rbl clients.

2009-02-12 Thread Linux Addict
Please see below my smtpd_recipient_restrictions. On my rbl client list I
have multiple entries, but I'm not sure how many of them are actually
maintained. Is there one single place where I can find such a list? Any help
is greatly appreciated.


smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
  reject_invalid_hostname, permit
smtpd_recipient_limit = 300
smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated, reject_unauth_destination,
  reject_invalid_hostname, reject_unauth_pipelining,
  reject_non_fqdn_sender, reject_unknown_sender_domain,
  reject_non_fqdn_recipient, reject_unknown_recipient_domain,
  reject_rbl_client blackholes.easynet.nl,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client proxies.blackholes.wirehub.net,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client sbl.spamhaus.org,
  reject_rbl_client dnsbl.njabl.org,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client multihop.dsbl.org,
  permit


~LA


Re: rbl clients.

2009-02-12 Thread Victor Duchovni
On Thu, Feb 12, 2009 at 02:02:03PM -0500, Linux Addict wrote:

> Please see below my smtpd_recipient_restrictions. On my rbl client list I
> have multiple entries, but not sure how many of them actually maintained. Is
> there one single place where I can find such a list. Any help is greatly
> appreciated.

Replace all of them with just:

reject_rbl_client zen.spamhaus.org

If this still leaves you with way too much junk to filter with a content
filter, and you can afford to be more aggressive, add just

reject_rbl_client bl.spamcop.net

avoid all the rest, especially the ones long dead.

Make sure your DNS cache is not using an ISP upstream forwarder.

If your traffic is high enough, buy a SpamHaus data feed.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: rbl clients.

2009-02-12 Thread Peter Blair
http://stats.dnsbl.com/

As Victor said, ZEN is usually enough for most people, but it's always
good to know why you're not using the rest.

On Thu, Feb 12, 2009 at 2:02 PM, Linux Addict wrote:
> Please see below my smtpd_recipient_restrictions. On my rbl client list I
> have multiple entries, but not sure how many of them actually maintained. Is
> there one single place where I can find such a list. Any help is greatly
> appreciated.
>
> smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
>   reject_invalid_hostname, permit
> smtpd_recipient_limit = 300
> smtpd_recipient_restrictions = permit_mynetworks,
>  permit_sasl_authenticated,reject_unauth_destination,
>  reject_invalid_hostname,reject_unauth_pipelining,
>  reject_non_fqdn_sender,reject_unknown_sender_domain,
>  reject_non_fqdn_recipient,reject_unknown_recipient_domain,
>  reject_rbl_client blackholes.easynet.nl,reject_rbl_client
> cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net,
>  reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
>  reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
>  reject_rbl_client multihop.dsbl.org,permit
>
> ~LA


Re: rbl clients.

2009-02-12 Thread Rik

On Thu, 2009-02-12 at 14:07 -0500, Victor Duchovni wrote:
> On Thu, Feb 12, 2009 at 02:02:03PM -0500, Linux Addict wrote:
> 
> > Please see below my smtpd_recipient_restrictions. On my rbl client list I
> > have multiple entries, but not sure how many of them actually maintained. Is
> > there one single place where I can find such a list. Any help is greatly
> > appreciated.
> 
> Replace all of them with just:
> 
>   reject_rbl_client zen.spamhaus.org
> 
> If this still leaves you with way too much junk to filter with a content
> filter, and you can afford to be more aggressive, add just
> 
>   reject_rbl_client bl.spamcop.net
> 
> avoid all the rest, especially the ones long dead.
> 
> Make sure your DNS cache is not using an ISP upstream forwarder.
> 
> If your traffic is high enough, buy a SpamHaus data feed.
> 
Currently this is free too:

b.barracudacentral.org

It's used in the Barracuda Spam Firewalls as the default 'reputation'
filter. I find it kills more than zen myself, and they have a UK based
support operation that deals with false positives that you can *call* on
the phone and get a sensible answer from.

However, respect nonetheless to Spamhaus for what they have done.

Ironically the growth of the Barracuda List has largely come from
Spamhaus shooting themselves in the foot trying to charge Barracuda
owners for a feed. My guess, however, is Barracuda will eventually
charge too - but at this time it is completely free. They do ask for
registration but the truth is it works fine without it.

Test it before deployment like this (from a recent spammer at
188.16.211.205);

dig 205.211.16.188.b.barracudacentral.org

Presence of the answer section in the typical 127.0.0.X indicates
positive - just like the other RBL's.
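
Added example, not part of Rik's message or the thread: the same dig lookup turned into a liveness check for any zone named in reject_rbl_client. It goes beyond the single lookup above by querying the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not); the function names are illustrative and dig is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): DNSBL liveness check before a zone is
# used with reject_rbl_client. Function names are illustrative.

# 188.16.211.205 + b.barracudacentral.org
#   -> 205.211.16.188.b.barracudacentral.org
dnsbl_qname() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" \
        'NF == 4 { print $4 "." $3 "." $2 "." $1 "." zone }'
}

# A records for a name, one per line. Separate function so it can be stubbed.
resolve_a() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not be.
zone_status() {
    pos=$(resolve_a "$(dnsbl_qname 127.0.0.2 "$1")" | head -n 1)
    neg=$(resolve_a "$(dnsbl_qname 127.0.0.1 "$1")" | head -n 1)
    if [ -n "$neg" ]; then
        # Without an "=d.d.d.d" filter Postfix rejects on any A record,
        # so a zone that answers for everything rejects every client.
        echo "answers-for-everything"
    elif [ -z "$pos" ]; then
        echo "dead-or-unreachable"
    else
        case $pos in
            127.0.0.*) echo "ok" ;;
            *)         echo "unexpected-answer:$pos" ;;
        esac
    fi
}

# Usage: sh dnsbl-check.sh zen.spamhaus.org bl.spamcop.net
for zone in "$@"; do
    printf '%-34s %s\n' "$zone" "$(zone_status "$zone")"
done
```

Run it from the mail server itself so the result reflects the resolver Postfix actually uses.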




Re: rbl clients.

2009-02-12 Thread mouss
Rik wrote:
> On Thu, 2009-02-12 at 14:07 -0500, Victor Duchovni wrote:
>> On Thu, Feb 12, 2009 at 02:02:03PM -0500, Linux Addict wrote:
>>
>>> Please see below my smtpd_recipient_restrictions. On my rbl client list I
>>> have multiple entries, but not sure how many of them actually maintained. Is
>>> there one single place where I can find such a list. Any help is greatly
>>> appreciated.
>> Replace all of them with just:
>>
>>  reject_rbl_client zen.spamhaus.org
>>
>> If this still leaves you with way too much junk to filter with a content
>> filter, and you can afford to be more aggressive, add just
>>
>>  reject_rbl_client bl.spamcop.net
>>
>> avoid all the rest, especially the ones long dead.
>>
>> Make sure your DNS cache is not using an ISP upstream forwarder.
>>
>> If your traffic is high enough, buy a SpamHaus data feed.
>>
> Currently this is free too:
> 
> b.barracudacentral.org
> 

this hits legitimate sites. I use this in SA, but not in postfix except
for suspicious mail. They will have to learn that spam forwarded to a
consenting user should not result in banning the forwarder IP.
otherwise, they can start by listing all spam filtering services that
tag and forward...

note that you need to subscribe to use the zone name above. if you don't
want to subscribe, add a leading 'b':
bb.barracudacentral.org

> [snip]



Re: rbl clients.

2009-02-12 Thread Paweł Leśniak

Victor Duchovni wrote:
> On Thu, Feb 12, 2009 at 02:02:03PM -0500, Linux Addict wrote:
>
>> Please see below my smtpd_recipient_restrictions. On my rbl client list I
>> have multiple entries, but not sure how many of them actually maintained. Is
>> there one single place where I can find such a list. Any help is greatly
>> appreciated.
>
> Replace all of them with just:
>
>   reject_rbl_client zen.spamhaus.org
>
> If this still leaves you with way too much junk to filter with a content
> filter, and you can afford to be more aggressive, add just
>
>   reject_rbl_client bl.spamcop.net
>
> avoid all the rest, especially the ones long dead.
>
> Make sure your DNS cache is not using an ISP upstream forwarder.
>
> If your traffic is high enough, buy a SpamHaus data feed.

On my server I get the following results in logs (last 4 days):

$ ~/dnsblcount /var/log/mail.1
zen.spamhaus.org                                3438
ips.backscatterer.org                             98
hostkarma.junkemailfilter.com=127.0.0.2           28
bl.spamcannibal.org                               17
cbl.abuseat.org                                    3
====================================================
Total DNSBL rejections:                         3584

$ ~/dnsblcount /var/log/mail.2
zen.spamhaus.org                                6938
ips.backscatterer.org                            115
hostkarma.junkemailfilter.com=127.0.0.2           67
t1.dnsbl.net.au                                   33
bl.spamcannibal.org                               13
dnsbl-1.uceprotect.net                             3
bl.spamcop.net                                     2
====================================================
Total DNSBL rejections:                         7171

$ ~/dnsblcount /var/log/mail.3
zen.spamhaus.org                               10810
hostkarma.junkemailfilter.com=127.0.0.2          164
ips.backscatterer.org                             80
bl.spamcannibal.org                               24
dnsbl.njabl.org                                    7
dnsbl-1.uceprotect.net                             4
cbl.abuseat.org                                    2
====================================================
Total DNSBL rejections:                        11091

$ ~/dnsblcount /var/log/mail.4
zen.spamhaus.org                               10875
hostkarma.junkemailfilter.com=127.0.0.2           98
bl.spamcannibal.org                               25
ips.backscatterer.org                             10
dnsbl.njabl.org                                    2
cbl.abuseat.org                                    1
====================================================
Total DNSBL rejections:                        11011


As you can see, cbl.abuseat.org, which is included in zen.spamhaus.org,
gives some more results than zen (actually it's simple - update takes
some time).

backscatterer and spamcannibal are used only for <> and postmaster senders.
dnsbl-1.uceprotect.net gave me only false positives, so it's turned off now.
I'm also using t1.dnsbl.net.au and bl.spamcop.net (this one I've got
right after zen.spamhaus) - no results in the last 4 days, but still testing.
I have a total of ~5-20k SMTP sessions per day which get to rbl tests.
So after testing zen.spamhaus.org it's about 1 to 10k tests left to be
done. And while I have a local dns server, it's an even smaller number of DNS
checks with BLs. I think that most people here will say that it's
(at least) stupid to have only ~0.1% more spam filtered with one more
rbl check (with that low SMTP traffic).


Anyway, before rejecting mail with any BL (besides those really "well
known", like the two Victor gave), check that those won't give you too
many false positives.


I'd also recommend lowering smtpd_recipient_limit from 300 to some
reasonable amount, unless you really use such "large" bulk mailings.



Pawel
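
Added example, not Pawel's dnsblcount script (which the message does not show): a small shell and awk tally of "blocked using" rejections per list, the kind of per-zone count quoted above. The log lines are constructed samples using documentation addresses, and the names dnsbl_count and sample_log are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): per-DNSBL rejection counts from
# Postfix smtpd log lines, most hits first.

dnsbl_count() {
    awk '/postfix\/smtpd\[/ && / reject: / {
            # Use the FIRST " blocked using ": it is written by Postfix.
            # The later from=/to=/helo= fields are supplied by the client.
            i = index($0, " blocked using ")
            if (!i) next
            zone = substr($0, i + 15)
            sub(/[; ].*$/, "", zone)     # zone (or zone=d.d.d.d) ends at ";"
            hits[zone]++
         }
         END { for (z in hits) print hits[z], z }' "$@" |
    sort -k1,1nr -k2,2 |
    awk '{ printf "%-45s %6d\n", $2, $1; total += $1 }
         END { printf "Total DNSBL rejections: %d\n", total }'
}

sample_log() {   # constructed log lines, not taken from a real server
    cat <<'EOF'
Feb 12 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; listed; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<h1>
Feb 12 10:00:07 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using zen.spamhaus.org; listed; from=<b@example.net> to=<u@example.org> proto=ESMTP helo=<h2>
Feb 12 10:01:15 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using bl.spamcop.net; listed; from=<c@example.net> to=<u@example.org> proto=ESMTP helo=<h3>
Feb 12 10:02:30 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using hostkarma.junkemailfilter.com=127.0.0.2; listed; from=<> to=<u@example.org> proto=ESMTP helo=<h4>
Feb 12 10:03:44 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[192.0.2.50]: 554 5.7.1 <u@example.com>: Relay access denied; from=<d@example.net> to=<u@example.com> proto=ESMTP helo=<h5>
Feb 12 10:04:02 mx postfix/smtpd[2106]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 554 5.7.1 Service unavailable; Client host [192.0.2.12] blocked using zen.spamhaus.org; listed; from=<"x blocked using fake.example"@example.net> to=<u@example.org> proto=ESMTP helo=<h6>
EOF
}

# Usage: sh dnsbl-count.sh /var/log/mail.1   (no arguments: run on the sample)
if [ "$#" -gt 0 ]; then dnsbl_count "$@"; else sample_log | dnsbl_count; fi
```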




Re: rbl clients.

2009-02-13 Thread Res

On Thu, 12 Feb 2009, Linux Addict wrote:


> reject_rbl_client blackholes.easynet.nl,reject_rbl_client
> cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net,
> reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
> reject_rbl_client multihop.dsbl.org,permit



As others have mentioned, some of these have been dead for a long time, 
and with others, you are doing twice the work, since some RBL's interact 
with each other.


We find the following work great, some recommend using spamhaus first, on 
my private mail server I use it last, to keep under their 'hits per day',
I don't use spamhaus on employers because of the 'hits per day', and I
can't justify the rates they want, I find even at home I only get one or
two hits in a blue moon from spamhaus because SORBS and spamcop end up 
stopping pretty much all of it.


Privately I use:
reject_rbl_client dnsbl.njabl.org
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client bl.spamcop.net
reject_rbl_client b.barracudacentral.org (you need to register, but it's free)
reject_rbl_client zen.spamhaus.org

commercially we use:
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client bl.spamcop.net
reject_rbl_client b.barracudacentral.org

and along with things like

reject_unknown_client_hostname
reject_unknown_helo_hostname
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient

we also use sendmail's milter-regex with all these combined, it's rare
spam gets through to MailScanner to deal with.

(milter regex rules used: http://kb.ausics.net/sendmail/milter-regex.conf)

--
Res

"All we need, is just a little patience"  -- William Bruce (Axl) Rose


Re: rbl clients.

2009-02-16 Thread Linux Addict
Thank you everyone!! Lot of information.
On Fri, Feb 13, 2009 at 4:44 PM, Res wrote:

> On Thu, 12 Feb 2009, Linux Addict wrote:
>
>> reject_rbl_client blackholes.easynet.nl,reject_rbl_client
>> cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net,
>> reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
>> reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
>> reject_rbl_client multihop.dsbl.org,permit
>>
>
> As others have mentioned, some of these have been dead for a long time, and
> with others, you are doing twice the work, since some RBL's interact with
> each other.
>
> We find the following work great, some recommend using spamhaus first, on
> my private mail server I use it last, to keep under their 'hits per day',
> I don't use spamhaus on employers because of the 'hits per day', and I cant
> justify the rates they want, I find even at home I only get one or two hits
> in a blue moon from spamhaus because SORBS and spamcop end up stopping
> pretty much all of it.
>
> Privately I use:
> reject_rbl_client dnsbl.njabl.org
> reject_rbl_client dnsbl.sorbs.net
> reject_rbl_client bl.spamcop.net
> reject_rbl_client b.barracudacentral.org (you need to register, but its
> free)
> reject_rbl_client zen.spamhaus.org
>
> commercially we use:
> reject_rbl_client dnsbl.sorbs.net
> reject_rbl_client bl.spamcop.net
> reject_rbl_client b.barracudacentral.org
>
> and along with things like
>
> reject_unknown_client_hostname
> reject_unknown_helo_hostname
> reject_invalid_helo_hostname
> reject_non_fqdn_helo_hostname
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
>
> we also use sendmails milter-regex  with all these combined, its rare
> spam gets through to MailScanner to deal with.
>
> (milter regex rules used: http://kb.ausics.net/sendmail/milter-regex.conf)
>
> --
> Res
>
> "All we need, is just a little patience"  -- William Bruce (Axl) Rose
>