[sclug] RBL recommendations
Will Dickson
wrd at glaurung.demon.co.uk
Tue Feb 13 14:18:43 UTC 2007
David Given wrote:
> My shiny new SMTP greylister proxy (<plug> http://spey.sf.net </plug>) now
> supports RBLs. I'm currently running it with spamhaus' Zen RBL, which is
> working really, really well --- in 36 hours it's blackholed 890 incoming
> connections.
>
> In fact, it's working so well I'm slightly nervous that it's refusing access
> to legitimate mail servers. Zen is a combination of SBL (spammers), XBL (open
> proxies)
Quibble: XBL is for any kind of zombie box, not (just) open proxies.
Spamming is business; as a botnet owner, you don't let your customers
(ie. spammers) use your bots until they've paid you for the privilege.
Open relays / open proxies are pretty rare now. (0wned 'doze boxes with
ADSL, sadly not so rare.)
> and PBL (dynamic IP addresses who shouldn't be sending mail anyway).
> Is this too aggressive? What's spamhaus' reputation for zealotry?
Minimal - IME they're pretty conservative, to the point where I use them
as a base which I supplement with a couple of other lists which are
harder-line. Certainly you have to try pretty hard to get into the SBL.
The new PBL does indeed seem to be devastatingly effective :-) My "fraud
rate" (spam leaking through as ham) dropped from maybe 5-10 per acct per
day to an average of about 3 or 4 per acct per *week*. "Insult rate"
(ham accused of being spam) is zero for Zen so far - we've been using it
for about 6 weeks now.
> What RBLs
> are people using in commercial environments?
>
We use:
zen.spamhaus.org
list.dsbl.org
dnsbl.sorbs.net
bl.spamcop.net
We use a "tag-and-release" scheme for spam: incoming messages which the
MTA thinks are spam are marked as such by tagging the subject line,
adding an extra header explaining why it was tagged, and delivered
anyway; the client MUAs can easily use the tags and headers to
filter incoming spam into a spam folder. The user can then check the
results for any insults and alert the postmaster (ie. muggins here).
We've had insult cases from SORBS. They operate a system whereby if you
get onto their list, then in order to get out you have to ditch your
spammer and also pay a "fine" in the form of a donation to charity, as a
gesture of apology / penance. Some otherwise whitehat ISPs (eg. Demon)
do the former but refuse to do the latter, so there's one Demon mail hub
that's in SORBS and is probably going to stay there for all eternity,
even though it hasn't spammed since 2003. If you want to use SORBS,
tag-and-release for a while first; you'll probably have to do some
whitelisting.
DSBL doesn't seem to do that much for my spam load. OTOH people's loads
are generally not the same; YMMV.
No insults from spamcop so far, but even so, given its policy, I'd say
it's probably better as part of a weighting or tag-and-release strategy
than a black-or-white one.
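
A sketch of the tag-and-release and weighting approach discussed in the message above, added here as an example; it is not code from the original post or from spey. The weights, threshold, "[SPAM]" subject tag and X-Spam-Reason header name are assumptions, and the resolver is injectable so the logic can be tried against constructed listings without touching DNS.

```python
import ipaddress
import socket
from email.message import EmailMessage

# Zones are the ones named in the post; weights and threshold are assumed.
ZONE_WEIGHTS = {
    "zen.spamhaus.org": 5,
    "list.dsbl.org": 2,
    "dnsbl.sorbs.net": 2,
    "bl.spamcop.net": 2,
}
TAG_THRESHOLD = 4  # assumed: Zen alone tags, the other lists need a second vote


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_lookup(name):
    """Live resolver: a listed address answers with an A record in 127.0.0.0/8."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None  # NXDOMAIN or lookup failure: treat as not listed


def listed_zones(ip, whitelist=(), resolve=dns_lookup):
    """Return the zones that list ip; whitelisted senders skip all lookups."""
    if ip in whitelist:
        return []
    hits = []
    for zone in ZONE_WEIGHTS:
        answer = resolve(dnsbl_name(ip, zone))
        if answer and answer.startswith("127."):  # ignore non-listing answers
            hits.append(zone)
    return hits


def tag_and_release(msg, ip, whitelist=(), resolve=dns_lookup):
    """Tag the message if the weighted score is high enough; always deliver it."""
    hits = listed_zones(ip, whitelist, resolve)
    score = sum(ZONE_WEIGHTS[z] for z in hits)
    if score >= TAG_THRESHOLD:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = "[SPAM] " + subject
        msg["X-Spam-Reason"] = f"{ip} listed in {', '.join(hits)} (score {score})"
    return msg
```

With these assumed weights a sender listed only in SORBS is delivered untagged, while one listed in both SORBS and SpamCop is tagged and still delivered.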