Re: Fastest listing RBL ?
On 2017-02-15 16:30, Tom Hendrikx wrote: > Note that the period that you describe as 'seen by SA a bit later' is > typically less than a second. Not in my case. I have a custom Exim configuration where I intentionally wait for a period of time (currently 4 minutes) between SMTP acceptance and delivery (SA runs at delivery time), precisely because I want to give all the collaborative mechanisms the maximum chance to kick in. When I wrote my OP, 4 minutes was shorter than my BIND max-ncache-ttl parameter. I have since set that to 180 (3 minutes), so that angle shouldn't matter any more. Still the balance between bouncing the most junk outright and the risk of false positives means it's something to think about. > Which RBLs to use, depends on the typical spam you receive, and the > policies that you wish to apply. IMHO, the trust you put in RBLs (and > their listing policies) should be more important in making decisions > than their typical response time to new (types of) spam and their > TTLs. Agreed. -- Please *no* private Cc: on mailing lists and newsgroups Personal signed mail: please _encrypt_ and sign Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
Re: Fastest listing RBL ?
I cannot state strongly enough, that blocking entire top-level domains these days should come before RBL. *.top, *.link, *.download, etc. RBL depends on paid or free. Paid: Spamhaus, the 800 lb gorilla of RBL. Also URIBL various feeds. Direct query to a dedicated address with fresh data FTW. Free: I find SORBS pretty quick to list. However I dislike them for their annoying delisting procedures when my SMTP pool gets on their list due to a compromised account. Takes days to get off. Honorable Mention: SpamEatingMonkeys
Re: Fastest listing RBL ?
On 2/14/2017 11:04 PM, Ian Zimmerman wrote: Given a piece of horrible spam, on which RBL is the sending IP address likely to appear first? I want to rationally decide which RBL/s to consult at SMTP time. Afraid to use all of them, not just due to false positives, but also due to negative caching in DNS, which could affect the result when the spam is seen by SA a bit later. Ian, (if possible) Start monitoring the sending IPs of barely missed incoming spam, in real time, as they come in. As soon as possible after the spam comes in, check that IP on multirbl.valli.org (or mxtoolbox), and see which RBLs are listing that IP (recognizing that SOME of those are going to be situations where the IP wasn't blacklisted until seconds after the spam was received - but many were listed before then) Throw out the examples where the IP has a good reputation in places like SenderScore or SenderBase... or where the IP is an MTA of a large/famous hoster/ISP (but take note of which lists were listing those) - However, SOME of those listings with decent scores at SenderScore or SenderBase are appropriately blacklisted, such as a small sender with a massive security hole where they are suddenly spewing out a massive amount of spam. But if you notice an RBL hitting on MANY like this - they might be too aggressive and even worthless - or perhaps more appropriate for low scoring. There are a few lists which are VERY fast-reacting to new spams, but have horrific expiration polices and/or are poorly managed - and would produce many FPs if used in production. But there are some other lists which are just a little too aggressive for outright blocking, but are very useful for scoring a few points (or less). You should then notice about only about ~5-8 lists which rise to the top - in the checking I described, they seem to have very few FPs (you won't know for sure until you test them in production) - and they are very fast reacting. Still, SOME of these are just a little too aggressive for outright blocking (or scoring at/above threshold) - but are great for high scoring. But you may not be able to accurately measure their FP level until you've used them in production for some weeks. A smaller amount of these RBLs (that rose to the top)... in addition to being fast-reacting... block much unique spam missed by the other lists AND have few enough FPs for you to probably feel comfortable outright blocking (or scoring at/above threshold). You might find ~3-5 such lists, including zen.spamhaus.org in that elite group. -- Rob McEwen
Re: Fastest listing RBL ?
On 15-02-17 15:19, Bowie Bailey wrote: > On 2/14/2017 11:04 PM, Ian Zimmerman wrote: >> Given a piece of horrible spam, on which RBL is the sending IP address >> likely to appear first? >> >> I want to rationally decide which RBL/s to consult at SMTP time. Afraid >> to use all of them, not just due to false positives, but also due to >> negative caching in DNS, which could affect the result when the spam is >> seen by SA a bit later. > > I find zen.spamhaus.org to be the most reliable RBL to use for > blacklisting. > > I wouldn't worry too much about negative caching. It looks like the TTL > for negative results with Spamhaus is 10 seconds. > Naturally, blocklists decide based on their data (f.i. removal times for typical listings, the way they publish updates, etc) the best ttl for their data. You should probably just use them. Note that the period that you describe as 'seen by SA a bit later' is typically less than a second. In the rare case that postfix sees other values than spamassassin for the same delivery, many people on this list will (on first sight) assume your setup is broken when you see differences in that timeframe, in stead of 'very smart with RBLs and TTLs'. Which RBLs to use, depends on the typical spam you receive, and the policies that you wish to apply. IMHO, the trust you put in RBLs (and their listing policies) should be more important in making decisions than their typical response time to new (types of) spam and their TTLs. Kind regards, Tom
Re: Fastest listing RBL ?
On 2/14/2017 11:04 PM, Ian Zimmerman wrote: Given a piece of horrible spam, on which RBL is the sending IP address likely to appear first? I want to rationally decide which RBL/s to consult at SMTP time. Afraid to use all of them, not just due to false positives, but also due to negative caching in DNS, which could affect the result when the spam is seen by SA a bit later. I find zen.spamhaus.org to be the most reliable RBL to use for blacklisting. I wouldn't worry too much about negative caching. It looks like the TTL for negative results with Spamhaus is 10 seconds. -- Bowie
Re: Fastest listing RBL ?
>From: Ian Zimmerman>Sent: Tuesday, February 14, 2017 10:04 PM >To: users@spamassassin.apache.org >Subject: Fastest listing RBL ? >Given a piece of horrible spam, on which RBL is the sending IP address >likely to appear first? >I want to rationally decide which RBL/s to consult at SMTP time. Afraid >to use all of them, not just due to false positives, but also due to >negative caching in DNS, which could affect the result when the spam is >seen by SA a bit later. What MTA are you using? Postfix is very flexible and Postscreen is powerful. It can be setup with dozens of RBLs with weights so even not-so-good RBLs can be used to safely. If you turn up the RBL sensitivity with a lot of them in postscreen, it will require using postwhite to prevent blocking legit mail from major hosting providers. In this case SA will have to handle those messages based on content. Greylisting is the best help to add a delay to give time for RBLs to list new IPs. Greylisting can be setup selectively so it doesn't slow down email from trusted senders which is the most common objection to using greylisting. I thought it would be impossible to implement it without my users complaining but I was able to do it with a little care over a few weeks. Dave