Something I read while I was researching the RBL was that often if the address resolves that you should do a dns lookup of type text, for example.... ---------------------------------------------------------------------------- - > set type=all > 101.83.241.128.sbl.spamhaus.org Server: UnKnown Address: 10.0.0.1
Non-authoritative answer: 101.83.241.128.sbl.spamhaus.org internet address = 127.0.0.2 101.83.241.128.sbl.spamhaus.org text = "Listed on SBL - see http://spamhaus.org/SBL/sbl.lasso?query=SBX3120" ---------------------------------------------------------------------------- - This is the text you're supposed to send back with the reply, although the way James does it, it doesn't look up this information, rather I just sends back the notice posted in the <notify> tag. It might be valuable to collect this information when notifying the sender that they are blacklisted... This information will immediately lead them to why they are there, instead of just leaving some poor user, whose ISP has ended up on the blacklist, out in the cold. The ORDB and osirusoft are the good way to go. Also, another good option is sbl.spamhaus.org. ( http://www.spamhaus.org/SBL/ ) I've added this rbl filter for my server, and all I can say is they have an incredible spam kill rate. I've not seen a spam message come through my server since I added this one, where as ORDB and osirusoft do less of specific spam filtering types of things, and more of the open relay prevention. These guys trace down the individuals sending the spam and have some really interesting information about them. On another note, I really like the idea of getting James to trace back through the forwarding steps as an option and do rbl lookups on each one. Something I found extremely handy was to create a separate processor in my config.xml for blacklisted items so I could attempt to notify the sender in specific ways, send it to a different repository, or just bit-bucket it. This is when I got into trying to have the mailet notify sender from a bit-bucket address instead of postmaster, as most of the sender addresses were bogus, and then I end up receiving the spam through the postmaster account as a delivery notification failure. If anyone knows how to configure the send from address using the NotifySender mailet, please let me know. The current alternative I'm using is to bit-bucket emails from postmaster to postmaster. I'd be happy to incorporate my changes in a well documented config.xml and send them though should anyone be interested... Clint -----Original Message----- From: Noel J. Bergman [mailto:[EMAIL PROTECTED]] Sent: Sunday, June 02, 2002 10:22 PM To: James Users List Subject: RE: SPAM origin Serge, Well, as it happens, I received some e-mail fitting the criteria just earlier today. A legit host carried it from an open relay. As for the DNS checks, I'm going to remove the mail-abuse checks, and pare down to just relays.osirusoft.com and relays.ordb.org. I'm thinking that it might be a good policy to tag possible SPAM with X-Spam-Warning or X-RBL-Warning headers. That would allow someone to pass the e-mail along, but make it easy to filter on the client. [More on this in a James-Dev thread] --- Noel -----Original Message----- From: Serge Knystautas [mailto:[EMAIL PROTECTED]] Sent: Sunday, June 02, 2002 23:20 To: James Users List Cc: Russell Coker Subject: Re: SPAM origin It might be worth doing... the thing is, if there is an open relay, it's probably getting to you from that open relay (as opposed to going from one to another). Downside though is it makes mail processing a lot slower. If you comment out the DNS related checks in your spool processor, generally you'll see a huge increase in performance. So doubling or more the number of checks probably is overkill. But it certainly might be worth having as an option. -- Serge Knystautas Loki Technologies - Unstoppable Websites http://www.lokitech.com/ Noel J. Bergman wrote: > Right now InSpammerBlacklist checks the remote address of the proximate > relay to see if it is open. Is that sufficient? We are trusting that relay > to filter out e-mail from open relay sources. > > Should we be (at least optionally) checking the entire series, and rejecting > if we find any open server in the chain? > > --- Noel -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>