[sclug] RBL recommendations

Will Dickson wrd at glaurung.demon.co.uk
Tue Feb 13 14:18:43 UTC 2007


David Given wrote:
> My shiny new SMTP greylister proxy (<plug> http://spey.sf.net </plug>) now
> supports RBLs. I'm currently running it with spamhaus' Zen RBL, which is
> working really, really well --- in 36 hours it's blackholed 890 incoming
> connections.
> 
> In fact, it's working so well I'm slightly nervous that it's refusing access
> to legitimate mail servers. Zen is a combination of SBL (spammers), XBL (open
> proxies)

Quibble: XBL is for any kind of zombie box, not (just) open proxies. 
Spamming is business; as a botnet owner, you don't let your customers 
(ie. spammers) use your bots until they've paid you for the privilege. 
Open relays / open proxies are pretty rare now. (0wned 'doze boxes with 
ADSL, sadly not so rare.)

> and PBL (dynamic IP addresses who shouldn't be sending mail anyway).
> Is this too aggressive? What's spamhaus' reputation for zealotry? 

Minimal - IME they're pretty conservative, to the point where I use them 
as a base which I supplement with a couple of other lists which are 
harder-line. Certainly you have to try pretty hard to get into the SBL.

The new PBL does indeed seem to be devastatingly effective :-) My "fraud 
rate" (spam leaking through as ham) dropped from maybe 5-10 per acct per 
day to an average of about 3 or 4 per acct per *week*. "Insult rate" 
(ham accused of being spam) is zero for Zen so far - we've been using it 
for about 6 weeks now.

> What RBLs
> are people using in commercial environments?
> 

We use:

zen.spamhaus.org
list.dsbl.org
dnsbl.sorbs.net
bl.spamcop.net

We use a "tag-and-release" scheme for spam: incoming messages which the 
MTA thinks are spam are marked as such by tagging the subject line, 
adding an extra header explaining why it was tagged, and delivered 
anyway; the client MUAs can easily use the tags and headers to 
filter incoming spam into a spam folder. The user can then check the 
results for any insults and alert the postmaster (ie. muggins here).

We've had insult cases from SORBS. They operate a system whereby if you 
get onto their list, then in order to get out you have to ditch your 
spammer and also pay a "fine" in the form of a donation to charity, as a 
gesture of apology / penance. Some otherwise whitehat ISPs (eg. Demon) 
do the former but refuse to do the latter, so there's one Demon mail hub 
that's in SORBS and is probably going to stay there for all eternity, 
even though it hasn't spammed since 2003. If you want to use SORBS, 
tag-and-release for a while first; you'll probably have to do some 
whitelisting.

DSBL doesn't seem to do that much for my spam load. OTOH people's loads 
are generally not the same; YMMV.

No insults from spamcop so far, but even so, given its policy, I'd say 
it's probably better as part of a weighting or tag-and-release strategy 
than a black-or-white one.
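
The tag-and-release and weighting approach described in the message above, as an added Python example that is not part of the original post and not any poster's actual configuration. The zone names come from the post; the weights, the threshold, the `[SPAM]` subject tag and the `X-Spam-DNSBL` header name are assumptions, and the lookup function is injectable so the logic can be exercised without live DNS.

```python
import socket
from email.message import EmailMessage

# Zones are the four named in the post; weights and threshold are assumed values.
ZONE_WEIGHTS = {"zen.spamhaus.org": 3.0, "list.dsbl.org": 1.0,
                "dnsbl.sorbs.net": 1.0, "bl.spamcop.net": 1.5}
TAG_THRESHOLD = 2.0

def dnsbl_name(ip, zone):
    """192.0.2.25 checked against a zone becomes 25.2.0.192.<zone> (IPv4 only)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone

def dns_lookup(name):
    """A record for name, or None when it does not resolve (not listed)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def listed_zones(ip, lookup=dns_lookup):
    """Zones that answer with an address in 127.0.0.0/8 for this client IP."""
    hits = []
    for zone in ZONE_WEIGHTS:
        answer = lookup(dnsbl_name(ip, zone))
        if answer and answer.startswith("127."):
            hits.append(zone)
    return hits

def tag_and_release(msg, client_ip, whitelist=(), lookup=dns_lookup):
    """Tag msg in place if the weighted score reaches the threshold; never reject."""
    if client_ip in whitelist:
        return 0.0
    hits = listed_zones(client_ip, lookup)
    score = sum(ZONE_WEIGHTS[z] for z in hits)
    if score >= TAG_THRESHOLD:
        subject = str(msg.get("Subject", ""))
        del msg["Subject"]
        msg["Subject"] = "[SPAM] " + subject              # hypothetical tag text
        msg["X-Spam-DNSBL"] = "score=%.1f zones=%s" % (score, ",".join(hits))  # hypothetical header
    return score

if __name__ == "__main__":
    demo = EmailMessage()
    demo["Subject"] = "hello"
    fake = lambda n: "127.0.0.2" if n.endswith("zen.spamhaus.org") else None  # constructed
    print(tag_and_release(demo, "192.0.2.25", lookup=fake), demo["Subject"])
```

With these assumed weights a SORBS-only listing stays below the threshold and is delivered untagged, while the `whitelist` argument covers hosts that have to be exempted outright.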



