Hi,

On Mon, 27 Sep 2004 15:10:30 -0700 [EMAIL PROTECTED] wrote:

> On Mon, 27 Sep 2004 12:52:41 -0400 (EDT), "Dan Mahoney, System Admin"
> <[EMAIL PROTECTED]> said:
> > Hey guys, as a quick survey, if you're blocking ips at the MTA level,
> > which are you using?
>
> I think it's a bad idea and don't do it at all. Much better to configure
> your MTA to reject mail based on a SpamAssassin score which nicely
> combines the RBLs and other spam indicators. Our MTA returns a 550 after
> the DATA is received on any message that SpamAssassin scores higher than
> 10, which blocks about 90% of all spam we get (that's about 70% of all
> incoming mail, lately).

I'll counter that rejecting before DATA saves on bandwidth and CPU, and
can be done safely with a judicious choice of DNSBLs. Here's part of my
Postfix config, comments appended:

smtpd_client_restrictions =
    # my net
    permit_mynetworks,
    # manual white- and blacklists
    check_client_access hash:/etc/postfix/access,
    # systems persistently bouncing mail to nonexistent users
    check_client_access hash:/etc/postfix/access_bounce_morons,
    # systems with no fDNS or rDNS; this can FP if you correspond with
    # poorly-managed systems
    reject_unknown_client,
    # no need to accept mail from known exploited machines, open relays,
    # open proxies, dynamically-assigned addresses, or systems that can't
    # accept mail
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client combined.njabl.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client rhsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client bogusmx.rfc-ignorant.org

I manually maintain a list of servers that HELO as my domain and that have
sent to spamtraps and broken addresses (a surprising amount of
web-scraping robots choke on plus-tagged addresses; you'd be appalled at
how much mail is directed at [EMAIL PROTECTED], an address that has never
worked.) I also firewall traffic from unassigned ARIN netspace - see
http://www.iana.org/assignments/ipv4-address-space.

I've hacked in multiline greeting banner support and plan to upgrade
Postfix to support greylisting/tempfailing which should gracefully reject
a lot of traffic with minimal false positives.

> If I was forced to reject based on a single RBL for some reason, I would
> look at the scores SpamAssassin gives for a hit on each one as a fairly
> objective indicator of which RBLs are best. Note that DSBL.org scores
> highest, with SpamHaus' XBL right behind. As I understand it, the
> genetic algorithms reduce the scores a lot if a significant number of
> false positives are encountered.

My approach is to understand the listing policies of each blacklist,
verify those policies are followed consistently, and decide whether the
listing policy is defensible to my user base. I don't really care how the
GA scores each list because I'm blocking on the basis of a known and
defensible policy. My choice of lists will vary depending on the user
base but my rationale won't. And yes, I watch my logs.

Anything that passes all that gets handed to SpamAssassin and the little
spam that does make it through gets fed to SpamCop.

-- Bob Apthorpe
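The following is an added illustration, not Bob's configuration or Postfix's own code: an offline model of how Postfix walks the smtpd_client_restrictions list quoted above. It shows three things the config alone does not: the DNSBL query name is the client's octets reversed and appended to the zone (an A record answer means "listed"); access(5) hash lookups try the full address and then shorter octet prefixes; and evaluation stops at the first restriction that permits or rejects, which is why a whitelist entry placed before reject_rbl_client wins even for a listed host. The DNS table, network ranges and access-map entries are constructed for the demo; the two zone names are taken from the post, and it generalizes to any ordered list of these restriction types.

```python
import ipaddress

# Constructed stand-in for DNS (query name -> record values); not real listings.
FAKE_DNS = {
    "7.100.51.198.sbl-xbl.spamhaus.org": ["127.0.0.4"],  # listed, but whitelisted below
    "200.2.0.192.in-addr.arpa": ["mx.example.net"],
    "mx.example.net": ["192.0.2.200"],
    "200.2.0.192.list.dsbl.org": ["127.0.0.2"],          # listed in DSBL
    "201.2.0.192.in-addr.arpa": ["good.example.org"],
    "good.example.org": ["192.0.2.201"],
}

def resolve(name):
    """Lookup against the constructed table; an empty list plays the role of NXDOMAIN."""
    return FAKE_DNS.get(name, [])

# Constructed mynetworks, access map (keys as Postfix indexes them) and zone list.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/28")]
ACCESS_MAP = {"198.51.100.7": "OK", "203.0.113": "REJECT"}
DNSBL_ZONES = ["sbl-xbl.spamhaus.org", "list.dsbl.org"]

def reversed_octets(ip):
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))

def dnsbl_query_name(ip, zone):
    """reject_rbl_client queries <reversed ip>.<zone>; any A record means listed."""
    return f"{reversed_octets(ip)}.{zone}"

def access_lookup(ip, table):
    """access(5) hash tables are tried with the full address, then 3, 2 and 1 octets."""
    octets = ip.split(".")
    for n in range(4, 0, -1):
        action = table.get(".".join(octets[:n]))
        if action:
            return action
    return None

def client_hostname_known(ip):
    """reject_unknown_client passes only when a PTR name resolves back to the IP."""
    for ptr in resolve(f"{reversed_octets(ip)}.in-addr.arpa"):
        if ip in resolve(ptr):
            return True
    return False

def evaluate_client(ip):
    """Walk the restrictions in the order from the post; the first PERMIT or
    REJECT decides, and reaching the end of the list is DUNNO (accepted)."""
    if any(ipaddress.ip_address(ip) in net for net in MYNETWORKS):
        return ("PERMIT", "permit_mynetworks")
    action = access_lookup(ip, ACCESS_MAP)
    if action == "OK":
        return ("PERMIT", "check_client_access")
    if action == "REJECT":
        return ("REJECT", "check_client_access")
    if not client_hostname_known(ip):
        return ("REJECT", "reject_unknown_client")
    for zone in DNSBL_ZONES:
        if resolve(dnsbl_query_name(ip, zone)):
            return ("REJECT", f"reject_rbl_client {zone}")
    return ("DUNNO", "end of smtpd_client_restrictions")

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.7", "203.0.113.5",
                   "198.51.100.9", "192.0.2.200", "192.0.2.201"):
        print(client, *evaluate_client(client))
```

Run as a script it prints one verdict per constructed client. Note how 198.51.100.7 is permitted by the access map before its sbl-xbl listing is ever consulted, while 198.51.100.9 is rejected for lacking forward-confirmed reverse DNS before any DNSBL is queried; that ordering is where the false-positive risk Bob mentions for reject_unknown_client comes from.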