SPAM Prevention/Blacklists
Greetings from Wyoming -- Just a real quick question for the folks on the Nanog list:

We are using the following RBL's on our MTA right now:

  Spamhaus (sbl-xbl)
  DSBL
  NJABL (dynablock)

Are there any other good lists out there that you folks have had good experience with? Any that we might want to consider taking a look at?

Thanks,
Brandon
On Wed, 3 Mar 2004, Brandon Shiers wrote:
Are there any other good lists out there that you folks have had good experience with? Any that we might want to consider taking a look at? Thanks,
Have you looked at greylisting, temp failing mail with a sender/receiver/IP you have not seen before?
<>
Nathan Stratton
CTO, Co-Founder
nathan at robotics.net
BroadVoice, Inc.
http://www.robotics.net
http://www.broadvoice.com
I don't know what the prevailing attitude is, but it seems to me that 451ing unknown senders is a good way to get on the bad side of sysadmins who have to deal with the backlog until your server decides to accept them. I would think if you're willing to spend others' resources on reducing your spam load you would be willing to spend your own and implement SMTP callback, SPF or the like.

I tried implementing SPF, which actually caught a fair number of forged senders until I noticed that Ticketmaster had invalid SPF records and we were rejecting their emails.

-S

On Wed, 3 Mar 2004, Nathan Allen Stratton wrote:
On Wed, 3 Mar 2004, Brandon Shiers wrote:
Are there any other good lists out there that you folks have had good experience with? Any that we might want to consider taking a look at? Thanks,
Have you looked at greylisting, temp failing mail with a sender/receiver/IP you have not seen before?
<>
Nathan Stratton
CTO, Co-Founder
nathan at robotics.net
BroadVoice, Inc.
http://www.robotics.net
http://www.broadvoice.com
--
Scott Call
Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814
On Wed, 3 Mar 2004, Scott Call wrote:
On Wed, 3 Mar 2004, Nathan Allen Stratton wrote:
Have you looked at greylisting, temp failing mail with a sender/receiver/IP you have not seen before?
I don't know what the prevailing attitude is, but it seems to me that 451ing unknown senders is a good way to get on the bad side of sysadmins who have to deal with the backlog until your server decides to accept them.
Well, every valid to/from/IP gets thrown in MySQL; any new message with that same to/from/IP would never be delayed again. Also, I temp fail before the DATA phase so the body is not sent twice, and I only temp fail for 5 min.
<>
Nathan Stratton
CTO, Co-Founder
nathan at robotics.net
BroadVoice, Inc.
http://www.robotics.net
http://www.broadvoice.com
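The greylisting scheme Nathan describes above, written out as an added example (this is not his code). The two in-memory structures stand in for his MySQL table; the decision is made at RCPT TO, before DATA, so a deferred message never costs a body transfer. The 5 minute delay is his; the 8 hour expiry for triplets that never retry, and the sample addresses in `demo()`, are assumptions for illustration.

```python
import time

DELAY_SECONDS = 5 * 60       # the 5 minute temp-fail window from the post
PENDING_TTL = 8 * 3600       # assumption: forget triplets that never retry


class Greylist:
    """Greylisting keyed on the (sender, recipient, client IP) triplet.

    State lives in a dict and a set here where the post used MySQL; the
    logic is the same: an unseen triplet gets 451 at RCPT TO (so no body
    is ever transferred), a retry after the delay is accepted, and the
    triplet is remembered so it is never delayed again.
    """

    def __init__(self, delay=DELAY_SECONDS, pending_ttl=PENDING_TTL):
        self.delay = delay
        self.pending_ttl = pending_ttl
        self.pending = {}    # triplet -> time first seen
        self.passed = set()  # triplets that have retried correctly

    @staticmethod
    def triplet(sender, recipient, ip):
        # Addresses compare case-insensitively.  A common variant keys on
        # the client /24 instead of the exact IP so that a sending pool
        # retrying from a sibling host still matches; the post keys on IP.
        return (sender.lower(), recipient.lower(), ip)

    def check(self, sender, recipient, ip, now=None):
        """SMTP reply (code, text) to give at RCPT TO time."""
        now = time.time() if now is None else now
        key = self.triplet(sender, recipient, ip)
        if key in self.passed:
            return 250, "2.1.5 Ok"
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.pending_ttl:
            # Never seen (or forgotten): record it and defer.
            self.pending[key] = now
            return 451, "4.7.1 Greylisted, please try again later"
        if now - first_seen < self.delay:
            # Retrying too fast.  A real MTA waits minutes; spamware that
            # hammers immediately gains nothing.
            return 451, "4.7.1 Greylisted, please try again later"
        del self.pending[key]
        self.passed.add(key)
        return 250, "2.1.5 Ok"


def demo():
    """Walk one sender through the states; returns the reply codes."""
    g = Greylist()
    t0 = 1078348000  # arbitrary epoch value (3 Mar 2004)
    who = ("alice@example.org", "bob@example.net", "198.51.100.7")
    return [
        g.check(*who, now=t0)[0],          # first contact: deferred
        g.check(*who, now=t0 + 30)[0],     # retry after 30 s: still deferred
        g.check(*who, now=t0 + 600)[0],    # retry after 10 min: accepted
        g.check(*who, now=t0 + 86400)[0],  # next day: never delayed again
    ]


if __name__ == "__main__":
    print(demo())
```

Keying on the exact client IP, as the post does, is what causes the backlog Scott worries about when a sending site retries from a different host in its pool; the /24 variant noted in the comment is the usual mitigation, at the cost of a slightly weaker check.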
[I know it is not spam-l, but I still am interested. :-]

On Mar 3, 2004, at 6:32 PM, Nathan Allen Stratton wrote:
On Wed, 3 Mar 2004, Scott Call wrote:
On Wed, 3 Mar 2004, Nathan Allen Stratton wrote:
Have you looked at greylisting, temp failing mail with a sender/receiver/IP you have not seen before?
I don't know what the prevailing attitude is, but it seems to me that 451ing unknown senders is a good way to get on the bad side of sysadmins who have to deal with the backlog until your server decides to accept them.
Well, every valid to/from/IP gets thrown in MySQL; any new message with that same to/from/IP would never be delayed again. Also, I temp fail before the DATA phase so the body is not sent twice, and I only temp fail for 5 min.
How's that working? Many complaints? How much spam did it kill (that other things don't)? Thought about changing it from to/from/ip to from/ip?

--
TTFN,
patrick
On Mar 3, 2004, at 4:23 PM, Brandon Shiers wrote:
Just a real quick question for the folks on the Nanog list:
We are using the following RBL's on our MTA right now:
  Spamhaus (sbl-xbl)
  DSBL
  NJABL (dynablock)
Are there any other good lists out there that you folks have had good experience with? Any that we might want to consider taking a look at? Thanks,
Of the ones above, I only use spamhaus, combined with opm.blitzed.org & relays.visi.com

Also, I like sender verification, but that's me.

--
TTFN,
patrick

P.S. Say hi to Frostie. :)
On Wed, 3 Mar 2004 17:45:59 -0500 "Patrick W.Gilmore" <patrick@ianai.net> wrote:
On Mar 3, 2004, at 4:23 PM, Brandon Shiers wrote:
Just a real quick question for the folks on the Nanog list:
We are using the following RBL's on our MTA right now:
  Spamhaus (sbl-xbl)
  DSBL
  NJABL (dynablock)
Of the ones above, I only use spamhaus, combined with opm.blitzed.org & relays.visi.com
i use the same ones as Patrick, but i also use the cbl (a component of the spamhaus xbl, perhaps the only one at the present time, but that could change.) one thing i do is use opm.blitzed.org and cbl.abuseat.org at connect time. hosts on these lists are pretty much guaranteed to be open proxies or compromised hosts, so listening to them at all is a waste of time. no need to wait until after RCPT TO: to 5xx, i just drop the connection.
Also, I like sender verification, but that's me.
i used it for some time, and reluctantly shut it down. blocked a lot of email abuse, but too many false positives for my taste.

richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
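The two-stage use of DNSBLs that Richard describes (near-certain proxy/zombie lists consulted at connect time and the connection simply dropped; the policy list consulted at RCPT TO with a 5xx), written out as an added example rather than anything from the thread. The zone names are the ones mentioned in the thread and are placeholders here, not a recommended set; `resolve` is injectable so the logic runs offline. The `listed()` check only trusts a 127.x answer, which matters for the situation Steven raises later in the thread: a list that goes away can end up with its domain parked, and a parked wildcard answers every query with a routable address.

```python
import socket

# Stage at which each zone is consulted, following the split in the thread.
# Zone names are illustrative; pick your own and re-check them periodically.
CONNECT_TIME_ZONES = ("cbl.abuseat.org", "opm.blitzed.org")
RCPT_TIME_ZONES = ("sbl.spamhaus.org",)


def dnsbl_name(ip, zone):
    """Build the query name: 192.0.2.7 in zone Z becomes 7.2.0.192.Z"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted quad expected, got %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Live resolver: first A record, or None on NXDOMAIN/timeout."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listed(ip, zone, resolve=resolve_a):
    """True only for a 127.x.x.x answer.

    Any other address means the zone is not answering like a DNSBL (parked
    domain, wildcard, misconfiguration) and is treated as not listed,
    rather than rejecting every client because the list died.
    """
    answer = resolve(dnsbl_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def connect_policy(ip, resolve=resolve_a):
    """Decision at TCP accept, before the banner: ("drop", zone) or ("accept", None)."""
    for zone in CONNECT_TIME_ZONES:
        if listed(ip, zone, resolve):
            return "drop", zone
    return "accept", None


def rcpt_policy(ip, resolve=resolve_a):
    """Decision at RCPT TO: SMTP (code, text)."""
    for zone in RCPT_TIME_ZONES:
        if listed(ip, zone, resolve):
            return 554, "5.7.1 Service unavailable; client %s blocked using %s" % (ip, zone)
    return 250, "2.1.5 Ok"


if __name__ == "__main__":
    import sys
    # 127.0.0.2 is the conventional always-listed test entry, so running
    # this with no argument shows both stages firing against a live zone.
    ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    print(connect_policy(ip), rcpt_policy(ip))
```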
On Mar 3, 2004, at 6:00 PM, Richard Welty wrote:
Of the ones above, I only use spamhaus, combined with opm.blitzed.org & relays.visi.com
i use the same ones as Patrick, but i also use the cbl (a component of the spamhaus xbl, perhaps the only one at the present time, but that could change.)
Mind if I ask why you don't use the sbl-xbl?

BTW: I also use Habeas & bogons, but not really sure you would call Habeas a blacklist. :)
one thing i do is use opm.blitzed.org and cbl.abuseat.org at connect time. hosts on these lists are pretty much guaranteed to be open proxies or compromised hosts, so listening to them at all is a waste of time. no need to wait until after RCPT TO: to 5xx, i just drop the connection.
I love opm.blitzed. I haven't tried cbl.abuseat.org. I'll have to check it out.
Also, I like sender verification, but that's me.
i used it for some time, and reluctantly shut it down. blocked a lot of email abuse, but too many false positives for my taste.
Could you go into more detail? I've only been using it a couple months, but I have a whole 1 false positive, and I'm not sure I'd call it a false positive. (Web page which sent e-mail and allowed anything in "from" address, but was password protected internal thing, so they were not doing sanity checking thinking it was guaranteed good e-mail.)

Maybe I have others I just don't know about? How many people send legit e-mail with return addresses which are bogus?

--
TTFN,
patrick

P.S. Disclaimer: I'm authoritative for the spam BLs I use.
On Wed, 3 Mar 2004 18:35:27 -0500 "Patrick W.Gilmore" <patrick@ianai.net> wrote:
On Mar 3, 2004, at 6:00 PM, Richard Welty wrote:
Of the ones above, I only use spamhaus, combined with opm.blitzed.org & relays.visi.com
i use the same ones as Patrick, but i also use the cbl (a component of the spamhaus xbl, perhaps the only one at the present time, but that could change.)
Mind if I ask why you don't use the sbl-xbl?
keep in mind that the sbl is the combination of "sbl classic" with the xbl, where the xbl is currently a feed of the cbl that may at a later date incorporate additional lists or data. i use the original sbl at RCPT TO: time. by separating them, i can use the cbl portion at connect time. it's a bit of flexibility that i like. at some future date, when the xbl diverges from the cbl i'll look at the differences and decide what to do about it.
BTW: I also use Habeas & bogons, but not really sure you would call Habeas a blacklist. :)
i've used habeas in the past, but don't at the present time.
one thing i do is use opm.blitzed.org and cbl.abuseat.org at connect time. hosts on these lists are pretty much guaranteed to be open proxies or compromised hosts, so listening to them at all is a waste of time. no need to wait until after RCPT TO: to 5xx, i just drop the connection.
I love opm.blitzed. I haven't tried cbl.abuseat.org. I'll have to check it out.
well, given that you use the sbl-xbl, you already are using the cbl. high rejection from abusive hosts, vanishingly small false positives. i love it. i like doing at connect time even better, fewer of my resources consumed by abusive hosts that way.
Also, I like sender verification, but that's me.
i used it for some time, and reluctantly shut it down. blocked a lot of email abuse, but too many false positives for my taste.
Could you go into more detail? ... Maybe I have others I just don't know about? How many people send legit e-mail with return addresses which are bogus?
the main problem is systems where the admin has foolishly started rejecting MAIL FROM:<> to cut down spam. i tried to whitelist such systems, but couldn't keep up. when i did finally drop sender verify, a surprising number of my mailing list subscribers came forward, relieved that they could send mail to the lists again. (the system that i set up with sender verify handles a number of confirmed opt-in mailing lists, mostly about cars).

once i realized that the false positive problem was so much higher than i expected, i decided not to turn it back on. there are other cogent arguments against sender verify, but it was the false positive problem that drove my own decision.

richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
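The sender-verification callout that Patrick likes and Richard gave up on, as an added example (not code from either of them), with the failure mode Richard names handled: a remote MX that rejects `MAIL FROM:<>` has told us nothing about whether the sender exists, so the verdict is "unknown" and the mail is accepted, not bounced. Only a definite 5xx on `RCPT TO` counts as a bad sender. The `ScriptedMX` class is a constructed stand-in for the remote side so the exchange runs offline; `live_transport()` shows the same calls over a real connection via `smtplib`; the HELO name is a placeholder. One caveat the thread does not spell out: every callout is a connection to the MX of whatever domain the spammer forged, so the probe also pushes load onto the party being spoofed.

```python
import smtplib

OK, BAD, UNKNOWN = "ok", "bad", "unknown"


def sender_callout(sender, send, helo_name="mx.example.net"):
    """Probe the sender's MX with a null-sender envelope up to RCPT TO.

    `send(cmd)` transmits one SMTP command and returns (code, text); on a
    live connection that is smtplib.SMTP(...).docmd.  The probe never
    reaches DATA and always ends with QUIT.  helo_name is a placeholder.
    """
    code, _ = send("HELO " + helo_name)
    if code != 250:
        send("QUIT")
        return UNKNOWN
    code, _ = send("MAIL FROM:<>")
    if code != 250:
        # The failure mode from the thread: the remote admin rejects the
        # null sender to "cut down spam".  That says nothing about whether
        # the address exists, so it must not count as a bad sender.
        send("QUIT")
        return UNKNOWN
    code, _ = send("RCPT TO:<%s>" % sender)
    send("RSET")
    send("QUIT")
    if code == 250:
        return OK
    if 500 <= code < 600:
        return BAD
    return UNKNOWN  # 4xx: greylisted or busy, nothing learned


def accept_sender(verdict):
    """Policy: only a definite 5xx on RCPT TO rejects the sender."""
    return verdict != BAD


def live_transport(mx_host, timeout=20):
    """Real MX transport; smtplib consumes the banner on connect."""
    conn = smtplib.SMTP(mx_host, 25, timeout=timeout)
    return conn.docmd


class ScriptedMX:
    """Constructed stand-in for a remote MX, for offline runs.

    `replies` maps an SMTP verb to the (code, text) it returns; anything
    unlisted gets 250.  Every command sent is recorded in `log`.
    """

    def __init__(self, replies=None):
        self.replies = replies or {}
        self.log = []

    def __call__(self, cmd):
        self.log.append(cmd)
        verb = cmd.split(":")[0].split()[0].upper()  # "RCPT TO:<x>" -> "RCPT"
        return self.replies.get(verb, (250, "Ok"))


if __name__ == "__main__":
    cases = [
        ("normal MX", ScriptedMX()),
        ("unknown user", ScriptedMX({"RCPT": (550, "5.1.1 No such user")})),
        ("rejects MAIL FROM:<>", ScriptedMX({"MAIL": (550, "5.7.1 null sender refused")})),
        ("greylisting MX", ScriptedMX({"RCPT": (451, "4.7.1 try later")})),
    ]
    for name, mx in cases:
        v = sender_callout("alice@example.org", mx)
        print("%-22s verdict=%-8s accept=%s" % (name, v, accept_sender(v)))
```

Richard's whitelist of null-sender-rejecting sites was an attempt to patch over exactly the case the "unknown" verdict absorbs here; treating it as unknown instead of bad is what keeps those sites' users able to post.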
From Richard Welty, received 3/3/04, 19:36 -0500 (GMT):
Mind if I ask why you don't use the sbl-xbl?
keep in mind that the sbl is the combination of "sbl classic" with the xbl, where the xbl is currently a feed of the cbl that may at a later date incorporate additional lists or data.
I trust you mean sbl-xbl is the combination...

  sbl.spamhaus.org (direct spam sources & spam outfits)
  xbl.spamhaus.org (3rd party exploits/trojans/proxies/etc.)
  sbl-xbl.spamhaus.org (combination of the two)

--
Steve Linford
The Spamhaus Project
http://www.spamhaus.org
brandons@wyoming.com ("Brandon Shiers") writes:
We are using the following RBL's on our MTA right now:
  Spamhaus (sbl-xbl)
  DSBL
  NJABL (dynablock)
Are there any other good lists out there that you folks have had good experience with? Any that we might want to consider taking a look at? Thanks,
1. here's a chunk of my personal /usr/local/etc/postfix/main.cf file:

    smtpd_recipient_restrictions =
        ...
        reject_rbl_client rbl-plus.mail-abuse.org,
        reject_rbl_client nonconfirm.mail-abuse.org,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client opm.blitzed.org,
        reject_rbl_client http.dnsbl.sorbs.net,
        reject_rbl_client socks.dnsbl.sorbs.net,
        reject_rbl_client misc.dnsbl.sorbs.net,
        reject_rbl_client web.dnsbl.sorbs.net,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client blackholes.easynet.nl,
        reject_rbl_client dynablock.easynet.nl,
        reject_rbl_client proxies.easynet.nl

2. but the most effective list i have is one i build from the apache log, grepping for worm spoor. most spam is sent through proxies left behind by worms, so if you autoblackhole worm-infected hosts you'll stop a HUGE amount of spam in the hours and days that follow. (spammers are now writing and releasing worms just to create proxy nets, and are also paying malfeasants to write and release worms just to create proxy nets.)

3. furthermore, DCC (see www.rhyolite.com/dcc) is hereby highly recommended.

--
Paul Vixie
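Paul's point 2, the list built from the Apache log, written out as an added example (not his script, which the post does not show). It parses combined-format log lines, flags requests carrying the signatures the IIS worms of the period left on any web server they probed (Code Red's `default.ida`, Nimda's `root.exe` / `cmd.exe` traversal), counts hits per client, and renders a Postfix access(5) table for `check_client_access`. The signatures are chosen for illustration and should be tuned to what your own log shows; the log lines are constructed and use documentation address ranges. The `min_hits` threshold is my addition, not his: one stray probe from behind a large NAT would otherwise block everyone behind it.

```python
import re
from collections import Counter

# Apache "combined" log line; only the fields used here are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Request signatures left by the IIS worms of the period.  Illustrative
# set; the ones that matter are whatever shows up in your own log.
WORM_SPOOR = (
    re.compile(r"/default\.ida\?", re.I),           # Code Red
    re.compile(r"/scripts/root\.exe", re.I),         # Nimda backdoor probe
    re.compile(r"/winnt/system32/cmd\.exe", re.I),   # Nimda traversal target
    re.compile(r"%c0%af|%c1%1c|%255c", re.I),        # encoded "../" traversal
)


def is_worm_probe(request):
    """True if the request line matches any worm signature."""
    return any(p.search(request) for p in WORM_SPOOR)


def infected_hosts(lines):
    """Map client IP -> number of worm probes seen in the given log lines."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_worm_probe(m.group("request")):
            hits[m.group("ip")] += 1
    return dict(hits)


def postfix_access_map(hits, min_hits=1, reason="worm probe seen"):
    """Render a Postfix access(5) table for check_client_access.

    min_hits > 1 guards against blocking a large NAT or proxy on a single
    stray probe; the post's approach is to list every infected host.
    """
    rows = sorted(ip for ip, n in hits.items() if n >= min_hits)
    return "".join("%s\tREJECT %s\n" % (ip, reason) for ip in rows)


# Constructed sample log; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Mar/2004:10:11:12 -0500] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 294',
    '203.0.113.7 - - [03/Mar/2004:10:11:15 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.2 - - [03/Mar/2004:10:12:01 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.9 - - [03/Mar/2004:10:13:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.2 - - [03/Mar/2004:10:14:09 -0500] "GET /docs/cmd.exe.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(postfix_access_map(infected_hosts(SAMPLE_LOG)), end="")
```

To use the output, write it to a file such as /etc/postfix/worm_clients, run `postmap` on it, and reference it early in the restriction list (`check_client_access hash:/etc/postfix/worm_clients`) so listed clients are refused before any DNSBL lookups are spent on them. Entries need an expiry (the post says the value is in "the hours and days that follow", not forever), which a cron job regenerating the map from a rolling window of the log gives you for free.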
on Fri, Mar 05, 2004 at 07:36:36PM +0000, Paul Vixie wrote:
        reject_rbl_client blackholes.easynet.nl,
        reject_rbl_client dynablock.easynet.nl,
        reject_rbl_client proxies.easynet.nl
FYI, easynet.nl stopped hosting their DNSBLs in December.

http://groups.google.com/groups?selm=q60srv0prtpgqobe9icdlk4birg0t61v77%40th...

--
hesketh.com/inc. v: (919) 834-2552 f: (919) 834-2554 w: http://hesketh.com
Book publishing is second only to furniture delivery in slowness. -b. schneier
participants (8)

- Brandon Shiers
- Nathan Allen Stratton
- Patrick W.Gilmore
- Paul Vixie
- Richard Welty
- Scott Call
- Steve Linford
- Steven Champeon