nice to see Inbound Spam passed on to the primary server. Maybe I'll create another thread for this.
6
Kind of surprised this idea with 15 votes was declined.  I've seen other ideas with <10 votes accepted and implemented.

What if we changed the request to populate the AntiSpam report on the gateway server? Instead of showing 100% of messages as not spam, show spam scoring. That would be useful. Would that request make it to Under Consideration?

Thanks!
2
Bump for October 3rd – National Techies Day! Thanks to all the programmers who transform complex code into user-friendly digital products.
4
Since his Majesty removed all reports in version 16 all requests for any kind of report have been declined. This was the reason I stayed with Version 15 and stopped paying yearly support/upgrades.
Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP
1
As an email administrator with 20 years of experience, I can safely say that having a report within SmarterMail is way outside the realm of reality.

At best, that would be something for log analysis.

I commonly use a website every quarter as well as my own long analysis to determine which RBLs are working for my circumstances. RBLs are indeed valuable when used in combination with other items.

For full disclosure, I am a customer of SmarterMail and Mails Best Friend and have been involved with email filtering since about 2002. 
9
Just finished analyzing how effective a certain RBL was by manually going through daily log files to count the number of hits.  It would be really nice to have a report that shows which RBLs are tagging messages and which are not.

So I think this request still has merit. Evidently so do others with 18 votes. :)

Now here's a super-cool idea to measure RBL effectiveness. When a user marks a message as Spam, give all RBLs tagged in that message a star. Then at the end of the week we could assign more points to the RBLs that got a lot of stars!
5
And instead of blocking a sender, the option to block the domain should be added to the UX and then it should be forwarded to the admin console to be added to a centralised list of domains not allowed to connect.

That way spam would disappear very quickly in all the users' mailboxes.
2
To the last couple of responses: If the war on spam were that easy, it would be over by now.

It is completely outside of the scope of what an email server does and services it provides to ask it to also analyze logs and create reports. Log analysis is always an entirely different software/service regardless of what the server/service that is creating the logs is. 
4
John... SM already creates reports, SM also doesn't need to analyze the logs to generate said reports, SM tracks things like messages sent/received etc. with stat files, when you generate a report of mails sent etc. SM is not processing the log files to determine how many emails were sent, that would be insane. I'd assume their logic of using the stat files could also be used with RBLs as well in that a stat file is used to track how many emails were "acted on" per RBL, not really out of the realm of possibility. SM knows the RBL, it knows the action that is assigned to said RBL response code, there is no need to parse any logs.
5
@echoDreamz, thanks for the support.  Agree 100% – SM writes all the RBL hits to a log file, so just increment the counters in the stat file too. Easy. And has 18 votes!
6
April bump – 19 votes!!!  Please reconsider this idea as it would be very useful for everyone to fight spam.

We reject thousands of messages daily using RBLs and it would be nice to see which RBLs are most effective and which ones aren't doing anything.
6
+1 again
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
1
(I don’t think there are that many mail servers on the planet)
0
What is involved?   Is it more than counting lines in the log file?   Seems like one we should be able to write ourselves.
4
Ron,
The important thing is that yes, RBLs are still effective. I set mine up per Bruce's document years ago, and as far as I can tell, aside from a few that have died, they are much more effective at blocking spam than anything else in the SmarterMail spam blocking toolbox. When Bruce put out that document, ST had very little guidance on spam blocking. Bruce (RIP) was all over it. So now, for ST to say "RBL's are losing their value and in some cases causing more harm than good.", is hard for me to take seriously. 
4
RBLs are so worth it... it's not even fair to say they are worthless... Especially with Cyren and Sniffer, which are not really that great on their own. Sniffer in our environment wasn't terrible, a good number of false positives, but Cyren... it was barely better than nothing at all. Tons of false negatives and also quite a bit of false positives too. I am sure everyone's mileage has varied though.

I will agree with Tim on SM not focusing on RBLs, we moved all of our DNS-based checks to Rspamd, our SM server does zero anti-spam checks. Rspamd just does a much better job.
2
We have been using Barracuda and Spamhaus RBLs for years, with no concern about false positives. UCEPROTECT is not legit and causes harm. I have not tested others.

At the same time, Tim is half right.  Because RBLs are effective, spammers have invaded legitimate infrastructure.   A few years ago, they piled on Sendgrid.   Right now, they have embraced Gmail.  I get spam for new Gmail accounts every day.  I bl

This makes content filtering very important, in addition to, not instead of, RBLs. Heuristics always have errors in both directions. The solution is not finding an error-free product, the solution is having an exception mechanism that lets you allow wanted traffic without allowing unwanted traffic. I could not find commercial products that could do that, so I built it with Declude filter scripts.


5
Can this idea with 22 votes be submitted as a Feature Request? Noticed this idea with just 1 vote got submitted and is now Under Consideration:

Here's a compromise if you don't want to mess with RBLs...
On an inbound gateway server, click Reports -> Inbound Spam and every message is marked as Not Spam (spam numbers are all zero which is not the case). Need to show the number of Low, Med, and High spam messages that the inbound gateway passes to the primary server. Thanks!
8
Might as well chime in on an old thread.  I still find RBLs massively useful, and also maintain my own internal RBL using Spamikaze along with several non-existent email addresses which started receiving spam, and numerous "trap" domains which only serve the purpose of capturing spam.

While I do tend to get false-positives every now and then (or real positives, depending upon how you want to consider Constant Contact and their ilk,*) it is much, MUCH easier to clean them up.  In my experience, customers expect to have issues every so often with spam filtering, so they have no problem contacting me when something happens.

* Like Salesforce, which I assert offers what we used to call "pink contracts," and then laughs at mail administrators who complain, calling spam "unwanted outreach." (Insert furious, destroying computer emoji here.)
2
Setting up a new SmarterMail server (to replace an old Windows OS) and it would be really nice to know which blacklists no longer work. We could drop the ones that don't have any hits.

Seems like the community agrees that blacklists are still highly effective in fighting spam (30 votes). Please reconsider this enhancement. Thanks!
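
One way to spot lists that no longer work without waiting for months of zero hits, as an added example that is not part of the original thread or SmarterMail's code: RFC 5782 requires an IPv4 DNSBL to list the test address 127.0.0.2 and not to list 127.0.0.1, so querying both separates a dead zone from one that answers every query. The zone names and DNS answers below are constructed; pass your own configured zones and leave out the `resolve` argument to query live DNS.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when there is no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # socket.gaierror (NXDOMAIN) and timeouts
        return []

def is_hit(ip, zone, required=None, resolve=system_resolver):
    """True when ip is listed. With required set, only that return value
    counts (the role 127.0.0.2 plays in the Declude rule in this thread)."""
    answers = resolve(dnsbl_name(ip, zone))
    return (required in answers) if required else bool(answers)

def zone_health(zone, resolve=system_resolver):
    """Classify a zone from the two RFC 5782 test points."""
    if is_hit("127.0.0.1", zone, resolve=resolve):
        # Must never be listed. A zone that answers here answers for
        # everything (parked domain, or an operator refusing your resolver),
        # so every sender would collect this list's spam weight.
        return "lists-everything"
    if not is_hit("127.0.0.2", zone, resolve=resolve):
        # Must always be listed. No answer means the zone is gone or
        # unreachable, and it will never produce a hit.
        return "no-answer"
    return "ok"

def report(zones, resolve=system_resolver):
    """Map each configured zone to its health state."""
    return {zone: zone_health(zone, resolve) for zone in zones}

# Constructed DNS data standing in for three zones (not real lists).
FAKE_DNS = {
    "2.0.0.127.healthy.dnsbl.example": ["127.0.0.2"],
    "99.2.0.192.healthy.dnsbl.example": ["127.0.0.4"],
    "2.0.0.127.wildcard.dnsbl.example": ["127.0.0.2"],
    "1.0.0.127.wildcard.dnsbl.example": ["127.0.0.2"],
}

def fake_resolver(name):
    """Offline stand-in for DNS, backed by FAKE_DNS."""
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    zones = ["healthy.dnsbl.example", "dead.dnsbl.example",
             "wildcard.dnsbl.example"]
    for zone, state in report(zones, fake_resolver).items():
        print(f"{zone:28} {state}")
```

A zone reported as `lists-everything` is the more urgent finding, because it adds its weight to legitimate mail as well as spam.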
1
Setting up a new SmarterMail server (to replace an old Windows OS) and it would be really nice to know which blacklists no longer work. We could drop the ones that don't have any hits.

4
RBL's are losing their value and in some cases causing more harm than good. 
For whom?  Professionals who had not yet abandoned them?  Or the paid-for services for which RBLs are still a viable alternative?

It is very important for customers to understand the state of RBL's and our efforts moving forward.
With all due respect, this sounds like commercial marketspeak and corporate technobabble.  I think it is important to vendors to understand the demands of customers.  We are telling vendors that RBLs are useful to us, in our experience, as admins out in the field.

If you're looking for a good free spam solution, Rspamd is the way to go and we have done a lot to make that an extremely effective solution including training for Ham and Spam!
Cool.  It sounds interesting for those with the resources to run another daemon or service within their infrastructure.  Except for maybe Windows-only environments:

This guide outlines the primary procedures for obtaining and initiating work with Rspamd. Specifically, we will cover the following setup:

  • Ubuntu Jammy (or another OS with systemd)
  • Postfix MTA
  • Redis cache
  • Dovecot with Sieve plugin to sort mail and learn by moving messages to Junk folder
Rspamd also utilizes RBLs.

Getting good results from free solutions is becoming more and more difficult, as many of you already know. 
Yes, we know, but for those of us who are involved in the day-to-day operations of our systems, as any responsible email administrator must be, we are adaptable and can adjust to changing environments.  I have had to make changes to my RBL subscriptions numerous times over the years, but they still work to the point that I run my own to augment those out there.  As well, they are not all free, and even some of the free ones have a paid tier for larger providers.

Keep pushing the commercial providers to do better, to help make their services worthwhile to move away from RBLs, or compelling enough to use both together.  But do not ignore a still useful and valuable service simply because industry analysts and paid-for services say so.
3
@John -- interesting link, thanks for sending. Helps a little, but missing some RBLs and it's generic. Would be nice to know how my RBLs are working on my server for my users.

@AWRData -- good points!  Spam is still an issue and RBLs are still quite effective in mitigating these unwanted messages.

So just another bump to add this popular idea (32 votes) to the enhancement list. Thanks.
0
Who are you guys using for RBLs ?
RBL hits/matches appear to be in the delivery logs, yes ?
I just checked our delivery logs, and spameatingmonkey.com has not had a single hit in months. And from looking at their website the last update was 2017 ? Are they still in operation ? Time to RBL is often over 16 seconds. - Time (URIBL/RBLS): 2610ms



www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
0
BarracudaCentral.com - registration required, but it's free.
Spamhaus Zen
SpamCop

Never use UCEPROTECT.  It is a scam masquerading as an RBL.

I also run a Barracuda appliance, which is pretty cheap compared to cloud-based alternatives. It is lousy at Sender Authentication, but so was everything else given what I wanted. Currently, I do my own Sender Authentication using Declude custom filters that invoke Python and SQL.

The big win from my Barracuda appliance is the visibility to my mail log.   It has a continuous 90-day history of messages, and these can be searched with a simple web query interface.  From there, you can review message header, review message body, release from quarantine, report messages to them as spam or not spam, and export summaries to Excel.   For more advanced queries, I use SQL against the data that is captured by my custom scripts.   My SQL data does not include message body or message viewer, so Barracuda fills a real need.  Since SmarterMail and Declude lack anything comparable, I cannot imagine operating without it.
0
We are using:
  • Full Bogons
  • Barracuda Central
  • Spamhaus Zen
  • Spamhaus DBL (for domains)
  • Mailspike
  • SpamCop
Unfortunately, almost all of them have changed their queries to be postbacks so that our rejection notification can no longer provide a working link to the RBL's query of the sender IP.
0
Who are you guys using for RBLs ?
RBL hits/matches appear to be in the delivery logs, yes ?
I just checked our delivery logs, and spameatingmonkey.com has not had a single hit in months. And from looking at their website the last update was 2017 ? Are they still in operation ? Time to RBL is often over 16 seconds. - Time (URIBL/RBLS): 2610ms

Maybe try reading the other responses? Including the one in which I posted a link to a website that offers information about various RBLs. 
0
Where do you register for Barracuda's list and what settings are you using for it?  We were using them years ago but am not now, presumably because it stopped working (I don't remember, it's been that long).  It used to be a good RBL. Perhaps I just need to register to use it.

1
It looks like they no longer advertise its ability.   It used to be documented at barracudacentral.org.   The website is there but the information is not.
so for DECLUDE, the supplied rule is
BLOCK-BARRACUDA        IP4R    b.barracudacentral.org        127.0.0.2    15    0
0
Thanks! I've re-added it and will see how it goes.

Dave
