spam filtering software

 

Notorious downside of RBLs

A very effective tool, these Real Time Blacklists (RBLs). The idea is that people, regular users, can report sources of spam, and the SMTP server checks each incoming email to see if its source is on the blacklist. In theory, it looks pretty good. If a spammer sends us loads of spam, we report them, they are added to the RBL, and voilà, we'll accept no more email from that source. If the source cleans up its act (perhaps an organization with viruses sending out spam), then it can request removal from the list.

Indeed, almost any domain you can think of is probably flagged on some RBL or another as a source of spam. Any use of an RBL needs to be considered as part of an overall strategy: just one tool in the toolbox. An email source matching an RBL entry should not immediately be tagged as spam. A better practice is to add some amount of spam points to the overall spam score.

A tried and true spam filtering strategy skims off emails scoring 6 points and higher as spam, and anything scoring below 6 points is allowed through the delivery path as ham. With the default SpamAssassin scores in place, an RBL hit score of 4 points is a very effective value. A score of 4 points is significant when measured against a threshold of 6 points: an email that hits on an RBL must still contain some attributes of spam to tip the threshold of 6 points, but not by much.

Most organizations have little to zero tolerance for false positives. Some big business deal that's in the works could be blown, or legal liability could be left exposed. A false positive has only one chance of being caught: by an administrator or his assistant in charge of scanning spam pits for false positives. With hundreds or even thousands of spams to review, it is unlikely that a false positive will be identified by the tired human eye doing the scanning.

Due to the level of false positives, any use of RBLs needs to be treated as just one tool in the overall spam filtering toolbox. Blocking emails based solely on RBL feedback is bad policy. A much better implementation of RBLs is to add some spam score points to the overall spam score, and then evaluate the worthiness of an email after all the filtering and scoring mechanisms have been applied.
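
The two policies side by side, as an added example that is not part of the original article: it compares blocking on the RBL hit alone with adding 4 points toward the 6-point threshold. The message names, content scores and spam/ham labels are constructed sample data, and the function names are hypothetical; only the threshold and the RBL weight come from the text.

```python
from dataclasses import dataclass

SPAM_THRESHOLD = 6.0   # from the text: 6 points and higher is treated as spam
RBL_HIT_SCORE = 4.0    # from the text: points added for an RBL hit

@dataclass
class Message:
    name: str
    content_score: float  # points from all non-RBL rules (constructed value)
    rbl_listed: bool      # sending source appears on an RBL
    is_spam: bool         # ground truth, used only to count mistakes

def total_score(msg):
    """Content score plus the RBL weight when the source is listed."""
    return msg.content_score + (RBL_HIT_SCORE if msg.rbl_listed else 0.0)

def hard_block(msg):
    """Policy the text warns against: an RBL hit alone marks the mail as spam."""
    return msg.rbl_listed or msg.content_score >= SPAM_THRESHOLD

def additive(msg):
    """Policy the text recommends: the RBL hit is one contribution to the score."""
    return total_score(msg) >= SPAM_THRESHOLD

def evaluate(policy, messages):
    """Return (false positives, false negatives) as lists of message names."""
    fp = [m.name for m in messages if policy(m) and not m.is_spam]
    fn = [m.name for m in messages if not policy(m) and m.is_spam]
    return fp, fn

# Constructed sample mail, not real traffic.
SAMPLES = [
    Message("invoice, listed shared host", 0.8, True, False),
    Message("newsletter, listed mail provider", 1.9, True, False),
    Message("sales pitch, listed host", 2.5, True, False),
    Message("pharma spam, listed source", 3.1, True, True),
    Message("obvious spam, unlisted source", 7.4, False, True),
    Message("borderline spam, unlisted source", 4.5, False, True),
]

if __name__ == "__main__":
    for policy in (hard_block, additive):
        fp, fn = evaluate(policy, SAMPLES)
        print(f"{policy.__name__}: false positives={fp} false negatives={fn}")
```

The "sales pitch" message is still misfiled under the additive policy because 2.5 + 4 crosses the threshold, which is the "but not by much" margin the text describes.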