>From: Amir Caspi <ceph...@3phase.com>
>Sent: Friday, March 27, 2015 7:30 PM
>To: RW
>Cc: users@spamassassin.apache.org
>Subject: Re: Uptick in spam

>On Mar 27, 2015, at 6:19 PM, RW <rwmailli...@googlemail.com> wrote:
>> There are deep checks for SBL (via zen) and SPAMCOP. XBL/PBL are
>> last-external only

>Interesting. I wonder why I see those XBL/PBL hits, then. Maybe Zen timed
>out on those queries from sendmail... or something. Either way I guess this
>means I should retain Zen and SC queries in SA.

You should be running a local DNS caching server like BIND or PowerDNS Recursor on a mail server to help prevent timeouts that can allow RBL checks to become ineffective.

It's possible that your outbound mail could be hitting those RBLs in SA in the event of a compromised account or the last-external IP in the Received: depending on what internal mail server you use and if it puts that information in as X-Originating-IP or Received headers of the sending mail client. I would recommend keeping those RBLs in SA to help with outbound scanning and in case they get past the MTA-level RBL checking.

It shouldn't be duplicate hits to Zen/XBL/PBL if you have sendmail rejecting that message from making it to SA. If you get any of those RBL hits in SA that sendmail is configured to reject on, then there must be some sendmail access list allowing it to bypass the RBL checks.

ESET's NOD32 is very fast, very inexpensive, and works well with MailScanner.

The invaluement RBL is not expensive either and it is awesome. We pay thousands per year for a Spamhaus feed because of our volume and mailboxes. The invaluement RBL is only hundreds per year and it's almost as good as Spamhaus Zen. I have Spamhaus in front of invaluement in my postfix configuration but I may try flipping the order just to see if it will start blocking more than Spamhaus.

Dave

>Thanks.
>--- Amir
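
An added example, not part of the original thread or of SpamAssassin: a small Python sketch of a Zen lookup that keeps a timed-out or refused query distinct from a "not listed" answer, which is how the ineffective RBL checks mentioned above can be spotted. The return-code ranges are Spamhaus's published Zen codes rather than anything stated in the thread; `check`, `fake_resolve` and the sample data are hypothetical names and constructed values, and the resolver is injected so the block runs offline.

```python
import ipaddress
ZEN = "zen.spamhaus.org"  # zone discussed in the thread

def query_name(ip, zone=ZEN):
    """Build the reversed-address DNSBL query name (IPv4 octets, IPv6 nibbles)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def classify(answer):
    """Map one A-record answer to a Zen sublist (Spamhaus's published codes)."""
    o = ipaddress.IPv4Address(answer).packed
    if o[:3] == b"\x7f\xff\xff":
        return "ERROR"      # 127.255.255.x: query refused, not a listing
    if o[:3] != b"\x7f\x00\x00":
        return "UNKNOWN"
    if o[3] in (2, 3, 9):
        return "SBL"
    if 4 <= o[3] <= 7:
        return "XBL"
    if o[3] in (10, 11):
        return "PBL"
    return "UNKNOWN"

def check(ip, resolve):
    """resolve(name) -> list of A records; [] for NXDOMAIN; raises TimeoutError."""
    try:
        answers = resolve(query_name(ip))
    except TimeoutError:
        return ("timeout", set())   # no verdict: must not be counted as clean
    lists = {classify(a) for a in answers}
    if "ERROR" in lists:
        return ("refused", set())   # resolver blocked or over quota
    return ("listed", lists) if lists else ("clean", set())

# Constructed sample data (documentation addresses), standing in for real DNS.
SAMPLE = {
    query_name("192.0.2.10"): ["127.0.0.4", "127.0.0.11"],  # XBL + PBL
    query_name("192.0.2.20"): ["127.255.255.254"],          # error code
    query_name("192.0.2.30"): None,                         # simulated timeout
}

def fake_resolve(name):
    if name in SAMPLE and SAMPLE[name] is None:
        raise TimeoutError(name)
    return SAMPLE.get(name, [])
```

Swapping `fake_resolve` for a function that queries the local caching resolver turns this into a health check: a steady stream of "timeout" or "refused" results means the MTA-level and SA-level RBL rules are silently not firing.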