dnswl.org whitelist contains spamming servers

interfasys (Verified User, joined Oct 31, 2003, 2,100 messages, Switzerland)
dnswl.org whitelist now contains some IPs of spammers, which means that they get whitelisted if you use the list.
It's very difficult in the current spamblocker version to block the known offending IPs or hosts without turning the dnswl.org check off completely.

Shouldn't we have the blacklists first and then the whitelists, followed by the RBLs?
 
> dnswl.org whitelist now contains some IPs of spammers, which means that they get whitelisted if you use the list.
> It's very difficult in the current spamblocker version to block the known offending IPs or hosts without turning the dnswl.org check off completely.

Then turn it off if you don't want to use it.

> Shouldn't we have the blacklists first and then the whitelists, followed by the RBLs?

That just doesn't work. The whole purpose of a whitelist is to enable you to get email from someone who would otherwise be blocked by a blocklist. If you run the blocklists first you've already refused the email by the time you get to a whitelist.

I will reiterate, the newest RC (#4) works incredibly well for us; we get almost no spam through.

You can aim to get rid of that almost, but generally the closer you get to that the closer you get to blocking important email.

Jeff
 
Turning it off is not the solution as the list has only been poisoned and 99% of it can still be used.

I think you read my post wrong. I don't want the blocklists before the whitelist, but the local black/whitelists before the RBLs. I realized that white should come before black though.

Here is what I think would make sense.

Server Whitelist
Server Blacklist
RBL Whitelist
RBL Blacklist

That way, if we find a discrepancy in the RBLs, we can add the exception to our local lists; otherwise we have to disable entire whitelists, just because of a few IPs.

Spamblocker is working pretty well for us as well; usually some spam comes through and quickly after that, it's blocked by some list. Recently though, a lot of spam coming from 81.228.8.18x and 81.228.9.18x is still not blocked, days after it started to appear. Some IPs are blocked, but not all of them. I think they target specifically Swiss domain names.
www.dnswl.org still lists them as safe IPs...
Spam Rat identifies them as rotten IPs, but since it's a blacklist, it has no chance of getting rid of them (already whitelisted).
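
The ordering argument in the post above, modelled as a first-match evaluator. This is an added example, not SpamBlocker's code or configuration; the addresses, the rbl.example zone and the three orderings are constructed assumptions, and only list.dnswl.org comes from the thread.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Name looked up to test an IPv4 address against a DNS list:
    octets reversed, then the list's zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

# Constructed sample data: documentation-range addresses only.
# list.dnswl.org is the zone from the thread; rbl.example is a placeholder.
LOCAL_WHITELIST = {"192.0.2.10"}      # a sender the admin always wants
LOCAL_BLACKLIST = {"198.51.100.7"}    # a host the admin has seen spamming
LISTED_NAMES = {  # stands in for live DNS answers so the example runs offline
    dnsbl_query_name("198.51.100.7", "list.dnswl.org"),  # bad whitelist entry
    dnsbl_query_name("203.0.113.5", "list.dnswl.org"),   # legitimate entry
    dnsbl_query_name("203.0.113.5", "rbl.example"),      # blocklist false positive
    dnsbl_query_name("203.0.113.99", "rbl.example"),     # ordinary spam source
}

def listed(ip, zone):
    return dnsbl_query_name(ip, zone) in LISTED_NAMES

# Each check: (verdict if it matches, match function).
CHECKS = {
    "server_whitelist": ("accept", lambda ip: ip in LOCAL_WHITELIST),
    "server_blacklist": ("deny", lambda ip: ip in LOCAL_BLACKLIST),
    "rbl_whitelist": ("accept", lambda ip: listed(ip, "list.dnswl.org")),
    "rbl_blacklist": ("deny", lambda ip: listed(ip, "rbl.example")),
}

def evaluate(ip, order):
    """Walk the checks in order; the first one that matches decides."""
    for name in order:
        verdict, matches = CHECKS[name]
        if matches(ip):
            return verdict, name
    return "accept", "no_match"  # assumption: later content checks not modelled

# Order proposed in the post above.
PROPOSED = ["server_whitelist", "server_blacklist", "rbl_whitelist", "rbl_blacklist"]
# Assumed order in which the DNS whitelist is consulted before the local lists.
DNSWL_FIRST = ["rbl_whitelist", "server_whitelist", "server_blacklist", "rbl_blacklist"]
# Every blocklist before every whitelist, the order the earlier reply warns against.
BLOCK_FIRST = ["server_blacklist", "rbl_blacklist", "server_whitelist", "rbl_whitelist"]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5", "203.0.113.99", "192.0.2.10"):
        for label, order in (("proposed", PROPOSED), ("dnswl first", DNSWL_FIRST),
                             ("block first", BLOCK_FIRST)):
            print(ip, label, evaluate(ip, order))
```

With the local lists first, a single bad whitelist entry is overridden by one local blacklist line, while the rest of the DNS whitelist still rescues senders that a blocklist lists by mistake.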
 
> Turning it off is not the solution as the list has only been poisoned and 99% of it can still be used.
>
> I think you read my post wrong. I don't want the blocklists before the whitelist, but the local black/whitelists before the RBLs. I realized that white should come before black though.
>
> Here is what I think would make sense.
>
> Server Whitelist
> Server Blacklist
> RBL Whitelist
> RBL Blacklist

Remind me of this on Friday and I'll have time to look at it over the weekend.

However do read my comments on the other thread.

Jeff
 
OK, I will.
This whole thing got me thinking. Is there a Spamblocker mail flow documented somewhere?
Things like what goes into each ACL, the order, etc.
Giving an overview of how it works, so that people can better contribute, if it's one of the goals of SB. Maybe you just want us to comment on RCs and do our own personalisation work or forks.
 
Not yet. I've been planning on doing it before the final release of SpamBlocker 3. I've been having some issues with our office system-management server, but as soon as they're done I'll get started on it.

Jeff
 
And if I want to temporarily skip this check, how can I do it?
Only dnswl.org...
 
See my reply just made to your other post. And please don't double-post in the future. Your problem may be both with SpamBlocker and SpamAssassin; if you're using both, and you disable the dnswl in SpamBlocker (see my latest version, here [nobaloney.net]), you can simply comment out the use of the specific list, and then possibly a lot of spam will go down simply because SpamBlocker (if properly configured on your server) will stop it before it gets to your SpamAssassin installation. Or try the changes to your /etc/resolv.conf file as I mentioned in my other reply.

Jeff
 
Hi Jeff,
I think that this thread is different from my other one. Sorry if not.

However, how can I disable only one check (list.dnswl.org in this case) in SpamAssassin/SpamBlocker?
Temporarily I have put into my local.cf a line that assigns a score of 0 to this check.

In my exim.conf there isn't a dnswl.org step...

    #EDIT#35:
    accept domains = +local_domains
           dnslists = list.dnswl.org
           logwrite = $sender_host_address whitelisted in list.dnswl.org

but the emails were also checked by dnswl.org.
If you want, I can send you my exim.conf via private email or message to check...

I don't understand...
 
The two threads are exactly the same and if you continue to post in both of them on the same subject you jeopardize your posting status.

You write that your exim.conf doesn't have what you call a dnswl.org step, but then you post a stanza beginning with the line #EDIT#35 which does show reference to the dnswl.org whitelist. So I'm not sure what you mean. If you're using an older version of my SpamBlocker exim.conf file, then you're using a version I don't support, but if there's no reference to dnswl.org in it, then it's not whitelisting using that list. Unless you want to hire me to fix your problem I really don't have additional answers for you, though someone else might.

Jeff
 
I've done some testing using dig @8.8.8.8 and dig @LOCAL NAMESERVER and I've determined that yes, this is the problem.

Jeff
 
Some blocklists apply punitive answers if a given nameserver makes too many requests. So the best bet is probably to build your own, inside your network. That's what I've decided to do.

If your datacenter or upstream has a caching nameserver perhaps using theirs is the best thing to do.

I'm not going to list suitable nameservers because if I do, lots of people will find the thread when googling, switch to those nameservers, and then suddenly they won't be suitable anymore.

Jeff
 
Build a machine, install latest CentOS with minimal packages (or if you're brave perhaps Tiny Core Linux (wikipedia.org)).

You only need the kernel, your text editor of choice, and BIND. Make sure BIND is set up as a caching server. Give it either an external IP# (blocked from the rest of the world by firewalling), or an internal IP# (if you understand how to do that on your network).

Then put it in your datacenter, turn it on, and change your /etc/resolv.conf file to point to it. If you think you may have to bring it down from time to time then you should probably list a second nameserver as well.

Jeff
 
Why give an external IP if it is blocked from any incoming connection? Maybe just an internal one should be good as well, I suppose; what is important is that it can reach the internet. But here is my question... what nameserver should I give to the server? If (for example) I put Google's nameservers, wouldn't the problem be just the same (I suppose it is just forwarding, or not?)?

What did you mean with "; only your editor of choice, and "?

Thanks for your help.

Regards
 
> Why give an external IP if it is blocked from any incoming connection? Maybe just an internal one should be good as well, I suppose; what is important is that it can reach the internet.

You don't just need to reach the nameserver, you need to be able to receive replies as well; for that you need an IP#.

> But here is my question... what nameserver should I give to the server? If (for example) I put Google's nameservers, wouldn't the problem be just the same (I suppose it is just forwarding, or not?)?

You set up your nameserver as a caching server; let it find everything. You give it any name you want but it must be a real name. It goes only in your /etc/resolv.conf file(s).

> What did you mean with "; only your editor of choice, and "?

I was typing something else and then hit ENTER a few times to clear space for my rewrite. Then I forgot to remove it. I've edited my post and removed it now.

Jeff
 
Oh ok,

The part I don't get is this:

> Give it either an external IP# (blocked from the rest of the world by firewalling).

So, everything closed except 53? Or just connected to the internet is enough?

Thanks
 