Spam Cannibal DNSBL?

eger

Wondering if anyone is using the Spam Cannibal DNSBL and if there were any false positives after starting to use it?

I had never seen this DNSBL before. But it contained a C block that I had received spam from for weeks when no other DNSBL would block it. I am thinking about adding it to my DNSBL list.

Any thoughts?
 
Do you mean: bl.spamcannibal.org ?

They look interesting. I've added them to my personal email server; I'll look again in 24 hours and see how many additional spams they've caught.

Jeff
 
Do you have a way for Exim to check how many messages have been blocked per DNSBL or are you using a different MTA for that? I would love to know how many additional messages it blocks. I guess I could just go grepping logs...
 
That's what I do; I grep logs. I suppose I could write a tool, but so could you ;) .

It's easy enough because each error message has the name of the blocklist in all caps. For example see either your /etc/exim.conf file or your /var/log/exim/rejectlog file.

Jeff
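
The log-grepping approach described in the post above, as an added example that is not part of the original thread: it counts rejections per blocklist and groups the rejected senders by /24, which makes it easier to see when one list is rejecting whole network blocks. The sample log lines are constructed, the function names are hypothetical, and it assumes IPv4 peers and that every DNSBL deny message uses the "Email blocked by NAME" wording quoted later in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the usual Exim rejectlog layout. Hosts and IPs
# use documentation ranges; none of this is real log data from the thread.
SAMPLE_REJECTLOG = """\
2007-06-12 10:15:02 H=mx1.example.net [192.0.2.10] F=<a@example.net> rejected RCPT <u@example.org>: Email blocked by SPAMCANNIBAL - to unblock see http://www.example.com/blocked.html
2007-06-12 10:16:40 H=mx2.example.net [192.0.2.77] F=<b@example.net> rejected RCPT <u@example.org>: Email blocked by SPAMCANNIBAL - to unblock see http://www.example.com/blocked.html
2007-06-12 11:02:13 H=(helo.example) [198.51.100.5] F=<c@example.com> rejected RCPT <v@example.org>: Email blocked by SPAMCANNIBAL - to unblock see http://www.example.com/blocked.html
2007-06-12 11:30:55 H=(bulk.example) [203.0.113.9] F=<d@example.com> rejected RCPT <v@example.org>: Email blocked by SPAMCOP - to unblock see http://www.example.com/blocked.html
2007-06-12 12:01:00 H=mx3.example.net [192.0.2.200] F=<e@example.net> rejected RCPT <nobody@example.org>: Unrouteable address
"""

# Assumption: the blocklist name appears in all caps after "Email blocked by".
LINE_RE = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?Email blocked by (?P<name>[A-Z0-9_]+)"
)

def summarize(lines):
    """Return (rejects per list, per-list Counter of sending /24 networks)."""
    hits = Counter()
    nets = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a DNSBL rejection (or an IPv6 peer, not handled here)
        name = m.group("name")
        net24 = m.group("ip").rsplit(".", 1)[0] + ".0/24"
        hits[name] += 1
        nets[name][net24] += 1
    return hits, nets

def report(lines):
    """Format the summary: one line per list, then its /24s by reject count."""
    hits, nets = summarize(lines)
    out = []
    for name, count in hits.most_common():
        out.append(f"{name}: {count} rejected")
        for net, n in nets[name].most_common():
            out.append(f"  {net}: {n}")
    return "\n".join(out)

if __name__ == "__main__":
    # On a real server, pass open("/var/log/exim/rejectlog") instead of the sample.
    print(report(SAMPLE_REJECTLOG.splitlines()))
```

A list whose rejects concentrate in a few /24s belonging to known mail providers is the pattern later posts in this thread report as false positives.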
 
OK, well I had my first false-positive ever today and it was because of this blacklist. I am not sure how well this one works. But the list is blocking a major /24 of Postini which is used by organizations as a mail server. Not good.

I may continue to test it. But I had been using all defaults in spamblocker before without any false positives. Just one week after starting to use SpamCannibal I got one!
 
Thanks for the report.

We had a false positive as well; we now whitelist constantcontact.com.

There's nothing wrong with using blocklists and whitelists; it can make your server even more secure against spammers.

Let us know what you had to whitelist; perhaps we can whitelist certain domains directly in the exim.conf file.

We need more reports.

Jeff
 
It's hard to know what to whitelist because the IP that was blocked is most likely used by many businesses as their email sending server by Postini. The Postini service is likely to rotate sending IPs and have large blocks of IP addresses. I only use domain whitelisting for temporary resolutions.

I just had my second false positive with spamcannibal. They are blocking a comcast.net sending server now. 2 within a week of each other. So far it's not looking good for this DNSBL... maybe should start rethinking adding to spamblocker v3 release?

I am going to run it for a while longer to see if I get another false positive. 3 strikes and it's out!
 
After a week of testing, spamcannibal gives a lot of false positives. Several clients complained and we had to disable it immediately. I suggest anyone else do the same.
 
I just had strike three for SpamCannibal also. They seem to just be WAY too trigger happy to block IPs in large blocks. Glad I wasn't the only one who got immediate false positives.
 
I understand some folk have had problems with SpamCannibal. If you have, then I wish you'd post the domains getting the false positives. We've had only one since the testing of SpamCannibal started, so we're happy to continue using it. The jury is still out on whether or not SpamBlocker will use SpamCannibal by default. In our experience SpamCop has a lot more false positives.

While some of us would like to think that even one false positive a year is one too many, the few documented false positives we've seen together during this test period are actually quite good, and as we start whitelisting instead of complaining (that's why we have whitelists) the numbers will get much better.

No spam control will be automatic; you'll always have to be making adjustments to your anti-spam efforts and procedures. That's why there are so many companies who sell hardware and updates.

Jeff
 
This is strange because I have never had any false positives reported by any of the default SpamBlocker 2 lists.

The blocks on SpamCannibal were not domains. They were large blocks of IP addresses. One was for a Postini /24 (which appears to be a large corporate email service, not good), second was for one of Comcast's major SMTP servers for west coast users in California (again, a LARGE amount of people blocked by that one), third was probably just a crazy coincidence. But it was a company I work with a lot and their SMTP server had been listed and the headers shown by SpamCannibal didn't even indicate the message originating anywhere in the chain of their server.

Sorry I no longer have the IP addresses that triggered these.
 
Thanks for the update. If anyone else has any information please let me know. SpamCannibal is recommended to be used with whitelists, and if we can't find or create the proper whitelists we may not be able to use it.

Jeff
 
I've got exactly the same problems. Yesterday I installed the SpamBlocker 2.1.1 and everything else that was necessary to go with it - new Exim and Perl 5.8.8 and Spamassassin 3.2.1

Now that it all works as advertised, I am happy with it except I am getting false positives for the first time ever and all because of spamcannibal. I double checked the IPs of the mail servers that were blocked and couldn't find any RBL references on services like http://www.dnsstuff.com/tools/ip4r.ch?ip=xxx.xxx.xxx.xxx and spamhaus - the bounced servers came up clean and so did the domains.

I have had many clients complain today and send me emails to my "errors" email address for the first time. Until now I was wondering if anyone ever sends an email to be unblocked - apparently they do.
I worry that it is blocking all sorts of legitimate emails. The Whitelist feature would be great - without it I will have to shut off spamcannibal.
 
I have been using SpamCannibal for scoring in SA rather than as a blocklist in exim and have found it to be rather false positive friendly! Next weekend I will post my weekly sa-stats.pl scores for it....
 
We are also hearing a lot from our clients as well, getting bounced emails because of SpamCannibal.

I am going to disable it for the time being..
 
Same here, also disabled Spam Cannibal on all our servers since it's blocking too much. I even emailed the Spam Cannibal list maintainer but, from what I understood, they almost never remove IPs from their list. They decided to block a major European ISP, Demon, just because 3 spam mails were sent from their servers, 2 in 2004 and 1 in 2007. As I'm writing this, also after Demon contacted them directly, they still block them.
 
Be careful with SpamCannibal

SpamCannibal is nice, but they block /24's at a time. One of our upstream providers (Sprint / Embarq) does not offer rDNS (unless you pay $2k or more a month), even if you own a large block. --they suck.. but what is worse is that SpamCannibal doesn't offer a whitelist feature...

Because one IP in a /24 (on a different subnet, 2 years earlier) sent spam to them, they blocked the entire /24 block including 120 of our IPs on the other end of the block. -- all in all, about 32,000 IPs could be affected by the lack of a whitelist. 128 spams, each on one /24 could block 32,000 IPs (about 2,000-6,000 business clients).


In short we are SOL on sending email to users of SpamCannibal, thankfully we have a second ISP we use with a different IP range to load balance so emails will eventually get to the recipient.

I personally like Spamhaus, at least there, they will work with ISPs and end users on correcting the issue instead of just blocking 1% of the internet because 1 user sent spam to them on the same network.
 
I'm going to remove SpamCannibal from future versions of SpamBlocker exim.conf.

Jeff
 
I'm going to remove SpamCannibal from future versions of SpamBlocker exim.conf.

Jeff

So, for us to remove it now we should comment out these lines in exim.conf?

    deny message = Email blocked by SPAMCANNIBAL - to unblock see http://www.example.com/blocked.html
         hosts = !+relay_hosts
         domains = +use_rbl_domains
         !authenticated = *
         dnslists = bl.spamcannibal.org

Then restart exim ?
 