On Thursday, 8 February 2018, 08:16:54 CET, Odhiambo Washington via Exim-users wrote:
> So, I have to ask what people are using these days when it comes to
> dnslists?
> And what other tools/tricks are in use that would help fight spam?

hmm, in my experience, dnslists are just one step of effective anti-spam filtering today. We developed a complex multi-stage anti-spam system for our email services which had to be tuned and managed actively, but with the smallest amount of time/work possible.

I think by principle the (by far) most efficient anti-spam fighting still is possible on MXes and not on SMTP/Mail "hops" "behind". A good DNS setup for outgoing email to reduce/avoid bounces from "hijacked" sender addresses is important too.

If you look for an in-Exim "easy to handle" list, I could recommend (currently):

    sbl-xbl.spamhaus.org
    nomail.rhsbl.sorbs.net/$sender_address_domain
    cbl.abuseat.org
    web.dnsbl.sorbs.net
    socks.dnsbl.sorbs.net
    http.dnsbl.sorbs.net
    zen.spamhaus.org
    b.barracudacentral.org
    psbl.surriel.com

but be warned, the most effective lists contain a few (known) "false positives" (i.e. spamhaus) of large email services (i.e. yahoo, local free mail services), because they do not handle their large email traffic within the DNSBLs' policies (i.e. contain a lot of spam). You have to watch and whitelist them by hand in the beginning. Place i.e. a proper error message with a URL pointing to further details and a contact to you / postmaster.

But DNSBLs are just one thing - today's spammers try to get access and use proper relays with hijacked sender addresses (to go through DMARC / SPF / DKIM) which is important to reach i.e. gmail recipients. DNSBL will block real email.

Our Anti-Spam solution (handling a few hundred thousand mails a day) has three "main stages":

- EXIM SA (with Greylisting)
- EXIM ACL and a few DNSBL, DMARC (SPF/DKIM)
- Spamassassin (with compiled rules - DCC, Pyzor2, Razor and Bayesian)
- EXIM - AMAVIS Antivirus (with two scanners)

We use a long list of DNSBLs with a "spam probability" value on each added (or subtracted) to/from a spam probability counter which goes into Spamassassin. SA internally works similarly and in SA we handle DCC (and razor + pyzor2). You may ask at SA lists / view SA docs for more in-depth details as this would be off list here.

This means each (new) email sender generates a lot of connections (primarily DNS). It may make sense to have your own DNS resolvers (against root) and possibly a DCC instance. The Bayesian subsystem of SA, as well as the antivirus subsystem, takes significant CPU / system load.

Be aware of local laws if you "read" the users' emails (our customers allow us to use their email content for spam analysis - check possible local law).

Over many years now the solution works very well for our users/customers, which (as business users) have a very low acceptance for false positives as for (real) spam. Depending on the time we get around 97%-99.5% of "real" spam out, while the measuring there is not very sharp, because it "hits" against the definition of "spam". If we go higher, unacceptable false positives will arise.

At the beginning we had to fill in a few hard whitelist entries in different subsystems for a few very large (mostly local and freemail) email providers which "go their own way". If a bounce rises today to a real sender the reason is on his side (defective email or temporary defect on the mail system on the sender's side). It is important to deliver proper / helpful error messages (without giving too much info to spammers out).

We do not have any "Spam folder" in users' mailboxes as this doesn't save time for the users. We recommend our users to disable such in email clients as the amount of false positives could be higher than "real" spam landing there.

There will be email which is recognized by users as "spam" which is regular list / newsletter email the user has accepted in the past - letting users mark them as "spam" often leads to further problems with false positives later.

hth a bit,
best regards,

Niels.

-- 
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
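
The weighted DNSBL counter and hand-kept whitelist described in the message above, as an added sketch that is not part of the original post and not the poster's system. The zone names come from the post; the weights, the whitelisted network, the sample DNS answers and all function names are assumptions, and treating 127.255.255.0/24 as an error reply rather than a listing follows Spamhaus's documented return codes.

```python
import ipaddress
import socket

# Zones are from the post; weights and whitelist are constructed for illustration.
IP_LISTS = {"zen.spamhaus.org": 4.0, "b.barracudacentral.org": 2.5, "psbl.surriel.com": 1.5}
DOMAIN_LISTS = {"nomail.rhsbl.sorbs.net": 2.0}
WHITELIST_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # hand-maintained
LISTED = ipaddress.ip_network("127.0.0.0/8")
ERRORS = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error replies

def ip_query_name(ip, zone):
    """IPv4 DNSBL convention: reversed octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """A-record lookup through the local resolver; raises OSError on NXDOMAIN."""
    return socket.gethostbyname_ex(name)[2]

def is_listed(name, resolve):
    """Only a 127.0.0.0/8 answer outside the error range counts as a listing."""
    try:
        answers = [ipaddress.ip_address(a) for a in resolve(name)]
    except OSError:  # NXDOMAIN or resolver failure: treat as not listed
        return False
    return any(a in LISTED and a not in ERRORS for a in answers)

def dnsbl_score(ip, sender_domain, resolve=system_resolve):
    """Return (score, hit zones) for one connecting host and envelope domain."""
    if any(ipaddress.ip_address(ip) in net for net in WHITELIST_NETS):
        return 0.0, []
    queries = [(z, w, ip_query_name(ip, z)) for z, w in IP_LISTS.items()]
    queries += [(z, w, sender_domain + "." + z) for z, w in DOMAIN_LISTS.items()]
    hits = [(z, w) for z, w, name in queries if is_listed(name, resolve)]
    return sum(w for _, w in hits), [z for z, _ in hits]

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "7.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "7.2.0.192.psbl.surriel.com": ["127.0.0.2"],
    "9.2.0.192.zen.spamhaus.org": ["127.255.255.254"],  # resolver refused
    "spam.example.nomail.rhsbl.sorbs.net": ["127.0.0.5"],
    "20.100.51.198.zen.spamhaus.org": ["127.0.0.2"],
}

def fake_resolve(name):
    if name not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[name]
```

Calling dnsbl_score("192.0.2.7", "spam.example", fake_resolve) sums the three constructed hits; leaving out the third argument queries the real lists through the local resolver.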