RBL_DNS_LIST SUGGESTION

itcms (Verified User, joined Jul 4, 2019, 105 messages, Athens)
Hi,

Do you have any suggested alternatives to
RBL_DNS_LIST=\
cbl.abuseat.org : \
bl.spamcop.net : \
b.barracudacentral.org : \
zen.spamhaus.org

Even if it is a paid service, as long as it is good.
 
You can check out this source code: https://github.com/sofibox/blcheck/blob/master/blcheck

Look at the variable CONF_RBL_SERVICES= ; there are a lot of well-known RBL lists there.

But putting more lists in your exim.conf would probably decrease Exim performance. You can test the script against an IP blacklist and see from the result whether it gives false positives. If it is good, put it in exim.conf.
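As an added example (not code from DirectAdmin, Exim or the blcheck script), the following Python shows what such a test actually has to do: build the reversed-address query name for each zone in the RBL_DNS_LIST above, interpret the A records that come back, and tell a real listing apart from a Spamhaus error code in 127.255.255.0/24 (the false-positive case that matters most before a zone goes into exim.conf). The DNS answers are a constructed table so the code runs offline; the zone names are the ones from the post, the ZEN return-code table is the published subset I am confident of, and fake_resolve stands in for a real resolver.

```python
"""Offline DNSBL lookup and return-code interpretation.

Added example for this thread; not from DirectAdmin, Exim or blcheck.
The zone names are the ones in the RBL_DNS_LIST above; the DNS answers
are a constructed table so the code runs without network access.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

ZONES = [
    "cbl.abuseat.org",
    "bl.spamcop.net",
    "b.barracudacentral.org",
    "zen.spamhaus.org",
]

# Spamhaus-documented ZEN return codes (subset). Most other zones only ever
# answer 127.0.0.2, so they get a plain "listed" label below.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

# Any A record outside 127.0.0.0/8 is not a listing (typical of a resolver
# that rewrites NXDOMAIN). Spamhaus reports query problems (public resolver,
# query limit exceeded) in 127.255.255.0/24; a filter that treats those as
# "listed" rejects every sender.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

Resolver = Callable[[str], List[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = list(reversed(addr.exploded.split(".")))
    else:
        labels = list(reversed(addr.exploded.replace(":", "")))
    return ".".join(labels) + "." + zone


def interpret(zone: str, answers: List[str]) -> Tuple[str, str]:
    """Map the A records returned for a lookup to (status, detail)."""
    if not answers:
        return "clean", ""
    found = []
    for a in answers:
        rr = ipaddress.ip_address(a)
        if rr in ERROR_NET:
            return "error", f"{zone} signalled a query problem ({a})"
        if rr not in LISTED_NET:
            return "error", f"non-loopback answer {a}, resolver may be rewriting NXDOMAIN"
        label = ZEN_CODES.get(a, "listed") if zone == "zen.spamhaus.org" else "listed"
        found.append(f"{a} ({label})")
    return "listed", ", ".join(found)


def check_ip(ip: str, resolve: Resolver, zones: List[str] = ZONES) -> Dict[str, Tuple[str, str]]:
    """Query every zone for one address and interpret each answer."""
    return {zone: interpret(zone, resolve(dnsbl_name(ip, zone))) for zone in zones}


def exim_dnslists_item(zone: str, codes: List[str]) -> str:
    """Exim dnslists item that matches only the given return codes.

    dnslists items are colon-separated; the '=' suffix with comma-separated
    addresses restricts a match, so an error code never triggers a reject.
    """
    return zone + "=" + ",".join(codes)


# Constructed answer table standing in for live DNS. RFC 5782 reserves
# 127.0.0.2 as "always listed" and 127.0.0.1 as "never listed" in every
# DNSBL; the 127.0.0.3 entry imitates a resolver that Spamhaus refuses.
FAKE_ANSWERS = {
    "2.0.0.127.cbl.abuseat.org": ["127.0.0.2"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.b.barracudacentral.org": ["127.0.0.2"],
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "3.0.0.127.zen.spamhaus.org": ["127.255.255.254"],
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in for a real resolver (e.g. dns.resolver.resolve(name, "A"))."""
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "127.0.0.1", "127.0.0.3"):
        for zone, (status, detail) in check_ip(ip, fake_resolve).items():
            print(f"{ip:10} {zone:24} {status:7} {detail}")
    print(exim_dnslists_item("zen.spamhaus.org", list(ZEN_CODES)))
```

Assuming RBL_DNS_LIST is expanded into an Exim dnslists condition, the zone=code,code form produced by exim_dnslists_item is the Exim-level version of the same check: an answer from 127.255.255.0/24 then no longer matches, so a resolver problem does not turn into a blanket reject.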
 
Thanks a lot.
 
We run our own if you'd like to add it. Just add "bl.mxrbl.com" to your list.
 
Actually, you said you won't play GOD, but that is actually what you're doing with us...
We reached out to you to learn why you blacklisted our whole ASN (we have more than 3000 IPs). This is our mail exchange. I'll leave it here for everyone to see how you manage your RBL list and how wrong your "best practices" are:
Me:

> Hello.
> I was notified that you have blacklisted my whole ASN. That is not a good practice.
> Also, we are not a spam network. We are a legitimate datacenter company operating in Viseu, Portugal.
> We also have countermeasures to prevent any of our clients from sending spam from our network.
> If someone complains about spam going out from one of our IPs, you have to forward the complaint to our abuse email ([email protected]). We handle abuse reports within 15 minutes from 7am till 11pm.
> So, can you please unblock all the IPs and inform me which IP originated spam so we can handle the issue?

Reply from mxrbl:

> To be clear, I don't have to do anything and what is a "good practice" is what best serves my company and my customers. If I only find spam from your network and long listings of PTR records look like obvious spam trends, I list the whole ASN. It's not personal, I have a job to do the same as you.
> A quick run through your ASN looks like spam to me. Let me tell you what I see, you can run with it after hopefully understanding my perspective.
> All of this matches spam trends:
> [list of 8 IPs and their PTR records]
> Randomly generated hostnames for a domain that either has no website or looks suspiciously like something that wouldn't at all need multiple IPs for the type of business implied:
> [list of 256 IPs and their PTR records]
> Should I go on or is that enough for you to work with?

Me:

> So... You block the IPs and ASN based only on PTR records?
> There are several reasons why PTR records need to be configured for IP addresses (mail is only one of them).
> Did you actually have records of spam being sent from my ASN/IPs?
> If yes, please send the signature.
> Since September 2020 we have filtered all mail going out on our IPs to ensure the good reputation of our network.
> Also, just because there are 10-20 IPs that were detected sending spam, you can't block an ASN that has more than 3000 IPs. That's not fair! If you act like that, why not block Hurricane Electric or Cogent? The answer is obvious, isn't it?
> Let's work correctly. ;)
> I have a public abuse mailbox where complaints can be sent, and that abuse address is publicly listed at the RIR (RIPE). I pay a team to handle the complaints and act quickly.
> Best Regards,

mxrbl:

> Yes I go by reverse DNS as well. If you don't have a ton of spammers on your network, then you once did and you never cleaned their PTR records. Let me know when things look cleaner. You don't have to like the way I do things, your approval is not required. You are free to ignore MXRBL entirely and consider us irrelevant if you like. Please don't write back while your ranges are littered with obvious spammer PTR records.

me:

> Hello.
> My ranges are clean. I won't change the PTR records because those PTRs are needed for other services.
> I contacted you in the first place because I have a client who subscribed to an SSL certificate and he isn't receiving the email with the invoice and the certificate itself, because his provider is using your RBL.
> So, doing as everyone does, if you don't have any reports of actual spam being sent from my network, will you please remove all records?

still me:

> For info, the PTR records you listed aren't used for mail but for server automation on an energy counting record system of one of our clients.
> We have a lot of clients that use PTR records for purposes other than mail systems (SAN traffic, diagnosis, etc...). And asking them to change all PTR records is overkill.
> You start by blocking a full ASN just because you base it on a single aspect. Maybe 2-3 years ago we had a client that sent spam from one of our IPs, but I can assure you that today that is not possible. Also, you should base your filtering on spam signatures and not on PTR records. Are you also blocking the full HE ASN? I guess not, or otherwise you'd be out of business...
> Best Regards,

mxrbl:

> If you need the PTR records that I pointed out, then you are in fact running a spam network. Delisting denied.

So, my question is: Will you, as a web hosting provider, use this RBL list to fight spam? I certainly will not!

I point out the lack of knowledge of how spam filtering works and how mxrbl is "implicated" in reducing false positives...
 
@webix, as mxroute said, it's their own blocklist, so they can add what they want for any reason. For example, we have our own blocklists too, where the whole of Amazon, Microsoft, Hetzner, Contabo and so on are blocked.
 
So... why don't you also block Hurricane Electric or Cogent?
I'll tell you why: because those enterprises, despite having a lot (I mean a lot) of IPs that do send spam, if you block them you'll be out of business, because you're basically blocking 75% of the world.

I want RBLs to work intelligently, blocking the spam using intelligent detection systems. If you block Amazon, Microsoft, Hetzner, Contabo and so on... you'll have a lot of false positives. And clients/users that are on those networks won't be able to send legitimate mail to you.
 
But it is still their OWN blocklist; mxroute doesn't make you use it, just as I don't make you or anyone else use my blocklist.
For example, on a few servers we have blocked whole continents because they provide a local service, and it's easier and cheaper than filtering all incoming traffic.
 
It's always possible to exclude specific IPs or ranges from a blocklist. We also block several ASNs, for good reasons. If a customer really needs to get mail from one of them, we whitelist that hostname or IP. Nobody can demand whitelisting from a private RBL; it is the server admin's decision whether to use an RBL, or to whitelist IPs.
 
But when someone contacts you to unblock an IP or an ASN and provides valid reasons, would you do it?
 
I understand that. But as already seen on other forums (a simple Google search is enough), they "sell" their service as if it can be used as a general rule for all servers.
Anyway, it's not a good practice to block IPs or ranges based only on the PTR records. Just because I have a client that generated PTR records for the subnet I am renting to him, because he needs reverse validation on his power statistics system, is not a reason for someone to block my whole ASN. (Just my 2 cents!)
 
Undeniable, unquestionable spam network: https://bgp.he.net/net/212.192.216.0/22#_dns
Webix's network: https://bgp.he.net/net/5.183.96.0/22#_dns

Scroll down a bit on the second one and use the first one as a reference, because I can't expect everyone to know the patterns that I keep in my head; a good comparison is "unquestionable" against "in dispute."

Bonus points, but I don't have a comparison, I've just seen this kind of page at spam domains a hundred times: castlerockcompany.org.uk

No brand at the website but plenty of IPs associated with the domain using a spammy pattern, a very simplistic domain that looks like a local brand. The website only has a newsletter registration form. Anyone who has spent more than a day fighting spam has seen this pattern enough to trust their own eyes here, words won't be a useful counter to anyone who has. It's the usual "catch an expired domain and use it for spam" technique. Not even worth talking about really.

And that's just one of the domains that match the spam pattern in his network's PTR records. If any good people end up in his network, they're welcome to submit a whitelisting request. I can't imagine they will though because this guy has all the time in the world to spam forums complaining about me, and not a second to spend cleaning up his network. Can't find any legitimate senders on the network right now in audits so no loss from the listing, just mitigated risk at the worst.

Not gonna argue with him here, I'm just doing the usual due diligence to toss this comment down. He can kick, scream, and holler all day long but until he recognizes he has spammers on his network it’s just not worth talking about. I don’t care if I have logs of those IPs spamming or not, they’re either spamming someone or they’re about to, or they’re using it as a home base and doing it elsewhere (least likely as that only needs 1 IP). I don’t have logs of desirable mail from those IPs either so nothing of value has been lost (my sample size is very good). Any way you spin it I still see what I see and my eyes aren’t that bad, I just got new glasses.

Only thing to argue over is if I’m hallucinating and I’m certain that I’m not. I assume that his customers don’t care about the listing because I haven’t heard a peep out of any of them, but that’s probably because spammers don’t often try their hand at tricking me as it has a low success rate.
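The pattern argued over in the post above and in mxrbl's first reply quoted earlier in the thread (one generic-looking domain spread over a block of addresses, each with a different random-looking hostname) can be made concrete. The following Python is an added example, not mxrbl's code or method: it groups a block's reverse-DNS names by domain and flags a domain when many addresses carry random-looking leftmost labels, while treating provider-style names that spell out the address as generic rather than random. The thresholds, the "last two labels" domain split and the sample PTR records are my assumptions and constructed data under documentation ranges and example domains.

```python
"""PTR-pattern audit over a reverse-DNS listing.

Added example illustrating the heuristic described in the thread; it is
not mxrbl's code and the thresholds are assumptions. The PTR records are
constructed under 192.0.2.0/24 and example domains.
"""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample, ip -> PTR.
SAMPLE_PTRS = {
    # Ordinary mail hosts: few addresses, readable labels.
    "192.0.2.1": "mail1.example.com",
    "192.0.2.2": "mx2.example.com",
    # Provider-style generic rDNS that embeds the address: not "random".
    "192.0.2.3": "host-192-0-2-3.example.net",
    "192.0.2.4": "host-192-0-2-4.example.net",
    # A bulk sender with many IPs but meaningful names: volume alone is not enough.
    "192.0.2.20": "smtp-out-1.bulk-example.com",
    "192.0.2.21": "smtp-out-2.bulk-example.com",
    "192.0.2.22": "smtp-out-3.bulk-example.com",
    "192.0.2.23": "smtp-out-4.bulk-example.com",
    # The disputed pattern: one domain across a run of addresses, each with
    # a different random-looking label.
    "192.0.2.40": "x7k2pq9fwm.nl-example.org",
    "192.0.2.41": "qz4hv8tlaa.nl-example.org",
    "192.0.2.42": "m3rwp0ksd7.nl-example.org",
    "192.0.2.43": "b9yt5xnq2c.nl-example.org",
    "192.0.2.44": "kj6fz1whsv.nl-example.org",
    "192.0.2.45": "p2lx8cqy4e.nl-example.org",
    "192.0.2.46": "t0vnmr7a3g.nl-example.org",
    "192.0.2.47": "d5qkw2zxhl.nl-example.org",
}


def shannon_entropy(s: str) -> float:
    """Bits per character over the label's own character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label: str, ip: str) -> bool:
    """Long label, high entropy, letters and digits interleaved, and not a
    generic name that spells out the address (host-192-0-2-3 style)."""
    label = label.lower()
    digit_runs = re.findall(r"\d+", label)
    if all(octet in digit_runs for octet in ip.split(".")):
        return False
    if len(label) < 8:
        return False
    classes = ["d" if ch.isdigit() else "a" for ch in label if ch.isalnum()]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return shannon_entropy(label) >= 3.0 and switches >= 3


def registered_domain(hostname: str) -> str:
    """Last two labels. Assumption: fine for the sample; real code should use
    the public suffix list so that e.g. co.uk is handled."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def audit(ptrs: Dict[str, str], min_ips: int = 4, min_ratio: float = 0.8) -> Dict[str, dict]:
    """Per domain: address count, random-looking count, and whether the
    domain trips both thresholds (many addresses AND mostly random labels)."""
    groups = defaultdict(list)
    for ip, host in ptrs.items():
        groups[registered_domain(host)].append((ip, host.split(".")[0]))
    report = {}
    for domain, members in groups.items():
        random_count = sum(looks_random(label, ip) for ip, label in members)
        report[domain] = {
            "ips": len(members),
            "random": random_count,
            "flagged": len(members) >= min_ips and random_count / len(members) >= min_ratio,
        }
    return report


def flagged_domains(ptrs: Dict[str, str]) -> List[str]:
    return sorted(d for d, r in audit(ptrs).items() if r["flagged"])


if __name__ == "__main__":
    for domain, row in audit(SAMPLE_PTRS).items():
        print(f"{domain:20} ips={row['ips']:2} random={row['random']:2} flagged={row['flagged']}")
```

Note what the two thresholds do: the bulk-example.com group has as many addresses as the flagged one but readable names, and the example.net group has generic names that embed the address, so neither is flagged. Whether a flagged domain deserves an ASN-wide listing is exactly the judgement the thread disagrees about; the audit only finds the pattern.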
 
So you publicly assume that you are stupid!
You don't have logs of any type of spam that was sent from my network. But you block it because of "assumptions"?

Let me tell you that you will never have logs of spam being sent from my network. Because I filter all outbound SMTP traffic.

But because of your stupidity of work that "you see with your own eyes" the PTR records, you assume that it is a spam network.

Anyway, I am tossing this at you here and on other forums, yes. Because I want everyone to know what a scam your work is.
A good spam analyst doesn't look at PTR records, but at mail signatures. And these days even that is becoming "old", as everyone is moving to machine learning.

I got complaints, yes; fortunately, I get to convince the hosters involved not to use your list because of the way you work. And hopefully, other providers will open their eyes and do the right thing.

I am all about fighting spam, but fighting it the right way, not the easy way.
 
Please don't start a flame war; this is not the place for a personal revenge trial, as also explained here:
 
If he blocks you for the wrong reasons, you too will be angry at him, no?
 
Irritated maybe, but I wouldn't start an issue in public here. E-mail and PM are to be used for that.
And I wouldn't use his list if I had issues (which I don't), just as I don't use Spamhaus, because it often gives false positives.

The Microsoft lists are way more critical. So what happens if they block you for the wrong reasons? Start a flame war on the Microsoft forums?
Please stop spoiling other people's topics with this and either stop or try to solve it in a decent way.
 
This is still the website of a spammer: http://castlerockcompany.org.uk

It's still on the network. A good defense starts with kicking spammers off a network. I'm not the only one who gets it, read up on others noticing the trend:

https://forum.avast.com/index.php?topic=248713.0
https://us3.campaign-archive.com/?u=735bc799c0f96577515d4f4d8&id=617d8f2ef3 (Control+F, fill in "SUBMIT YOUR")

"I only host the unsubscribe forms for spammers" is not a good defense, sorry. Unsubscribe forms don't need multiple IPs with randomly generated hostnames as PTRs. The network is shady, as is its operator, who continues to prove it with his unprofessional behavior. The more you defend hosting spammers on your network, the more entrenched my opinion that I did my job correctly will be. End of story. Enjoy that sweet spam money, you're not the first and won't be the last to be drawn in by it. I'm not sorry that I caught it before I saw the spam, that's just good detective work.

And anyone saying modern spam filtering should just be AI outs themselves for being more interested in tech articles and white papers than practical application. Which is fine, but if you're doing the work you have to come down from that cloud and meet the work on the ground. Google's machine learning is the only one doing a good job and their spam filters are not open source. Good spam filtering involves a multi tiered strategy and if you leave one option on the table you're not really committed to it. I eat, sleep, and breathe it. It's not a hobby or something I occasionally take a look at once every 3 months.

Rspamd's learning algorithm isn't much better than the bayesian algorithm still used by SpamAssassin and I haven't seen that do anything significantly positive for almost a decade. I've been training rspamd with data sets for a couple of years and I've jack shit to show for it. Why do you think their ASN module is still there and fuzzy hasn't replaced the whole thing? Because they know full well that no single module of theirs replaces the rest.
 