On Thu, Jan 11, 2007, Ralf S. Engelschall wrote:
>FYI: Those of you who are using the Postfix MTA with UCE prevention
>configuration, please notice that e.g. the ORBL.org recently has closed
>its doors and that a few others are also no longer available. I've
>reinvestigated which RBLs are still available _AND_ provide a reasonable
>and reliable resource. The result of my currently resulting _PERSONAL_
>Postfix client restrictions are now:
>
>smtpd_client_restrictions =
> permit_mynetworks,
> check_client_access hash:/PREFIX/etc/postfix/access,
> reject_unknown_client,
> reject_unauth_destination,
> reject_rbl_client dnsbl.sorbs.net,
Slightly more selective is dul.dnsbl.sorbs.net which lists only
dynamic (dialup/residential DSL and cable).
> reject_rbl_client list.dsbl.org,
> reject_rbl_client bl.spamcop.net,
This is prone to false positives as spamcop is very quick on the
trigger to list reports by clueless users (who have a tendency to
send mailing list traffic). Even spamcop recommends against
using this as a hard reject DNSBL.
FWIW: Spamassassin can score on Received: headers that are in
various DNSRBLs including spamcop.
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client pbl.spamhaus.org,
> reject_rbl_client xbl.spamhaus.org,
I think PBL is a new, spamhaus list.
The others are in the combined sbl-xbl.spamhaus.org
Others we have found effective are:
korea.services.net
combined.njabl.org
ubl.unsubscore.com
We're using:
smtpd_recipient_restrictions =
check_recipient_access pcre:/PREFIX/etc/postfix/recipientchecks
permit_mynetworks
check_client_access hash:/PREFIX/etc/postfix/dialupchecks
check_client_access hash:/PREFIX/etc/postfix/whitehatlist
check_client_access whoson:whoson.celestial.com:9876
check_helo_access pcre:/PREFIX/etc/postfix/helochecks
check_client_access pcre:/PREFIX/etc/postfix/clientchecks
reject_rbl_client guardian.celestial.net
reject_rbl_client dul.dnsbl.sorbs.net
reject_rbl_client cbl.abuseat.org
reject_rbl_client sbl-xbl.spamhaus.org
reject_rbl_client korea.services.net
reject_rbl_client combined.njabl.org
reject_rbl_client ubl.unsubscore.com
reject_non_fqdn_recipient
reject_invalid_hostname
reject_non_fqdn_hostname
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_client
reject_unauth_pipelining
permit_mx_backup
reject_unauth_destination
The guardian.celestial.net DNSRBL is one that we maintain
consisting of sites that have either made cracking attempts
against sites we maintain or attempted to spam mailing lists.
The cbl.abuseat.org list is included in the spamhaus list, but
checking it first may give quicker results as there is a delay
between their updates and spamhaus's sync.
Bill
--
INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
``Most people, sometime in their lives, stumble across truth. Most jump
up, brush themselves off, and hurry on about their business as if
nothing had happened.'' - Sir Winston Churchill
______________________________________________________________________
OpenPKG http://openpkg.org
User Communication List [email protected]
