Need RBL Advice

IT_Architect

I'm implementing SpamBlocker 4.0. I'm new to this area so I would like to know your concerns and experiences with RBLs. I'd like to know what you use and why. The following is the list from SpamBlocker 4.0, but do not confine your opinions to just those.

cbl.abuseat.org
dnsbl.njabl.org
bl.spamcop.net
dnsbl.ahbl.org
combined.rbl.msrbl.net
b.barracudacentral.org
zen.spamhaus.org
hostkarma.junkemailfilter.com

The only thoughts I have about any on the above list is that Barracuda seems to be placing people on their list and then having a link on their unlisting page for whitelisting at emailreg.org, which if you go there costs $20 per domain per year. Barracuda tends to target businesses that use mobile devices. They have gone to some lengths to conceal their relationship with emailreg.org, but apparently a very sizable financial linkage has been discovered. Moreover, while they won't acknowledge it, they made the mistake of using an IP range in the block that belongs to Barracuda. While some may try to justify it as a logical extension of their business, their effort to conceal it makes it a tough sell for people to see it as other than racketeering. That said, they are also one of the most popular. The only other RBLs I don't like are two that I'm listed on for backscatter, which are Sorbs and Backscatter, which is why I'm doing time in and the reason for the update at this time. :o Not that I can say they are bad, but fortunately for me, there must be few servers using them because nobody has complained about their mail not getting through. :)

I've also installed SpamAssassin from ports and implemented it according to DA KB. I haven't implemented RBLs in SpamAssassin but I have _RELAYCOUNTRY_.

In addition I'm using the PF firewall and may block services by country.

Thanks!
 
I studied the list that SpamBlocker 4 uses and the order, and concluded it to be well thought out. I'm going to start here to get it working, and I notice SpamAssassin by default uses them as well. I'm going to leave that alone too for now. I also have my plan to add filtering by country for the PF Firewall. Now I just need to get to coding. I'll let you know what I come up with. ;)
 
I try. I really do :).

You can remove the SpamAssassin rules that check the same RBLs. However they don't use any additional DNS lookups, as the lookups are cached.

Jeff
 
I try. I really do :). You can remove the SpamAssassin rules that check the same RBLs. However they don't use any additional DNS lookups, as the lookups are cached. Jeff
You've wasted more brain cells on spam than I have, so let me bounce this http://www.spamhaus.org/whitepapers/effective_filtering.html off you and see what you think.

There is a fly in the ointment, and that is that I don't have a firm grasp on the terminology and technology of the varying types of lists, and therefore don't have a good basis for what I should change, if anything. I did find a golden link http://spamassassin.apache.org/tests.html for SpamAssassin that shows the lists they are using mixed in with their scoring system.

Perhaps you can give me some rough guidance as to what changes if any you would make provided you think the strategy they spelled out is a good one.

Thanks! :)
 
You've wasted more brain cells on spam than I have,
Probably :D.
so let me bounce this http://www.spamhaus.org/whitepapers/effective_filtering.html off you and see what you think.
Interesting. However:

Their footnote #3 is misleading. By default the tests in exim and other MTAs I know about, when zen.spamhaus.org is tested, return an A record indicating which of their RBLs returned the hit. For example:
Code:
$ dig 162.85.67.68.zen.spamhaus.org +short
127.0.0.2
$
You can get the txt record as described in the footnote:
Code:
$ dig 162.85.67.68.zen.spamhaus.org txt +short
"http://www.spamhaus.org/SBL/sbl.lasso?query=SBL99415"
$
but exim does the former, not the latter. I don't know how to get exim to do the latter. Perhaps someone else here does or can find out.

And I believe that you should control where you send people to whitelist them, not just send them off to a spamhaus page. So SpamBlocker-powered exim.conf for DirectAdmin allows you to set up your own error message.

And I still don't recommend using spamhaus.org first, until you've decided that you can: here's their Terms of Service. There are other discussions on this subject on these forums; search for spamhaus.

Note that the ReadMe document for my SpamBlocker-powered exim.conf file for DirectAdmin includes a note that you should check to make sure you're eligible to use Spamhaus.
I did find a golden link http://spamassassin.apache.org/tests.html for SpamAssassin that shows the lists they are using mixed in with their scoring system.
Good find indeed.
Perhaps you can give me some rough guidance as to what changes if any you would make provided you think the strategy they spelled out is a good one.
I don't get involved much with SpamAssassin; I tend to use the default settings. Note that their tests are scoring tests. So they're generally quite safe. Note also that use of SpamAssassin could also make you subject to the Spamhaus Terms of Service.

Note that I don't even try to determine if your usage meets Spamhaus terms of service; I have enough problems figuring out mine.

Jeff
 
More on blocklist placement in SpamBlocker-powered exim.conf, Version 4:

The blocklist placement I use by default was tested to some extent, but in certain cases arbitrary decisions were made.

The default placement (as I use on my personal testbed server) is a good example.

During one recent week:

Total Emails handled: 233,419 (100.00%)
Total Delivered: 2,205 (0.94%)
Total Blocked: 231,214 (99.06%)
Total Blocked by Spamhaus: 747 (0.32%)
Total Blocked by Hostkarma: 863 (0.37%)
Total checked against Spamhaus: 3,815 (1.63%)
Total checked against Hostkarma: 3,068 (1.31%)

As you can see, by placing Spamhaus and Hostkarma next to last and last, we assure they check only a very small amount of the email actually hitting the server. There are 168 hours in a week; 3,815 emails per week is only 23 emails per hour; 3068 emails per week is only 18 emails per hour.

But these are my figures for one server, used only for testing email.

Jeff
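The two points made above (an A-record answer such as 127.0.0.2 signals a hit, and lists placed last see only the mail that earlier lists did not block), as an added example that is not from the thread or from SpamBlocker's own code. The function names, the `FAKE_DNS` table standing in for a resolver and the sender IPs are constructed; treating 127.255.255.x as an error rather than a listing follows Spamhaus's published return codes, not anything stated in the thread.

```python
import ipaddress
from collections import Counter

# Subset of the list posted in the thread, kept in the same order.
ZONES = ["cbl.abuseat.org", "bl.spamcop.net",
         "zen.spamhaus.org", "hostkarma.junkemailfilter.com"]
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error answers
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def query_name(ip, zone):
    """68.67.85.162 + zen.spamhaus.org -> 162.85.67.68.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answer):
    """Map an A-record answer (None = NXDOMAIN) to clean / listed / error."""
    if answer is None:
        return "clean"
    addr = ipaddress.IPv4Address(answer)
    if addr in ERROR_NET or addr not in LISTED_NET:
        return "error"  # refused or bogus answer: never treat it as a listing
    return "listed"

def check_in_order(ip, resolve, stats):
    """Query each zone in order and stop at the first real listing."""
    for zone in ZONES:
        stats[zone] += 1  # one DNS query charged to this list
        if classify(resolve(query_name(ip, zone))) == "listed":
            return zone
    return None

# Constructed sample data: documentation-range sender IPs and canned answers.
SENDERS = ["192.0.2.10", "192.0.2.11", "198.51.100.5",
           "203.0.113.7", "203.0.113.8"]
FAKE_DNS = {
    query_name("192.0.2.10", "cbl.abuseat.org"): "127.0.0.2",
    query_name("192.0.2.11", "cbl.abuseat.org"): "127.0.0.2",
    query_name("198.51.100.5", "bl.spamcop.net"): "127.0.0.2",
    query_name("203.0.113.7", "zen.spamhaus.org"): "127.0.0.2",
    query_name("203.0.113.8", "zen.spamhaus.org"): "127.255.255.254",
}

def run_demo():
    stats = Counter()
    verdicts = {ip: check_in_order(ip, FAKE_DNS.get, stats) for ip in SENDERS}
    return verdicts, dict(stats)

if __name__ == "__main__":
    print(run_demo())
```

The per-list counters show the effect of ordering: every sender costs the first list a query, while the last list is consulted only for the one sender nothing else flagged. The 127.255.255.254 answer is the code Spamhaus returns to queries arriving through a public resolver, so a filter that accepts any 127.x answer as a hit would reject that sender wrongly.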
 
Note that I don't even try to determine if your usage meets Spamhaus terms of service; I have enough problems figuring out mine.
Ain't that the truth! At first, I determined that I'm in the pay-for category. As I was researching, to decide if I should pay for it, I read posts from the Barracuda appliance techs whose standard operating procedure is to turn off their own list :D, and use an order similar with Spamhaus and Hostkarma at the bottom. While browsing the contents of the link I posted earlier, I learned that three of their lists are part of SpamAssassin's standard install. You won't find them anywhere in the config file docs, except to turn RBLs off. I learned about parameters to turn off their individual lists from forum posts. Looking at SpamAssassin's sample configs, there is no mention that they are using RBLs at all. You need to add it if you don't want to. There has got to be a lot of people using Spamhaus that don't know they are using it. I re-read their terms of service. It appears that you need to pay if you:
1. Exceed the traffic levels for free
2. Resell their services in a product. You could include web hosting in that, but the places they collect their money are from those selling e-mail scrubbing services and ISP mail systems. Barracuda firewalls do not ship from the factory with it, and the tech or user can add it.

One thing the Spamhaus site mentions is if your traffic levels get on their radar, and you are not paying, they mess with the response. Thus, it appears that the de facto terms of use that seem to meet with their satisfaction and the industry's liking is, if you don't hammer them, they won't make you pay. That strategy has motivated an industry to put them on the bottom of their list of checks, and thereby reduced their costs.

I have what I need, and thanks for your help. It has been incredibly valuable to me.
 
Not to mention that if you use Google DNS for your it's likely their responses are already in the Google DNS cache and they may not be getting hit at all.

I assure you that I chose my list order myself; I didn't check with anyone else or anywhere else.

I used to own an ISP and I've got a great domain to test with; it still gets lots of spam every day, with no legitimate email at all.

Jeff
 
Not to mention that if you use Google DNS for your it's likely their responses are already in the Google DNS cache and they may not be getting hit at all.
True :D

I assure you that I chose my list order myself; I didn't check with anyone else or anywhere else.
I never thought that for a moment. I just noticed that those two are about the only common denominators in people's lists, and always on the bottom. From that I reasoned that they must be good, and that people put them at the bottom to stay under the traffic radar because neither are necessarily free.

I used to own an ISP and I've got a great domain to test with; it still gets lots of spam every day, with no legitimate email at all.
I've done very little testing in this area. All I've run is the older SpamAssassin. My big problem last week is I've never been attacked so badly. (Pakistan and China) They put quite a load on our servers. But they're done for now. I'm blocking GEO and while I was patching everything I put in the new SpamBlocker and SpamAssassin. Something is going on too though because I noticed a lot of that traffic doesn't even make it to my pod in the DC now.
 