Block 99.4% of spam using only Spamhaus’s blocklists and SpamAssassin

2019-03-22 15:20:00 UTC   |   by Milly Fawcett   |   Category:  security

In Virus Bulletin’s recent VBSpam Test, Spamhaus’s data blocked 99.43% of spam with 0.02% false positives. That’s pretty impressive, but what’s changed between Dec 2018 and Mar 2019 to send Spamhaus’s block lists up the leader board?

Maximizing Performance

Formula 1 teams spend months fine-tuning their racing cars to maximize speed and handling capabilities. They understand the complexities and nuances of their individual cars and tune them accordingly.

While we are not likening the Spamhaus team to Ferrari (although the speed at which some of our team move when the word “beer” is mentioned is pretty pacy), we are drawing a parallel: the Spamhaus team know their data-sets better than anyone, so who better to fine-tune SpamAssassin rules to maximize the performance of Spamhaus's block lists within SpamAssassin?


We don’t want to teach you to suck eggs…

If you’re reading this, it’s highly likely that you understand what role SpamAssassin plays in the email delivery infrastructure, in which case we recommend you skip to “What’s changed?” However, for those of you who are new to the world of blocking spam email, here’s a quick introduction:


A basic lesson in blocking spam

There are 2 layers of defense when it comes to blocking spam email. The first is at the Simple Mail Transfer Protocol (SMTP) layer. Here, several checks can take place including the examination of the connecting Internet Protocol (IP) address and the connecting domain. The domain can be checked at three stages:
  • The HELO/EHLO parameter
  • The sender’s envelope address
  • The reverse Domain Name System (DNS) record of the connecting IP
As shown by the other "classic" VBSpam tests using our data, the percentage of spam caught at the SMTP stage is between 97% and 98%. However, neither the email header nor the message body is inspected at this stage; in fact, the SMTP transaction is normally terminated with an immediate rejection before the message is actually transmitted.
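
To make the SMTP-layer checks above concrete, this added example (not Spamhaus's code or configuration) builds the DNS query names an MTA would look up for the connecting IP and for the domain at each of the three stages, following the RFC 5782 DNSBL convention. The zone names and session values are placeholders constructed for illustration.

```python
import ipaddress

# Placeholder zones (assumptions): substitute the zone names from your own
# DNSBL or DQS configuration.
IP_ZONE = "ip-list.dnsbl.example"
DOMAIN_ZONE = "domain-list.dnsbl.example"

def ip_query_name(ip, zone=IP_ZONE):
    """RFC 5782 query name: reversed IPv4 octets or reversed IPv6 nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is checked as plain IPv4
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])

def domain_query_name(domain, zone=DOMAIN_ZONE):
    """Domain lists are queried as <domain>.<zone>; None if nothing to check."""
    domain = domain.strip().rstrip(".").lower()
    if not domain or domain.startswith("["):  # empty, or address literal in HELO
        return None
    try:
        ipaddress.ip_address(domain)  # bare IP given as HELO: not a domain
        return None
    except ValueError:
        return f"{domain}.{zone}"

def smtp_stage_queries(client_ip, helo, mail_from, rdns):
    """Queries for the connecting IP and the three domain checkpoints."""
    sender = mail_from.strip("<>")
    sender_domain = sender.rsplit("@", 1)[1] if "@" in sender else ""  # "<>" bounce
    queries = {"ip": ip_query_name(client_ip)}
    for stage, value in (("helo", helo), ("mail_from", sender_domain), ("rdns", rdns or "")):
        name = domain_query_name(value)
        if name:
            queries[stage] = name
    return queries

# Constructed session values (documentation address ranges and example domains).
SESSION = dict(client_ip="192.0.2.25", helo="mail.example.net",
               mail_from="<bounce@news.example.com>", rdns="host25.example.org.")

if __name__ == "__main__":
    for stage, name in smtp_stage_queries(**SESSION).items():
        print(f"{stage:10} {name}")
```

Each name is resolved as an A record: an answer means the item is listed and the transaction can be rejected, while NXDOMAIN means it is not listed.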

Inspection of content happens at the next step, after message acceptance, and more often than not is undertaken by SpamAssassin. Supported by the Apache Foundation, SpamAssassin is a widely used, open-source (i.e. free), intelligent email filter used to identify spam. It is utilized in one of the following ways:
  • As a standalone application
  • As a subprogram of another application e.g. SA-Exim, MailScanner, Amavis, etc.
  • As a client (spamc) that communicates with a daemon (spamd)
Users of SpamAssassin can employ block lists from various sources, including Spamhaus. The data from the email header and contents is checked against the data in the block lists and scored to determine whether it should be considered as spam, or not.


What’s changed?

Until recently, those using SpamAssassin and Spamhaus’s block lists had to rely on the programme’s default configuration, or manually change SpamAssassin’s configuration based on what the user believed to be the best settings.

Now, users no longer have to rely on intuition or the defaults: we have created settings to maximize the effectiveness of our block lists. We’ve introduced new analysis for the headers and tweaked both the rules and weighted scoring.

With these simple changes, you can achieve very similar results to those obtained using an expensive mail filter product, all for the cost of a subscription to Spamhaus’s Block lists via the Data Query Service (DQS).


How do I get my hands on these recommended settings?

Firstly, it’s worth noting that this will only work for subscribers to the Spamhaus DQS. Additionally, you need access to all our block lists, i.e., Spamhaus’s Domain Policy Block List (DBL), Zero Reputation Domain (ZRD) and Spamhaus’s ZEN service, which includes the Spamhaus Block List (SBL), the Exploits Block List (XBL) and the Policy Block List (PBL).

With all the above in place, just go to https://docs.spamhaustech.com/, find ‘Data Query Service using SpamAssassin’, and download the instructions and Spamhaus's SpamAssassin add-on. Naturally, if you are using a subprogram with SpamAssassin, you will need to amend accordingly.

Why wouldn’t you want to maximize the capabilities?


N.B. The VBSpam results refer to the test configuration where Spamhaus's data-sets were the only ones used: lookups to all other services supplying data were disabled. This was our choice, to keep under observation how far we can go "all alone". SpamAssassin users will get better results, particularly in the malware and phishing areas, by turning on services that deeply analyse mail contents such as the ClamAV open source anti-malware engine. The Spamhaus DQS in conjunction with an anti-malware engine would bring the overall scoring to the level of vastly more expensive mail filter products.

Article Information

Permanent link to this news article:
Block 99.4% of spam using only Spamhaus’s blocklists and SpamAssassin
http://www.spamhaus.org/news/article/782/block-99.4-of-spam-using-only-spamhauss-blocklists-and-spamassassin

Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2019 The Spamhaus Project SLU. All rights reserved.