Hi. This is Rob McEwen from invaluement.com ...someone here asked about getting Kerio to work with rsync as a means to access invaluement data. well... ACTUALLY... that isn't needed because there IS an option to do direct queries with invaluement.com and I'm very sorry about the confusion on our web site regarding that.

First, direct queries were not an option for invaluement until about 20 months ago (from the time I type this). But we didn't want to widely publicize that fact for two reasons (1) we wanted to continue to discourage DOS attacks from spammers, making them think that there is no DNS server to attack--and actually, for our protection, those direct queries are answered from a secret IP not advertised via DNS. (2) we wanted to discourage misunderstandings where a subscriber would accidentally publicly post our zone names and then other non-subscribers would mistakenly think that those zones would work if added to the DNSBLs for their spam filter. Even though such queries would be denied, this still could add up to lots of wasted resources over time. Therefore, it really is true that "direct queries don't work"--they just don't work for non-subscribers! But, again, we're trying to figure out how to re-word our website to avoid this confusion, yet without attracting the undesirable attention I described!

There is, however, one critical requirement for direct queries--the subscriber MUST have their own DNS resolver. Specifically, the DNS servers pointed to in the IPv4 TCP/IP settings of the NIC card for the computer running Kerio... must point to a locally hosted DNS caching server... and ONLY point to that server. (not to that org's ISP's or datacenter's or hoster's DNS server). Why? Because we delegate permissions for the queries on an IP by IP basis.

At the same time, Kerio has this very cool feature where you can tell it to use the DNSBL's DNS server directly for any DNSBL you add. That is a GREAT idea and theoretically takes care of the need to point to one's own DNS resolver. However, unfortunately that particular solution is not compatible with invaluement. Why? Because... (1) our queries are served by a DNS server that is NOT "advertised" via DNS, giving that particular server more protection, (2) this solution from Kerio only even tries to help with sender-IP blacklists and doesn't cover URI/domain blacklists such as our ivmURI list.

But the "local resolver" requirement isn't rocket science and about 1/2 of our potential subscribers are ALREADY doing this anyways! The other 1/2 usually find that setting up a local resolver is a great idea and is a request that isn't that difficult or time consuming. On occasion, the subscriber will find that for SOME strange reason their DNS resolver is overloading (not having anything to do with our lists) and they want to go back to using their ISP's resolver... but they can have the best of both by simply programming their resolver to go to their hoster's DNS servers for answers (instead of the root servers and authoritative servers). That setting is also a common situation. Again, nothing exotic or tricky here.

THEN... for testing/using invaluement, the potential subscriber simply adds a few "conditional forwarders" to their local DNS resolver telling it to go to a particular IP when resolving the invaluement queries. (i.e., for queries ending in particular host names). Next, the setup is finished by adding two DNSBL host names to Kerio's list of DNSBLs, and copying a rule file to a folder in Kerio, then restarting Kerio. That is it!

Ironically, as complicated as this all SOUNDS (at first glance)... for those who already have SOME caching DNS server running locally, the time it takes for the entire setup is usually FASTER than the time it took me to even type this post. I've talked people through the ENTIRE setup on the phone in less than 10 minutes!

At this point in time, invaluement is still relatively small and unknown. But we do have a top-5 US ISP as a subscriber, as well as two fortune 100 technology companies... not bad considering we've never spent a dime on advertising and this was all from "word of mouth" and/or people impressed by seeing what we caught that all the other lists missed, as they did lookups at MXToolbox, etc. So far, (at the time I type this), of all of our hundreds of customers, only a grand total of 5 Kerio users have EVER tried out our product. But the amazing news is that ALL 5 were very pleased with the results of the testing and decided to subscribe, and CONTINUE to be active subscribers as of my typing this sentence! (That is an amazing 100% tester-to-subscriber conversion rate--actually, our overall conversion rate is quite high). So there is a high percentage chance than anyone reading this would find the cost-benefit ratio of subscribing to our lists to be fantastic! (NOTE: we only started tracking our subscribers' software/hardware setup starting about 2 years ago.)

Finally, after filling out a questionnaire, we respond back with very specific step-by-step instructions for those who desire to implement our free 15-day trial.

Hope this helps. Thanks for the interest!

1 month after reconfiguring our spam filters:

- we're only kerio's builtin features

spam is down to nearly 10 messages per day, for 100 users. that means 1 message per 10 users.
one message ist filtered through several dns request, spam assassin and some custom rules, adding score by subject filters

the subject filters took about one week, by daily adjusting and manually checking already tagged mails

What was your spam count prior to the changes?

Thanks.

Cheers,
Jon