On the surface, SA hitting multiple RBLs sounds inefficient. However, does each 
hit add to the SA rating? If so, that sounds like a plan. That is, if a message 
is rejected by N RBLs, it is more significant than just one RBL.

  Original Message  
From: Bill Cole
Sent: Wednesday, October 12, 2016 9:11 PM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: PostFix as a "/dev/null" MTA?

On 12 Oct 2016, at 18:59, li...@lazygranch.com wrote:

> You really can't rate RBLs in a normal setup since if one rejects the 
> email, the others don't get a try.

That's not the case if you use DNSBLs in postscreen or SpamAssassin. In 
those cases the lookups get done asynchronously and all the answers are 
(or at least can be) logged. e.g:

Oct 11 18:45:14 bigsky postfix/dnsblog[94896]: addr listed 
by domain blackholes.scconsult.com as
Oct 11 18:45:14 bigsky postfix/dnsblog[94893]: addr listed 
by domain zen.spamhaus.org as
Oct 11 18:45:14 bigsky postfix/dnsblog[94889]: addr listed 
by domain ix.dnsbl.manitu.net as

Either one of the last 2 on their own would be adequate for postscreen 
to reject the connection. You will note that the PIDs are in reverse 
order, indicating that the last dnsblog process spawned was the first to 
complete. This makes sense, as that DNS lookup never left the system's 
motherboard, while the others had to cross a WAN link and multiple 

My recent logs have no examples of multi-DNSBL messages making it to SA, 
because my config is designed to avoid the need to have SA look at mail, 
but when it does get a message that hits multiple DNSBLs, I see them all 
in the log of rule hits for ones that get rejected and also a header for 
the very rare case of them getting through (which is effectively 
impossible unless they are targeting postmaster@ or abuse@).
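
As an added illustration (not part of the original thread, and not anyone's actual configuration): a short Python script that tallies postfix/dnsblog log lines per client address and applies postscreen-style weighted scoring, of the kind set with weights in postscreen_dnsbl_sites and compared against postscreen_dnsbl_threshold. The client addresses, reply codes, weights and threshold below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the postfix/dnsblog format. Addresses are
# documentation-range placeholders and the reply codes are illustrative.
SAMPLE_LOG = """\
Oct 11 18:45:14 bigsky postfix/dnsblog[94896]: addr 192.0.2.10 listed by domain blackholes.scconsult.com as 127.0.0.2
Oct 11 18:45:14 bigsky postfix/dnsblog[94893]: addr 192.0.2.10 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 11 18:45:14 bigsky postfix/dnsblog[94893]: addr 192.0.2.10 listed by domain zen.spamhaus.org as 127.0.0.2
Oct 11 18:45:14 bigsky postfix/dnsblog[94889]: addr 192.0.2.10 listed by domain ix.dnsbl.manitu.net as 127.0.0.2
Oct 11 18:46:02 bigsky postfix/dnsblog[94901]: addr 198.51.100.7 listed by domain blackholes.scconsult.com as 127.0.0.2
Oct 11 18:46:02 bigsky postfix/smtpd[94902]: connect from unknown[198.51.100.7]
"""

# Assumed weights and threshold, chosen so that either of the last two
# lists alone reaches the threshold, as described in the message above.
WEIGHTS = {"blackholes.scconsult.com": 1, "zen.spamhaus.org": 2,
           "ix.dnsbl.manitu.net": 2}
THRESHOLD = 2

DNSBLOG_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: addr (?P<addr>\S+) "
    r"listed by domain (?P<domain>\S+) as (?P<reply>\S+)"
)

def hits_by_client(log_text):
    """Map client address -> set of DNSBL domains that listed it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DNSBLOG_RE.search(line)
        if m:
            # A set: a list that returns several A records logs several
            # lines for the same address but is counted once here.
            hits[m["addr"]].add(m["domain"])
    return dict(hits)

def score_clients(log_text, weights, threshold):
    """Return {addr: (score, sorted domains, reaches_threshold)}."""
    result = {}
    for addr, domains in hits_by_client(log_text).items():
        score = sum(weights.get(d, 1) for d in domains)  # unlisted site: 1
        result[addr] = (score, sorted(domains), score >= threshold)
    return result

if __name__ == "__main__":
    for addr, (score, domains, reject) in score_clients(
            SAMPLE_LOG, WEIGHTS, THRESHOLD).items():
        print(f"{addr}: score={score} reject={reject} lists={domains}")
```
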
