Re: Fastest listing RBL ?

2017-02-15 Thread Ian Zimmerman 
On 2017-02-15 16:30, Tom Hendrikx wrote:

> Note that the period that you describe as 'seen by SA a bit later' is
> typically less than a second.

Not in my case.  I have a custom Exim configuration where I
intentionally wait for a period of time (currently 4 minutes) between
SMTP acceptance and delivery (SA runs at delivery time), precisely
because I want to give all the collaborative mechanisms the maximum
chance to kick in.

When I wrote my OP, 4 minutes was shorter than my BIND max-ncache-ttl
parameter.  I have since set that to 180 (3 minutes), so that angle
shouldn't matter any more.  Still the balance between bouncing the most
junk outright and the risk of false positives means it's something to
think about.

> Which RBLs to use, depends on the typical spam you receive, and the
> policies that you wish to apply. IMHO, the trust you put in RBLs (and
> their listing policies) should be more important in making decisions
> than their typical response time to new (types of) spam and their
> TTLs.

Agreed.

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html

Re: Fastest listing RBL ?

2017-02-15 Thread Vincent Fox 

I cannot state strongly enough, that blocking
entire top-level domains these days should come
before RBL.  *.top, *.link, *.download, etc.

RBL depends on paid or free.

Paid: Spamhaus, the 800 lb gorilla of RBL.
Also URIBL various feeds.  Direct query to a dedicated
address with fresh data FTW.

Free: I find SORBS pretty quick to list.  However I dislike them for
their annoying delisting procedures when my SMTP pool gets on
their list due to a compromised account.  Takes days to get off.

Honorable Mention: SpamEatingMonkeys

Re: Fastest listing RBL ?

2017-02-15 Thread Rob McEwen 

On 2/14/2017 11:04 PM, Ian Zimmerman wrote:

Given a piece of horrible spam, on which RBL is the sending IP address
likely to appear first?

I want to rationally decide which RBL/s to consult at SMTP time.  Afraid
to use all of them, not just due to false positives, but also due to
negative caching in DNS, which could affect the result when the spam is
seen by SA a bit later.


Ian,

(if possible) Start monitoring the sending IPs of barely missed incoming 
spam, in real time, as they come in. As soon as possible after the spam 
comes in, check that IP on multirbl.valli.org (or mxtoolbox), and see 
which RBLs are listing that IP (recognizing that SOME of those are going 
to be situations where the IP wasn't blacklisted until seconds after the 
spam was received - but many were listed before then)


Throw out the examples where the IP has a good reputation in places like 
SenderScore or SenderBase... or where the IP is an MTA of a large/famous 
hoster/ISP (but take note of which lists were listing those) - However, 
SOME of those listings with decent scores at SenderScore or SenderBase 
are appropriately blacklisted, such as a small sender with a massive 
security hole where they are suddenly spewing out a massive amount of 
spam. But if you notice an RBL hitting on MANY like this - they might be 
too aggressive and even worthless - or perhaps more appropriate for low 
scoring. There are a few lists which are VERY fast-reacting to new 
spams, but have horrific expiration polices and/or are poorly managed - 
and would produce many FPs if used in production. But there are some 
other lists which are just a little too aggressive for outright 
blocking, but are very useful for scoring a few points (or less).


You should then notice about only about ~5-8 lists which rise to the top 
- in the checking I described, they seem to have very few FPs (you won't 
know for sure until you test them in production) - and they are very 
fast reacting. Still, SOME of these are just a little too aggressive for 
outright blocking (or scoring at/above threshold) - but are great for 
high scoring. But you may not be able to accurately measure their FP 
level until you've used them in production for some weeks.


A smaller amount of these RBLs (that rose to the top)... in addition to 
being fast-reacting... block much unique spam missed by the other lists 
AND have few enough FPs for you to probably feel comfortable outright 
blocking (or scoring at/above threshold). You might find ~3-5 such 
lists, including zen.spamhaus.org in that elite group.


--
Rob McEwen

Re: Fastest listing RBL ?

2017-02-15 Thread Tom Hendrikx 


On 15-02-17 15:19, Bowie Bailey wrote:
> On 2/14/2017 11:04 PM, Ian Zimmerman wrote:
>> Given a piece of horrible spam, on which RBL is the sending IP address
>> likely to appear first?
>>
>> I want to rationally decide which RBL/s to consult at SMTP time.  Afraid
>> to use all of them, not just due to false positives, but also due to
>> negative caching in DNS, which could affect the result when the spam is
>> seen by SA a bit later.
> 
> I find zen.spamhaus.org to be the most reliable RBL to use for
> blacklisting.
> 
> I wouldn't worry too much about negative caching.  It looks like the TTL
> for negative results with Spamhaus is 10 seconds.
> 

Naturally, blocklists decide based on their data (f.i. removal times for
typical listings, the way they publish updates, etc) the best ttl for
their data. You should probably just use them.

Note that the period that you describe as 'seen by SA a bit later' is
typically less than a second. In the rare case that postfix sees other
values than spamassassin for the same delivery, many people on this list
will (on first sight) assume your setup is broken when you see
differences in that timeframe, in stead of 'very smart with RBLs and TTLs'.

Which RBLs to use, depends on the typical spam you receive, and the
policies that you wish to apply. IMHO, the trust you put in RBLs (and
their listing policies) should be more important in making decisions
than their typical response time to new (types of) spam and their TTLs.

Kind regards,
Tom

Re: Fastest listing RBL ?

2017-02-15 Thread Bowie Bailey 

On 2/14/2017 11:04 PM, Ian Zimmerman wrote:

Given a piece of horrible spam, on which RBL is the sending IP address
likely to appear first?

I want to rationally decide which RBL/s to consult at SMTP time.  Afraid
to use all of them, not just due to false positives, but also due to
negative caching in DNS, which could affect the result when the spam is
seen by SA a bit later.


I find zen.spamhaus.org to be the most reliable RBL to use for blacklisting.

I wouldn't worry too much about negative caching.  It looks like the TTL 
for negative results with Spamhaus is 10 seconds.


--
Bowie

Re: Fastest listing RBL ?

2017-02-15 Thread David Jones 
>From: Ian Zimmerman 
>Sent: Tuesday, February 14, 2017 10:04 PM
>To: users@spamassassin.apache.org
>Subject: Fastest listing RBL ?
    
>Given a piece of horrible spam, on which RBL is the sending IP address
>likely to appear first?

>I want to rationally decide which RBL/s to consult at SMTP time.  Afraid
>to use all of them, not just due to false positives, but also due to
>negative caching in DNS, which could affect the result when the spam is
>seen by SA a bit later.

What MTA are you using?  Postfix is very flexible and Postscreen is
powerful.  It can be setup with dozens of RBLs with weights so even
not-so-good RBLs can be used to safely.  If you turn up the RBL
sensitivity with a lot of them in postscreen, it will require using
postwhite to prevent blocking legit mail from major hosting
providers.  In this case SA will have to handle those messages
based on content.

Greylisting is the best help to add a delay to give time for RBLs to
list new IPs.  Greylisting can be setup selectively so it doesn't
slow down email from trusted senders which is the most common
objection to using greylisting.  I thought it would be impossible
to implement it without my users complaining but I was able to
do it with a little care over a few weeks.

Dave