On 12 Oct 2016, at 18:59, li...@lazygranch.com wrote:
> You really can't rate RBLs in a normal setup since if one rejects the email, the others don't get a try.
That's not the case if you use DNSBLs in postscreen or SpamAssassin. In those cases the lookups get done asynchronously and all the answers are (or at least can be) logged, e.g.:
Oct 11 18:45:14 bigsky postfix/dnsblog: addr 18.104.22.168 listed by domain blackholes.scconsult.com as 127.0.0.2
Oct 11 18:45:14 bigsky postfix/dnsblog: addr 22.214.171.124 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 11 18:45:14 bigsky postfix/dnsblog: addr 126.96.36.199 listed by domain ix.dnsbl.manitu.net as 127.0.0.2
Either one of the last 2 on their own would be adequate for postscreen to reject the connection. You will note that the PIDs are in reverse order, indicating that the last dnsblog process spawned was the first to complete. This makes sense, as that DNS lookup never left the system's motherboard, while the others had to cross a WAN link and multiple routers.
My recent logs have no examples of multi-DNSBL messages making it to SA, because my config is designed to avoid the need to have SA look at mail, but when it does get a message that hits multiple DNSBLs, I see them all in the log of rule hits for ones that get rejected and also a header for the very rare case of them getting through (which is effectively impossible unless they are targeting postmaster@ or abuse@).
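
Added example, not part of the original message: because postscreen's dnsblog logs every DNSBL answer, the log itself can be used to rate the lists, counting for each zone how many client addresses it listed and how many of those no other zone caught. The log lines below are constructed (documentation addresses, hypothetical host name and PIDs), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Matches postscreen's dnsblog lines; the "[pid]" part is optional
# because the lines quoted in the message above do not show it.
DNSBLOG_RE = re.compile(
    r"postfix/dnsblog(?:\[\d+\])?: addr (?P<addr>\S+) "
    r"listed by domain (?P<zone>\S+) as (?P<reply>\S+)"
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Oct 11 18:45:14 mx postfix/dnsblog[2103]: addr 192.0.2.10 listed by domain blackholes.scconsult.com as 127.0.0.2
Oct 11 18:45:14 mx postfix/dnsblog[2102]: addr 192.0.2.10 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 11 18:45:14 mx postfix/dnsblog[2101]: addr 192.0.2.10 listed by domain ix.dnsbl.manitu.net as 127.0.0.2
Oct 11 18:47:02 mx postfix/dnsblog[2110]: addr 198.51.100.7 listed by domain zen.spamhaus.org as 127.0.0.11
Oct 11 18:47:02 mx postfix/dnsblog[2110]: addr 198.51.100.7 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 11 18:49:30 mx postfix/dnsblog[2115]: addr 203.0.113.5 listed by domain ix.dnsbl.manitu.net as 127.0.0.2
Oct 11 18:49:31 mx postfix/postscreen[2090]: DNSBL rank 2 for [203.0.113.5]:41234
"""

def zones_by_addr(lines):
    """Map each client address to the set of DNSBL zones that listed it."""
    hits = defaultdict(set)
    for line in lines:
        m = DNSBLOG_RE.search(line)
        if m:
            # A zone returning several A records logs several lines;
            # the set collapses them into one listing per zone.
            hits[m.group("addr")].add(m.group("zone"))
    return hits

def rate_dnsbls(lines):
    """Per zone: addresses listed, and addresses only that zone listed."""
    stats = defaultdict(lambda: {"listed": 0, "unique": 0})
    for zones in zones_by_addr(lines).values():
        for zone in zones:
            stats[zone]["listed"] += 1
            if len(zones) == 1:
                stats[zone]["unique"] += 1
    return dict(stats)

if __name__ == "__main__":
    for zone, s in sorted(rate_dnsbls(SAMPLE_LOG.splitlines()).items()):
        print(f"{zone:28} listed={s['listed']} unique={s['unique']}")
```

A zone with a high "listed" count but zero "unique" adds little on top of the others; comparing against known-good senders is still needed to judge false positives.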