March 4, 2008
It seems that botnet operators are finding a way to bypass real-time blacklists, which list IP addresses that sent spam in the past and are therefore likely to still send spam. The Institute for Internet Security of the German University of Applied Sciences Gelsenkirchen took a 24-hour sample of 17 million requests to the blacklist provided by iX. The analysis shows that one third of the queried IP addresses were requested only once (about 459,000 of 1,351,000).
The day used for this sample was a Saturday, when a 95% spam ratio is normal, so it is realistic to assume that most of these IP addresses were used for sending spam. This leads to the conclusion that a real-time blacklist which lists IP addresses only for a short period can reach a hit rate of only 66 percent. More is possible only with blacklists that block complete ranges permanently, such as lists of dynamic IP ranges.
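The per-address counting behind these figures can be reproduced on any blacklist query log, shown here as an added example (not the Institute's analysis code). It assumes query names in the usual reversed-octet DNSBL form under a hypothetical zone `bl.example.invalid`; the sample log lines are constructed.

```python
from collections import Counter
import ipaddress

ZONE = "bl.example.invalid"  # hypothetical blacklist zone (assumption)

def ip_from_qname(qname, zone=ZONE):
    """Recover the queried IPv4 address from a DNSBL query name, or None."""
    qname = qname.strip().rstrip(".").lower()
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None                      # query for some other zone
    labels = qname[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None                      # not an IPv4 lookup
    try:
        # DNSBL lookups carry the octets in reverse order
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None                      # malformed octets

def single_query_share(qnames, zone=ZONE):
    """Return (distinct IPs, IPs queried exactly once, hit-rate ceiling).

    The ceiling follows the article's reasoning: an address that shows up
    only once in the window is one a short-lived listing cannot catch.
    """
    counts = Counter()
    for q in qnames:
        ip = ip_from_qname(q, zone)
        if ip is not None:
            counts[ip] += 1
    total = len(counts)
    once = sum(1 for n in counts.values() if n == 1)
    ceiling = 1 - once / total if total else 0.0
    return total, once, ceiling

# Constructed sample log (documentation address ranges only)
SAMPLE_LOG = [
    "1.2.0.192.bl.example.invalid",      # 192.0.2.1
    "1.2.0.192.bl.example.invalid.",     # same address, trailing dot
    "7.100.51.198.bl.example.invalid",   # 198.51.100.7
    "7.100.51.198.BL.example.invalid",   # same address, mixed case
    "7.100.51.198.bl.example.invalid",
    "9.113.0.203.bl.example.invalid",    # 203.0.113.9, seen only once
    "www.example.org",                   # unrelated query, ignored
    "999.2.0.192.bl.example.invalid",    # malformed octet, ignored
]

if __name__ == "__main__":
    total, once, ceiling = single_query_share(SAMPLE_LOG)
    print(f"{total} addresses, {once} queried once, ceiling {ceiling:.0%}")
```

Run against a real log, a high share of single-query addresses on a spam-heavy day is the signal the article describes.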