DevHeads.net

rbl clients.

Please see below my smtpd_recipient_restrictions. On my rbl client list I
have multiple entries, but not sure how many of them are actually maintained. Is
there one single place where I can find such a list? Any help is greatly
appreciated.

smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
    reject_invalid_hostname, permit
smtpd_recipient_limit = 300
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    reject_invalid_hostname, reject_unauth_pipelining,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client multihop.dsbl.org, permit

~LA

Comments

Re: rbl clients.

By Res at 03/18/2009 - 22:40

As others have mentioned, some of these have been dead for a long time,
and with others, you are doing twice the work, since some RBLs interact
with each other.

We find the following work great. Some recommend using spamhaus first; on
my private mail server I use it last, to keep under their 'hits per day'.
I don't use spamhaus on employers because of the 'hits per day', and I
can't justify the rates they want. I find even at home I only get one or
two hits in a blue moon from spamhaus because SORBS and spamcop end up
stopping pretty much all of it.

Privately I use:
reject_rbl_client dnsbl.njabl.org
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client bl.spamcop.net
reject_rbl_client b.barracudacentral.org (you need to register, but it's free)
reject_rbl_client zen.spamhaus.org

commercially we use:
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client bl.spamcop.net
reject_rbl_client b.barracudacentral.org

and along with things like

reject_unknown_client_hostname
reject_unknown_helo_hostname
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient

We also use sendmail's milter-regex; with all these combined, it's rare
spam gets through to MailScanner to deal with.

(milter regex rules used: http://kb.ausics.net/sendmail/milter-regex.conf)

Re: rbl clients.

By Linux Addict at 03/18/2009 - 22:40

Thank you everyone!! Lot of information.

Re: rbl clients.

By Peter Blair at 03/18/2009 - 22:39

http://stats.dnsbl.com/

As Victor said, ZEN is usually enough for most people, but it's always
good to know why you're not using the rest.

Re: rbl clients.

By Victor Duchovni at 03/18/2009 - 22:39

Replace all of them with just:

reject_rbl_client zen.spamhaus.org

If this still leaves you with way too much junk to filter with a content
filter, and you can afford to be more aggressive, add just

reject_rbl_client bl.spamcop.net

avoid all the rest, especially the ones long dead.

Make sure your DNS cache is not using an ISP upstream forwarder.

If your traffic is high enough, buy a SpamHaus data feed.

Re: rbl clients.

By =?UTF-8?B?UGF3Z... at 03/18/2009 - 22:39

Victor Duchovni wrote:

On my server I get the following results in logs (last 4 days):
$ ~/dnsblcount /var/log/mail.1
zen.spamhaus.org 3438
ips.backscatterer.org 98
hostkarma.junkemailfilter.com=127.0.0.2 28
bl.spamcannibal.org 17
cbl.abuseat.org 3
=================================================
Total DNSBL rejections: 3584

$ ~/dnsblcount /var/log/mail.2
zen.spamhaus.org 6938
ips.backscatterer.org 115
hostkarma.junkemailfilter.com=127.0.0.2 67
t1.dnsbl.net.au 33
bl.spamcannibal.org 13
dnsbl-1.uceprotect.net 3
bl.spamcop.net 2
=================================================
Total DNSBL rejections: 7171

$ ~/dnsblcount /var/log/mail.3
zen.spamhaus.org 10810
hostkarma.junkemailfilter.com=127.0.0.2 164
ips.backscatterer.org 80
bl.spamcannibal.org 24
dnsbl.njabl.org 7
dnsbl-1.uceprotect.net 4
cbl.abuseat.org 2
=================================================
Total DNSBL rejections: 11091

$ ~/dnsblcount /var/log/mail.4
zen.spamhaus.org 10875
hostkarma.junkemailfilter.com=127.0.0.2 98
bl.spamcannibal.org 25
ips.backscatterer.org 10
dnsbl.njabl.org 2
cbl.abuseat.org 1
=================================================
Total DNSBL rejections: 11011

As you can see, cbl.abuseat.org, which is included in zen.spamhaus.org,
gives some more results than zen (actually it's simple - the update takes
some time).
backscatterer and spamcannibal are used only for <> and postmaster senders.
dnsbl-1.uceprotect.net gave me only false positives so it's turned off now.
I'm also using t1.dnsbl.net.au and bl.spamcop.net (this one I've got
right after zen.spamhaus) - no results in the last 4 days, but still testing.
I have a total of ~5-20k SMTP sessions per day which get to rbl tests.
So after testing zen.spamhaus.org it's about 1 to 10k tests left to be
done. (And while I have a local DNS server it's an even smaller number of DNS
checks with BLs.) I think that most people here will say that it's
(at least) stupid to have only ~0.1% more spam filtered with one more
rbl check (with that low SMTP traffic).

Anyway, before rejecting mails with any BL (besides those really "well
known", like the two Victor gave), check that those won't give you too
many false positives.

I'd also recommend lowering smtpd_recipient_limit from 300 to some
reasonable amount, unless you really use those "large" bulk mailings.

Pawel
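The per-zone counts above can be reproduced with a short script. The following is an added example, not the dnsblcount script the poster ran; the log lines are constructed, and the function names and the share threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Postfix logs a DNSBL reject as "... reject: ... blocked using <zone>; ...".
# A "zone=value" filter (as in the hostkarma rows above) is kept as one key.
BLOCKED = re.compile(r"reject: .*? blocked using ([^;\s]+)")

def count_dnsbl_rejects(lines):
    """Count rejections per DNSBL zone in an iterable of Postfix log lines."""
    counts = Counter()
    for line in lines:
        m = BLOCKED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def marginal_zones(counts, min_share=0.01):
    """Zones whose share of all DNSBL rejects is below min_share.

    Restrictions are evaluated in order and the first rejecting list gets
    the log line, so a later zone's count is only what earlier zones missed.
    """
    total = sum(counts.values())
    return sorted(z for z, n in counts.items() if total and n / total < min_share)

# Constructed sample log lines (documentation addresses, hypothetical host "mx").
TEMPLATE = ("Mar 18 22:39:0{i} mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT "
            "from unknown[192.0.2.{i}]: 554 5.7.1 Service unavailable; Client "
            "host [192.0.2.{i}] blocked using {zone}; from=<a@example.com> "
            "to=<b@example.net> proto=SMTP helo=<x.example>")
SAMPLE_LOG = [TEMPLATE.format(i=i, zone=z) for i, z in enumerate(
    ["zen.spamhaus.org"] * 4 + ["bl.spamcop.net"], start=1)]
# A reject that is not DNSBL-based and must not be counted.
SAMPLE_LOG.append("Mar 18 22:39:09 mx postfix/smtpd[2101]: NOQUEUE: reject: "
                  "RCPT from unknown[192.0.2.9]: 554 5.7.1 <c@example.org>: "
                  "Relay access denied; from=<a@example.com> "
                  "to=<c@example.org> proto=SMTP helo=<x.example>")

if __name__ == "__main__":
    counts = count_dnsbl_rejects(SAMPLE_LOG)
    for zone, n in counts.most_common():
        print(f"{zone} {n}")
    print("Total DNSBL rejections:", sum(counts.values()))
    print("Below 25% share:", marginal_zones(counts, 0.25))
```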

Re: rbl clients.

By Rik at 03/18/2009 - 22:39

Currently this is free too:

b.barracudacentral.org

It's used in the Barracuda Spam Firewalls as the default 'reputation'
filter. I find it kills more than zen myself, and they have a UK based
support operation that deals with false positives that you can *call* on
the phone and get a sensible answer from.

However, respect none the less to Spamhaus for what they have done.

Ironically the growth of the Barracuda List has largely come from
Spamhaus shooting themselves in the foot trying to charge Barracuda
owners for a feed. My guess, however, is Barracuda will eventually
charge too - but at this time it is completely free. They do ask for
registration but the truth is it works fine without it.

Test it before deployment like this (from a recent spammer at
188.16.211.205);

dig 205.211.16.188.b.barracudacentral.org

Presence of the answer section in the typical 127.0.0.X indicates
positive - just like the other RBLs.
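The dig test above, generalised into a check of whether a zone is still usable at all, which is what the original question asks. This is an added example, not code from the thread: it relies on the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not), and the `.example` zone names and the fake resolver are constructed so it runs offline.

```python
import ipaddress
import socket

def dnsbl_qname(ip, zone):
    """Reverse the IPv4 octets and append the zone, as in the dig query."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(qname):
    """Return the A records for qname, or [] on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []

def is_listed(ip, zone, resolve=system_resolver):
    """Listed means at least one answer in 127.0.0.0/8."""
    return any(a.startswith("127.") for a in resolve(dnsbl_qname(ip, zone)))

def zone_health(zone, resolve=system_resolver):
    """Classify a zone before putting it behind reject_rbl_client."""
    test_hit = is_listed("127.0.0.2", zone, resolve)   # must be listed
    bogus_hit = is_listed("127.0.0.1", zone, resolve)  # must never be listed
    if bogus_hit:
        return "lists-everything"   # would reject all mail if used
    if test_hit:
        return "ok"
    return "dead-or-blocked"        # no answers: gone, or refusing this resolver

# Constructed answers standing in for DNS (hypothetical zones).
FAKE_DNS = {
    "2.0.0.127.alive.dnsbl.example": ["127.0.0.2"],
    "2.0.0.127.wildcard.dnsbl.example": ["127.0.0.2"],
    "1.0.0.127.wildcard.dnsbl.example": ["127.0.0.2"],
}

def fake_resolver(qname):
    return FAKE_DNS.get(qname, [])

if __name__ == "__main__":
    for z in ("alive", "wildcard", "gone"):
        zone = z + ".dnsbl.example"
        print(zone, zone_health(zone, fake_resolver))
```

Calling `zone_health(zone)` without the second argument queries real DNS; run it on the mail server itself so the query goes out through the same resolver Postfix uses.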

Re: rbl clients.

By mouss at 03/18/2009 - 22:39

Rik wrote:

this hits legitimate sites. I use this in SA, but not in postfix except
for suspicious mail. They will have to learn that spam forwarded to a
consenting user should not result in banning the forwarder IP.
otherwise, they can start by listing all spam filtering services that
tag and forward...

note that you need to subscribe to use the zone name above. if you don't
want to subscribe, add a leading 'b':
bb.barracudacentral.org