On Tue, Apr 23, 2013 at 11:41:42AM -0700, Steve Jenkins wrote:
> On Tue, Apr 23, 2013 at 11:23 AM, /dev/rob0 <r...@gmx.co.uk> wrote:
> 
> > Looks very similar to mine, http://rob0.nodns4.us/postscreen.html
> >
> > > postscreen_dnsbl_threshold = 3
[snip]
> > I'm fine with blocking for Zen alone, thus I give it 3. Of course
> > it's possible to continue using it as a reject_rbl_client smtpd
> > restriction, also. (I do that too. For some recipient domains I
> > also reject using BRBL.)
> 
> I also do that. Any thoughts on these settings which I currently use?
> 
> reject_rbl_client b.barracudacentral.org,
>  reject_rbl_client zen.spamhaus.org,
>  reject_rbl_client bl.spamcop.net,
>  reject_rbl_client psbl.surriel.com,

With those restrictions, you could just as well raise the 
corresponding postscreen_dnsbl_sites scores to 3 for each. ISTM that 
you're missing the point of scoring.

Yes, as I mentioned, Zen and (for most domains) BRBL listings are 
good enough for outright rejection, but I would not do that for 
Spamcop nor PSBL. Both of those are driven by automated processes 
which could result in "false positives".

>  reject_rhsbl_client dbl.spamhaus.org,
>  reject_rhsbl_sender dbl.spamhaus.org,
>  reject_rhsbl_helo dbl.spamhaus.org,

Yes, absolutely.

I should explain here that my smtpd restrictions are variable 
depending on the recipient address. A check_recipient_access lookup 
early in the process decides how aggressive the restrictions will be. 
More conservative domains (or even user addresses; I have the 
database schema in place to support per-user restrictions, but have 
not gotten around to providing users an interface to set their 
preference) will only use Zen as reject_rbl_client, and only then 
after checking all DNSWLs for all trust levels as 
permit_dnswl_client.

More aggressive domains will also reject for more aggressive DNSBLs, 
such as BRBL, SEM, and even spamcop, and they skip the lower trust 
levels on DNSWL.org.[1]

My restrictions are, to put it bluntly, a terrifying mess. :) Yes, 
they bewilder me, and I made them! It's easy enough to explain the 
basic principles, but it's awful to try to figure out the details. 
This isn't something I'd recommend to most sites. I spent way too 
many unpaid hours on developing those restrictions, and as you 
pointed out in your OP, things like this do require care and feeding 
from time to time.



[1] I have even considered using DNSWL.org's 127.0.15.0 code, which 
    is "Email marketers of trust level 'none'", as a blacklist, for 
    the most aggressive filtering. That's a misuse of DNSWL.org's
    service, but for addresses which are not signing up for any
    marketing mail, I'm sure it would be very effective. The vast
    majority of the relatively little overlap I have seen in DNSWL
    and DNSBL listings have been these 127.0.15.0 clients.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
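
The scoring point made in the reply above, as an added example that is not part of the original message and is not Postfix code: a small model of weighted `postscreen_dnsbl_sites` scoring against the thread's threshold of 3, beside the any-single-hit behaviour of the quoted `reject_rbl_client` list. Zen's weight of 3 comes from the thread; the other weights, the client addresses and their listings are constructed assumptions, and reply filters (`domain=d.d.d.d`) are not modelled.

```python
# Added illustration: a model of the scoring logic, not Postfix source.
THRESHOLD = 3  # postscreen_dnsbl_threshold, as quoted in the thread

# Zen's weight of 3 is from the thread; the other weights are assumed.
SITES = ("zen.spamhaus.org*3, b.barracudacentral.org*2, "
         "bl.spamcop.net*1, psbl.surriel.com")

# The four reject_rbl_client lists quoted in the thread.
RBL_CLIENT = ["b.barracudacentral.org", "zen.spamhaus.org",
              "bl.spamcop.net", "psbl.surriel.com"]

def parse_sites(spec):
    """Parse 'domain*weight' entries (weight defaults to 1) into a dict."""
    weights = {}
    for entry in spec.replace(",", " ").split():
        domain, _, weight = entry.partition("*")
        weights[domain] = int(weight) if weight else 1
    return weights

def dnsbl_score(weights, listed_on):
    """Sum the weights of every configured list the client appears on."""
    return sum(w for d, w in weights.items() if d in listed_on)

def postscreen_blocks(weights, listed_on, threshold=THRESHOLD):
    """The threshold is an inclusive lower bound on the combined score."""
    return dnsbl_score(weights, listed_on) >= threshold

def smtpd_rejects(rbl_domains, listed_on):
    """reject_rbl_client semantics: one listing on any list rejects."""
    return any(d in listed_on for d in rbl_domains)

# Constructed clients (documentation address range) and constructed listings.
CLIENTS = {
    "192.0.2.10": {"zen.spamhaus.org"},
    "192.0.2.20": {"bl.spamcop.net"},
    "192.0.2.30": {"bl.spamcop.net", "psbl.surriel.com"},
    "192.0.2.40": {"b.barracudacentral.org", "psbl.surriel.com"},
}

def compare(clients=CLIENTS):
    """Return {ip: (score, blocked by postscreen, rejected by smtpd list)}."""
    weights = parse_sites(SITES)
    return {ip: (dnsbl_score(weights, hits),
                 postscreen_blocks(weights, hits),
                 smtpd_rejects(RBL_CLIENT, hits))
            for ip, hits in clients.items()}

if __name__ == "__main__":
    for ip, (score, ps, smtpd) in compare().items():
        print(f"{ip} score={score} postscreen={ps} reject_rbl_client={smtpd}")
```

The clients listed only on Spamcop, or on Spamcop and PSBL together, stay under the threshold in the scored model, yet the `reject_rbl_client` list rejects both; setting every weight to 3 makes the two behave identically.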
