On Fri, 9 Jan 2026, Joseph Tam wrote:
102/189 (54%) were listed by at least one of the RBLs, with the following stats
RBL hits rate rate (>0 hits) (col#1) bl.blocklist.de 93 49% 91% (col#2) auth.spamrats.com 52 28% 51% (col#3) xbl.spamhaus.org 19 10% 19%
You should try one of the other 2 RBLs: they specificaly list brute forcers. I use them as pre-emptive block-on-sight for SMTP auth, and I don't recall ever getting a false positive.
I am embarrassed to discover my RBL statistics have been presented incorrectly. I was intrigued by John Fawcett's statitics which skewed towards XBL, so I re-examined my output, and discovered my RBL columns were mis-ordered
col#1 => xbl.spamhaus.org
col#2 => bl.blocklist.de
col#3 => auth.spamrats.comI ran an analysis from last week's IMAP brutce forcers, which agrees with John's results
Total: 352 IPs
RBL hits rate
xbl.spamhaus.org 181 51%
bl.blocklist.de 82 23%
auth.spamrats.com 31 9%The takeaway is those wanting to use RBLs to combat IMAP brute forcers, Spamhaus XBL is very effective, catching about half of them, with BLDE amd Spamrats contributing some extras.
However, I also did false-positive testing: querying legitimate user IPs against these RBLs. Not blocking legitimate users is far more important than missing a brute forcer, so FP rates ought to be minimized, or its use hedged in some way:
Total: 2366 IPs
RBL hits FP rate
xbl.spamhaus.org 81 3.4%
bl.blocklist.de 0 0%
auth.spamrats.com 25 1.1%Most of the FPs come from, as one would expect, local residential ISPs.
One of the thread responsers posted an auth policy script: catching clients trying to authenticate to unknown or defunct users is another useful complement to RBLs.
Joseph Tam <jtam.home@gmail.com>