EASY_DNS_BLACKLIST - where is RBL list?

erick85 (Verified User, joined Oct 20, 2020, 65 messages)
I would like the ESF to score for the presence of the IP on the RBL, rather than rejecting messages immediately (as Exim does). I found the EASY_DNS_BLACKLIST parameter in the ESF configuration, but I am not able to locate the list of blacklists that I could define for checking. Where is it? Alternatively, is it possible to configure Exim somehow to check the RBL but not reject the message (only score)? I know SpamAssassin has this option, but I'd like to do it a level higher.
 
The list is in exim.conf, but you can change it by creating a custom configuration like this.

I don't know offhand where the setting is to only score, if present.
You might try to change scores in /etc/.easy_spam_fighter and create a variables.conf.custom in there.
Lower or higher values can be used like this:
EASY_DNS_BLACKLIST == 100
You have to use the = character twice.
 
I know this manual. But it doesn't help, because if the IP is on one of these RBLs, the message is immediately rejected (even if I set the EASY_DNS_BLACKLIST == 1 parameter in the configuration). I cannot find just this dependence.
 
I know this manual. But it doesn't help, because if the IP is on one of these RBLs, the message is immediately rejected
That's the point of a blacklist. You don't control them. If the IP you have is on the blacklist, follow the process to get off the list. These lists are not owned by DA.
 
If it's only a few IPs, you probably could use whitelist options. I would not recommend disabling RBLs.
We had too many IPs blocked by Spamhaus, so we used the help option to remove Spamhaus from the RBL list and kept the rest in place.
 
My main assumption is bouncing e-mails if the IP is e.g. on Spamhaus and scoring if the IP is e.g. on SORBS. This is because Spamhaus has far fewer false positives, but I would still like to use SORBS as an additional score indicator for ESF.
 
It sounds like you want to treat RBLs differently. Reject based on one, add a score based on another, just generally have control over a weighted reaction to listings.

I don't think you'll accomplish this with the built-in functions. However, you might be able to disable RBLs in Exim from the server config in the DA panel, then customize rspamd to handle them instead. https://rspamd.com/doc/modules/rbl.html
 
It sounds like you want to treat RBLs differently.
I'm not sure. I just don't want to have an RBL blocking mails due to false positives. The issue here is that Zen was looking at my (and others') home ISP addresses, and blocks based on that. In any case it was blocking too many good mails. And we all used SMTP-AUTH via the server, so the RBL shouldn't look at that; the others don't either. So I've only thrown Zen out.
One can easily adjust that via the exim.strings.conf.custom file like this:
Code:
RBL_DNS_LIST==cbl.abuseat.org : bl.spamcop.net : b.barracudacentral.org
This way only the Zen list is left out.

At home I'm using Mailwasher Pro and in this I also tested sbl-xbl to see if that would be doing any better. But it wasn't.

At this moment we're fighting spam fairly well, however we're not that big a company and it's only 3 servers.
I was thinking of changing from SpamAssassin to rspamd at a later time.
 
If you want to benefit from my day to day work feel free to add bl.mxrbl.com. This is the direct result of daily log audits and very carefully selected choices. The intention is zero false positives.
 
Oh that's great, thank you very much. I will add it now, also in my Mailwasher Pro, so I have a nice overview of its results.
Cool, thanks!
 
My main assumption is bouncing e-mails if the IP is e.g. on Spamhaus and scoring if the IP is e.g. on SORBS. This is because Spamhaus has far fewer false positives, but I would still like to use SORBS as an additional score indicator for ESF.
I have the feeling that your prime intent is not yet served.

I, too, would rather see ESF/SpamAssassin taking care of RBLs than Exim.

So I set them in Exim, but only as "passive information", unexecuting.

But I can't find any further use for it, though at least it defuses Exim's quite radical way (IMO) of simply dropping an email.

It should at least trigger a high score in any way.

Code:
RBL_DNS_LIST==cbl.abuseat.org/warn : b.barracudacentral.org/warn : zen.spamhaus.org/warn

I am still searching for a solution to check against RBLs either in the user's domain-wide SA filter, server-wide, or sieve-based.
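The thread keeps circling one design: reject outright on a list you trust (Spamhaus in the first post), and only add score for the others (SORBS, or the `/warn` entries in the RBL_DNS_LIST above). The following is an added example written for this page, not code from DirectAdmin, ESF or Exim. It builds the DNSBL query name the same way a mail server does (reversed IPv4 octets or IPv6 nibbles plus the zone), applies a per-list `deny`/`warn` policy modelled on Exim's ACL verbs, and returns a verdict plus a score that a scoring filter could consume. `POLICIES`, `evaluate`, `query_name` and the `SAMPLE_ANSWERS` table are all invented here; the sample answers are constructed so the example runs offline and are not real listings. It also handles one failure mode worth knowing about: Spamhaus answers queries from public or over-quota resolvers with 127.255.255.x error codes instead of NXDOMAIN, so a naive "any answer means listed" check rejects good mail.

```python
"""Weighted DNSBL policy check (added example; not DirectAdmin, ESF or Exim code)."""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class ListPolicy:
    zone: str
    action: str        # "deny" = reject on a hit, "warn" = only add score (Exim ACL verbs)
    score: float = 0.0 # points added to the message for a "warn" hit


# Hypothetical policy mirroring the wish in the thread: reject on Spamhaus, score the rest.
POLICIES = (
    ListPolicy("zen.spamhaus.org", "deny"),
    ListPolicy("dnsbl.sorbs.net", "warn", 2.0),
    ListPolicy("bl.spamcop.net", "warn", 3.0),
)

DNSBL_RANGE = ipaddress.ip_network("127.0.0.0/8")         # valid DNSBL answers live here
SPAMHAUS_ERRORS = ipaddress.ip_network("127.255.255.0/24") # Spamhaus resolver/quota error codes


def query_name(ip: str, zone: str) -> str:
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    return addr.reverse_pointer[: -len(suffix)] + "." + zone


def dns_lookup(name: str):
    """Live resolver: the A record for a listed address, None on NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def evaluate(ip: str, policies=POLICIES, resolve=dns_lookup) -> dict:
    """Apply the per-list policy; 'deny' hits reject, 'warn' hits only accumulate score."""
    hits, errors, score = [], [], 0.0
    for policy in policies:
        answer = resolve(query_name(ip, policy.zone))
        if answer is None:
            continue  # not listed
        try:
            code = ipaddress.ip_address(answer)
        except ValueError:
            errors.append(policy.zone)
            continue
        # Answers outside 127/8 mean a broken or hijacked zone; 127.255.255.x from Spamhaus
        # means the query itself failed. Neither is a listing, so do not act on them.
        if code not in DNSBL_RANGE or code in SPAMHAUS_ERRORS:
            errors.append(policy.zone)
            continue
        hits.append(policy.zone)
        if policy.action == "deny":
            return {"action": "reject", "score": score, "hits": hits, "errors": errors}
        score += policy.score
    return {"action": "accept", "score": score, "hits": hits, "errors": errors}


# Constructed sample answers so the example runs offline; these are not real listings.
SAMPLE_ANSWERS = {
    "4.113.0.203.zen.spamhaus.org": "127.0.0.4",        # listed on the "deny" list
    "7.100.51.198.dnsbl.sorbs.net": "127.0.0.6",        # two "warn" listings
    "7.100.51.198.bl.spamcop.net": "127.0.0.2",
    "9.2.0.192.zen.spamhaus.org": "127.255.255.254",    # resolver error code, not a listing
}


def sample_resolve(name: str):
    """Offline stand-in for dns_lookup using the constructed table above."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.7"
    resolver = dns_lookup if len(sys.argv) > 1 else sample_resolve
    print(evaluate(target, resolve=resolver))
```

Run it with no arguments to see the constructed cases; pass an address to query the real lists through the system resolver. The `errors` entries are the ones to alert on: a zone that returns error codes or out-of-range answers is the classic cause of an RBL suddenly "blocking everything".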
 
If you want to benefit from my day to day work feel free to add bl.mxrbl.com. This is the direct result of daily log audits and very carefully selected choices. The intention is zero false positives.
Actually, you said you won't play GOD, but it's actually what you're doing with us...
We reached out to you to know why you blacklisted our whole ASN (we have more than 3000 IPs). And this is our mail exchange. I'll leave it here for everyone to know how you manage your RBL list and how wrong your "best practices" are:
Me:

Hello.
I was notified that you have blacklisted my whole ASN. That is not a good practice.
Also, we are not a spam network. We are a legit datacenter company operating in Viseu, Portugal.
We also have counter-measures to prevent any of our clients to send spam from our network.
If someone complains about spam going out from one of our IPs, you have to forward the complaint to our abuse email ([email protected]). We handle the abuse reports within 15 mins from 7am till 11pm.
So, can you please unblock all the IPs and inform me what IP has originated spam so we can handle the issue?

Reply from mxrbl:

To be clear, I don't have to do anything and what is a "good practice" is what best serves my company and my customers. If I only find spam from your network and long listings of PTR records look like obvious spam trends, I list the whole ASN. It's not personal, I have a job to do the same as you.
A quick run through your ASN looks like spam to me. Let me tell you what I see, you can run with it after hopefully understanding my perspective.
All of this matches spam trends:
[list of 8 IPs and their PTR records]
Randomly generated hostnames for a domain that either has no website or looks suspiciously like something that wouldn't at all need multiple IPs for the type of business implied:
[list of 256 IPs and their PTR records]
Should I go on or is that enough for you to work with?

Me:

So... You block the IPs and ASN based only on PTR records?
There are several reasons why PTR records need to be configured for IP addresses (mail is only one of them).
Did you actually have records of spam being sent from my ASN/IPs?
If yes, please send the signature.
Since September 2020 we have filtered all mail going out on our IPs to ensure the good reputation of our network.
Also, just because there are 10-20 IPs that were detected sending spam, you can't block an ASN that has more than 3000 IPs. That's not fair! If you act like that, why not block Hurricane Electric or Cogent? The answer is obvious, isn't it?
Let's work correctly. ;)
I have a public abuse mail where complaints can be sent. And that abuse contact is publicly listed on the RIR (RIPE). I pay a team to handle the complaints and act quickly.
Best Regards,

mxrbl:

Yes I go by reverse DNS as well. If you don't have a ton of spammers on your network, then you once did and you never cleaned their PTR records. Let me know when things look cleaner. You don't have to like the way I do things, your approval is not required. You are free to ignore MXRBL entirely and consider us irrelevant if you like. Please don't write back while your ranges are littered with obvious spammer PTR records.

me:

Hello.
My ranges are clean. I won't change the PTR records because those PTRs are needed for other services.
I contacted you in the first place because I have a client who subscribed to an SSL certificate and isn't receiving the email with the invoice and the certificate itself because his provider is using your RBL.
So, doing as everyone does, if you don't have any reports of actual spam being sent from my network, will you please remove all records?

still me:

For info, the PTR records you listed aren't used for mail but for server automation on an energy metering system of one of our clients.
We have a lot of clients that use PTR records for other purposes than mailing systems (SAN traffic, diagnosis, etc.). And asking them to change all PTR records is overkill.
You start by blocking a full ASN just because you're basing it on a single aspect. Maybe 2-3 years ago we had a client that sent spam from one of our IPs, but I can assure you that today that is not possible. And also, you should base your filtering on spam signatures and not on PTR records. Are you also blocking the full HE ASN? I guess not, or otherwise you'd be out of business...
Best Regards,

mxrbl:

If you need the PTR records that I pointed out, then you are in fact running a spam network. Delisting denied.

So, my question is: Will you, as a web hosting provider, use this RBL list to fight SPAM? I certainly will not!

I point out the lack of knowledge of how SPAM filtering works and how mxrbl is "implicated" in reducing the false positives...
 