I have never used any blacklists, however I am starting to get complaints from users about spam. I read Bill's blacklist and it seems a little complicated for me right now. Could I get some suggestions on how to start. Is it better to start with existing blacklists instead of creating my own? What is the best approach?
Maintaining your own is a real chore but sometimes is the only way to be sure. You cannot depend on the public blacklists to catch everything you want to catch, and they really shouldn't be as severe and expansive as my list, which is useful here but not much of anywhere else.
The one public blacklist that is suitable for any site is the CBL, whose DNS root is cbl.abuseat.org and whose website is at http://cbl.abuseat.org. That list is strictly machines that have behaved like open proxies or 'spam zombies' in how they send mail. While the details of what that means are not specified on that site, I suspect that it means things like absurd HELO's, use of pipelining inappropriately, or ignoring 5xx responses to MAIL or RCPT commands. In practice, the CBL has extremely few false positives even on very large systems (million+ messages per day) and the only ones I've heard of were cases where in fact the listed machines were running trojans or open proxies in addition to being legitimate mailservers. If you don't have the mental bandwidth to spare on the maintenance of a local list or on figuring out which of the other 500 lists might fit you well, start with the CBL and see if the results are adequate.
Beyond the CBL, I also use the following public blacklists:
sbl.spamhaus.org
korea.services.net
opm.blitzed.org
relays.visi.com
verisign.blackholes.us
Note that if you do business with the spamming fraudulent incompetents at Verisign, you won't want that last one. The others are extremely conservative, although the korea.services.net list will effectively eliminate your ability to receive mail from those networks in Korea which have failed to obliterate their piece of the rather astounding Korean spam problem. Last I heard, that translated to all of Korea's networks.
The others are very safe for just about anyone who doesn't really want to talk to spammers. The SBL is run by "our own" Steve Linford (are you still here Steve?) and covers address space directly assigned to known chronic spammers. The BOPM list covers abused open proxies identified by spam in hand and IRC servers that check their clients at connection. The VISI Relays list (aka RSL) is a list founded by the inventor of responsible relays list management (what a novel concept!), Al Iverson, and is run on the basis of testing machines for which they have apparent relay spam in hand. One interesting feature of the RSL and CBL is that both will delist anyone who asks for their machine to be delisted. This may seem absurd, but it works very well because they also will relist any machine that earns it. Since the delisting process would not scale well for spammers, this means that machines which are fixed drop from those lists swiftly, but machines with chronic problems at worst only flash off the lists for a short time.
Local blacklists are a matter of taste and need. My local blacklist is highly effective, but I am now running at 2-3 false positives that I know about every month, after about a year (pre-Swen) where I had just 2. My approach includes:
1. Any source of viruses or virus notifications is listed, with multiple listings on the same net enlarged to /24 or allocation block as I see fit and have the time. This is actually mostly consumer ISP mailservers. I may start whacking the old entries as ISP's wise up about this garbage.
2. Any IP address that hits my webserver attack landmines is listed immediately and automatically, as well as being blocked from the webserver. These are essentially all worm-ridden Windows boxes, and so are likely to be hit by one of the spamming worms at some point.
3. Any IP that sends me spam which makes it through the existing local and public blacklists is evaluated subjectively, and in many cases results in listing a /24, the smallest registered address range around it, or the top-level registered address range. Those judgement calls are based on my experience with the entities responsible for the network in question and my sense of how likely I am to get legit email from the network.
4. I drill holes whenever I discover that I am more likely to get legit email from a particular range than I am to get spam. See recent messages between myself and Clement Ross for an example.
5. Every account here has at least one and usually two forms of 'wormhole' addressing available that gets past the blacklist. This means that we avoid false positives by giving special addresses to people who are likely to mail from listed space.
6. Really bad address space is blocked at the router. I protect my P575 mailserver from the worst chronic spammer networks where I know I will get nothing good but do get pounded repeatedly by rejecting traffic to port 25 from them. Big pieces of Asia are in there now, as is a large bit of Italy.
Note that my local blacklist grew too big for SIMS about a year ago, and while the version online looks like a SIMS blacklist, that's just a legacy software quirk: I have scripts that add entries and convert the whole thing to a local DNSBL zone which I have SIMS point at.
--
Bill Cole
[EMAIL PROTECTED]
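The post describes two mechanical pieces of a DNSBL setup without showing them: the reversed-octet query a mail server sends to a zone such as cbl.abuseat.org, and a script that turns a local list of ranges and "holes" (steps 3 and 4 above) into a DNSBL zone the MTA can point at. The following is an added example in Python, not Bill Cole's scripts and not SIMS-specific. The zone name `bl.example.invalid`, the listed and exempted ranges (taken from the RFC 5737 documentation blocks), and all function names are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional

# Hypothetical zone name for the local DNSBL (not from the original post).
LOCAL_ZONE = "bl.example.invalid"

# Constructed sample listings: a /24 around a spam source, a small allocation
# block of a consumer ISP, and one single worm-ridden host.
LISTED = ["192.0.2.0/24", "198.51.100.0/22", "203.0.113.77/32"]
# Constructed "holes": addresses inside listed space that send legitimate mail.
HOLES = ["198.51.100.10/32"]


def query_name(ip: str, zone: str) -> str:
    """Owner name a mail server looks up in a DNSBL: octets reversed under the zone."""
    ipaddress.IPv4Address(ip)  # validates the input
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".") + "."


def zone_units(cidr: str) -> List[ipaddress.IPv4Network]:
    """Split a range into the units this zone expresses: /24 wildcards or /32 hosts.
    Blocks wider than /24 become several /24s; narrower ones become single hosts."""
    net = ipaddress.ip_network(cidr, strict=False)
    return list(net.subnets(new_prefix=24 if net.prefixlen <= 24 else 32))


def owner_name(unit: ipaddress.IPv4Network) -> str:
    """Relative owner name: 'D.C.B.A' for a host, '*.C.B.A' for a /24."""
    octets = str(unit.network_address).split(".")
    if unit.prefixlen == 32:
        return ".".join(reversed(octets))
    return "*." + ".".join(reversed(octets[:3]))


def build_zone(listed: List[str], holes: List[str]) -> Dict[str, Optional[str]]:
    """Map owner names to an A target (listed) or None (a hole).

    A hole at host level is emitted as a TXT-only name: because the name then
    exists, the /24 wildcard no longer applies to it and an A query gets NODATA,
    i.e. 'not listed'.  A hole covering a whole /24 simply drops that wildcard
    and any explicit hosts beneath it.
    """
    records: Dict[str, Optional[str]] = {}
    for cidr in listed:
        for unit in zone_units(cidr):
            records[owner_name(unit)] = "127.0.0.2"
    for cidr in holes:
        for unit in zone_units(cidr):
            name = owner_name(unit)
            if unit.prefixlen == 32:
                records[name] = None
            else:
                suffix = name[1:]  # ".C.B.A" matches the wildcard and its hosts
                for key in [k for k in records if k.endswith(suffix)]:
                    records.pop(key)
    return records


def lookup(ip: str, records: Dict[str, Optional[str]]) -> Optional[str]:
    """Simulate the resolver's answer: an explicit name wins over the wildcard."""
    octets = ip.split(".")
    exact = ".".join(reversed(octets))
    if exact in records:
        return records[exact]
    return records.get("*." + ".".join(reversed(octets[:3])))


def is_listed(ip: str, records: Dict[str, Optional[str]]) -> bool:
    return lookup(ip, records) is not None


def zone_file(records: Dict[str, Optional[str]], zone: str = LOCAL_ZONE) -> str:
    """Render a BIND-style zone; serial and nameserver values are placeholders."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA ns.{zone}. hostmaster.{zone}. 1 3600 900 604800 300",
        f"@ IN NS ns.{zone}.",
    ]
    for name, target in sorted(records.items()):
        if target is None:
            lines.append(f'{name} IN TXT "hole: deliberately not listed"')
        else:
            lines.append(f"{name} IN A {target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    zone = build_zone(LISTED, HOLES)
    print(zone_file(zone))
    for probe in ("192.0.2.5", "198.51.100.10", "198.51.101.9", "203.0.113.78"):
        print(probe, "listed" if is_listed(probe, zone) else "clean")
    print(query_name("203.0.113.77", "cbl.abuseat.org"))
```

The hole mechanism relies on ordinary DNS wildcard semantics (a wildcard only synthesizes answers for names that do not exist), so an explicit TXT-only name is the standard way to carve an exception out of a wildcarded /24 without enumerating the other 255 hosts. Keeping listings to /24 and /32 units avoids the closest-encloser surprises that arise when wildcards at different octet depths overlap.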