Choosing blocklists

nobaloney

You may have wondered how I choose blocklists.

The first thing I do is research who others are using, and why or why not specific lists are being used.

Then after choosing the lists I think I'll use, I pick an arbitrary order, and install them on the server hosting mail for my domains.

Then I watch them for at least a week to make refinements in the order in which I use them. The lists that have restrictive usage policies generally (but not always) go on the bottom.

Finally I find an order which seems effective, and I publish the list.

So now that the new SpamBlocker-powered exim.conf file Version 4 has been out for a while, I've decided to revisit the blocklist issue again. So I did some checking again.

This time I checked on the block rate of all the used DNS-based lists over the last month (ending 4am this morning) and again on the server on which I host my own domain names.

I found some interesting results:
Code:
# of
emails	blocklist

14827	cbl.abuseat.org
 1065	dnsbl.njabl.org
 3247	bl.spamcop.net
   46	dnsbl.ahbl.org
    0	combined.rbl.msrbl.net
36235	b.barracudacentral.org
 5409	zen.spamhaus.org
 4109	hostkarma.junkemailfilter.com=127.0.0.2
   28	rhsbl.ahbl.org
Based on this list, I'm going to check all our other servers, and if the results are similar I know I'll be making some changes to the master; some of these lists just aren't worth checking for the small results we get; it doesn't seem realistic to check a half million emails against a blocklist for a total of between 0 and 46 catches.

However I'll probably leave all of them in the published file; your spam profile may be considerably different from mine.

Jeff
 
I suggest you put b.barracudacentral.org first and you'll see a dramatic decrease in the number of emails being blocked by lists placed below it.

In my case, zen blocks 10% of what barracuda blocks when placed after it and the others are almost insignificant (at the level of what SURBL and special signatures block).
 
So, following those lines, you suggest putting the higher results first and the others lower down?

something like this in exim.conf?

Code:
#EDIT#41:
  deny message = Email blocked by $dnslist_domain
       hosts    = !+relay_hosts
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       !authenticated = *
       dnslists = \
       b.barracudacentral.org : \
       cbl.abuseat.org : \
       zen.spamhaus.org : \
       hostkarma.junkemailfilter.com=127.0.0.2 : \
       bl.spamcop.net
#       dnsbl.njabl.org : \
#       dnsbl.ahbl.org : \
#       combined.rbl.msrbl.net

Regards
 
Yes, just remove cbl.abuseat.org, it's already included in zen.

The idea is that you'll make way fewer DNS requests than if you had barracuda at the bottom.
 
That's correct.
From Exim's doc:
"As soon as Exim finds an existing DNS record, processing of the list stops. Thus, multiple entries on the list provide an “or” conjunction."
 
If I understand you correctly (I can't see your hands ;)), then yes, you should keep the other lists, so that they can catch special cases.
 
I've signed up at Barracudacentral. I've added the following to exim.conf:

Code:
deny message = Email blocked by $dnslist_domain
       hosts    = !+relay_hosts
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       !authenticated = *
       dnslists = b.barracudacentral.org

I then restarted exim.

Is this all the config that is necessary? If not, and within the scope of a brief response, could someone enlighten me?

Also, if this is all that's needed, what is the best way to test its performance?

Thank you very much.
 
You should add a couple more, just because barracuda doesn't block everything, but bear in mind that this is subject to personal preferences.
This is quite safe:
deny message = Email blocked by $dnslist_domain($dnslist_text)
       hosts    = !+relay_hosts
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       !authenticated = *
       dnslists = \
       b.barracudacentral.org : \
       zen.spamhaus.org : \
       bl.spamcop.net : \
       hostkarma.junkemailfilter.com=127.0.0.2
 
Thanks interfasys,

OK I will add a couple more. It's hard to judge with such low traffic. Also, just to confirm, once I make the addition, save exim.conf and restart that should be all that's needed?
 
If you're looking for spam, there are quite a few ways to set up honey traps ;), but you should only add more lists if you find out that your mail server suddenly lets through thousands of spams a day.
 
@interfasys:

Currently SpamBlocker exim.conf file for DirectAdmin Version 4 uses these lists, in this order:
Code:
       dnslists = \
       cbl.abuseat.org : \
       dnsbl.njabl.org : \
       bl.spamcop.net : \
       dnsbl.ahbl.org : \
       combined.rbl.msrbl.net : \
       b.barracudacentral.org : \
       zen.spamhaus.org : \
       hostkarma.junkemailfilter.com=127.0.0.2
With the caveat, of course, that certain blocklists may not be usable without registration and possibly should be removed.

What order does your testing suggest we should use?

Thanks.

Jeff
 
Hello Jeff,

I would suggest this:
       dnslists = \
       b.barracudacentral.org : \
       zen.spamhaus.org : \
       bl.spamcop.net : \
       dnsbl.ahbl.org : \
       combined.rbl.msrbl.net : \
       hostkarma.junkemailfilter.com=127.0.0.2

The first one only requires a free registration in order to be able to use it and will catch most spam.
Zen will still have some work to do and the other ones will rarely catch anything (surbl and helo rules catch more spam than the other lists).

Olivier
 
So you're recommending we remove two lists? Have you tried putting them at the bottom to see if they catch anything?

What happens if you remove zen which some people may not be able to use?

What happens if you remove hostkarma which some people may not be able to use?

Jeff
 
The 2 lists that I removed are already part of zen (it's been discussed numerous times.)

So, yes, if someone removes zen, then those 2 should be added back.

Nothing different than what happens now will happen if you remove hostkarma. You'll get a bit more spam.

The important thing is to put barracuda first.
 
Thanks for your help. I'll be working on this soon. I'm discussing other changes with John as well.

Jeff
 
A good way to find out if a list/antispam feature gets used is to use eximstats.
It obviously won't give you any info regarding any pre and post filters, but I find it useful to diagnose what Exim blocks.
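
Added example, not part of the original thread: a small script that reproduces the kind of per-list count shown in the first post from Exim log lines, and then shows how many DNS queries each list in the configured order received for those hits, given that Exim stops at the first list that answers. The log lines are constructed, and the `passed` figure, the one-query-per-list-per-recipient model and the absence of DNS caching are assumptions.

```python
import re
from collections import Counter

# Matches the deny text used in the thread: "Email blocked by $dnslist_domain".
BLOCKED = re.compile(r"rejected RCPT .*?: Email blocked by ([A-Za-z0-9.-]+)")

# Constructed sample lines in Exim log style (not real traffic).
SAMPLE_LOG = """\
2010-03-01 04:00:01 H=(a.example.net) [192.0.2.10] F=<x@example.net> rejected RCPT <u@example.com>: Email blocked by b.barracudacentral.org
2010-03-01 04:00:09 H=(b.example.net) [192.0.2.11] F=<y@example.net> rejected RCPT <u@example.com>: Email blocked by b.barracudacentral.org
2010-03-01 04:01:30 H=(c.example.net) [198.51.100.7] F=<z@example.net> rejected RCPT <v@example.com>: Email blocked by zen.spamhaus.org(constructed text)
2010-03-01 04:02:12 H=(d.example.net) [203.0.113.5] F=<w@example.net> rejected RCPT <v@example.com>: Email blocked by b.barracudacentral.org
2010-03-01 04:03:00 1AbCdE-000123-4F <= ok@example.org H=mx.example.org [198.51.100.20] P=esmtp S=2048
""".splitlines()

# dnslists order in effect while the log was written (an order suggested in the thread).
ORDER = [
    "b.barracudacentral.org",
    "zen.spamhaus.org",
    "bl.spamcop.net",
    "hostkarma.junkemailfilter.com=127.0.0.2",
]

def tally(log_lines):
    """Count rejections per DNS list (one per rejected RCPT, not per message)."""
    hits = Counter()
    for line in log_lines:
        m = BLOCKED.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def yield_per_list(order, hits, passed):
    """Return (list, queries_sent, hits) for each list, in configured order.

    Exim stops at the first list that returns a record, so a list is only
    queried for recipients that every list above it let through.
    Assumes one query per list per checked recipient and no DNS caching;
    `passed` (recipients that cleared all lists) is supplied by the admin.
    """
    names = [item.split("=")[0] for item in order]  # drop "=127.0.0.2" filters
    remaining = passed + sum(hits[n] for n in names)
    rows = []
    for name in names:
        rows.append((name, remaining, hits[name]))
        remaining -= hits[name]
    return rows

if __name__ == "__main__":
    for name, queries, caught in yield_per_list(ORDER, tally(SAMPLE_LOG), passed=6):
        print(f"{name:32} queries={queries:3} hits={caught}")
```

The counts only describe the order that was in effect when the log was written; a list lower down can look weak simply because the lists above it caught the same senders first.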
 