On Tue, Apr 23, 2013 at 11:41:42AM -0700, Steve Jenkins wrote:
> On Tue, Apr 23, 2013 at 11:23 AM, /dev/rob0 <r...@gmx.co.uk> wrote:
>
> > Looks very similar to mine, http://rob0.nodns4.us/postscreen.html
> >
> > > postscreen_dnsbl_threshold = 3
[snip]
> > I'm fine with blocking for Zen alone, thus I give it 3. Of course
> > it's possible to continue using it as a reject_rbl_client smtpd
> > restriction, also. (I do that too. For some recipient domains I
> > also reject using BRBL.)
>
> I also do that. Any thoughts on these settings which I currently use?
>
> reject_rbl_client b.barracudacentral.org,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client psbl.surriel.com,

With those restrictions, you could just as well raise the corresponding postscreen_dnsbl_sites scores to 3 for each. ISTM that you're missing the point of scoring.

Yes, as I mentioned, Zen and (for most domains) BRBL listings are good enough for outright rejection, but I would not do that for Spamcop nor PSBL. Both of those are driven by automated processes which could result in "false positives".

> reject_rhsbl_client dbl.spamhaus.org,
> reject_rhsbl_sender dbl.spamhaus.org,
> reject_rhsbl_helo dbl.spamhaus.org,

Yes, absolutely.

I should explain here that my smtpd restrictions are variable depending on the recipient address. A check_recipient_access lookup early in the process decides how aggressive the restrictions will be.

More conservative domains (or even user addresses; I have the database schema in place to support per-user restrictions, but have not gotten around to providing users an interface to set their preference) will only use Zen as reject_rbl_client, and only then after checking all DNSWLs for all trust levels as permit_dnswl_client. More aggressive domains will also reject for more aggressive DNSBLs, such as BRBL, SEM, and even spamcop, and they skip the lower trust levels on DNSWL.org.[1]

My restrictions are, to put it bluntly, a terrifying mess. :) Yes, they bewilder me, and I made them! It's easy enough to explain the basic principles, but it's awful to try to figure out the details.

This isn't something I'd recommend to most sites. I spent way too many unpaid hours on developing those restrictions, and as you pointed out in your OP, things like this do require care and feeding from time to time.

[1] I have even considered using DNSWL.org's 127.0.15.0 code, which is "Email marketers of trust level 'none'", as a blacklist, for the most aggressive filtering. That's a misuse of DNSWL.org's service, but for addresses which are not signing up for any marketing mail, I'm sure it would be very effective. The vast majority of the relatively little overlap I have seen in DNSWL and DNSBL listings have been these 127.0.15.0 clients.

-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
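The scoring point made in this message, modelled as an added example (not code from the thread or from Postfix): it parses a postscreen_dnsbl_sites value in Postfix syntax, sums the weights for a client's listings, and compares the outcome with the quoted reject_rbl_client list. Only the threshold of 3 and Zen's weight of 3 come from the thread; the other weights, the DNSWL entry, and the sample listings are assumptions.

```python
import re

# Postfix-syntax value. Assumed weights except zen.spamhaus.org*3.
POSTSCREEN_DNSBL_SITES = (
    "zen.spamhaus.org*3, b.barracudacentral.org*2, "
    "bl.spamcop.net*1, psbl.surriel.com*1, list.dnswl.org*-2"
)
POSTSCREEN_DNSBL_THRESHOLD = 3  # value quoted in the thread

# The smtpd restrictions quoted in the thread: one listing is enough to reject.
REJECT_RBL_CLIENT = [
    "b.barracudacentral.org", "zen.spamhaus.org",
    "bl.spamcop.net", "psbl.surriel.com",
]

def parse_sites(value):
    """Parse 'domain[=filter][*weight]' entries into {domain: weight}.

    A missing weight defaults to 1, as in Postfix. The optional reply
    filter is dropped here: this model treats any listing as a match.
    """
    sites = {}
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        name, _, weight = entry.partition("*")
        domain = name.split("=", 1)[0]
        sites[domain] = int(weight) if weight else 1
    return sites

def decide(listed_on):
    """Compare weighted scoring with per-list rejection for one client."""
    sites = parse_sites(POSTSCREEN_DNSBL_SITES)
    score = sum(w for d, w in sites.items() if d in listed_on)
    return {
        "score": score,
        "postscreen_rejects": score >= POSTSCREEN_DNSBL_THRESHOLD,
        "smtpd_rejects": any(d in listed_on for d in REJECT_RBL_CLIENT),
    }

if __name__ == "__main__":
    # Constructed listings for hypothetical clients.
    samples = {
        "spamcop only": {"bl.spamcop.net"},
        "spamcop + psbl": {"bl.spamcop.net", "psbl.surriel.com"},
        "zen": {"zen.spamhaus.org"},
        "brbl + psbl, on dnswl": {"b.barracudacentral.org",
                                  "psbl.surriel.com", "list.dnswl.org"},
    }
    for label, listings in samples.items():
        print(label, decide(listings))
```

A client listed only on the automated lists stays under the threshold in postscreen, yet the reject_rbl_client list rejects it on that single listing, which is the difference between scoring and outright rejection.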