Re: Which DNSBLs do you use?
>> On Jun 17, 2016, at 7:25 AM, Vincent Fox wrote:
>>
>> Greylisting imo helps a lot with RBL lag.

Greylisting is a must and it definitely helps with RBL lag.

> It can, but it's definitely a double-edged sword. Depending on the way the
> remote MTA works, I've experienced emails being delayed for quite some time. I
> had a lot of users requesting to be removed from the graylist, and eventually
> decided to drop it. When you're waiting for the confirmation of a PO from a
> new vendor on raw materials you need for a batch being made tomorrow it can be
> very frustrating :)

Use postscreen for RBL weighting to spread out the responsibility so unreliable
RBLs can still be used to add to the scoring. Then use
https://github.com/stevejenkins/postwhite to add in trustworthy sending domains
and large ISPs that are too big to block (yahoo, aol, comcast, etc.) without too
many consequences. Then use that same list from postwhite to bypass greylisting
(put it first in the list, before greylisting). Over time, you will have a good
list of trustworthy senders so greylisting will only happen on a subset of
inbound email, so most mail won't have a delay. Brand new compromised senders
will be delayed.

See the postscreen_spf_whitelist.cidr entries below:

smtpd_recipient_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/helo_access_pcre,
    check_client_access hash:/etc/postfix/access,
    check_client_access cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unknown_reverse_client_hostname,
    reject_unlisted_sender,
    reject_unlisted_recipient,
    # SQLgrey on 127.0.0.1:2501
    check_policy_service inet:127.0.0.1:2501,
    # must have subscription to IVM to use this one below
    reject_rhsbl_sender uri.invaluement.com,
    reject_unverified_recipient,
    permit

postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr
    cidr:/etc/postfix/postscreen_spf_whitelist.cidr

I have some scripts that analyze my SA scoring for the sending domains to give
me some safe/trustworthy domains to add to that postwhite list since they always
score very low and have some other characteristics like being listed in
whitelists. These senders with good reputations and valid unsubscribe processes
get the green light through my mail server even in SA by using SHORTCIRCUIT meta
rules. This makes SA even faster by scanning less mail when it would have scored
it very low consistently anyway.

> The MTA will let the remote client know the email was rejected, or the local
> client can go into the SPAM folder and find the email; with graylists, neither
> the sender nor the receiver may realize the status of the email.
>
>> Delay suspect IP long enough that by the time they retry, if they do, they
>> are on half a dozen RBL and score high and reject.
>>
>> Sent from my iPhone
Re: Which DNSBLs do you use?
On 17.06.2016 at 16:37, Shawn Bakhtiar wrote:
>> On Jun 17, 2016, at 7:25 AM, Vincent Fox wrote:
>>
>> Greylisting imo helps a lot with RBL lag.
>
> It can, but it's definitely a double-edged sword. Depending on the way the
> remote MTA works, I've experienced emails being delayed for quite some time.
> I had a lot of users requesting to be removed from the graylist, and
> eventually decided to drop it. When you're waiting for the confirmation of a
> PO from a new vendor on raw materials you need for a batch being made
> tomorrow it can be very frustrating :)

set it up properly, just don't greylist everything: skip clients on several
DNSWLs or passing SPF, and in the same way put aggressive HELO/PTR checks as
well as sender verification below

smtpd_recipient_restrictions =
    ... other stuff
    check_policy_service unix:private/spf-policy
    permit_dnswl_client list.dnswl.org
    permit_dnswl_client ips.whitelisted.org
    permit_dnswl_client wl.mailspike.net
    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
    permit_dnswl_client bl.nszones.com=127.0.0.5
    permit_dnswl_client score.senderscore.com=127.0.4.[80..100]
    permit_dnswl_client iadb.isipp.com
    permit_dnswl_client sa-accredit.habeas.com
    permit_dnswl_client dnswl.inps.de=127.0.[0;1].[2..10]
    permit_dnswl_client swl.spamhaus.org=127.0.2.[2;3;102;103]
    check_helo_access proxy:pcre:/etc/postfix/blacklist_helo.cf
    check_reverse_client_hostname_access proxy:pcre:/etc/postfix/ptr.cf
    check_policy_service unix:/var/spool/postfix/postgrey/socket
    reject_unverified_sender

/etc/python-policyd-spf/policyd-spf.conf:

debugLevel = 1
defaultSeedOnly = 1
HELO_reject = No_Check
Mail_From_reject = Fail
Mail_From_pass_restriction = OK
PermError_reject = False
TempError_Defer = True
Re: Which DNSBLs do you use?
> On Jun 17, 2016, at 7:25 AM, Vincent Fox wrote:
>
> Greylisting imo helps a lot with RBL lag.

It can, but it's definitely a double-edged sword. Depending on the way the
remote MTA works, I've experienced emails being delayed for quite some time. I
had a lot of users requesting to be removed from the graylist, and eventually
decided to drop it. When you're waiting for the confirmation of a PO from a new
vendor on raw materials you need for a batch being made tomorrow it can be very
frustrating :)

The MTA will let the remote client know the email was rejected, or the local
client can go into the SPAM folder and find the email; with graylists, neither
the sender nor the receiver may realize the status of the email.

> Delay suspect IP long enough that by the time they retry, if they do, they
> are on half a dozen RBL and score high and reject.
>
> Sent from my iPhone
>
>> On Jun 17, 2016, at 13:23, Reindl Harald wrote:
>>
>> On 17.06.2016 at 02:57, Alex wrote:
>>> For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
>>> also currently hits just sorbs. The individual score for each would
>>> have to be so low, even with such a poor reputation, that it hardly
>>> makes it worthwhile. I can't reject just on the almost worst
>>> reputation as you can have or just on sorbs, and the combination of
>>> the two isn't significant enough either.
>>
>> and hence you score several DNSBL *and* DNSWL and make decisions on the
>> final score
>>
>>> I also meant to point out that with a reputation like 4 out of a 100,
>>> you'd think it would be listed on more RBLs than just sorbs. Something
>>> is wrong there. A mail server doesn't receive an absolutely horrible
>>> reputation without being blacklisted elsewhere.
>>
>> bla - it takes time until an IP makes it to different RBLs and hence use
>> many of them with moderate scoring so that you can make useful decisions and
>> likely have new offenders on enough most of the time
>>
>>> Senderscore is not trustworthy
>>
>> NO RBL alone is trustworthy, hence you score them in the MTA as well as in
>> the content filter
Re: Which DNSBLs do you use?
Greylisting imo helps a lot with RBL lag.

Delay suspect IP long enough that by the time they retry, if they do, they are
on half a dozen RBL and score high and reject.

Sent from my iPhone

> On Jun 17, 2016, at 13:23, Reindl Harald wrote:
>
> On 17.06.2016 at 02:57, Alex wrote:
>>> For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
>>> also currently hits just sorbs. The individual score for each would
>>> have to be so low, even with such a poor reputation, that it hardly
>>> makes it worthwhile. I can't reject just on the almost worst
>>> reputation as you can have or just on sorbs, and the combination of
>>> the two isn't significant enough either.
>
> and hence you score several DNSBL *and* DNSWL and make decisions on the final
> score
>
>> I also meant to point out that with a reputation like 4 out of a 100,
>> you'd think it would be listed on more RBLs than just sorbs. Something
>> is wrong there. A mail server doesn't receive an absolutely horrible
>> reputation without being blacklisted elsewhere.
>
> bla - it takes time until an IP makes it to different RBLs and hence use many
> of them with moderate scoring so that you can make useful decisions and
> likely have new offenders on enough most of the time
>
>> Senderscore is not trustworthy
>
> NO RBL alone is trustworthy, hence you score them in the MTA as well as in
> the content filter
Re: Which DNSBLs do you use?
On 17.06.2016 at 02:54, Alex wrote:
> On Thu, Jun 16, 2016 at 6:35 PM, David Jones wrote:
>>> We were also using the senderscore RBL based on Reindl and others'
>>> recommendations, but disabled it after it just rejected too much ham.
>>
>> The senderscore.org RBL scores for low reputation are a pain sometimes
>> but those senders need to know how to filter outbound email properly
>> and detect compromised accounts. Senders won't change or improve
>> if there isn't some pain or motivation.
>
> It can't be my users. I had three levels of management on the phone
> wanting an explanation as to why messages were being rejected

because one did not do a proper job while configuring the scoring

I still need to see a single false positive reject, especially since there
are 5 classifications with different scoring in our DNSWL part of the game,
containing currently nearly 1 IPs and subnets

postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
    dnsbl.sorbs.net=127.0.0.10*9
    dnsbl.sorbs.net=127.0.0.14*9
    zen.spamhaus.org=127.0.0.[10;11]*8
    dnsbl.sorbs.net=127.0.0.5*7
    zen.spamhaus.org=127.0.0.[4..7]*7
    b.barracudacentral.org=127.0.0.2*7
    zen.spamhaus.org=127.0.0.3*7
    dnsbl.inps.de=127.0.0.2*7
    hostkarma.junkemailfilter.com=127.0.0.2*4
    dnsbl.sorbs.net=127.0.0.7*4
    bl.spamcop.net=127.0.0.2*4
    bl.spameatingmonkey.net=127.0.0.[2;3]*4
    dnsrbl.swinog.ch=127.0.0.3*4
    ix.dnsbl.manitu.net=127.0.0.2*4
    psbl.surriel.com=127.0.0.2*4
    bl.mailspike.net=127.0.0.[10;11;12]*4
    bl.mailspike.net=127.0.0.2*4
    zen.spamhaus.org=127.0.0.2*3
    score.senderscore.com=127.0.4.[0..20]*3
    bl.spamcannibal.org=127.0.0.2*3
    dnsbl.sorbs.net=127.0.0.6*3
    dnsbl.sorbs.net=127.0.0.8*2
    hostkarma.junkemailfilter.com=127.0.0.4*2
    dnsbl.sorbs.net=127.0.0.9*2
    dnsbl-1.uceprotect.net=127.0.0.2*2
    all.spamrats.com=127.0.0.38*2
    bl.nszones.com=127.0.0.[2;3]*1
    dnsbl-2.uceprotect.net=127.0.0.2*1
    dnsbl.sorbs.net=127.0.0.2*1
    dnsbl.sorbs.net=127.0.0.4*1
    score.senderscore.com=127.0.4.[0..69]*1
    dnsbl.sorbs.net=127.0.0.3*1
    hostkarma.junkemailfilter.com=127.0.1.2*1
    dnsbl.sorbs.net=127.0.0.15*1
    ips.backscatterer.org=127.0.0.2*1
    bl.nszones.com=127.0.0.5*-1
    score.senderscore.com=127.0.4.[90..100]*-1
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-2
    ips.whitelisted.org=127.0.0.2*-2
    list.dnswl.org=127.0.[0..255].0*-2
    dnswl.inps.de=127.0.[0;1].[2..10]*-2
    list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5
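The weighted list above is easier to reason about once you can see how the filters and weights combine for one client. The Python below is an added example (mine, not Reindl's configuration and not Postfix's own code): it parses a subset of the posted postscreen_dnsbl_sites entries using the same domain=filter*weight syntax, adds the weight of every entry whose filter matches, and compares the total against the posted threshold of 8. The lookup replies are constructed and no DNS is queried; how postscreen treats an entry without an =d.d.d.d filter, and whether one entry can count more than once, are assumptions here (any reply matches, each entry counts once).

```python
"""Weighted DNSBL/DNSWL scoring in the style of Postfix postscreen.

Added example, not from the thread and not Postfix's code: parses a subset of
the postscreen_dnsbl_sites list posted above (same domain=filter*weight syntax)
and scores a client against constructed lookup replies.  No DNS is queried.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Subset of the posted list, kept verbatim as the sample configuration.
SITES_CONF = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*7
zen.spamhaus.org=127.0.0.3*7
zen.spamhaus.org=127.0.0.2*3
b.barracudacentral.org=127.0.0.2*7
dnsbl.sorbs.net=127.0.0.6*3
score.senderscore.com=127.0.4.[0..20]*3
score.senderscore.com=127.0.4.[0..69]*1
score.senderscore.com=127.0.4.[90..100]*-1
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].2*-4
list.dnswl.org=127.0.[0..255].3*-5
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold from the posted configuration


@dataclass
class Site:
    domain: str
    # One set of permitted values per octet of the A-record reply.  None means
    # the entry had no =d.d.d.d filter; treating that as "any reply matches" is
    # an assumption of this example.
    octets: Optional[Tuple[Set[int], ...]]
    weight: int

    def matches(self, reply: str) -> bool:
        if self.octets is None:
            return True
        parts = reply.split(".")
        if len(parts) != 4 or not all(p.isdigit() for p in parts):
            return False
        return all(int(p) in allowed for p, allowed in zip(parts, self.octets))


def parse_octet(spec: str) -> Set[int]:
    """'5' -> {5}; '[10;11]' -> {10, 11}; '[0..20]' -> {0, ..., 20}; lists and ranges may mix."""
    allowed: Set[int] = set()
    for part in spec.strip("[]").split(";"):
        if ".." in part:
            lo, hi = (int(x) for x in part.split("..", 1))
            allowed.update(range(lo, hi + 1))
        else:
            allowed.add(int(part))
    if not allowed or min(allowed) < 0 or max(allowed) > 255:
        raise ValueError(f"octet specification out of range: {spec}")
    return allowed


def parse_sites(conf: str) -> List[Site]:
    """Parse whitespace-separated 'domain[=d.d.d.d][*weight]' entries (weight defaults to 1)."""
    sites: List[Site] = []
    for token in conf.split():
        m = re.fullmatch(r"([A-Za-z0-9.-]+)(?:=([^*]+))?(?:\*(-?\d+))?", token)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {token}")
        domain, filt, weight = m.groups()
        octets = None
        if filt is not None:
            specs = re.findall(r"\[[^\]]+\]|\d+", filt)
            if len(specs) != 4 or ".".join(specs) != filt:
                raise ValueError(f"bad reply filter: {filt}")
            octets = tuple(parse_octet(s) for s in specs)
        sites.append(Site(domain, octets, int(weight) if weight else 1))
    return sites


SITES = parse_sites(SITES_CONF)


def score_client(replies: Dict[str, List[str]],
                 sites: List[Site] = SITES,
                 threshold: int = THRESHOLD) -> Tuple[int, bool, List[Tuple[str, int]]]:
    """Add the weight of every entry whose filter matches a reply for its domain.

    Each entry counts at most once, so the two overlapping senderscore ranges
    stack (a score of 0..20 collects 3+1) as the posted list intends, while the
    negative DNSWL weights pull the total back down.  Reject when total >= threshold.
    """
    total, hits = 0, []
    for site in sites:
        if any(site.matches(r) for r in replies.get(site.domain, [])):
            total += site.weight
            hits.append((site.domain, site.weight))
    return total, total >= threshold, hits


# Constructed replies for three hypothetical clients (no real lookups were made).
LOW_REP_ONLY = {"score.senderscore.com": ["127.0.4.4"],   # reputation 4 of 100
                "dnsbl.sorbs.net": ["127.0.0.6"]}
LOW_REP_PLUS_BRBL = dict(LOW_REP_ONLY, **{"b.barracudacentral.org": ["127.0.0.2"]})
LISTED_BUT_WHITELISTED = {"zen.spamhaus.org": ["127.0.0.3"],
                          "list.dnswl.org": ["127.0.5.2"]}  # dnswl reply with trust level .2

if __name__ == "__main__":
    for name, replies in [("low reputation + sorbs", LOW_REP_ONLY),
                          ("... plus barracuda", LOW_REP_PLUS_BRBL),
                          ("zen hit offset by dnswl", LISTED_BUT_WHITELISTED)]:
        total, rejected, hits = score_client(replies)
        print(f"{name}: total={total} rejected={rejected} hits={hits}")
```

With these weights the first client (worst senderscore band plus one sorbs listing) collects 7 and stays under the threshold, which is the situation Alex describes; a third listing tips it over, and a dnswl hit offsets a single zen listing. Change SITES_CONF to the full posted list to see how the remaining entries shift those totals.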
Re: Which DNSBLs do you use?
On 17.06.2016 at 02:57, Alex wrote:
>> For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
>> also currently hits just sorbs. The individual score for each would
>> have to be so low, even with such a poor reputation, that it hardly
>> makes it worthwhile. I can't reject just on the almost worst
>> reputation as you can have or just on sorbs, and the combination of
>> the two isn't significant enough either.

and hence you score several DNSBL *and* DNSWL and make decisions on the final
score

> I also meant to point out that with a reputation like 4 out of a 100,
> you'd think it would be listed on more RBLs than just sorbs. Something
> is wrong there. A mail server doesn't receive an absolutely horrible
> reputation without being blacklisted elsewhere.

bla - it takes time until an IP makes it to different RBLs and hence use many
of them with moderate scoring so that you can make useful decisions and likely
have new offenders on enough most of the time

> Senderscore is not trustworthy

NO RBL alone is trustworthy, hence you score them in the MTA as well as in the
content filter
Re: Which DNSBLs do you use?
>> For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
>> also currently hits just sorbs. The individual score for each would
>> have to be so low, even with such a poor reputation, that it hardly
>> makes it worthwhile. I can't reject just on the almost worst
>> reputation as you can have or just on sorbs, and the combination of
>> the two isn't significant enough either.
>
> I also meant to point out that with a reputation like 4 out of a 100,
> you'd think it would be listed on more RBLs than just sorbs. Something
> is wrong there. A mail server doesn't receive an absolutely horrible
> reputation without being blacklisted elsewhere. Senderscore is not
> trustworthy.

I disagree. In fact, you can run a report and see the graph of the past month of
email, which is more than you can see with other RBLs. If you set up senderscore
weighting in postscreen like it has been posted on this list (like 6 out of 8
for that low of a score), then it would have been blocked in combination with
SORBS. When you see the senderscore.org graph go up on volume (blue) and the
score (red) go down, that server is definitely blasting out some spam. Also add
it to your SA scoring so low reputation scores in senderscore.org will add some
points to augment Bayes and other rules.

Senderscore.org seems to be faster reacting than other RBLs, which is why you
may not have seen that IP on RBLs at that time. However, look at it now...
Wow!

http://multirbl.valli.org/lookup/212.227.126.135.html

I have a feeling that some major ISPs and commercial products utilize
senderscore.org. They don't seem to have a query limit so they are wanting
people to use them. I have not had a false positive yet as long as you set up
weighting properly in postscreen and scoring in SA.

Still Invaluement plus Zen has been the best combination. Senderscore.org is
good to add to those since it seems to catch compromised servers quickly.
Re: Which DNSBLs do you use?
Hi,

> For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
> also currently hits just sorbs. The individual score for each would
> have to be so low, even with such a poor reputation, that it hardly
> makes it worthwhile. I can't reject just on the almost worst
> reputation as you can have or just on sorbs, and the combination of
> the two isn't significant enough either.

I also meant to point out that with a reputation like 4 out of a 100, you'd
think it would be listed on more RBLs than just sorbs. Something is wrong there.
A mail server doesn't receive an absolutely horrible reputation without being
blacklisted elsewhere. Senderscore is not trustworthy.
Re: Which DNSBLs do you use?
Hi,

On Thu, Jun 16, 2016 at 6:35 PM, David Jones wrote:
>> We were also using the senderscore RBL based on Reindl and others'
>> recommendations, but disabled it after it just rejected too much ham.
>
> The senderscore.org RBL scores for low reputation are a pain sometimes
> but those senders need to know how to filter outbound email properly
> and detect compromised accounts. Senders won't change or improve
> if there isn't some pain or motivation.

It can't be my users. I had three levels of management on the phone wanting an
explanation as to why messages were being rejected.

> This shows a fundamental problem in mail filtering that needs to be
> addressed somehow. When a good mail filter blocks email from a
> mail server listed on an RBL, who is at fault? The sender blames the
> receiving mail filter because the bounce messages aren't understandable
> to the average user. So the sender has no easy way to contact
> the recipient unless they use a different email address. Then the
> recipient contacts their own support group (us) and we look like
> the bad guy for blocking the email when it is really a reputation
> problem with the sender that is very hard to get in contact with.
> Then if you can get in touch with the sending mail server admin,
> they usually don't know enough about how RBLs or mail filtering
> works well enough so you have to spend a lot of time showing
> them http://senderscore.org or http://multirbl.valli.org/ and
> explain what all of that stuff means.

Yes, you've identified the exact issue. Perhaps it was the immediate increase in
rejected mail that resulted from the senderscore RBL. There was immediate
push-back and absolute resistance to being taught the hard way.

For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It also
currently hits just sorbs. The individual score for each would have to be so
low, even with such a poor reputation, that it hardly makes it worthwhile. I
can't reject just on the almost worst reputation you can have or just on sorbs,
and the combination of the two isn't significant enough either.

Just because the mail server has been compromised or every other piece of email
that was received by that system was spam doesn't mean the next one will be. The
users look to us to judge only *their* message for what it is, not how it was
sent. In other words, they expect us to turn off the reputation filters, RBLs,
etc, because the content of their particular email they're waiting on is not
spam.

The users just don't care. They'll start to subvert the corporate mail system
and start using freemail accounts outside of the company before they would see
some epiphany and take it upon themselves to have the faulty mail system fixed.
Re: Which DNSBLs do you use?
On 17.06.2016 at 00:20, Alex wrote:
> Hi,
>
> On Thu, Jun 16, 2016 at 10:16 AM, wrote:
>> Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with
>> Postfix's postscreen.
>>
>> Instead of just *one* DNSBL, which is imo always a risk, I use multiple
>> dnsbls, and weight them in scoring.
>>
>> In my experience, it works fantastically well.
>>
>> A great write up on the approach is here
>>
>> http://rob0.nodns4.us/postscreen.html
>
> Yes, this does work well. Have you done anything to disable or otherwise
> control the same lookups that exist from within spamassassin? We've had
> some trouble with overlap or some of the rules adding scores to messages
> with Received headers that aren't checked by postscreen. I've had to
> disable or lower the score for rules like RCVD_IN_SBL_CSS, some of the
> MSPIKE rules, and others.
>
> We were also using the senderscore RBL based on Reindl and others'
> recommendations, but disabled it after it just rejected too much ham.

they are not for reject, they are for *scoring*
Re: Which DNSBLs do you use?
On 16.06.2016 at 16:43, Shawn Bakhtiar wrote:
>> On Jun 16, 2016, at 7:31 AM, Reindl Harald wrote:
>>
>> On 16.06.2016 at 16:21, Shawn Bakhtiar wrote:
>>> Agreed.
>>>
>>> We use sendmail, and check our DNSBLs there; it is much more efficient to
>>> use them before we ever engage SA. It is extremely rare to find an IP that
>>> lands on a reputable DNSBL and in those cases we can whitelist. Of course
>>> most of our traffic is B2B, not sure how effective this would be in B2C or
>>> C2C.
>>
>> no difference - the majority of so blacklisted servers are infected enduser
>> machines which have no business to connect to any machine on port 25 and for
>> a well scored decision it doesn't matter anyways
>
> I disagree with no different. From a process perspective IMHO it's much faster
> to reject with postfix or sendmail than to engage a perl script (via pipe or
> tcp port no less) to check the email content before continuing to process. It
> adds a little bit more processing if they are not on the DNSBL, but saves a
> lot of processing if they are.

uhm - where did I say anything else? I referred to "not sure how effective this
would be in B2C or C2C"

> Which actually begs the OT question: Why is SA not written in C?

because it was written in perl and nobody wrote it in C? because it doesn't
matter, since when your SA processes a relevant amount of inbound mail your
overall setup is wrong?
Re: Which DNSBLs do you use?
> We were also using the senderscore RBL based on Reindl and others'
> recommendations, but disabled it after it just rejected too much ham.

The senderscore.org RBL scores for low reputation are a pain sometimes but those
senders need to know how to filter outbound email properly and detect
compromised accounts. Senders won't change or improve if there isn't some pain
or motivation.

This shows a fundamental problem in mail filtering that needs to be addressed
somehow. When a good mail filter blocks email from a mail server listed on an
RBL, who is at fault? The sender blames the receiving mail filter because the
bounce messages aren't understandable to the average user. So the sender has no
easy way to contact the recipient unless they use a different email address.
Then the recipient contacts their own support group (us) and we look like the
bad guy for blocking the email when it is really a reputation problem with the
sender that is very hard to get in contact with. Then if you can get in touch
with the sending mail server admin, they usually don't know enough about how
RBLs or mail filtering works well enough so you have to spend a lot of time
showing them http://senderscore.org or http://multirbl.valli.org/ and explain
what all of that stuff means.

In the end, we have to whitelist the IP from Postscreen because we can't get the
sender to fix their own problem and we open ourselves to possible spam getting
through. There's no good answer to this but to push back to make mail server
admins aware of the spam coming from their server and the low reputation of
their mail server IP. Most people I have worked with to explain this have been
very receptive and thankful for the help since they tell me they have
experienced "odd or strangeness" with some emails to certain recipients.

Dave
Re: Which DNSBLs do you use?
Hi,

On Thu, Jun 16, 2016 at 10:16 AM, wrote:
> Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with
> Postfix's postscreen.
>
> Instead of just *one* DNSBL, which is imo always a risk, I use multiple
> dnsbls, and weight them in scoring.
>
> In my experience, it works fantastically well.
>
> A great write up on the approach is here
>
> http://rob0.nodns4.us/postscreen.html

Yes, this does work well. Have you done anything to disable or otherwise control
the same lookups that exist from within spamassassin? We've had some trouble
with overlap or some of the rules adding scores to messages with Received
headers that aren't checked by postscreen. I've had to disable or lower the
score for rules like RCVD_IN_SBL_CSS, some of the MSPIKE rules, and others.

We were also using the senderscore RBL based on Reindl and others'
recommendations, but disabled it after it just rejected too much ham.
Re: Which DNSBLs do you use?
We use

zen.spamhaus.org
bl.spamcop.net
b.barracudacentral.org

Some statistics since Sunday's log rotation for a handful of domains. Some spam
still gets through. Overall, though...

370 messages blocked by rbl zen.spamhaus.org
108 messages blocked by rbl bl.spamcop.net
63 messages blocked by rbl b.barracudacentral.org
567 messages quarantined by amavis
565 messages blocked by amavis
3587 blocked by no reverse DNS
4693 messages blocked by all methods

Cheers,
Curtis

On 6/16/2016 1:07 PM, Kris Deugau wrote:
> Alessio Cecchi wrote:
>> Hi, we use www.invaluement.com
>>
>> - ivmSIP to block IPs at SMTP level
>> - ivmSIP24 and ivmURI in Spamassassin with custom score
>>
>> Also b.barracudacentral.org is good and with low FP.
>>
>> Probably zen.spamhaus.org is the best dnsbl but is too expensive for us.
>> Invaluement SIP is almost comparable to Zen as performance but much less
>> expensive.
>
> We use both, but we've found the Invaluement is more of a good complement to
> Spamhaus rather than a replacement - there's not all that much overlap.
>
> We only reject with Spamhaus, but we keep those rules enabled in SA due to
> customers forwarding mail from their third-party webhost to their ISP email
> account with us - I've added trust path entries for many of these users so
> that the DNSBLs are checking against the right "originating" IP.
>
> -kgd

--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com
Re: Which DNSBLs do you use?
Alessio Cecchi wrote:
> Hi, we use www.invaluement.com
>
> - ivmSIP to block IPs at SMTP level
> - ivmSIP24 and ivmURI in Spamassassin with custom score
>
> Also b.barracudacentral.org is good and with low FP.
>
> Probably zen.spamhaus.org is the best dnsbl but is too expensive for us.
> Invaluement SIP is almost comparable to Zen as performance but much less
> expensive.

We use both, but we've found the Invaluement is more of a good complement to
Spamhaus rather than a replacement - there's not all that much overlap.

We only reject with Spamhaus, but we keep those rules enabled in SA due to
customers forwarding mail from their third-party webhost to their ISP email
account with us - I've added trust path entries for many of these users so that
the DNSBLs are checking against the right "originating" IP.

-kgd
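The trust path point above, and Alex's earlier remark about SA rules scoring Received headers that postscreen never sees, both come down to which hop in the Received chain the content filter looks up. The Python below is an added example, not Kris's configuration and not SpamAssassin's trusted_networks implementation: it walks constructed Received: headers from our own MX inward and returns the first relay outside a list of trusted networks. All hostnames and addresses are made up (RFC 5737 documentation ranges), and it assumes the common "name (rdns [ip])" header form.

```python
"""Which hop does the content filter's DNSBL rule look up?

Added example, not from the thread and not SpamAssassin's code: walks the
Received: chain of a message from our own MX inward and returns the first
relay that is *not* in the trust path.  With a forwarding webhost in the
trusted list, the lookup lands on the real originator instead of on the
forwarder, which is what the trust path entries mentioned above achieve.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed trust paths (RFC 5737 documentation addresses): our own MX ...
MX_ONLY: List[IPNetwork] = [ipaddress.ip_network("192.0.2.0/24")]
# ... and the same plus a customer's third-party webhost that forwards to us.
WITH_WEBHOST: List[IPNetwork] = MX_ONLY + [ipaddress.ip_network("198.51.100.7/32")]

# Constructed Received: chain, newest header first, as the mail store sees it
# after the webhost forwarded the message.  Only the third hop is the originator.
FORWARDED_HEADERS = [
    "Received: from mx.example.com (mx.example.com [192.0.2.10]) "
    "by store.example.com (Postfix) with ESMTP id 4X1; Fri, 17 Jun 2016 10:00:02 +0000",
    "Received: from webhost.example.net (webhost.example.net [198.51.100.7]) "
    "by mx.example.com (Postfix) with ESMTPS id 4X2; Fri, 17 Jun 2016 10:00:01 +0000",
    "Received: from pool-45.example.org (unknown [203.0.113.45]) "
    "by webhost.example.net (Postfix) with ESMTP id 4X3; Fri, 17 Jun 2016 09:59:58 +0000",
    "Received: from [10.0.0.5] (helo=laptop) "
    "by pool-45.example.org with esmtpa id 4X4; Fri, 17 Jun 2016 09:59:57 +0000",
]

# Constructed direct delivery: the connecting client is the originator.
DIRECT_HEADERS = [
    "Received: from mail.partner.example (mail.partner.example [203.0.113.200]) "
    "by mx.example.com (Postfix) with ESMTPS id 4X5; Fri, 17 Jun 2016 10:05:00 +0000",
]

# The receiving MTA records the peer address in brackets after "from ...";
# IPv6 literals appear as [IPv6:2001:db8::1].
_PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def relay_ip(received: str) -> Optional[IPAddress]:
    """Return the connecting client's address recorded in one Received: header."""
    m = _PEER_IP.search(received)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # a bracketed token that is not an address (e.g. a HELO name)


def in_trust_path(ip: IPAddress, trusted: Iterable[IPNetwork]) -> bool:
    # Mixed address families compare as "not contained", so IPv6 peers are
    # simply untrusted unless an IPv6 network is listed.
    return any(ip in net for net in trusted)


def originating_ip(headers: List[str], trusted: Iterable[IPNetwork]) -> Optional[IPAddress]:
    """Walk from the newest header inward; the first relay outside the trust
    path is the address a DNSBL rule in the content filter should look up.
    Hops behind it (the 10.0.0.5 laptop above) belong to someone else's network
    and are not examined; None means every parsable hop was trusted."""
    trusted = list(trusted)
    for hdr in headers:
        ip = relay_ip(hdr)
        if ip is None:
            continue  # unparsable hop: keep walking
        if not in_trust_path(ip, trusted):
            return ip
    return None


if __name__ == "__main__":
    print("forwarded, MX only trusted :", originating_ip(FORWARDED_HEADERS, MX_ONLY))
    print("forwarded, webhost trusted :", originating_ip(FORWARDED_HEADERS, WITH_WEBHOST))
    print("direct delivery            :", originating_ip(DIRECT_HEADERS, WITH_WEBHOST))
```

Without the webhost in the trust path the lookup lands on 198.51.100.7, the forwarder, which is exactly the address that would accumulate RCVD_IN_* hits on behalf of every customer it forwards for; with it trusted, the lookup moves to the hop that actually injected the message.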
Re: Which DNSBLs do you use?
> On Jun 16, 2016, at 7:54 AM, Merijn van den Kroonenberg wrote:
>
>> Agreed.
>>
>> We use sendmail, and check our DNSBLs there; it is much more efficient to
>> use them before we ever engage SA. It is extremely rare to find an IP that
>> lands on a reputable DNSBL and in those cases we can whitelist. Of course
>> most of our traffic is B2B, not sure how effective this would be in B2C or
>> C2C.
>
> What do you use in sendmail to check the blacklists?
>
> And do you use scoring or just direct block when on a BL?

I simply reject when an IP address is on a BL. No questions asked. I also reject
if the host fails its reverse lookup. In cases where a vendor or customer has a
misconfigured email server, we can whitelist and notify them. I've actually
helped several of our customers who were having issues with their clients
resolve bad configurations. The problem lies in that I have come across more
than a few SPAM mail filtering services that don't have correct configuration
(i.e. things like the reverse lookup identifying a different host).

A more nefarious case I've run across is mail filtering services charging per
outbound email, so clients are using the service for inbound, but then use their
own MTA to send (bypassing the ISPs) so they don't get charged.

Again, our servers only deal with B2B, not sure of the impact in B2C/C2C.

SA is process intensive; if you're looking to save CPU time, using BLs at the
MTA process level is much faster (IMHO).
Re: Which DNSBLs do you use?
> Agreed.
>
> We use sendmail, and check our DNSBLs there; it is much more efficient to
> use them before we ever engage SA. It is extremely rare to find an IP that
> lands on a reputable DNSBL and in those cases we can whitelist. Of course
> most of our traffic is B2B, not sure how effective this would be in B2C or
> C2C.

What do you use in sendmail to check the blacklists?

And do you use scoring or just direct block when on a BL?
Re: Which DNSBLs do you use?
> On Jun 16, 2016, at 7:31 AM, Reindl Harald wrote:
>
> On 16.06.2016 at 16:21, Shawn Bakhtiar wrote:
>> Agreed.
>>
>> We use sendmail, and check our DNSBLs there; it is much more efficient to
>> use them before we ever engage SA. It is extremely rare to find an IP that
>> lands on a reputable DNSBL and in those cases we can whitelist. Of course
>> most of our traffic is B2B, not sure how effective this would be in B2C or
>> C2C.
>
> no difference - the majority of so blacklisted servers are infected enduser
> machines which have no business to connect to any machine on port 25 and for
> a well scored decision it doesn't matter anyways

I disagree with no different. From a process perspective IMHO it's much faster
to reject with postfix or sendmail than to engage a perl script (via pipe or tcp
port no less) to check the email content before continuing to process. It adds a
little bit more processing if they are not on the DNSBL, but saves a lot of
processing if they are.

Which actually begs the OT question: Why is SA not written in C?

> also spammers don't care if you are business or not, easily to test with
> spam-traps and how fast they are abused with all sort of junk
>
>>> On Jun 16, 2016, at 7:16 AM, jaso...@mail-central.com wrote:
>>>
>>> Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with
>>> Postfix's postscreen.
>
> postfix 'in front' has the job to complement and not replace blacklists in SA
> since they still matter when some client doesn't reach the reject score but
> gets additional points in the content filtering
>
>>> Instead of just *one* DNSBL, which is imo always a risk, I use multiple
>>> dnsbls, and weight them in scoring.
>>>
>>> In my experience, it works fantastically well.
>>>
>>> A great write up on the approach is here
>>>
>>> http://rob0.nodns4.us/postscreen.html
>>>
>>> Of course, that presumes Postfix. You might be able to do the same with
>>> other servers, or maybe don't have the option at all.
Re: Which DNSBLs do you use?
On 16.06.2016 at 16:21, Shawn Bakhtiar wrote:
> Agreed.
>
> We use sendmail, and check our DNSBLs there; it is much more efficient to
> use them before we ever engage SA. It is extremely rare to find an IP that
> lands on a reputable DNSBL and in those cases we can whitelist. Of course
> most of our traffic is B2B, not sure how effective this would be in B2C or
> C2C.

no difference - the majority of so blacklisted servers are infected enduser
machines which have no business to connect to any machine on port 25 and for a
well scored decision it doesn't matter anyways

also spammers don't care if you are business or not, easily to test with
spam-traps and how fast they are abused with all sort of junk

>> On Jun 16, 2016, at 7:16 AM, jaso...@mail-central.com wrote:
>>
>> Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with
>> Postfix's postscreen.

postfix 'in front' has the job to complement and not replace blacklists in SA
since they still matter when some client doesn't reach the reject score but
gets additional points in the content filtering

>> Instead of just *one* DNSBL, which is imo always a risk, I use multiple
>> dnsbls, and weight them in scoring.
>>
>> In my experience, it works fantastically well.
>>
>> A great write up on the approach is here
>>
>> http://rob0.nodns4.us/postscreen.html
>>
>> Of course, that presumes Postfix. You might be able to do the same with
>> other servers, or maybe don't have the option at all.
Re: Which DNSBLs do you use?
Agreed.

We use sendmail, and check our DNSBLs there; it is much more efficient to use
them before we ever engage SA. It is extremely rare to find an IP that lands on
a reputable DNSBL and in those cases we can whitelist. Of course most of our
traffic is B2B, not sure how effective this would be in B2C or C2C.

> On Jun 16, 2016, at 7:16 AM, jaso...@mail-central.com wrote:
>
> Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with
> Postfix's postscreen.
>
> Instead of just *one* DNSBL, which is imo always a risk, I use multiple
> dnsbls, and weight them in scoring.
>
> In my experience, it works fantastically well.
>
> A great write up on the approach is here
>
> http://rob0.nodns4.us/postscreen.html
>
> Of course, that presumes Postfix. You might be able to do the same with
> other servers, or maybe don't have the option at all.
>
> Jason
Re: Which DNSBLs do you use?
Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with Postfix's
postscreen.

Instead of just *one* DNSBL, which is imo always a risk, I use multiple dnsbls,
and weight them in scoring.

In my experience, it works fantastically well.

A great write up on the approach is here

http://rob0.nodns4.us/postscreen.html

Of course, that presumes Postfix. You might be able to do the same with other
servers, or maybe don't have the option at all.

Jason
Re: Which DNSBLs do you use?
On 6/16/2016 9:49 AM, Alessio Cecchi wrote:
> Probably zen.spamhaus.org is the best dnsbl but is too expensive for us.
> Invaluement SIP is almost comparable to Zen as performance but much less
> expensive.

Thanks, Alessio, for the recommendation. But I need to make one clarification...

SIP and SIP24 should not be considered a replacement for ZEN because they
purposely do NOT try to "catch every botnet" and instead focus on the more
sneaky spams as well as new emitters. If someone tries to replace Zen with SIP
and SIP24 (combined) they would usually be very disappointed in their overall
spam filtering, unless... as I presume to be the case for Alessio Cecchi... they
had other very good measures in place for blocking botnet spams? But the vast
majority of invaluement users use SIP and SIP24 as a supplement to Zen, and find
that Zen blocks much spam that invaluement misses.

Therefore, as I said, SIP and SIP24 (combined) are intended to be a supplement
to Zen, not a replacement of Zen. (just want to make sure this is clear!)

--
Rob McEwen
http://www.invaluement.com
Re: Which DNSBLs do you use?
On 6/16/2016 9:49 AM, Alessio Cecchi wrote:
> On 14/06/2016 13:46, Heinrich Boeder wrote:
>> Hi Folks,
>>
>> I have been on this list for quite some time now and the topic "DNSBL" was discussed pretty often, but I was still wondering which DNSBLs you guys use for your mail environment.
>>
>> So here are my questions: Which DNSBLs do you use? Which one can you suggest the most?
>
> Hi,
>
> we use www.invaluement.com
> - ivmSIP to block IPs at SMTP level
> - ivmSIP24 and ivmURI in Spamassassin with custom score
>
> Also b.barracudacentral.org is good and with low FP.
>
> Probably zen.spamhaus.org is the best dnsbl but is too expensive for us.
> Invaluement SIP is almost comparable to Zen as performance but much less expensive.

zen.spamhaus.org works great for us. It is free as long as you are not using it as part of a commercial service and your volume is less than 300,000 queries per day.

I have heard that Invaluement works well, but I haven't tried it since there is no free access ($15/month minimum).

I use Zen as a blacklist in my MTA to drop most spam before it hits SA. Then I use the default blacklists (plus Razor and DCC) in SA.

-- 
Bowie
Re: Which DNSBLs do you use?
On 14/06/2016 13:46, Heinrich Boeder wrote:
> Hi Folks,
>
> I have been on this list for quite some time now and the topic "DNSBL" was discussed pretty often, but I was still wondering which DNSBLs you guys use for your mail environment.
>
> So here are my questions: Which DNSBLs do you use? Which one can you suggest the most?

Hi,

we use www.invaluement.com
- ivmSIP to block IPs at SMTP level
- ivmSIP24 and ivmURI in Spamassassin with custom score

Also b.barracudacentral.org is good and with low FP.

Probably zen.spamhaus.org is the best dnsbl but is too expensive for us. Invaluement SIP is almost comparable to Zen as performance but much less expensive.

Ciao
-- 
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
Re: Which DNSBLs do you use?
zen.spamhaus.org
bl.spamcop.net
b.barracudacentral.org
dnsbl.inksystems.com <-- private internal one derived from honeypot email address we have.

I have disabled dnsbl.sorbs.net as they are too aggressive for our purposes; they block a lot of Gmail et al, which a lot of our customers and vendors use.

> On Jun 14, 2016, at 4:46 AM, Heinrich Boeder wrote:
>
> Hi Folks,
>
> I have been on this list for quite some time now and the topic "DNSBL" was
> discussed pretty often, but I was still wondering which DNSBLs you guys use
> for your mail environment.
>
> So here are my questions: Which DNSBLs do you use? Which one can you suggest
> the most?
>
> Kind Regards,
>
> - heinrich
>
> heinr...@heinrichboeder.com -- www.heinrichboeder.com
> key: 0xC15DAD56 -- 363D 5BC3 9C45 9D09 3D78 1C28 DB68 F047 C15D AD56
Re: Which DNSBLs do you use?
On 14.06.2016 at 13:46, Heinrich Boeder wrote:
> Hi Folks,
>
> I have been on this list for quite some time now and the topic "DNSBL" was discussed pretty often, but I was still wondering which DNSBLs you guys use for your mail environment.
>
> So here are my questions: Which DNSBLs do you use? Which one can you suggest the most?

it's all about scoring, and the way below, SpamAssassin doesn't see much junk at all

    postscreen_dnsbl_threshold = 8
    postscreen_dnsbl_action = enforce
    postscreen_greet_action = enforce
    postscreen_greet_wait = ${stress?2}${stress:10}s
    postscreen_dnsbl_sites =
        dnsbl.sorbs.net=127.0.0.10*9
        dnsbl.sorbs.net=127.0.0.14*9
        zen.spamhaus.org=127.0.0.[10;11]*8
        dnsbl.sorbs.net=127.0.0.5*7
        zen.spamhaus.org=127.0.0.[4..7]*7
        b.barracudacentral.org=127.0.0.2*7
        zen.spamhaus.org=127.0.0.3*7
        dnsbl.inps.de=127.0.0.2*7
        hostkarma.junkemailfilter.com=127.0.0.2*4
        dnsbl.sorbs.net=127.0.0.7*4
        bl.spamcop.net=127.0.0.2*4
        bl.spameatingmonkey.net=127.0.0.[2;3]*4
        dnsrbl.swinog.ch=127.0.0.3*4
        ix.dnsbl.manitu.net=127.0.0.2*4
        psbl.surriel.com=127.0.0.2*4
        bl.mailspike.net=127.0.0.[10;11;12]*4
        bl.mailspike.net=127.0.0.2*4
        zen.spamhaus.org=127.0.0.2*3
        score.senderscore.com=127.0.4.[0..20]*3
        dnsbl.sorbs.net=127.0.0.6*3
        bl.spamcannibal.org=127.0.0.2*3
        dnsbl.sorbs.net=127.0.0.8*2
        hostkarma.junkemailfilter.com=127.0.0.4*2
        dnsbl.sorbs.net=127.0.0.9*2
        dnsbl-1.uceprotect.net=127.0.0.2*2
        all.spamrats.com=127.0.0.38*2
        bl.nszones.com=127.0.0.[2;3]*1
        dnsbl-2.uceprotect.net=127.0.0.2*1
        dnsbl.sorbs.net=127.0.0.2*1
        dnsbl.sorbs.net=127.0.0.4*1
        score.senderscore.com=127.0.4.[0..69]*1
        dnsbl.sorbs.net=127.0.0.3*1
        hostkarma.junkemailfilter.com=127.0.1.2*1
        dnsbl.sorbs.net=127.0.0.15*1
        ips.backscatterer.org=127.0.0.2*1
        bl.nszones.com=127.0.0.5*-1
        score.senderscore.com=127.0.4.[90..100]*-1
        wl.mailspike.net=127.0.0.[18;19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-2
        ips.whitelisted.org=127.0.0.2*-2
        list.dnswl.org=127.0.[0..255].0*-2
        dnswl.inps.de=127.0.[0;1].[2..10]*-2
        list.dnswl.org=127.0.[0..255].1*-3
        list.dnswl.org=127.0.[0..255].2*-4
        list.dnswl.org=127.0.[0..255].3*-5
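To see how the weights in a postscreen_dnsbl_sites list like the one above combine against postscreen_dnsbl_threshold, here is an added example (not code from this thread or from Postfix) that parses a subset of those entries and scores constructed DNS replies; it assumes, as a simplification, that each entry counts once per reply address matching its filter, and that an entry without a filter matches any reply.

```python
"""Simulated postscreen DNSBL weighting (added example, not from this thread).

Simplification: every postscreen_dnsbl_sites entry adds its weight once per
reply address that matches its filter.  All DNS replies here are constructed."""
import re

def octet_matches(pattern, value):
    """Match one octet filter: '10', '[10;11]' (alternatives) or '[4..7]' (range)."""
    if not pattern.startswith('['):
        return int(pattern) == value
    for part in pattern[1:-1].split(';'):
        if '..' in part:
            lo, hi = part.split('..')
            if int(lo) <= value <= int(hi):
                return True
        elif int(part) == value:
            return True
    return False

def parse_site(entry):
    """'domain=filter*weight' -> (domain, four octet filters or None, weight)."""
    m = re.fullmatch(r'([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?', entry)
    if not m:
        raise ValueError(f'bad postscreen_dnsbl_sites entry: {entry}')
    octets = re.findall(r'\[[^\]]*\]|\d+', m.group(2)) if m.group(2) else None
    return m.group(1), octets, int(m.group(3) or 1)  # no filter: any reply; no weight: 1

def dnsbl_score(sites, replies):
    """Sum of weights for one client; replies maps DNSBL domain -> list of A records."""
    score = 0
    for domain, octets, weight in sites:
        for addr in replies.get(domain, []):
            vals = [int(x) for x in addr.split('.')]
            if octets is None or all(octet_matches(p, v) for p, v in zip(octets, vals)):
                score += weight
    return score

# A subset of the postscreen_dnsbl_sites entries from the message above.
SITES = [parse_site(e) for e in """
zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*7
zen.spamhaus.org=127.0.0.2*3 b.barracudacentral.org=127.0.0.2*7
score.senderscore.com=127.0.4.[0..20]*3 list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
""".split()]

def verdict(replies, threshold=8):
    """Return (score, blocked) as postscreen_dnsbl_action = enforce would decide."""
    score = dnsbl_score(SITES, replies)
    return score, score >= threshold
```

A client listed on two Zen sub-lists (127.0.0.2 and 127.0.0.4) but also on dnswl with low trust (127.0.5.1) scores 7 + 3 - 3 = 7 and stays under the threshold of 8, which is how the negative whitelist weights soften a single listing.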