Spamhaus and Spamcop are both good and safe (with regards to false positives) RBLs. I actually use a hierarchy of half a dozen RBLs with those two at the top with a high level of trust, and others that only mark subject lines with a message such as "(possible spam)" which can then be filtered further as needed.
I use the site listed below to check specific IPs if we're getting hammered by something, to see what RBLs are catching it, and I've adjusted my RBL list many times over the years as necessary: http://multirbl.valli.org/lookup/23.104.53.131.html

The Invaluement RBL service out of Georgia is extremely good and very fast at responding and updating their list on the fly. But unlike the other RBLs listed here they are not free (I have no relationship with them). You can also RSYNC their list and run the queries locally if you have a subscription: http://www.invaluement.com/

I block .ru, .cz, etc. as well. But only a small fraction of the spam from IPs in these countries has the country indicators on their PTR names, so these don't help much.

What I've started blocking are many of the new top level domains (TLDs) released that are a godsend to spammers and used for 100% spam, so far as I can tell. I have the following filtered:

*.accountant *.asia *.bid *.click *.club *.cricket *.date *.democrat *.download *.faith *.help *.invoice *.link *.loan *.lol *.mobi *.ninja *.party *.press *.racing *.review *.rocks *.science *.space *.top *.trade *.uno *.wang *.webcam *.website *.win *.work *.xyz

Check your connection logs and you'll find a not insignificant percentage of your current spam has connections with pointer names using these TLDs. As new ones come online, the spammers move to them immediately, so I've had to expand the list slowly over time.

These bozo TLDs are a scam, a horrible decision to implement. Legitimate corporations can no longer defend their name and these garbage domains will forever be havens for shady organizations, fraud and spammers. A topic for another time.

-- 
Mark

From: Jake Gardner <jgard...@ttcdas.com>
To: "'ntsys...@lists.myitforum.com'" <ntsys...@lists.myitforum.com>
Date: 12/18/2015 08:18 AM
Subject: RE: [NTSysADM] Barracuda Spam fw appliance
Sent by: listsadmin@lists.myitforum.com

Thanks guys. I used to use them years ago and removed them for some reason. I don't remember the reason, so I'll add them back.

Thanks,

Jake Gardner
IT Administrator
267-352-2020 Ext. 246
www.ttcdas.com

-----Original Message-----
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Friday, December 18, 2015 11:07 AM
To: ntsysadm
Subject: Re: [NTSysADM] Barracuda Spam fw appliance

+10 - RBLs help massively.

Kurt

On Fri, Dec 18, 2015 at 7:55 AM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:
> Take a look at adding some external RBLs to augment Cuda's.
>
> https://www.spamhaus.org/sbl/ and
> https://www.spamcop.net/fom-serve/cache/290.html
>
> From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Jake Gardner
> Sent: Friday, December 18, 2015 10:54 AM
> To: 'ntsys...@lists.myitforum.com'
> Subject: RE: [NTSysADM] Barracuda Spam fw appliance
>
> I guess my question was if anyone else is seeing this type of increase.
>
> Is there a list of common regexes that I could use?
>
> Thanks,
>
> Jake Gardner
> IT Administrator
> 267-352-2020 Ext. 246
> www.ttcdas.com
>
> From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Todd Lemmiksoo
> Sent: Friday, December 18, 2015 10:14 AM
> To: ntsys...@lists.myitforum.com
> Subject: Re: [NTSysADM] Barracuda Spam fw appliance
>
> I have a physical 400 and a virtual 300 in a cluster config. I also block .ru, .cn, .cz
>
> Ask your questions.
>
> On Fri, Dec 18, 2015 at 9:08 AM, Sean Martin <seanmarti...@gmail.com> wrote:
>
> We have a couple of 800s, but they're second tier behind ProofPoint, so they don't see a lot of malicious traffic. What does slip through ProofPoint does appear to get caught by the Barracudas in most cases.
>
> - Sean
>
> On Fri, Dec 18, 2015 at 5:37 AM, Jake Gardner <jgard...@ttcdas.com> wrote:
>
> Does anyone here use one? We have a model 300 and lately we are getting absolutely hammered with SPAM that the 'cuda just won't catch.
>
> I have opened a few tickets with them about the issue and all they say is that my firewall is blocking the 'cuda from checking websites. I've checked my firewall and I don't see any blocks, and the 'cuda is in a policy with no outbound restrictions.
>
> The only thing that seems to slow it down is rate control. I turned it down to 20/30mins. In the last 9 hours it controlled 3700 and only outright blocked 1450. We see about 17k messages a day on average. A couple months ago we were averaging 12k.
>
> Thanks,
>
> Jake Gardner
> IT Administrator
> 267-352-2020 Ext. 246
> www.ttcdas.com
>
> ***Teletronics Technology Corporation*** This e-mail is confidential and may also be privileged. If you are not the addressee or authorized by the addressee to receive this e-mail, you may not disclose, copy, distribute, or use this e-mail. If you have received this e-mail in error, please notify the sender immediately by reply e-mail or by telephone at 267-352-2020 and destroy this message and any copies. Thank you.
> *******************************************************************
>
> --
> T. Todd Lemmiksoo
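The tiered RBL policy and the PTR-name TLD filter from Mark's reply at the top of the thread, as an added example that is not code from the list or from any product mentioned. zen.spamhaus.org and bl.spamcop.net are real zone names, but the third zone is a placeholder and every lookup goes through a constructed offline resolver; a real deployment would replace fake_resolve with an actual DNS A-record query.

```python
import ipaddress

# Two-tier hierarchy as described in the thread: high-trust zones reject
# outright, low-trust zones only tag the Subject line for later filtering.
# The third zone is a placeholder (.invalid); lookups are mocked below.
RBL_TIERS = [
    ("zen.spamhaus.org", "reject"),
    ("bl.spamcop.net", "reject"),
    ("low-trust.rbl.invalid", "tag"),
]

# TLDs filtered on PTR names in Mark's reply, plus the ccTLDs the thread blocks.
BLOCKED_TLDS = set("""accountant asia bid click club cricket date democrat download
faith help invoice link loan lol mobi ninja party press racing review rocks
science space top trade uno wang webcam website win work xyz ru cz cn""".split())


def rbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, under the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def ptr_tld_blocked(ptr):
    """True when the PTR name's last label is on the blocked-TLD list."""
    if not ptr:
        return False  # no reverse DNS: leave it to the RBL checks
    return ptr.rstrip(".").rsplit(".", 1)[-1].lower() in BLOCKED_TLDS


def classify(ip, ptr, resolve):
    """Return 'reject', 'tag' or 'accept' for a connecting IP and its PTR.
    resolve(name) must return True when the DNSBL lists the name."""
    if ptr_tld_blocked(ptr):
        return "reject"
    verdict = "accept"
    for zone, action in RBL_TIERS:
        if resolve(rbl_query_name(ip, zone)):
            if action == "reject":
                return "reject"  # high-trust hit: stop immediately
            verdict = "tag"      # low-trust hit: remember, keep checking
    return verdict


# Constructed, offline stand-in for DNS: the names below count as "listed".
LISTED = {"10.2.0.192.zen.spamhaus.org", "20.2.0.192.low-trust.rbl.invalid"}


def fake_resolve(name):
    return name in LISTED
```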