
How do your Blacklist Stats Compare?

IP reputation and blacklists are among the most effective and common ways of blocking spam at ISP and telco email servers, but which ones are effective, and how do they compare?

Well, it depends of course on the type of ISP and the demographics of its users. For instance, ISPs with a large user base on one domain will suffer from different patterns than an ISP with hundreds of domains but only 1000 accounts.

LinuxMagic MagicMail Servers have had a built-in ability to monitor the performance of individual blacklists in use for some time now, and it might be helpful to other administrators to look at example stats from live environments to compare how their choices in active blacklists or IP reputation blocking may stack up. Blocking by IP reputation can reduce overhead and bandwidth significantly compared with traditional filtering.

In the first example, an ISP of more than 100k users was examined and compared with one of the leaders in the industry, Spamhaus, which was still the single most effective list tested. The stats do show that a combination of lists is the most effective, blocking approximately 75% of all inbound connections. (Rate limiting stops the worst offenders; otherwise this number would be much higher.) Spamhaus has several lists available, and at the time of writing, comparison was only made against the XBL list for the larger ISP. (It should be noted that ZEN will have a higher rate of blockage.) XBL alone could block approximately 50% of the traffic.

The second most effective list would be the UCE-PROTECT lists, at approximately 30-50% depending on the use of UCE-1 or UCE-2. PSBL and SORBS-DUL came in around 27% and SPAMRATS came in around 12%. Many IP addresses on various lists overlap, with unique counts generally being less than 10%.

One noted exception is MIPSPACE, but this is not a blacklist per se but a listing of companies and networks allowing or engaging in commercial email marketing, as opposed to the more traditional sources of spam. Over the last year, this type of email has shown the most aggressive increase, reaching 10% of all inbound connections.

Looking at a smaller ISP with many domains, e.g. a hosting company, we see a different trend. IP reputation is much more important. 88% of all inbound connections are blocked with IP reputation, and in this case we have numbers on Spamhaus ZEN, which show it as the single most effective list, with 80% blockage rates. (Again, these numbers might have been higher without rate limiters in effect.) UCE again is the second most effective, with approximately 40-50% blockage rates, depending on the use of UCE 1, 2 or 3. PSBL shows a higher capture rate in this environment as well, with approximately 40% blockage rates, as does SORBS-DUL at 38%.

SORBS also shows a slightly higher rate of uniques in this environment. SPAMRATS in this case also increases to 18%.

There are many other reputation lists available, and it is up to individual administrators to weigh their effectiveness against the risk of false positives, but it is still obvious that IP reputation checks in the email server are the single most productive tool at your disposal. Even the smallest list tested had over 1 million IPs that have been determined to have been used to launch either spam attacks or dictionary attacks.
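
To produce the same kind of figures for your own server (per-list blockage rate, unique hits, and the combined rate), the added example below tallies them from a connection log. It is not MagicMail code: the log format, the sample lines and the function names are constructed for illustration, and "unique" is assumed to mean a connection matched by exactly one list.

```python
from collections import Counter

# Constructed sample: one line per inbound connection, followed by the lists
# that matched the connecting IP ("-" = no list matched). Hypothetical format.
SAMPLE_LOG = """\
192.0.2.10 xbl,uce-1,psbl
192.0.2.11 xbl
198.51.100.7 uce-1,sorbs-dul
198.51.100.8 -
203.0.113.5 spamrats
203.0.113.6 xbl,psbl
203.0.113.7 -
192.0.2.12 psbl,sorbs-dul
"""

def parse(log):
    """Return one set per connection: the DNSBLs that matched it."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        rows.append(set() if parts[1] == "-" else set(parts[1].split(",")))
    return rows

def blacklist_stats(rows):
    """Per-list hit and unique-hit percentages, plus the combined block rate."""
    total = len(rows)
    if total == 0:
        return {}, 0.0
    hits, unique = Counter(), Counter()
    for matched in rows:
        hits.update(matched)
        if len(matched) == 1:  # no other list would have blocked this one
            unique.update(matched)
    per_list = {
        name: {"hit_pct": 100 * hits[name] / total,
               "unique_pct": 100 * unique[name] / total}
        for name in hits
    }
    # A connection counts once toward the combined rate however many lists hit.
    combined = 100 * sum(1 for m in rows if m) / total
    return per_list, combined

if __name__ == "__main__":
    per_list, combined = blacklist_stats(parse(SAMPLE_LOG))
    for name, s in sorted(per_list.items(), key=lambda kv: -kv[1]["hit_pct"]):
        print(f"{name:10s} hits {s['hit_pct']:5.1f}%  unique {s['unique_pct']:5.1f}%")
    print(f"combined   {combined:5.1f}%")
```

A list with a high hit rate but a unique rate near zero adds little beyond the lists already in use, so the unique column is the one to weigh against that list's false-positive risk.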
