Re: disable spamhaus rbl?
Diego Pomatta wrote:
> After reading all the replies I was left wondering..
> These kind of rules are not used when spamd is started with the -L
> (--local) switch, right?
> I use *rblsmtpd* (http://cr.yp.to/ucspi-tcp/rblsmtpd.html) to query
> spamhaus at smtp time. (qmail - tcpserver)
> /usr/local/bin/rblsmtpd -b -C -r 'sbl-xbl.spamhaus.org'
> I always considered it to be more efficient this way, would this be
> correct?

Almost correct -- SA will not only consider the "connecting" IP address,
but also look at the "most likely source" IP address, as determined by
the trusted_network & Co. algorithm.

Ie., having RBLs *both* on the MTA and in SA gives you a double benefit:
reduce the load on SA by rejecting certain messages early (modulo false
positive issues mentioned in this thread), and possibly hitting more
RBLed sources by going beyond what is possible in the MTA alone.

While there are additional DNS queries for the additional candidate IP
addresses (if present), the result for the connecting IP address will
already be cached (if previously queried by the MTA) and hence cause no
additional DNS traffic.

Personally, I prefer checking (some) RBLs both in the MTA and in SA for
the added benefit, but YMMV.

-- 
Matthias
Re: disable spamhaus rbl?
Kai Schaetzl wrote:
> Diego Pomatta wrote on Tue, 14 Aug 2007 10:37:27 -0300:
>
>> I always considered it to be more efficient this way, would this be
>> correct?
>
> It's a matter of trust. If you trust the RBL to produce an
> insignificant amount of false positives for you then rejecting at MTA
> level is the best thing you can do. I do it the same way. But there
> are people/companies who think they cannot even afford a single FP, so
> they cannot do this. Some also use RBLs as a source of greylisting
> which is a very good compromise.
> BTW: you should use zen and not xbl+sbl, anymore, visit the
> spamhaus.org site.
>
> Kai

Will do, thanks.
Re: disable spamhaus rbl?
Diego Pomatta wrote on Tue, 14 Aug 2007 10:37:27 -0300:

> I always considered it to be more efficient this way, would this be
> correct?

It's a matter of trust. If you trust the RBL to produce an insignificant
amount of false positives for you then rejecting at MTA level is the
best thing you can do. I do it the same way. But there are
people/companies who think they cannot even afford a single FP, so they
cannot do this. Some also use RBLs as a source of greylisting which is a
very good compromise.
BTW: you should use zen and not xbl+sbl, anymore, visit the spamhaus.org
site.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
RE: disable spamhaus rbl?
> After reading all the replies I was left wondering..
> These kind of rules are not used when spamd is started with the -L
> (--local) switch, right?
> I use *rblsmtpd* (http://cr.yp.to/ucspi-tcp/rblsmtpd.html) to
> query spamhaus at smtp time. (qmail - tcpserver)
> /usr/local/bin/rblsmtpd -b -C -r 'sbl-xbl.spamhaus.org'
> I always considered it to be more efficient this way, would
> this be correct?

If I am not mistaken, this methodology will simply dump any hits on
spamhaus rather than score a hit in combination with other scores.
Someone can correct me if I am wrong.

- Skip
Re: disable spamhaus rbl?
Fletcher Mattox wrote:
> Spamhaus has determined that my query rate is too high to continue
> using their servers for free. So they have, apparently, blocked my
> queries at their router, which incurs a 5 second timeout. How do I
> tell SpamAssassin to stop using all spamhaus servers, including zen?
> I tried this in local.cf:
>
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
>
> But it seems not to work. I still see lots of outgoing queries with
> tcpdump, and I still get these debug messages:

After reading all the replies I was left wondering..
These kind of rules are not used when spamd is started with the -L
(--local) switch, right?
I use *rblsmtpd* (http://cr.yp.to/ucspi-tcp/rblsmtpd.html) to query
spamhaus at smtp time. (qmail - tcpserver)

/usr/local/bin/rblsmtpd -b -C -r 'sbl-xbl.spamhaus.org'

I always considered it to be more efficient this way, would this be
correct?

/Regards
RE: disable spamhaus rbl?
You almost got it right!

Try

score __RCVD_IN_ZEN 0.0
score RCVD_IN_SBL 0.0
score RCVD_IN_XBL 0.0
score RCVD_IN_PBL 0.0
score URIBL_SBL 0.0

Cheers,

Phil

-- 
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: Fletcher Mattox [mailto:[EMAIL PROTECTED]
> Sent: 13 August 2007 22:43
> To: users@spamassassin.apache.org
> Subject: Re: disable spamhaus rbl?
>
> Theo Van Dinter writes:
> > Alternately, add a "spamhaus.org" zone to your name server w/ no
> > entries so that queries return "instantly".
>
> Perfect! Thanks, Theo.
> Fyi, even with
>
> score __RCVD_IN_ZEN 0
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
>
> I still see lots of queries to sbl.spamhaus.org.
> (But I no longer care, since the name server hack works).
>
> Fletcher
Re: disable spamhaus rbl?
Never mind. I understand. Set the scores to zero within local.cf.
Forgive the noise.

On Tue, 14 Aug 2007 at 02:07 -, [EMAIL PROTECTED] confabulated:

> On Mon, 13 Aug 2007 at 17:02 -0400, [EMAIL PROTECTED] confabulated:
>
>> You need to find the source rules and set them to zero, ala:
>>
>> $ grep spamhaus.org /var/lib/spamassassin/3.001008/updates_spamassassin_org/*.cf | awk '/check_rbl/ { print $2 }'
>> __RCVD_IN_ZEN
>> RCVD_IN_XBL
>> RCVD_IN_PBL
>>
>> Set those scores to 0.
>
> Wouldn't these changes get overwritten by the next sa-update performed?
> I'm just asking to solidify my thoughts.
Re: disable spamhaus rbl?
On Tue, Aug 14, 2007 at 02:07:20AM +, Duane Hill wrote:
> Wouldn't these changes get overwritten by the next sa-update performed?
> I'm just asking to solidify my thoughts.

Nope. You set the score in your site config dir
(/etc/mail/spamassassin/local.cf), which doesn't change via sa-update.

-- 
Randomly Selected Tagline:
You're growing out of some of your problems, but there are others that
you're growing into.
Re: disable spamhaus rbl?
On Mon, 13 Aug 2007 at 17:02 -0400, [EMAIL PROTECTED] confabulated:

> You need to find the source rules and set them to zero, ala:
>
> $ grep spamhaus.org /var/lib/spamassassin/3.001008/updates_spamassassin_org/*.cf | awk '/check_rbl/ { print $2 }'
> __RCVD_IN_ZEN
> RCVD_IN_XBL
> RCVD_IN_PBL
>
> Set those scores to 0.

Wouldn't these changes get overwritten by the next sa-update performed?
I'm just asking to solidify my thoughts.
Re: disable spamhaus rbl?
Fletcher,

In the meantime, while you are waiting on finalizing the spamhaus
contract, you are welcome to test drive my "ivmSIP.com" DNSBL for free.
I mention this because, while my dnsbl is not meant to replace SpamHaus,
it would probably take the edge off the pain of you not having SpamHaus
for some days or weeks. (and my FP rate is just about as good as
SpamHaus's... and constantly improving!).

Just let me know and I'll tell you what to do to get started.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
Re: disable spamhaus rbl?
Fletcher Mattox wrote:
> John Rudd wrote:
>> Fletcher Mattox wrote:
>>> Spamhaus has determined that my query rate is too high to continue
>>> using their servers for free. So they have, apparently, blocked my
>>> queries at their router, which incurs a 5 second timeout. How do I
>>> tell SpamAssassin to stop using all spamhaus servers, including zen?
>>> I tried this in local.cf:
>>>
>>> score RCVD_IN_SBL 0
>>> score RCVD_IN_XBL 0
>>> score RCVD_IN_PBL 0
>>>
>>> But it seems not to work. I still see lots of outgoing queries with
>>> tcpdump, and I still get these debug messages:
>>>
>>> [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
>>> [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
>>> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds
>>
>> a) If you're hitting them that hard, why not pay for their service?
>
> Thanks, John, for your friendly advice. However, please keep in mind
> that I was *not* complaining about their policy--which is quite
> reasonable. In fact, since you ask, we *are* going to pay for their
> service, but that contract has not been finalized, and I need help
> now. Ok? Just in case someone else thinks I am trying to freeload. :)
> I love spamhaus's service, and I am happy to pay for it.

When we were in that same situation, we asked them for an extension and
they gave it to us.

>> b) Are you using anything to help lighten your load on their servers,
>> like a local caching name server so that you don't have to do repeated
>> lookups of the same addresses?
>
> Of course we use a caching name server. We just happen to be a high
> volume user.
>
> Fletcher
Re: disable spamhaus rbl?
John Rudd wrote:
> Fletcher Mattox wrote:
> > Spamhaus has determined that my query rate is too high to continue
> > using their servers for free. So they have, apparently, blocked my
> > queries at their router, which incurs a 5 second timeout. How do I
> > tell SpamAssassin to stop using all spamhaus servers, including zen?
> > I tried this in local.cf:
> >
> > score RCVD_IN_SBL 0
> > score RCVD_IN_XBL 0
> > score RCVD_IN_PBL 0
> >
> > But it seems not to work. I still see lots of outgoing queries with
> > tcpdump, and I still get these debug messages:
> >
> > [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
> > [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
> > [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds
>
> a) If you're hitting them that hard, why not pay for their service?

Thanks, John, for your friendly advice. However, please keep in mind
that I was *not* complaining about their policy--which is quite
reasonable. In fact, since you ask, we *are* going to pay for their
service, but that contract has not been finalized, and I need help now.
Ok? Just in case someone else thinks I am trying to freeload. :)
I love spamhaus's service, and I am happy to pay for it.

> b) Are you using anything to help lighten your load on their servers,
> like a local caching name server so that you don't have to do repeated
> lookups of the same addresses?

Of course we use a caching name server. We just happen to be a high
volume user.

Fletcher
Re: disable spamhaus rbl?
Theo Van Dinter writes:
> Alternately, add a "spamhaus.org" zone to your name server w/ no
> entries so that queries return "instantly".

Perfect! Thanks, Theo.
Fyi, even with

score __RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0

I still see lots of queries to sbl.spamhaus.org.
(But I no longer care, since the name server hack works).

Fletcher
Re: disable spamhaus rbl?
Theo Van Dinter wrote:
> On Mon, Aug 13, 2007 at 03:55:52PM -0500, Fletcher Mattox wrote:
>> But it seems not to work. I still see lots of outgoing queries with
>> tcpdump, and I still get these debug messages:
>>
>> [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
>> [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
>> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds
>
> You need to find the source rules and set them to zero, ala:
>
> $ grep spamhaus.org /var/lib/spamassassin/3.001008/updates_spamassassin_org/*.cf | awk '/check_rbl/ { print $2 }'
> __RCVD_IN_ZEN
> RCVD_IN_XBL
> RCVD_IN_PBL
>
> Set those scores to 0.

Consider also using CBL.abuseat.org - it is included in XBL.spamhaus.org
and gives most hits of XBL.
CBL.abuseat.org zone files can be downloaded via rsync.

> Alternately, add a "spamhaus.org" zone to your name server w/ no
> entries so that queries return "instantly".

-- 
[pl>en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
Home site: http://anfi.homeunix.net/
Re: disable spamhaus rbl?
Fletcher Mattox wrote:
> Spamhaus has determined that my query rate is too high to continue
> using their servers for free. So they have, apparently, blocked my
> queries at their router, which incurs a 5 second timeout. How do I
> tell SpamAssassin to stop using all spamhaus servers, including zen?
> I tried this in local.cf:
>
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
>
> But it seems not to work. I still see lots of outgoing queries with
> tcpdump, and I still get these debug messages:
>
> [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
> [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds

a) If you're hitting them that hard, why not pay for their service?

b) Are you using anything to help lighten your load on their servers,
like a local caching name server so that you don't have to do repeated
lookups of the same addresses?
Re: disable spamhaus rbl?
On Mon, 13 Aug 2007, Fletcher Mattox wrote:

> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0

> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN,
-------------------------------------^

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 [Small arms] are fundamentally dangerous and their removal from the
 equation either by control, neutralisation or removal is essential.
 The first step is to gain information on their numbers and
 whereabouts.
         -- the UN, who "doesn't want to confiscate guns"
---
 2 days until The 62nd anniversary of the end of World War II
Re: disable spamhaus rbl?
On Mon, Aug 13, 2007 at 03:55:52PM -0500, Fletcher Mattox wrote:
> But it seems not to work. I still see lots of outgoing queries with
> tcpdump, and I still get these debug messages:
>
> [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
> [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds

You need to find the source rules and set them to zero, ala:

$ grep spamhaus.org /var/lib/spamassassin/3.001008/updates_spamassassin_org/*.cf | awk '/check_rbl/ { print $2 }'
__RCVD_IN_ZEN
RCVD_IN_XBL
RCVD_IN_PBL

Set those scores to 0.

Alternately, add a "spamhaus.org" zone to your name server w/ no entries
so that queries return "instantly".

-- 
Randomly Selected Tagline:
Windows: Where do you want to go today?
MacOS  : Where do you want to be tomorrow?
Linux  : Are you coming or what?
                - June 2000 issue of Linux Journal
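
[Added example, not part of the thread and not SpamAssassin's own tooling.] The grep/awk lookup from the message above, extended to also catch uridnsbl rules such as the URIBL_SBL mentioned elsewhere in the thread, to emit the matching local.cf lines, and to count lookups still launched in debug output. The function names, the sample rule file and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample rule and log lines are constructed.

# dnsbl_rules ZONE FILE...: names of rules whose definition line mentions ZONE
# and uses check_rbl (header rules) or uridnsbl (URI rules). The rule name is
# field 2 in both forms. Commented-out definitions are skipped.
dnsbl_rules() {
    zone=$1; shift
    grep -h -F -- "$zone" "$@" |
        awk '!/^[ \t]*#/ && /check_rbl|uridnsbl/ { print $2 }' | LC_ALL=C sort -u
}

# zero_scores ZONE FILE...: the matching "score NAME 0" lines for local.cf.
zero_scores() {
    dnsbl_rules "$@" | while read -r rule; do printf 'score %s 0\n' "$rule"; done
}

# launched_queries ZONE: reads SpamAssassin debug output on stdin and counts
# the DNS lookups still being launched for names under ZONE.
launched_queries() {
    awk -v z="$1" 'index($0, "dbg: dns: launching DNS") && index($0, z) { n++ }
                   END { print n + 0 }'
}

# Constructed rule file (layout assumed; real files live under the update dir).
SAMPLE_CF=$(mktemp)
trap 'rm -f "$SAMPLE_CF"' EXIT
cat > "$SAMPLE_CF" <<'EOF'
header __RCVD_IN_ZEN  eval:check_rbl('zen', 'zen.spamhaus.org.')
# check_rbl_sub reuses the 'zen' result set and names no zone itself:
header RCVD_IN_SBL    eval:check_rbl_sub('zen', '127.0.0.2')
header RCVD_IN_XBL    eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.4')
#header RCVD_IN_OLD   eval:check_rbl('old', 'sbl-xbl.spamhaus.org.')
uridnsbl URIBL_SBL    sbl.spamhaus.org. TXT
header RCVD_IN_OTHER  eval:check_rbl('other', 'dnsbl.example.org.')
EOF

# Constructed debug output in the format quoted in the thread.
SAMPLE_LOG='[30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
[30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
[30474] dbg: dns: launching DNS A query for 229.51.225.220.dnsbl.example.org. in background'

zero_scores spamhaus.org "$SAMPLE_CF"
printf '%s\n' "$SAMPLE_LOG" | launched_queries spamhaus.org
```

Rules defined with check_rbl_sub carry no zone name on their own line, so a zone grep does not list them; they only interpret the result of the parent set's query.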
Re: disable spamhaus rbl?
Fletcher Mattox wrote:
> Spamhaus has determined that my query rate is too high to continue
> using their servers for free. So they have, apparently, blocked my
> queries at their router, which incurs a 5 second timeout. How do I
> tell SpamAssassin to stop using all spamhaus servers, including zen?
> I tried this in local.cf:
>
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
>
> But it seems not to work. I still see lots of outgoing queries with
> tcpdump, and I still get these debug messages:
>
> [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
> [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds
>
> Thanks,
> Fletcher

score __RCVD_IN_ZEN 0
disable spamhaus rbl?
Spamhaus has determined that my query rate is too high to continue
using their servers for free. So they have, apparently, blocked my
queries at their router, which incurs a 5 second timeout. How do I
tell SpamAssassin to stop using all spamhaus servers, including zen?
I tried this in local.cf:

score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0

But it seems not to work. I still see lots of outgoing queries with
tcpdump, and I still get these debug messages:

[30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
[30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
[30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds

Thanks,
Fletcher