Re: Hotmail on sorbs?!? (and eliminating false positives)
On Tuesday, 27 September 2005 07:51 email builder wrote:
> The above can probably be done in Postfix with one or two restriction classes.
>
> http://www.postfix.org/postconf.5.html#smtpd_restriction_classes
> http://www.postfix.org/RESTRICTION_CLASS_README.html
>
> I'd be curious to hear if anyone else is using this kind of strategy.

I could also imagine this:
http://www.postfix.org/SMTPD_POLICY_README.html

But I'm missing something like

    smtpd_sender_restrictions = mark_rbl_client ...
    client_marked = greylist

Currently, we can only

    smtpd_sender_restrictions = reject_rbl_client ...

But that reject we want to NOT do.

Regards, zmi
--
// Michael Monnerie, Ing.BSc --- it-management Michael Monnerie
// http://zmi.at Tel: 0660/4156531 Linux 2.6.11
// PGP Key: lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952 F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879
Re: Hotmail on sorbs?!? (and eliminating false positives)
Hi !!

I am new to postfix and spamassassin, but we are already using greylist, and I liked a lot what you said here. How can I greylist messages by means of RBL checking? How should I set up Postfix to do that?

Regards,
Carlos.

2005/9/24, Herb Martin [EMAIL PROTECTED]:
> > From: Kai Schaetzl [mailto:[EMAIL PROTECTED]
> > Not sure how you combine that. AFAIR, greylisting is tempfailing the first SMTP delivery attempt, correct? Do you check the IP with RBLs and then tempfail it? So, you don't tempfail *every* connection attempt like traditional greylisting does?
>
> Exactly -- with the addition that we do this on several other criteria than just RBLs.
>
> This avoids practically all the complaints/negatives* against straight greylisting (i.e., traditional greylisting) and avoids practically all false positives from things like RBLs.
>
> * 1) Possible Delay of (new) legitimate email
> * 2) Broken legitimate servers which don't resend
>
> Note that these supposed problems with greylisting are largely handled even by straight greylisting through the use of whitelists for broken servers and small delays (a small delay stops almost as many spambots as will a long delay.)
>
> Also, for those not familiar with greylisting, the idea is you only TEMP_REJECT new mail, that is, mail for which you don't have a fairly recent successful triplet: From-IP, From-Sender, To-Recipient
>
> Once greylisting determines that the sending server can meet the resend requirement there isn't much point to greylisting that server anyway (since it is going to meet the greylist requirements in all probability.)
>
> Greylisting lets 10% through, so it isn't the final solution but it lets you use a LOT OF AGGRESSIVE techniques that would normally be dangerous to good mail.
>
> For one, you can use RBLs that would otherwise be a terrible risk, or even (grey) block on things like host reverse name/helo name mismatch (which will LOSE a lot of email otherwise.)
>
> Pick any good criteria for rejecting email and turn it into a good but safe method by using greylisting.
>
> Also note that having our SMTP server check RBLs and then having SpamAssassin score them AGAIN if the mail gets through, costs VERY LITTLE: we run a local caching DNS server so those resolutions are only going on the net just once.
>
> --
> Herb Martin
RE: Hotmail on sorbs?!? (and eliminating false positives)
--- Herb Martin [EMAIL PROTECTED] wrote:
> > I am new to postfix and spamassassin, but we are already using greylist, and I liked a lot what you said here. How can I greylist messages by means of RBL checking? How should I set up Postfix to do that?
> >
> > Regards, Carlos.
>
> I am not a Postfix expert, and cannot really call myself an Exim expert either, but the strategy goes something like this:
>
> During (various) SMTP ACL (Access Control Lists) run the checks for things like RBL etc (this is easy in Exim) and mark the results (in either an ACL variable or by adding a header.*)
>
> * Header had the disadvantage of requiring the Greylist check to wait until SMTP DATA time where the headers are available when all we really need is SenderIP-FromName-RCPT which are all available by RCPT ACL time.
>
> When you have made all of your checks, and before checking SpamAssassin, run the Greylist on any message that was flagged above -- if the greylist returns true this is where we tempfail (Defer in Exim) the message.

The above can probably be done in Postfix with one or two restriction classes.

http://www.postfix.org/postconf.5.html#smtpd_restriction_classes
http://www.postfix.org/RESTRICTION_CLASS_README.html

I'd be curious to hear if anyone else is using this kind of strategy.

Thanks
Re: Hotmail on sorbs?!?
On Saturday, 24 September 2005 06:14 email builder wrote:
> No. Please understand that there is a difference between using SORBS in the MTA (ala Postfix's smtpd_recipient_restrictions) where a listing equates to an immediate rejection and using SORBS in SA for scoring. You are referring to the latter. I have said many times that the thread was about the former. I don't think anyone disagrees with using SORBS in SA scoring.

ACK. Sorry, didn't read the whole thread. We also use RBLs in postfix, but only secure ones that don't make false positives. Currently, we use these since January 2005 without any problems:

    sbl-xbl.spamhaus.org, dnsbl.njabl.org, bl.spamcop.net,
    dul.dnsbl.sorbs.net, zombie.dnsbl.sorbs.net, web.dnsbl.sorbs.net,
    smtp.dnsbl.sorbs.net, relays.ordb.org

So we have 4 SORBS zones, none causing problems. Sometimes, there are customers of our customers who are in a dul (dial up link) network running their own mail server, and we just force them to use the mail server of their ISP to send mail to our server. Sometimes a bit of work, but we have a strict commitment on that. If you are on a DUL network, you must use the mail server of your ISP, at least as a relay. No discussion about that.

Regards, zmi
Re: Hotmail on sorbs?!?
Larry M. Rosenbaum wrote on Wed, 21 Sep 2005 16:41:18 -0400:
> 127.0.0.2   Open HTTP server
> 127.0.0.3   Open Socks server
> 127.0.0.4   Open Proxy server
> 127.0.0.5   Open SMTP relay
> 127.0.0.10  Dynamic address

You can do it much simpler and with less traffic. There is a new aggregated list which is the same as dnsbl.sorbs.net, but without the spamtrap list:

    safe.dnsbl.sorbs.net

Unfortunately, it's not advertised at the SORBS site. They put it into action some months ago upon my request.

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de http://msie.winware.org
Re: Hotmail on sorbs?!?
Email builder wrote on Wed, 21 Sep 2005 17:12:05 -0700 (PDT): OK, well other people also seem to be saying that SORBS is just not acceptable for a front-line RBL. Really too bad. Really. We do already use a ton of other RBLs, but just hate to let any of them go. I doubt there is much use in using more than two or three RBLs. I did some research on that some years ago and found that any RBL after the second didn't add much more rejections. We use only three and the third is just there because I was too lazy to remove it yet. Assess what you actually get from your RBLs and remove those that add less than 5% to your rejections. If you want to be safe, then use rbl+xbl.Spamhaus only. It is safe *and* effective. If you add any other you risk getting false positives. That is in the nature of RBLs and there is no reason to complain about that fact or any of these RBLs. If you do that you don't understand the basic principle behind them. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de http://msie.winware.org
RE: Hotmail on sorbs?!? (and eliminating false positives)
From: Kai Schaetzl [mailto:[EMAIL PROTECTED] If you want to be safe, then use rbl+xbl.Spamhaus only. It is safe *and* effective. If you add any other you risk getting false positives. That is in the nature of RBLs and there is no reason to complain about that fact or any of these RBLs. You RISK getting false positives with ANY RBL -- while I generally agree about rbl-xbl, they are quite good for me, they both on rare occasions give me false positives. If you get enough email, virtually any RBL will give a false positive sooner or later. Of course if the context is scoring in SA they are among the best choices. If you use Greylisting which offers virtually zero false positives IN CONJUNCTION with quality RBLs like Spamhaus rbl+xbl then you can eliminate false positives and still benefit from blocking on such RBLs -- even less reliable RBLs will work for this. Roughly 90% of those items greylisted will never return. And you will lose nothing (*Note: nothing cannot be guaranteed even here, but in practice it is true.) We never reject on a single criteria except obvious things like using our server name or IP in the HELO, or a HELO that claims to be from a known ISP but is an obvious lie on reverse lookup, or things like bad recipients/attempts to relay. Most everything else is used to drive greylisting -- even SpamAssassin-likely-Spam-scores drive greylisting (if the mail has not been previously greylisted). We use several RBLs (in Exim) this way too -- to drive greylisting or in combination with other checks. Then we use RBLs with SpamAssassin to adjust the SA scores for mail that does get through. Result: Drastic reduction in mail needing review, no false positive drops (and practically none in spam catch folders), and practically all spam caught. Greylisting is cool. Combined with things like RBLs and other spammy suspicious checks it is nothing but a big win. -- Herb Martin
Re: Hotmail on sorbs?!? (and eliminating false positives)
Herb Martin wrote on Sat, 24 Sep 2005 07:17:06 -0500: You RISK getting false positives with ANY RBL Of course, yes. One better speaks of a cost-value ratio (with cost being false positives for your clients and value being the rejected spam and viruses). In this respect the combined Spamhaus list is probably the best. Only a few other RBLs can substantially add to that and still come close to the cost. It should also be clear that most of the false positives aren't FP's by the RBLs definition but by the effect they have on your mail/users. If you use Greylisting which offers virtually zero false positives IN CONJUNCTION with quality RBLs like Spamhaus rbl+xbl then you can eliminate false positives and still benefit from blocking on such RBLs -- even less reliable RBLs will work for this. Not sure how you combine that. AFAIR, greylisting is tempfailing the first SMTP delivery attempt, correct? Do you check the IP with RBLs and then tempfail it? So, you don't tempfail *every* connection attempt like traditional greylisting does? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de http://msie.winware.org
RE: Hotmail on sorbs?!? (and eliminating false positives)
> From: Kai Schaetzl [mailto:[EMAIL PROTECTED]
> Not sure how you combine that. AFAIR, greylisting is tempfailing the first SMTP delivery attempt, correct? Do you check the IP with RBLs and then tempfail it? So, you don't tempfail *every* connection attempt like traditional greylisting does?

Exactly -- with the addition that we do this on several other criteria than just RBLs.

This avoids practically all the complaints/negatives* against straight greylisting (i.e., traditional greylisting) and avoids practically all false positives from things like RBLs.

* 1) Possible Delay of (new) legitimate email
* 2) Broken legitimate servers which don't resend

Note that these supposed problems with greylisting are largely handled even by straight greylisting through the use of whitelists for broken servers and small delays (a small delay stops almost as many spambots as will a long delay.)

Also, for those not familiar with greylisting, the idea is you only TEMP_REJECT new mail, that is, mail for which you don't have a fairly recent successful triplet: From-IP, From-Sender, To-Recipient

Once greylisting determines that the sending server can meet the resend requirement there isn't much point to greylisting that server anyway (since it is going to meet the greylist requirements in all probability.)

Greylisting lets 10% through, so it isn't the final solution but it lets you use a LOT OF AGGRESSIVE techniques that would normally be dangerous to good mail.

For one, you can use RBLs that would otherwise be a terrible risk, or even (grey) block on things like host reverse name/helo name mismatch (which will LOSE a lot of email otherwise.)

Pick any good criteria for rejecting email and turn it into a good but safe method by using greylisting.

Also note that having our SMTP server check RBLs and then having SpamAssassin score them AGAIN if the mail gets through, costs VERY LITTLE: we run a local caching DNS server so those resolutions are only going on the net just once.

--
Herb Martin
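Added example, not code from this thread or from Postfix: the "DNSBL hit drives greylisting instead of rejection" decision described above, written against the name=value request format of Postfix policy delegation. The class and function names, the 300-second delay, the 35-day expiry and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
import socket

# Constructed sample request in Postfix policy-delegation format
# (name=value lines, terminated by an empty line).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n"
)

DEFER = "DEFER_IF_PERMIT Greylisted, please retry later"
PASS = "DUNNO"  # no opinion: the remaining restrictions decide


def parse_policy_request(text):
    """Parse one policy request into a dict; the empty line ends the request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def format_reply(action):
    """A policy reply is a single action= line followed by an empty line."""
    return "action=%s\n\n" % action


def dnsbl_query_name(client_ip, zone):
    """IPv4 DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(client_ip.split("."))) + "." + zone


def dns_is_listed(name):
    """Live lookup: any A record means 'listed' (not called by the test data)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


class SelectiveGreylist:
    """Greylist only clients that a DNSBL flags; never reject on the listing."""

    def __init__(self, is_listed, zones, delay=300, expiry=35 * 86400,
                 whitelist=()):
        self.is_listed = is_listed      # callable(query_name) -> bool
        self.zones = tuple(zones)
        self.delay = delay              # assumed minimum retry interval (s)
        self.expiry = expiry            # assumed lifetime of a known triplet (s)
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.seen = {}                  # triplet -> (first_attempt, last_seen)

    def suspicious(self, addr):
        if addr.version != 4:           # this example only queries IPv4 zones
            return False
        return any(self.is_listed(dnsbl_query_name(str(addr), z))
                   for z in self.zones)

    def decide(self, attrs, now):
        try:
            addr = ipaddress.ip_address(attrs.get("client_address", ""))
        except ValueError:
            return PASS                 # unparseable client: do not interfere
        if any(addr in net for net in self.whitelist):
            return PASS                 # known-broken but legitimate senders
        if not self.suspicious(addr):
            return PASS                 # unflagged mail is never delayed
        triplet = (str(addr), attrs.get("sender", "").lower(),
                   attrs.get("recipient", "").lower())
        entry = self.seen.get(triplet)
        if entry is None or now - entry[1] > self.expiry:
            self.seen[triplet] = (now, now)
            return DEFER                # first sighting: temporary failure
        self.seen[triplet] = (entry[0], now)
        if now - entry[0] < self.delay:
            return DEFER                # retried too quickly
        return PASS                     # sender retried properly: accept


if __name__ == "__main__":
    constructed = {dnsbl_query_name("192.0.2.10", "sbl-xbl.spamhaus.org")}
    policy = SelectiveGreylist(lambda n: n in constructed,
                               zones=("sbl-xbl.spamhaus.org",))
    request = parse_policy_request(SAMPLE_REQUEST)
    for t in (1000, 1100, 1300):
        print(t, format_reply(policy.decide(request, t)).strip())
```

Mail that passes here would still go on to content scoring, as the post describes; the DNSBL result only selects which clients have to prove they retry.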
Re: Hotmail on sorbs?!?
On Saturday, 24 September 2005 12:31 Kai Schaetzl wrote:
> Assess what you actually get from your RBLs and remove those that add less than 5% to your rejections.

Why? 5% rejections can be worth the lookup. I prefer some lookups over receiving SPAM. Or do I miss something?

Regards, zmi
Re: Hotmail on sorbs?!?
On Thursday, 22 September 2005 22:24 email builder wrote:
> How so? I can't believe you don't hear me when I say for the 100th time that services like ours that have a lot of users who expect to communicate with hotmail users cannot use an RBL in the MTA if it lists hotmail.

Larry said it already:
> There are RCVD_IN_SORBS_* rules in 20_dnsbl_tests.cf for each of the various SORBS lists. The ones for RCVD_IN_SORBS_SPAM are commented out.

We're also having lots of customers communicating with hotmail.com, didn't get a report of problems for months. Just pick the right rules. If the RCVD_IN_SORBS_SPAM doesn't fit you, don't activate it, it's disabled by default (I guess for a reason...).

Regards, zmi
Re: Hotmail on sorbs?!?
> On Thursday, 22 September 2005 22:24 email builder wrote:
> > How so? I can't believe you don't hear me when I say for the 100th time that services like ours that have a lot of users who expect to communicate with hotmail users cannot use an RBL in the MTA if it lists hotmail.
>
> Larry said it already:
> > There are RCVD_IN_SORBS_* rules in 20_dnsbl_tests.cf for each of the various SORBS lists. The ones for RCVD_IN_SORBS_SPAM are commented out.
>
> We're also having lots of customers communicating with hotmail.com, didn't get a report of problems for months. Just pick the right rules. If the RCVD_IN_SORBS_SPAM doesn't fit you, don't activate it, it's disabled by default (I guess for a reason...).

No. Please understand that there is a difference between using SORBS in the MTA (ala Postfix's smtpd_recipient_restrictions) where a listing equates to an immediate rejection and using SORBS in SA for scoring. You are referring to the latter. I have said many times that the thread was about the former. I don't think anyone disagrees with using SORBS in SA scoring.
Re: Hotmail on sorbs?!?
We removed sorbs. I don't think it's even open for debate at the current point. If places like hotmail mx's end up on the blacklist you *will* have upset customers. Yeah. It would be nice if there were a blacklist out there that took the best of all the others but refused to list things like hotmail for those of us who are in the situation of having users who expect connectivity to Hotmail and their ilk. Yes, it sucks, but this is what it is to have paying customers with friends who use MSN, etc, etc. So, then, where should they draw that line? Let in hotmail, yahoo, aol, verizon, and earthlink yes. i don't think any administrator with paying customers to please would be happy if any of these were blacklisted. I think you're wrong. I think it depends upon the customer base. Of course, that's why I've said over and over that for situations like ours where a large customer base expects to be able to correspond with Hotmail users, this situation is not tenable. If you are lucky enough to have a group of users who are all that savvy and none of them care about hotmail, then you're lucky, and I suspect, you are also rare. ... but who not to whitelist? the small guys. unfortunately, large ISPs like that have power in the number of users they have. in no way do I advocate defending that as a good thing, but the fact that this gives them an immense amount of power to do whatever they want regarding rfcs and whatnot remains a reality. smaller services are the only organizations who are going to actually be potentially moved to action by landing on one of these RBLs. when was the last time SORBS managed to change Hotmail's policies? Has SORBS ever really changed anyones policies? That's certainly not what I use RBL's for. I couldn't give a rats posterior about whether or not some spammer changes careers, or some mail server changes configurations, or some ISP changes their appropriate use policies. It's too bad you have such a self-centered attitude about it. 
I like the idea that people care enough to want to see the Internet change for the better. If SORBS is making life hard for spammers and those who host them, I want to support them as best I can. Until now, that meant taking the time to explain to our users what the SORBS bounces meant and to have them go bug the offending admins. And, what if half of your user/customer base does NOT want you to white list aol but c'mon, when was the last time someone's user base was emailing their support staff begging for aol to be blacklisted? beside, this is what per-user settings for something like SA are for. If you're in a situation where users can have per-user settings. For example, that doesn't work here. Or, if that's how you're using your RBLs. People DO use rbls as block lists, and people do use SORBS as a block list. It's hard to have per-user settings for that. That is rough. You might look into SQL-based SA per user settings. It's very handy. does want you to whitelist hotmail ... while the other half of your base is exactly the opposite? It isn't a solvable problem, IMO. Everyone will want to draw the line differently, so there wont be an easy solution of that nature. But BLOCKING all mails from somewhere like Hotmail *IS* a decision that someone has made which is not acceptable to we who support large user bases. But it's not their job to cater to YOUR user base decisions. That's _your_ job. So we have to make the opposite decision to only use those RBLs in SA scoring. The baseline here is that you cannot outright ban whole large services -- Actually, yes, I can. And I have, for some periods of time (only, in my case, it was yahoo). Sure, but who here in their right mind thinks that's a good idea? At least those of us with a userbase that actually corresponds with users on yahoo, aol, hotmail... since you apparently live in the world the rest of us fantasize about. And SORBS can. And, really, you can too, you just choose not to. 
But even if you remove that from the argument, the point is, it's not the RBL's job to cater to your policies. And if they were to try to cater to everyones policies, they would be so conflicting that it would be pointless. Which was my point for the above quoted sections. And, it's not just that I don't think the RBL can do it, I don't think that kind of thing is the job of the RBL. I think that kind of thing is your job (or, in my case, it's my job). What's our job? Banning all of Hotmail? No. Your job is to tailor the tools you use so that they fit your organization. SORBS job is to provide a list of sites that fit a particular behavior. If you want there to be exceptions to that list, then it is YOUR job to make those exceptions, not theirs. Of course. Didn't you read the part of
Re: Hotmail on sorbs?!?
On Sep 21, 2005, at 11:17 PM, email builder wrote: ... but who not to whitelist? the small guys. unfortunately, large ISPs like that have power in the number of users they have. in no way do I advocate defending that as a good thing, but the fact that this gives them an immense amount of power to do whatever they want regarding rfcs and whatnot remains a reality. smaller services are the only organizations who are going to actually be potentially moved to action by landing on one of these RBLs. when was the last time SORBS managed to change Hotmail's policies? Has SORBS ever really changed anyones policies? That's certainly not what I use RBL's for. I couldn't give a rats posterior about whether or not some spammer changes careers, or some mail server changes configurations, or some ISP changes their appropriate use policies. It's too bad you have such a self-centered attitude about it. Me!? You're the one who presented the when was the last time SORBS ... question as though it was some universal benchmark of RBL value. You're the one projecting their opinion onto other people here. I was merely pointing out that it's not a universally relevant question to determining the value of the RBL and who it chooses to block. And, what if half of your user/customer base does NOT want you to white list aol but c'mon, when was the last time someone's user base was emailing their support staff begging for aol to be blacklisted? beside, this is what per-user settings for something like SA are for. If you're in a situation where users can have per-user settings. For example, that doesn't work here. Or, if that's how you're using your RBLs. People DO use rbls as block lists, and people do use SORBS as a block list. It's hard to have per-user settings for that. That is rough. You might look into SQL-based SA per user settings. It's very handy. Seen it. Doesn't apply to our situation. So we have to make the opposite decision to only use those RBLs in SA scoring. 
The baseline here is that you cannot outright ban whole large services -- Actually, yes, I can. And I have, for some periods of time (only, in my case, it was yahoo). Sure, but who here in their right mind thinks that's a good idea? Any sysadmin who cares about their mail service and their institution's ability to do business. You shouldn't make generalizations when you have no idea about the situation in question. I blocked Yahoo when we got mail bombed by them (bouncing a huge volume of forged-sender messages that didn't actually come from us). It was the responsible thing to do, in order to keep mail flowing through our systems, so that we could keep doing business. When the volume died down, we unblocked them. And I'd do it again. And, it's not just that I don't think the RBL can do it, I don't think that kind of thing is the job of the RBL. I think that kind of thing is your job (or, in my case, it's my job). What's our job? Banning all of Hotmail? No. Your job is to tailor the tools you use so that they fit your organization. SORBS job is to provide a list of sites that fit a particular behavior. If you want there to be exceptions to that list, then it is YOUR job to make those exceptions, not theirs. Of course. Didn't you read the part of my post that started all this? Yes, I did. And I a) pointed out that such a service can't exist on anything approaching a large scale (large enough to be worth running) because there is no universal place to draw the cut-off for who to whitelist and who to not whitelist, b) that you can perform that service for yourself, by using their blacklist as a starting point and trimming out those addresses that match your whitelist, and then using that as your production list, and c) the combination of a and b makes it incredibly unlikely that anyone would humor such a service idea. Why are you so pissed off at ME for putting that out there? Who said anything about being pissed off? 
Though, you clearly don't get what I'm saying, so it does make the conversation rather pointless. that you quoted ... it is performed by a script. I do no such manual thing. I get an email every few hours that tells me what happened, I scan it for references to networks that I am responsible for, and it tells me yes, I removed all of those networks from our copy of the RBL zone. Then I put the zone into production on my own name servers, so that I never see those sites showing up as RBL'ed. My point was that generally pulling apart RBL functionality and placing part of the onus of managing it back on the admin's plate is not going to be something that goes over well, even if you have a nifty script that works with one RBL. Sorry you missed it. a) I'm not altering RBL functionality in any way; I am altering a data feed b) it works for all RBLs; it is not dependent upon the RBL, it is dependent upon the data feed
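The feed-trimming step this post describes, as an added example (not the poster's script): local exception networks are removed from a copy of a blacklist feed before the copy is served locally. The feed format (one address or CIDR per line, `#` comments), the function names and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample feed and local exception list (documentation ranges).
SAMPLE_FEED = [
    "# constructed blacklist feed",
    "192.0.2.0/24",
    "198.51.100.7",
    "203.0.113.5   # single host",
]
SAMPLE_KEEP = ["192.0.2.16/28", "203.0.113.0/24"]


def trim_feed(feed_lines, keep_networks):
    """Return (trimmed_entries, report) with every keep network carved out.

    A listed block that merely contains an exception network is split so
    that the rest of the block stays listed; an entry that lies entirely
    inside an exception network is dropped.
    """
    keep = [ipaddress.ip_network(n) for n in keep_networks]
    kept, report = [], []
    for raw in feed_lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue                      # blank line or comment
        pending = [ipaddress.ip_network(entry, strict=False)]
        for exc in keep:
            remaining = []
            for net in pending:
                if net.version != exc.version or not net.overlaps(exc):
                    remaining.append(net)             # untouched
                elif net.subnet_of(exc):
                    report.append((entry, str(exc), "dropped"))
                else:
                    # CIDR blocks nest or are disjoint, so exc is inside net.
                    remaining.extend(net.address_exclude(exc))
                    report.append((entry, str(exc), "split"))
            pending = remaining
        kept.extend(pending)
    kept.sort(key=lambda n: (n.version, n))
    return [str(n) for n in kept], report


def is_listed(ip, trimmed):
    """Check an address against the trimmed list, as a local lookup would."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in trimmed)


if __name__ == "__main__":
    trimmed, report = trim_feed(SAMPLE_FEED, SAMPLE_KEEP)
    print("\n".join(trimmed))
    for entry, exc, action in report:
        print("%s: %s because of %s" % (entry, action, exc))
```

The report is the part worth mailing to the administrator: it records which upstream listings the local policy overrode, so an exception that starts matching unexpectedly is visible.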
Re: Hotmail on sorbs?!?
* Nathanael Hoyle [EMAIL PROTECTED] [2005-09-21 22:48]:
> Look at other rbl's, consider some or all of:
>
> abuse.rfc-ignorant.org
> dsn.rfc-ignorant.org
> list.dsbl.org
> sbl-xbl.spamhaus.org
> opm.blitzed.org

Please note that sbl-xbl.spamhaus.org includes opm.blitzed.org.

According to http://www.spamhaus.org/xbl/index.lasso

[quote]
The XBL wholly incorporates data from three highly-trusted DNSBL sources:
- the CBL (Composite Block List) from cbl.abuseat.org
- the BOPM (Blitzed Open Proxy Monitor) from opm.blitzed.org
- the NJABL open proxy IPs list from www.njabl.org.
[/quote]

Alex
--
Alex Pleiner
zeitform Internet Dienste
Fraunhoferstraße 5
64283 Darmstadt, Germany
http://www.zeitform.de
mailto:[EMAIL PROTECTED]
PGP S/MIME: http://key.zeitform.de/ap
Tel./Fax: +49 (0) 6151 155-635 / -634
Jabber: [EMAIL PROTECTED]
RE: Hotmail on sorbs?!?
From: email builder [mailto:[EMAIL PROTECTED] Can someone remind me if I am correct in my recollection that SORBS comes enabled by default for use in contributing to SA scores? Thanks a lot There are RCVD_IN_SORBS_* rules in 20_dnsbl_tests.cf for each of the various SORBS lists. The ones for RCVD_IN_SORBS_SPAM are commented out. Larry
Re: Hotmail on sorbs?!?
Alex Pleiner wrote:
> * Nathanael Hoyle [EMAIL PROTECTED] [2005-09-21 22:48]:
> > Look at other rbl's, consider some or all of:
> >
> > abuse.rfc-ignorant.org
> > dsn.rfc-ignorant.org
> > list.dsbl.org
> > sbl-xbl.spamhaus.org
> > opm.blitzed.org
>
> Please note that sbl-xbl.spamhaus.org includes opm.blitzed.org.
>
> According to http://www.spamhaus.org/xbl/index.lasso
>
> [quote]
> The XBL wholly incorporates data from three highly-trusted DNSBL sources:
> - the CBL (Composite Block List) from cbl.abuseat.org
> - the BOPM (Blitzed Open Proxy Monitor) from opm.blitzed.org
> - the NJABL open proxy IPs list from www.njabl.org.
> [/quote]
>
> Alex

Thanks Alex, you're right. My intent was to post a list the OP might select from, where they might choose opm.blitzed.org but not necessarily the sbl-xbl.spamhaus.org filter and so it was worth listing independently. But for someone looking at adding all of them, you're correct in saying that blitzed is redundant to sbl-xbl.

-Nathanael
Re: Hotmail on sorbs?!?
abuse.rfc-ignorant.org dsn.rfc-ignorant.org At least from my experience, while the rfc-ignorant.org lists are great in theory, they cause enough problems with end users that they're not worth it. The last ISP I worked at used them (the sys admin was the walking definition of a BOFH), and as the help desk manager, I got stuck trying to explain to people why they couldn't get mail from their friend on Prodigy when everyone else in the world could receive mail from them just fine. I still use the dsn list on my personal server, but it rarely hits since it's checked after Spamhaus's SBL/XBL list and dynablock.njabl.org.
Re: Hotmail on sorbs?!?
... but who not to whitelist? the small guys. unfortunately, large ISPs like that have power in the number of users they have. in no way do I advocate defending that as a good thing, but the fact that this gives them an immense amount of power to do whatever they want regarding rfcs and whatnot remains a reality. smaller services are the only organizations who are going to actually be potentially moved to action by landing on one of these RBLs. when was the last time SORBS managed to change Hotmail's policies? Has SORBS ever really changed anyone's policies? That's certainly not what I use RBL's for. I couldn't give a rat's posterior about whether or not some spammer changes careers, or some mail server changes configurations, or some ISP changes their appropriate use policies. It's too bad you have such a self-centered attitude about it. Me!? You're the one who presented the when was the last time SORBS ... question as though it was some universal benchmark of RBL value. Nope. The point that you entirely missed was that RBLs don't have much sway with services with huge numbers of users like Hotmail. Thus many of us cannot use RBLs on the front-line that block services like that. I never once said that SORBS et al. are useless, and did not reject their more lofty goals as irrelevant as you explicitly did. I, for one, enjoy the thought of people working together for goals outside of their own self-interest. You're the one projecting their opinion onto other people here. I was How so? I can't believe you don't hear me when I say for the 100th time that services like ours that have a lot of users who expect to communicate with hotmail users cannot use an RBL in the MTA if it lists hotmail. The only projecting I've done is to assume (reasonably surely) that there are a lot of other admins/services in the same boat. merely pointing out that it's not a universally relevant question to determining the value of the RBL and who it chooses to block. 
An RBL is most certainly of less value *to our company* as a tool to be used in the MTA if it lists hotmail. Of course that is relevant. I'm still not saying that means they should change their approach -- I am, however, musing about how nice it'd be to have another RBL that worked mostly the same sans the hotmail listings. And, it's not just that I don't think the RBL can do it, I don't think that kind of thing is the job of the RBL. I think that kind of thing is your job (or, in my case, it's my job). What's our job? Banning all of Hotmail? No. Your job is to tailor the tools you use so that they fit your organization. SORBS job is to provide a list of sites that fit a particular behavior. If you want there to be exceptions to that list, then it is YOUR job to make those exceptions, not theirs. Of course. Didn't you read the part of my post that started all this? Yes, I did. And I a) pointed out that such a service can't exist on anything approaching a large scale (large enough to be worth running) because there is no universal place to draw the cut-off for who to whitelist and who to not whitelist, Most RBLs consist of some amount of listings based on subjective decisions. There is no reason that someone else can't start a list with this goal in mind. Dunno if it'd be popular or even successful, but I was musing. Allow one to muse, why dontcha. b) that you can perform that service for yourself, by using their blacklist as a starting point and trimming out those addresses that match your whitelist, and then using that as your production list, And I said that I don't think it is desirable to place the onus of RBL maintenance onto all the sysadmins out there. Why are you so pissed off at ME for putting that out there? Who said anything about being pissed off? Your choice of words intone more than just arguing a point, the most obvious being asking if I know what a cron job is. Give me a break. 
Though, you clearly don't get what I'm saying, so it does make the conversation rather pointless. That's what I mean. Of course I understand your point, and I am explaining somewhat repetitively the parts I don't think you are addressing accurately. that you quoted ... it is performed by a script. I do no such manual thing. I get an email every few hours that tells me what happened, I scan it for references to networks that I am responsible for, and it tells me yes, I removed all of those networks from our copy of the RBL zone. Then I put the zone into production on my own name servers, so that I never see those sites showing up as RBL'ed. My point was that generally pulling apart RBL functionality and placing part of the onus of managing it back on the admin's plate is not going to be something that goes over well, even if you have a nifty script that works with one RBL. Sorry you
Re: Hotmail on sorbs?!?
goals as irrelevant as you explicitly did. I, for one, enjoy the thought of people working together for goals outside of their own self-interest. So we circle back to the start: you apparently have a utopian user community that does not have any need to correspond with hotmail users. For the rest of us, SORBS can't be used in the MTA if it blocks Hotmail. Too bad - really too bad. OTOH, after reading stuff like this, it makes me wish everyone decided to block hotmail, which might finally get their attention: http://chris-linfoot.net/d6plinks/CWLT-6FYBJY http://chris-linfoot.net/d6plinks/CWLT-64QC9K Wondering how long we can fend off our unhappy users before we start to lose business due to the Hotmail block (which still seems to be going strong in our logs)
Hotmail on sorbs?!?
Complaint from a user led me to find this in our logfile:

Sep 21 09:07:07 gaia postfix/smtpd[6392]: NOQUEUE: reject: RCPT from bay101-f11.bay101.hotmail.com[64.4.56.21]: 554 Service unavailable; Client host [64.4.56.21] blocked using dnsbl.sorbs.net; Spam Received See: http://www.sorbs.net/lookup.shtml?64.4.56.21; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=hotmail.com

We are a semi-high volume site with plenty of people who expect to receive hotmail mail, so this is REALLY BAD. I cringe at the thought of making a MTA top-level whitelist entry for all the hotmail IPs that I can find, or of removing sorbs from our list of postfix RBLs.

I also don't much care for the idea of using Sorbs only to tally points in SA, since we get so much crap, we'd like to reject most of the obvious stuff out of the gate - otherwise I envision our hard drives filling up twice as fast with crap nobody wants anyway.

It sucks that microsoft can just do whatever they want since they have sooo many users, but as this is the current state of our reality, I am interested in what people are doing to deal with it as is.

Is this causing anyone else problems?
Re: Hotmail on sorbs?!?
email builder writes:

Complaint from a user led me to find this in our logfile:

Sep 21 09:07:07 gaia postfix/smtpd[6392]: NOQUEUE: reject: RCPT from bay101-f11.bay101.hotmail.com[64.4.56.21]: 554 Service unavailable; Client host [64.4.56.21] blocked using dnsbl.sorbs.net; Spam Received See: http://www.sorbs.net/lookup.shtml?64.4.56.21; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=hotmail.com

We are a semi-high volume site with plenty of people who expect to receive hotmail mail, so this is REALLY BAD. I cringe at the thought of making a MTA top-level whitelist entry for all the hotmail IPs that I can find, or of removing sorbs from our list of postfix RBLs.

I also don't much care for the idea of using Sorbs only to tally points in SA, since we get so much crap, we'd like to reject most of the obvious stuff out of the gate - otherwise I envision our hard drives filling up twice as fast with crap nobody wants anyway.

I'm afraid you're going to have to do that, in my opinion -- you'll see lots of FPs using SORBS as a front-line block. Try other DNSBLs, but SORBS is just not suitable.

--j.
RE: Hotmail on sorbs?!?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

email builder writes:

Complaint from a user led me to find this in our logfile:

Sep 21 09:07:07 gaia postfix/smtpd[6392]: NOQUEUE: reject: RCPT from bay101-f11.bay101.hotmail.com[64.4.56.21]: 554 Service unavailable; Client host [64.4.56.21] blocked using dnsbl.sorbs.net; Spam Received See: http://www.sorbs.net/lookup.shtml?64.4.56.21; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=hotmail.com

We are a semi-high volume site with plenty of people who expect to receive hotmail mail, so this is REALLY BAD. I cringe at the thought of making a MTA top-level whitelist entry for all the hotmail IPs that I can find, or of removing sorbs from our list of postfix RBLs.

I also don't much care for the idea of using Sorbs only to tally points in SA, since we get so much crap, we'd like to reject most of the obvious stuff out of the gate - otherwise I envision our hard drives filling up twice as fast with crap nobody wants anyway.

I'm afraid you're going to have to do that, in my opinion -- you'll see lots of FPs using SORBS as a front-line block. Try other DNSBLs, but SORBS is just not suitable.

Alternatively, you can use the individual SORBS lists, with the exception of the Spam Received list:

127.0.0.2 Open HTTP server
127.0.0.3 Open Socks server
127.0.0.4 Open Proxy server
127.0.0.5 Open SMTP relay
127.0.0.10 Dynamic address

We have found these lists to have fewer false positives than the Spam Received list.
Re: Hotmail on sorbs?!?
email builder wrote:

Complaint from a user led me to find this in our logfile:

Sep 21 09:07:07 gaia postfix/smtpd[6392]: NOQUEUE: reject: RCPT from bay101-f11.bay101.hotmail.com[64.4.56.21]: 554 Service unavailable; Client host [64.4.56.21] blocked using dnsbl.sorbs.net; Spam Received See: http://www.sorbs.net/lookup.shtml?64.4.56.21; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=hotmail.com

A customer led me to the same block. Unfortunately they were some very important emails and the customer was more than a little irate.

We are a semi-high volume site with plenty of people who expect to receive hotmail mail, so this is REALLY BAD. I cringe at the thought of making a MTA top-level whitelist entry for all the hotmail IPs that I can find, or of removing sorbs from our list of postfix RBLs.

We removed sorbs. I don't think it's even open for debate at the current point. If places like hotmail mx's end up on the blacklist you *will* have upset customers.

I also don't much care for the idea of using Sorbs only to tally points in SA, since we get so much crap, we'd like to reject most of the obvious stuff out of the gate - otherwise I envision our hard drives filling up twice as fast with crap nobody wants anyway.

Look at other rbl's, consider some or all of:

abuse.rfc-ignorant.org
dsn.rfc-ignorant.org
list.dsbl.org
sbl-xbl.spamhaus.org
opm.blitzed.org

It sucks that microsoft can just do whatever they want since they have sooo many users, but as this is the current state of our reality, I am interested in what people are doing to deal with it as is.

Removed sorbs, no choice.

Is this causing anyone else problems?

Yep.

-- Nathanael Hoyle Systems and Networking Speed Express Networks [EMAIL PROTECTED] 432.837.2811
RE: Hotmail on sorbs?!?
It sucks that microsoft can just do whatever they want since they have sooo many users, but as this is the current state of our reality, I am interested in what people are doing to deal with it as is.

Removed sorbs, no choice.

Is this causing anyone else problems?

Yep.

-- Nathanael Hoyle Systems and Networking Speed Express Networks [EMAIL PROTECTED] 432.837.2811

I have hotmail triggering in Spamcop. Since the current score is 3.8 and our threshold is 5, it is starting to cause some problems for us too.

Microsoft Mail Internet Headers Version 2.0
Received: from atcoinns.atco.ca ([192.210.10.122]) by .xxx.com with Microsoft SMTPSVC(5.0.2195.6797); Wed, 21 Sep 2005 14:31:12 -0600
Received: from atcoinns.atco.ca ([192.210.10.122]) by atcoinns.atco.ca (SMSSMTP 4.0.0.59) with SMTP id M2005092114311019262 for [EMAIL PROTECTED]; Wed, 21 Sep 2005 14:31:10 -0600
Received: from bay105-f17.bay105.hotmail.com ([65.54.224.27] helo=hotmail.com) by atcoinns.atco.ca with esmtp (Exim ) for [EMAIL PROTECTED] id 1EIBFG-0006N1-HA; Wed, 21 Sep 2005 14:31:10 -0600
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 21 Sep 2005 13:30:52 -0700
Message-ID: [EMAIL PROTECTED]
Received: from 65.54.224.200 by by105fd.bay105.hotmail.msn.com with HTTP; Wed, 21 Sep 2005 20:30:52 GMT
X-Originating-IP: [65.54.224.200]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Bcc:
Subject: Possible Spam: tashas weight
Date: Wed, 21 Sep 2005 14:30:52 -0600
Mime-Version: 1.0
Content-Type: text/html; format=flowed
X-OriginalArrivalTime: 21 Sep 2005 20:30:52.0587 (UTC) FILETIME=[5C5937B0:01C5BEEB]
X-Spam-Prev-Subject: tashas weight
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on atcoinns.atco.ca
X-Spam-Level: *
X-Spam-Status: Yes, score=5.2 required=5.0
    tests=HTML_20_30,HTML_MESSAGE, MIME_HTML_ONLY,MSGID_FROM_MTA_HEADER,RCVD_IN_BL_SPAMCOP_NET, SPF_HELO_PASS autolearn=disabled version=3.0.4
X-Spam-Report:
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    * 0.8 HTML_20_30 BODY: Message is 20% to 30% HTML
    * 0.2 HTML_MESSAGE BODY: HTML included in message
    * 0.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    * 3.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    * [Blocked - see http://www.spamcop.net/bl.shtml?65.54.224.200]
    * 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
Re: Hotmail on sorbs?!?
[EMAIL PROTECTED] wrote: It sucks that microsoft can just do whatever they want since they have sooo many users, but as this is the current state of our reality, I am interested in what people are doing to deal with it as is. Removed sorbs, no choice. Is this causing anyone else problems? Yep. Their abuse report dpt is also VERY bad and they allow open relays to relay their forged emails. I have been having really big trouble with them for some time now. I am keeping SORBS, he is VERY right that lists them, unlike other lists.
Re: Hotmail on sorbs?!?
Nathanael Hoyle wrote: abuse.rfc-ignorant.org They are also in this list as well as postmaster.rfc-ignorant.org
Re: Hotmail on sorbs?!?
Sep 21 09:07:07 gaia postfix/smtpd[6392]: NOQUEUE: reject: RCPT from bay101-f11.bay101.hotmail.com[64.4.56.21]: 554 Service unavailable; Client host [64.4.56.21] blocked using dnsbl.sorbs.net; Spam Received See: http://www.sorbs.net/lookup.shtml?64.4.56.21; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=hotmail.com

I also don't much care for the idea of using Sorbs only to tally points in SA, since we get so much crap, we'd like to reject most of the obvious stuff out of the gate - otherwise I envision our hard drives filling up twice as fast with crap nobody wants anyway.

I'm afraid you're going to have to do that, in my opinion -- you'll see lots of FPs using SORBS as a front-line block. Try other DNSBLs, but SORBS is just not suitable.

OK, well other people also seem to be saying that SORBS is just not acceptable for a front-line RBL. Really too bad. Really. We do already use a ton of other RBLs, but just hate to let any of them go.

Can someone remind me if I am correct in my recollection that SORBS comes enabled by default for use in contributing to SA scores?

Thanks a lot
Re: Hotmail on sorbs?!?
Complaint from a user led me to find this in our logfile:

Sep 21 09:07:07 gaia postfix/smtpd[6392]: NOQUEUE: reject: RCPT from bay101-f11.bay101.hotmail.com[64.4.56.21]: 554 Service unavailable; Client host [64.4.56.21] blocked using dnsbl.sorbs.net; Spam Received See: http://www.sorbs.net/lookup.shtml?64.4.56.21; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=hotmail.com

A customer led me to the same block. Unfortunately they were some very important emails and the customer was more than a little irate.

eeck. ;)

We removed sorbs. I don't think it's even open for debate at the current point. If places like hotmail mx's end up on the blacklist you *will* have upset customers.

Yeah. It would be nice if there were a blacklist out there that took the best of all the others but refused to list things like hotmail for those of us who are in the situation of having users who expect connectivity to Hotmail and their ilk. Yes, it sucks, but this is what it is to have paying customers with friends who use MSN, etc, etc.

I also don't much care for the idea of using Sorbs only to tally points in SA, since we get so much crap, we'd like to reject most of the obvious stuff out of the gate - otherwise I envision our hard drives filling up twice as fast with crap nobody wants anyway.

Look at other rbl's, consider some or all of:

abuse.rfc-ignorant.org
dsn.rfc-ignorant.org

OK, we use dsn only. I'm curious if their other lists are widely seen to be just as useful?

list.dsbl.org
sbl-xbl.spamhaus.org
opm.blitzed.org

We are using all these with the addition of:

bl.spamcop.net
combined.njabl.org
relays.ordb.org
cbl.abuseat.org
blackhole.securitysage.com (reject_rhsbl_sender in postfix, although I'm not sure how useful this one is nowadays?)
blackhole.securitysage.com (reject_rhsbl_client in postfix, although I'm not sure how useful this one is nowadays?)

Thanks, Nathanael
Re: Hotmail on sorbs?!?
On Sep 21, 2005, at 5:23 PM, email builder wrote:

We removed sorbs. I don't think it's even open for debate at the current point. If places like hotmail mx's end up on the blacklist you *will* have upset customers.

Yeah. It would be nice if there were a blacklist out there that took the best of all the others but refused to list things like hotmail for those of us who are in the situation of having users who expect connectivity to Hotmail and their ilk. Yes, it sucks, but this is what it is to have paying customers with friends who use MSN, etc, etc.

So, then, where should they draw that line? Let in hotmail, yahoo, aol, verizon, and earthlink ... but who not to whitelist? And, what if half of your user/customer base does NOT want you to white list aol but does want you to whitelist hotmail ... while the other half of your base is exactly the opposite? It isn't a solvable problem, IMO. Everyone will want to draw the line differently, so there won't be an easy solution of that nature.

And, it's not just that I don't think the RBL can do it, I don't think that kind of thing is the job of the RBL. I think that kind of thing is your job (or, in my case, it's my job).

Here at UCSC, we use spamhaus (both SBL and XBL). In order to make sure my own users/customers don't get blacklisted, I have a cron job that:

a) use rsync to get a local copy of the zones.
b) grep the files to notify me if any of my own addresses are listed, so that I can follow up on why.
c) grep -v the files to remove any of those addresses from the zone.
d) takes the end result and puts it into a place where my name servers will pick it up.

(I'm also trying to get this for SURBL and RFC-Ignorant, but SURBL is taking some time, and RFC-I is unresponsive to my requests)

If I wanted to be sure that hotmail didn't get in there, I would add their to the grep -v expression (or pipe it through another layer of grep -v).
If a host gets listed that my users need to hear from, then they can notify me, and I'll do the same there. Alternately, you could create a set of rules that counter-weights the spam assassin results for those RBL checks, if they happen to be IP addresses you need to hear from. If you can't depend upon any particular RBL to never contain addresses you want to listen to, then you need to take one of those two strategies.
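Steps b) to d) of the cron job described in the message above, as an added example that is not the poster's script. The zone-file layout, the exceptions-file layout, the file names and the minimum-size check are assumptions, and the sample entries are constructed (64.4.56.21 is the address from the log line in the thread).

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed formats:
#   zone file:       one "address text" entry per line
#   exceptions file: one exact IPv4 address, or a dotted prefix ending in ".",
#                    per line; "#" starts a comment

# Turn each exception into an anchored regex, so that "64.4.56." cannot also
# strip "164.4.56.21" and "192.0.2.10" cannot also strip "192.0.2.100".
build_patterns() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
    while IFS= read -r entry; do
        esc=$(printf '%s' "$entry" | sed 's/\./\\./g')
        case "$entry" in
            *.) printf '^%s\n' "$esc" ;;                  # whole prefix
            *)  printf '^%s([[:space:]]|$)\n' "$esc" ;;   # exact address
        esac
    done
}

# Steps b) and c): $1 zone in, $2 exceptions, $3 filtered zone, $4 report.
filter_zone() {
    pat=$(mktemp) || return 2
    build_patterns "$2" > "$pat"
    if [ ! -s "$pat" ]; then              # no exceptions: pass zone through
        cp "$1" "$3" && : > "$4"
        rm -f "$pat"
        return 0
    fi
    rc=0
    grep -E -f "$pat" "$1" > "$4" || rc=$?        # b) entries to follow up on
    [ "$rc" -le 1 ] || { rm -f "$pat"; return 2; }
    rc=0
    grep -v -E -f "$pat" "$1" > "$3" || rc=$?     # c) zone without them
    rm -f "$pat"
    [ "$rc" -le 1 ]                       # grep exit 1 only means "no lines"
}

# Step d): $1 filtered zone, $2 live zone path, $3 minimum entry count.
# A failed or truncated download must not replace the zone in production.
deploy_zone() {
    new_lines=$(wc -l < "$1" | tr -d ' ')
    if [ "$new_lines" -lt "$3" ]; then
        echo "refusing to deploy: only $new_lines entries" >&2
        return 1
    fi
    cp "$1" "$2.tmp" && mv "$2.tmp" "$2"  # rename is atomic within one directory
}

# --- run on constructed sample data ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# a) would be: rsync from the list operator into "$DEMO_DIR/zone.raw"
#    (source URL is site-specific and not given in the thread; not run here)
cat > "$DEMO_DIR/zone.raw" <<'EOF'
64.4.56.21 Spam Received
164.4.56.21 Spam Received
64.4.5.9 Open SMTP relay
192.0.2.10 Dynamic address
192.0.2.100 Open Proxy server
198.51.100.7 Open Socks server
EOF

cat > "$DEMO_DIR/exceptions" <<'EOF'
# constructed exceptions list
64.4.56.       # prefix of a sender our users need to hear from
192.0.2.10     # one of our own hosts
EOF

filter_zone "$DEMO_DIR/zone.raw" "$DEMO_DIR/exceptions" \
            "$DEMO_DIR/zone.new" "$DEMO_DIR/report"
deploy_zone "$DEMO_DIR/zone.new" "$DEMO_DIR/zone.live" 3

echo "removed from local copy (mail this to the admin):"
cat "$DEMO_DIR/report"
echo "entries now in production: $(wc -l < "$DEMO_DIR/zone.live" | tr -d ' ')"
```

A plain `grep -v 64.4.5` would also have dropped the 164.4.56.21 and 64.4.5.9 entries, which is why the patterns are anchored and dot-escaped.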
Re: Hotmail on sorbs?!?
We removed sorbs. I don't think it's even open for debate at the current point. If places like hotmail mx's end up on the blacklist you *will* have upset customers. Yeah. It would be nice if there were a blacklist out there that took the best of all the others but refused to list things like hotmail for those of us who are in the situation of having users who expect connectivity to Hotmail and their ilk. Yes, it sucks, but this is what it is to have paying customers with friends who use MSN, etc, etc. So, then, where should they draw that line? Let in hotmail, yahoo, aol, verizon, and earthlink yes. i don't think any administrator with paying customers to please would be happy if any of these were blacklisted. ... but who not to whitelist? the small guys. unfortunately, large ISPs like that have power in the number of users they have. in no way do I advocate defending that as a good thing, but the fact that this gives them an immense amount of power to do whatever they want regarding rfcs and whatnot remains a reality. smaller services are the only organizations who are going to actually be potentially moved to action by landing on one of these RBLs. when was the last time SORBS managed to change Hotmail's policies? using something as strict as a RBL that lists Hotmail can only be useful for scoring but not as an outright block. I really don't think people who regularly correspond or who have to support ppl who correspond with hotmail users would argue with that. Sounds like you aren't one of those ppl. And, what if half of your user/customer base does NOT want you to white list aol but c'mon, when was the last time someone's user base was emailing their support staff begging for aol to be blacklisted? beside, this is what per-user settings for something like SA are for. does want you to whitelist hotmail ... while the other half of your base is exactly the opposite? It isn't a solvable problem, IMO. 
Everyone will want to draw the line differently, so there won't be an easy solution of that nature.

But BLOCKING all mails from somewhere like Hotmail *IS* a decision that someone has made which is not acceptable to we who support large user bases. So we have to make the opposite decision to only use those RBLs in SA scoring. The baseline here is that you cannot outright ban whole large services -- you HAVE to work from there, meaning that then if stuff doesn't score where your users like it, they have to adjust their own SA settings (ours do it on their own through a SquirrelMail interface).

And, it's not just that I don't think the RBL can do it, I don't think that kind of thing is the job of the RBL. I think that kind of thing is your job (or, in my case, it's my job).

What's our job? Banning all of Hotmail? Our job is to avoid that - it's obviously not workable at least for those in a position like the one I've described. So we have to stop using SORBS at the outset. And I'm pretty sad to do it, because so far it has been one of the best front-line defenses we've had. In general I think they are great, but this hotmail thing is NOT workable in our situation, and probably in many others

Or are you saying I should sit around all day and monitor ever-changing lists of potential spammer IPs and manually adjust our MTA white/black lists? That's not exactly realistic, so I'm not sure what you are suggesting (I think I am about to find out...)

Here at UCSC, we use spamhaus (both SBL and XBL). In order to make sure my own users/customers don't get blacklisted, I have a cron job that:

a) use rsync to get a local copy of the zones.
b) grep the files to notify me if any of my own addresses are listed, so that I can follow up on why.
c) grep -v the files to remove any of those addresses from the zone.
d) takes the end result and puts it into a place where my name servers will pick it up.
(I'm also trying to get this for SURBL and RFC-Ignorant, but SURBL is taking some time, and RFC-I is unresponsive to my requests) Don't get me wrong, I am fully supportive of the people taking their time to run those services (where would we be without them), but their general lack of responsiveness seems strange -- no matter which service it is, I always hear people say things about how non-responsive they are. Is it that they can't manage to parse through the number of insulting inquiries they get from the legit ones? Are these people that overworked? Seems like being more responsive, even if to just tell spam-friendly ISPs to take a hike, would give them more credibility. SPEWS seems to be the most common target of this criticism, but I've heard it for SORBS, etc too If I wanted to be sure that hotmail didn't get in there, I would add their to the grep -v expression (or pipe it through another layer of grep -v). If a host gets listed that my users need to hear from, then they can notify me, and I'll
Re: Hotmail on sorbs?!?
On Sep 21, 2005, at 7:26 PM, email builder wrote: We removed sorbs. I don't think it's even open for debate at the current point. If places like hotmail mx's end up on the blacklist you *will* have upset customers. Yeah. It would be nice if there were a blacklist out there that took the best of all the others but refused to list things like hotmail for those of us who are in the situation of having users who expect connectivity to Hotmail and their ilk. Yes, it sucks, but this is what it is to have paying customers with friends who use MSN, etc, etc. So, then, where should they draw that line? Let in hotmail, yahoo, aol, verizon, and earthlink yes. i don't think any administrator with paying customers to please would be happy if any of these were blacklisted. I think you're wrong. I think it depends upon the customer base. ... but who not to whitelist? the small guys. unfortunately, large ISPs like that have power in the number of users they have. in no way do I advocate defending that as a good thing, but the fact that this gives them an immense amount of power to do whatever they want regarding rfcs and whatnot remains a reality. smaller services are the only organizations who are going to actually be potentially moved to action by landing on one of these RBLs. when was the last time SORBS managed to change Hotmail's policies? Has SORBS ever really changed anyone's policies? That's certainly not what I use RBL's for. I couldn't give a rat's posterior about whether or not some spammer changes careers, or some mail server changes configurations, or some ISP changes their appropriate use policies. And, what if half of your user/customer base does NOT want you to white list aol but c'mon, when was the last time someone's user base was emailing their support staff begging for aol to be blacklisted? beside, this is what per-user settings for something like SA are for. If you're in a situation where users can have per-user settings. For example, that doesn't work here. 
Or, if that's how you're using your RBLs. People DO use rbls as block lists, and people do use SORBS as a block list. It's hard to have per-user settings for that. does want you to whitelist hotmail ... while the other half of your base is exactly the opposite? It isn't a solvable problem, IMO. Everyone will want to draw the line differently, so there won't be an easy solution of that nature. But BLOCKING all mails from somewhere like Hotmail *IS* a decision that someone has made which is not acceptable to we who support large user bases. But it's not their job to cater to YOUR user base decisions. That's _your_ job. So we have to make the opposite decision to only use those RBLs in SA scoring. The baseline here is that you cannot outright ban whole large services -- Actually, yes, I can. And I have, for some periods of time (only, in my case, it was yahoo). And SORBS can. And, really, you can too, you just choose not to. But even if you remove that from the argument, the point is, it's not the RBL's job to cater to your policies. And if they were to try to cater to everyone's policies, they would be so conflicting that it would be pointless. Which was my point for the above quoted sections. And, it's not just that I don't think the RBL can do it, I don't think that kind of thing is the job of the RBL. I think that kind of thing is your job (or, in my case, it's my job). What's our job? Banning all of Hotmail? No. Your job is to tailor the tools you use so that they fit your organization. SORBS job is to provide a list of sites that fit a particular behavior. If you want there to be exceptions to that list, then it is YOUR job to make those exceptions, not theirs. Our job is to avoid that - it's obviously not workable at least for those in a position like the one I've described. So we have to stop using SORBS at the outset. And I'm pretty sad to do it, because so far it has been one of the best front-line defenses we've had. 
In general I think they are great, but this hotmail thing is NOT workable in our situation, and probably in many others Or are you saying I should sit around all day and monitor ever-changing lists of potential spammer IPs and manually adjust our MTA white/black lists? That's not exactly realistic, so I'm not sure what you are suggesting (I think I am about to find out...) Do you not know what a cron job is? Here, re-read this next section that you quoted ... it is performed by a script. I do no such manual thing. I get an email every few hours that tells me what happened, I scan it for references to networks that I am responsible for, and it tells me yes, I removed all of those networks from our copy of the RBL zone. Then I put the zone into production on my own name servers, so that I never see those sites showing up as RBL'ed. Here at UCSC, we use spamhaus (both SBL and XBL).