February 9, 2007

Most Effective Spam Header Filtering Rules

Tonight I did some analysis on the effectiveness of PTR blocking, and the results are interesting. I exported the spam messages blocked in the past 24 hours by our Barracuda and worked out which PTR blocking regular expressions were the most effective. I wrote about PTR filtering here, and this is a follow-up on how effective it has been.

Okay, first the data and then some explanation.

  1. The data set contains 23,206 messages blocked by PTR filtering
  2. PTR filtering is done via regular expressions on the Barracuda
  3. These rules are designed to block PTR records of hosts on DSL/Cable home connections
Count Rule
8224 X-Barracuda-Connect:.*.*(dsl|cable|broadband).*.*\.([^u0-9][^s0-9]|[a-tv-z]s|u[a-rt-z])\[
7830 X-Barracuda-Connect:.*\d+(\.|-|x)\d+(\.|-|x)\d+(\.|-|x)\d+.*.*\.([^u0-9][^s0-9]|[a-tv-z]s|u[a-rt-z])\[
1222 X-Barracuda-Connect:.*.*res.rr.com
890 X-Barracuda-Connect: p\d+(-|\.).*.*\.jp\[
788 X-Barracuda-Connect: s\d+.*.*shawcable.net...
744 X-Barracuda-Connect: c-.*hsd.*comcast\.net
516 X-Barracuda-Connect: pool-
383 X-Barracuda-Connect:.+-.+-.+-.+.*\.([^u0-9][^s0-9]|[a-tv-z]s|u[a-rt-z])\[
378 X-Barracuda-Connect: \d+\.Red-\d+-\d+-\d+\.
260 X-Barracuda-Connect: [0-9]+-[0-9]+-[0-9]+-[0-9]+\.dhcp\.*.*\[
238 X-Barracuda-Connect:.*.*\.dynamic(ip)?\.
225 X-Barracuda-Connect:.*.*(-|\.)ppp
199 X-Barracuda-Connect:.*.*dial[-upin]{0,3}
193 X-Barracuda-Connect: user-.*\.mindspring\.com\[
167 X-Barracuda-Connect:.*.*ppp(\d+|(.)?)(-|\.)
157 X-Barracuda-Connect: *.*\.adsl-dhcp.tele.dk\[
133 X-Barracuda-Connect: [a-z]+\d+-\d+-\d+-\d+-\d+-\d+\.fbx\.proxad\.net\[
129 X-Barracuda-Connect: (host|pc|h-)\d+-\d+\..*\.pl\[
104 X-Barracuda-Connect: chello\d+\.chello\.([^u0-9][^s0-9]|[a-tv-z]s|u[a-rt-z])\[
88 X-Barracuda-Connect: (dsl|dial|host).*.*pool
67 X-Barracuda-Connect: (ip|c)[0-9a-f]{8}\.(speed|cable).*\.nl\[
60 X-Barracuda-Connect: ([a-z]{2}\d+|\d+-\d+).*is\.net\.pl\[
42 X-Barracuda-Connect:.*(dsl|ppp)-\d+-\d+-\d+-\d+.*(pacbell\.net|cox\.net)\[
38 X-Barracuda-Connect: c\d+\.virtua\.com\.br\[
35 X-Barracuda-Connect:.*\.opt2\.point\.ne\.jp
29 X-Barracuda-Connect: ip-\d+-\d+-\d+-\d+\.cust\.homechoice\.net\[
26 X-Barracuda-Connect:.*.*ppp(oe|ool)
15 X-Barracuda-Connect:.*\d+(\.|-|x)\d+(\.|-|x)\d+(\.|-|x)\d+.*.*\.([^u0-9][^s0-9]|[a-tv-z]s|u[a-rt-z])\[)
8 X-Barracuda-Connect: dpc\d+\.direcpc
7 X-Barracuda-Connect: [0-9a-f]{8}\.cps.*\.br\[
5 X-Barracuda-Connect: host\d+\..*\.ar\[
4 X-Barracuda-Connect: \d+-\d+\.us\.ool\.fr\[
2 X-Barracuda-Connect: m\d+\.c\d+\..*\.pl\

A couple of interesting observations:

  1. The top two rules do 69% of the work.
  2. The other 32 rules do the remaining 31% of the work.
  3. Any additional rules will only affect the last 30% or so.

While PTR filtering only blocks an additional 5% of incoming mail, that 5% comes off the top end, where it matters most. Why does such a small slice make a noticeable difference to users? Take a look at our spam stats for the last month or so:
Spam Stats Graph

That's from one of our spam filters so the stats only represent about half the data.

Since users never see any of the blocked messages (red), the only place we can make a noticeable impact is in the allowed (green) messages. Previously, allowed messages made up about 10% of the total messages. By filtering an additional 5% off the top, we've doubled our spam filtering effectiveness. Not bad for a few regular expressions. :)

Unfortunately, the ironic side effect of this is that users will get used to the lower rate of spam. When spammers figure out a way to increase the penetration rate again (green bars grow), we'll be getting complaints. For now, I'll just be enjoying the lower level of spam while it lasts.



5 comments already

Casey Woods on 02.09.2007 at 1:39 am

Some day I’ll get a client who has enough money to afford a Barracuda…

I’m surprised that first rule doesn’t block a bunch of legitimate mail coming from smaller companies on DSL and cable modems?

Sebastian on 02.09.2007 at 6:06 am

Why not use a DNS Blacklist service? I’m not sure how to configure Barracuda to do so, but I always set up postfix to reject messages from known open relays, dynamic IP address ranges and a few other blacklists using reverse DNS lookup.

My current list includes: list.dsbl.org, sbl.spamhaus.org, cbl.abuseat.org, and dul.dnsbl.sorbs.net

Check http://www.sorbs.net, http://www.spamhaus.org or cbl.abuseat.org for more info.

Ben Wong on 02.09.2007 at 9:22 am

@Casey:

That’s why I wrote the post on relaying email through your ISP with FreeBSD. I was blocking messages coming from my own development server on Shaw. Ultimately, it is worth the trade-off. The amount of legitimate email coming from these connections, I would guess, is less than one in 20,000 (if that). I’d rather be blocking all that spam and having companies relay correctly through their ISP.

@Sebastian:

I do use RBLs. They actually block about 400,000 spam messages a day. However, the lists aren’t current enough to tackle all the spam zombies hitting our system daily. That’s where PTR blocking has picked up the slack. Spam still makes it through, but it has dropped significantly.

These are the blacklists I use:

combined.njabl.org
zen.spamhaus.org
list.dsbl.org

To give you an idea of how much these lists block, yesterday:

combined.njabl.org - ~210K spams
zen.spamhaus.org - ~160K spams
list.dsbl.org - ~20K spams.

I’m sure there are dupes between the lists, so whichever one is checked first usually blocks more zombies.

Dean on 07.03.2007 at 12:36 pm

How did you measure which PTR rules blocked the most SPAM? I’m trying to use the rules you listed, but want to measure their effectiveness in our environment. I don’t see anything under the Reporting tab on my Barracuda that will show me this information. Any help will be appreciated.

Ben Wong on 07.05.2007 at 1:38 pm

I used the Message Log, filtered based on type of blocking (header), exported the results to CSV and then used Excel to measure them. It’s not great, but it worked for the test.
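The measurement step above (and the "dupes between the lists" point earlier in the thread) can be scripted instead of done in Excel. The following is an added example, not code from the post or from Barracuda: it runs a subset of the post's PTR rules, in order, over constructed X-Barracuda-Connect header lines and counts hits both first-match-wins (what the appliance log reflects) and any-match (which shows how much the rules overlap). The hostnames and IPs are made up; the last header stands in for a legitimate mail server that the rules should leave alone.

```python
import re
from collections import Counter

# A subset of the post's Barracuda PTR header rules, in the order the
# appliance checks them (the first matching rule blocks the message).
RULES = [
    r"X-Barracuda-Connect:.*.*(dsl|cable|broadband).*.*\.([^u0-9][^s0-9]|[a-tv-z]s|u[a-rt-z])\[",
    r"X-Barracuda-Connect:.*\d+(\.|-|x)\d+(\.|-|x)\d+(\.|-|x)\d+.*.*\.([^u0-9][^s0-9]|[a-tv-z]s|u[a-rt-z])\[",
    r"X-Barracuda-Connect: c-.*hsd.*comcast\.net",
    r"X-Barracuda-Connect: pool-",
    r"X-Barracuda-Connect:.*.*\.dynamic(ip)?\.",
]
COMPILED = [re.compile(r) for r in RULES]

# Constructed header lines (hostnames and IPs are made up for illustration).
# Note the trailing "\[" in the first two rules: they only fire on two-letter
# TLDs other than .us, so a .com or .net host with "dsl" in it is NOT caught,
# while a business mail server under .fr with "dsl" in its name is.
SAMPLE_HEADERS = [
    "X-Barracuda-Connect: dsl-10-1-2-3.example.de[192.0.2.10]",        # rules 0 and 1
    "X-Barracuda-Connect: 192-0-2-44.dyn.example.pl[192.0.2.44]",      # rule 1
    "X-Barracuda-Connect: c-192-0-2-7.hsd1.ca.comcast.net[192.0.2.7]", # rule 2
    "X-Barracuda-Connect: pool-192-0-2-99.example.com[192.0.2.99]",    # rule 3
    "X-Barracuda-Connect: 192-0-2-8.dynamicip.example.ru[192.0.2.8]",  # rules 1 and 4
    "X-Barracuda-Connect: mail.dsl-business.example.fr[192.0.2.20]",   # rule 0 (likely false positive)
    "X-Barracuda-Connect: mail.example.com[192.0.2.5]",                # nothing
]

def score_rules(headers, rules=COMPILED):
    """Return (first_hit, any_hit, unmatched).

    first_hit counts blocks per rule index with first-match-wins semantics;
    any_hit counts every rule that would have matched, exposing overlap;
    unmatched lists header lines no rule caught.
    """
    first_hit, any_hit, unmatched = Counter(), Counter(), []
    for line in headers:
        hits = [i for i, rx in enumerate(rules) if rx.search(line)]
        if not hits:
            unmatched.append(line)
            continue
        first_hit[hits[0]] += 1
        for i in hits:
            any_hit[i] += 1
    return first_hit, any_hit, unmatched

if __name__ == "__main__":
    first, overlap, missed = score_rules(SAMPLE_HEADERS)
    for i, rx in enumerate(COMPILED):
        print(f"{first[i]:>3} first-match / {overlap[i]:>3} any-match  {rx.pattern}")
    print("unmatched:", missed)
```

Feeding the exported Message Log's header column in place of SAMPLE_HEADERS gives the same per-rule counts as the post's table; a large gap between the any-match and first-match columns for a rule means an earlier rule is already doing its work.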
