Re: Which DNSBLs do you use?

2016-06-17 Thread David Jones

>> On Jun 17, 2016, at 7:25 AM, Vincent Fox  wrote:
>>
>> Greylisting imo helps a lot with RBL lag.

Greylisting is a must and it definitely helps with RBL lag.

>It can, but it's definitely a double-edged sword. Depending on the way the 
>remote MTA works, I've experienced emails being delayed for quite some time. I 
>had a lot of users requesting to be removed from the graylist, and eventually 
>decided to drop it. When you're waiting for the confirmation of a PO from a 
>new vendor on raw materials you need for a batch being made tomorrow it can be 
>very frustrating :)

Use postscreen for RBL weighting to spread out the responsibility so unreliable 
RBLs can still be used to add to the scoring.

Then use https://github.com/stevejenkins/postwhite to add in trustworthy 
sending domains and large ISPs that are too big to block (yahoo, aol, comcast, 
etc.) without too many consequences.

Then use that same list from postwhite to bypass greylisting (put it first in 
the list, before greylisting). Over time, you will have a good list of 
trustworthy senders so greylisting will only happen on a subset of inbound 
email and most mail won't have a delay.  Brand new compromised senders will be 
delayed.

See the postscreen_spf_whitelist.cidr entries below:

smtpd_recipient_restrictions =
  permit_mynetworks,
  check_helo_access pcre:/etc/postfix/helo_access_pcre,
  check_client_access hash:/etc/postfix/access,
  check_client_access cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_non_fqdn_hostname,
  reject_invalid_hostname,
  reject_unauth_destination,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_unknown_reverse_client_hostname,
  reject_unlisted_sender,
  reject_unlisted_recipient,
  # SQLgrey on 127.0.0.1:2501
  check_policy_service inet:127.0.0.1:2501,
  # must have subscription to IVM to use this one below
  reject_rhsbl_sender uri.invaluement.com,
  reject_unverified_recipient,
  permit

postscreen_access_list =
  permit_mynetworks,
  cidr:/etc/postfix/postscreen_access.cidr
  cidr:/etc/postfix/postscreen_spf_whitelist.cidr

I have some scripts that analyze my SA scoring for the sending domains to give
me some safe/trustworthy domains to add to that postwhite list since they
always score very low and have some other characteristics like being listed
in whitelists.  These senders with good reputations and valid unsubscribe
processes get the green light through my mail server even in SA by using
SHORTCIRCUIT meta rules.  This makes SA even faster by scanning less mail when
it would have scored it very low consistently anyway.

>The MTA will let the remote client know the email was rejected, or the local 
>client can go into the SPAM folder and find the email; with graylists, neither 
>the sender nor the receiver may realize the status of the email.

>>
>> Delay suspect IPs long enough that by the time they retry, if they do, they 
>> are on half a dozen RBLs and score high and reject.
>>
>> Sent from my iPhone
>>
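The ordering point in the post above (the cidr whitelist lookup placed before the greylisting policy service) hinges on how Postfix walks a restriction list: the first OK or REJECT ends evaluation, DUNNO moves on to the next restriction, and a policy server's DEFER_IF_PERMIT only turns into a 450 if nothing later rejects. The following Python script is an added example, not Postfix, SQLgrey or the poster's code: it re-implements that walk for a handful of stand-in restrictions, with a constructed two-network whitelist and an in-memory triplet greylist, and compares the posted order with the whitelist placed after greylisting.

```python
"""First-match walk of a Postfix-style smtpd_recipient_restrictions list.

Added example (not Postfix, SQLgrey or postgrey code).  Restriction
results follow Postfix conventions: OK and REJECT end the list, DUNNO
continues, and a policy server's DEFER_IF_PERMIT is remembered and only
becomes a 450 if the rest of the list would have permitted.  The
whitelist networks and the greylist store below are constructed.
"""
import ipaddress

# Constructed stand-in for /etc/postfix/postscreen_spf_whitelist.cidr
WHITELIST_CIDRS = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("203.0.113.0/24")]
GREYLIST_DELAY = 300  # seconds a new (client, sender, recipient) triplet must wait


class Greylist:
    """Minimal triplet greylist in the spirit of SQLgrey/postgrey."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}

    def policy(self, client, sender, rcpt, now, **_):
        """Constructed check_policy_service: defer unseen or too-early triplets."""
        triplet = (client, sender, rcpt)
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            return "DEFER_IF_PERMIT"
        return "DUNNO"


def check_client_access_cidr(client, **_):
    """check_client_access cidr:...: clients in whitelisted networks return OK."""
    ip = ipaddress.ip_address(client)
    return "OK" if any(ip in net for net in WHITELIST_CIDRS) else "DUNNO"


def reject_unknown_sender_domain(sender, **_):
    """Stand-in for the DNS check: one constructed domain is 'unresolvable'."""
    return "REJECT" if sender.endswith("@unresolvable.invalid") else "DUNNO"


def evaluate(chain, **ctx):
    """Walk the list the way Postfix does and return OK, REJECT or DEFER."""
    deferred = False
    for restriction in chain:
        result = restriction(**ctx)
        if result == "DEFER_IF_PERMIT":
            deferred = True          # keep looking for a later REJECT
        elif result == "OK":
            return "DEFER" if deferred else "OK"
        elif result == "REJECT":
            return "REJECT"
    return "DEFER" if deferred else "OK"   # the trailing 'permit'


def build_chains(greylist):
    """Posted order (whitelist first) versus whitelist placed after greylisting."""
    tail = [reject_unknown_sender_domain, greylist.policy]
    posted_order = [check_client_access_cidr] + tail
    reversed_order = tail + [check_client_access_cidr]
    return posted_order, reversed_order


def run_demo():
    """Return the verdicts for a whitelisted and an unknown client."""
    posted, reversed_ = build_chains(Greylist())
    known = dict(client="198.51.100.7", sender="buyer@example.com",
                 rcpt="sales@example.net", now=1000.0)
    unknown = dict(known, client="192.0.2.9")
    return {
        "whitelisted, posted order": evaluate(posted, **known),
        "whitelisted, whitelist after greylist": evaluate(reversed_, **known),
        "unknown, first attempt": evaluate(posted, **unknown),
        "unknown, retry after 100 s": evaluate(posted, **dict(unknown, now=1100.0)),
        "unknown, retry after 400 s": evaluate(posted, **dict(unknown, now=1400.0)),
        "unknown, unresolvable sender": evaluate(
            posted, **dict(unknown, sender="x@unresolvable.invalid")),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:40} -> {verdict}")
```

With the whitelist first, the trusted client is permitted before the policy service is ever consulted; with the order reversed, the same client is deferred on its first attempt, which is exactly the delay the post wants to avoid for known-good senders. The unknown client is deferred until the triplet has aged past the delay, and a sender-domain reject still wins over the greylist's DEFER_IF_PERMIT.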



Re: Which DNSBLs do you use?

2016-06-17 Thread Reindl Harald



On 17.06.2016 at 16:37, Shawn Bakhtiar wrote:
>> On Jun 17, 2016, at 7:25 AM, Vincent Fox  wrote:
>>
>> Greylisting imo helps a lot with RBL lag.
>
> It can, but it's definitely a double-edged sword. Depending on the way the 
> remote MTA works, I've experienced emails being delayed for quite some time. I 
> had a lot of users requesting to be removed from the graylist, and eventually 
> decided to drop it. When you're waiting for the confirmation of a PO from a new 
> vendor on raw materials you need for a batch being made tomorrow it can be very 
> frustrating :)

set it up properly, just don't greylist everything: skip clients on 
several DNSWLs or that pass SPF, and in the same way put aggressive HELO/PTR 
checks as well as sender verification below


smtpd_recipient_restrictions =
 ... other stuff 
 check_policy_service unix:private/spf-policy
 permit_dnswl_client list.dnswl.org
 permit_dnswl_client ips.whitelisted.org
 permit_dnswl_client wl.mailspike.net
 permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
 permit_dnswl_client bl.nszones.com=127.0.0.5
 permit_dnswl_client score.senderscore.com=127.0.4.[80..100]
 permit_dnswl_client iadb.isipp.com
 permit_dnswl_client sa-accredit.habeas.com
 permit_dnswl_client dnswl.inps.de=127.0.[0;1].[2..10]
 permit_dnswl_client swl.spamhaus.org=127.0.2.[2;3;102;103]
 check_helo_access proxy:pcre:/etc/postfix/blacklist_helo.cf
 check_reverse_client_hostname_access proxy:pcre:/etc/postfix/ptr.cf
 check_policy_service unix:/var/spool/postfix/postgrey/socket
 reject_unverified_sender

/etc/python-policyd-spf/policyd-spf.conf
debugLevel = 1
defaultSeedOnly = 1
HELO_reject = No_Check
Mail_From_reject = Fail
Mail_From_pass_restriction = OK
PermError_reject = False
TempError_Defer = True





Re: Which DNSBLs do you use?

2016-06-17 Thread Shawn Bakhtiar

> On Jun 17, 2016, at 7:25 AM, Vincent Fox  wrote:
> 
> Greylisting imo helps a lot with RBL lag.

It can, but it's definitely a double-edged sword. Depending on the way the 
remote MTA works, I've experienced emails being delayed for quite some time. I 
had a lot of users requesting to be removed from the graylist, and eventually 
decided to drop it. When you're waiting for the confirmation of a PO from a new 
vendor on raw materials you need for a batch being made tomorrow it can be very 
frustrating :)

The MTA will let the remote client know the email was rejected, or the local 
client can go into the SPAM folder and find the email; with graylists, neither 
the sender nor the receiver may realize the status of the email.

> 
> Delay suspect IPs long enough that by the time they retry, if they do, they 
> are on half a dozen RBLs and score high and reject.
> 
> Sent from my iPhone
> 
>> On Jun 17, 2016, at 13:23, Reindl Harald  wrote:
>> 
>> 
>> 
>> Am 17.06.2016 um 02:57 schrieb Alex:
>>> For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
>>> also currently hits just sorbs. The individual score for each would
>>> have to be so low, even with such a poor reputation, that it hardly
>>> makes it worthwhile. I can't reject just on the almost worst
>>> reputation as you can have or just on sorbs, and the combination of
>>> the two isn't significant enough either.
>> 
>> and hence you score several DNSBL *and* DNSWL and make decisions on the 
>> final score
>> 
>>> I also meant to point out that with a reputation like 4 out of a 100,
>>> you'd think it would be listed on more RBLs than just sorbs. Something
>>> is wrong there. A mail server doesn't receive an absolutely horrible
>>> reputation without being blacklisted elsewhere.
>> 
>> bla - it takes time until an IP makes it to different RBLs and hence use 
>> many of them with moderate scoring so that you can make useful decisions and 
>> likely have new offenders on enough most of the time
>> 
>>> Senderscore is not trustworthy
>> 
>> NO RBL alone is trustworthy, hence you score them in the MTA as well as in 
>> the contentfilter
>> 



Re: Which DNSBLs do you use?

2016-06-17 Thread Vincent Fox
Greylisting imo helps a lot with RBL lag.

Delay suspect IPs long enough that by the time they retry, if they do, they are 
on half a dozen RBLs and score high and reject.

Sent from my iPhone

> On Jun 17, 2016, at 13:23, Reindl Harald  wrote:
> 
> 
> 
> Am 17.06.2016 um 02:57 schrieb Alex:
>>> For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
>>> also currently hits just sorbs. The individual score for each would
>>> have to be so low, even with such a poor reputation, that it hardly
>>> makes it worthwhile. I can't reject just on the almost worst
>>> reputation as you can have or just on sorbs, and the combination of
>>> the two isn't significant enough either.
> 
> and hence you score several DNSBL *and* DNSWL and make decisions on the final 
> score
> 
>> I also meant to point out that with a reputation like 4 out of a 100,
>> you'd think it would be listed on more RBLs than just sorbs. Something
>> is wrong there. A mail server doesn't receive an absolutely horrible
>> reputation without being blacklisted elsewhere.
> 
> bla - it takes time until an IP makes it to different RBLs and hence use many 
> of them with moderate scoring so that you can make useful decisions and 
> likely have new offenders on enough most of the time
> 
>> Senderscore is not trustworthy
> 
> NO RBL alone is trustworthy, hence you score them in the MTA as well as in 
> the contentfilter
> 


Re: Which DNSBLs do you use?

2016-06-17 Thread Reindl Harald



On 17.06.2016 at 02:54, Alex wrote:
> On Thu, Jun 16, 2016 at 6:35 PM, David Jones  wrote:
>>> We were also using the senderscore RBL based on Reindel and others
>>> recommendations, but disabled it after it just rejected too much ham.
>>
>> The senderscore.org RBL scores for low reputation are a pain sometimes
>> but those senders need to know how to filter outbound email properly
>> and detect compromised accounts.  Senders won't change or improve
>> if there isn't some pain or motivation.
>
> It can't be my users. I had three levels of management on the phone
> wanting an explanation as to why messages were being rejected

because one did not do a proper job while configuring the scoring

I still need to see a single false positive reject, especially since 
there are 5 classifications with different scoring in our DNSWL part of 
the game containing currently nearly 1 IP's and subnets


postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
 dnsbl.sorbs.net=127.0.0.10*9
 dnsbl.sorbs.net=127.0.0.14*9
 zen.spamhaus.org=127.0.0.[10;11]*8
 dnsbl.sorbs.net=127.0.0.5*7
 zen.spamhaus.org=127.0.0.[4..7]*7
 b.barracudacentral.org=127.0.0.2*7
 zen.spamhaus.org=127.0.0.3*7
 dnsbl.inps.de=127.0.0.2*7
 hostkarma.junkemailfilter.com=127.0.0.2*4
 dnsbl.sorbs.net=127.0.0.7*4
 bl.spamcop.net=127.0.0.2*4
 bl.spameatingmonkey.net=127.0.0.[2;3]*4
 dnsrbl.swinog.ch=127.0.0.3*4
 ix.dnsbl.manitu.net=127.0.0.2*4
 psbl.surriel.com=127.0.0.2*4
 bl.mailspike.net=127.0.0.[10;11;12]*4
 bl.mailspike.net=127.0.0.2*4
 zen.spamhaus.org=127.0.0.2*3
 score.senderscore.com=127.0.4.[0..20]*3
 bl.spamcannibal.org=127.0.0.2*3
 dnsbl.sorbs.net=127.0.0.6*3
 dnsbl.sorbs.net=127.0.0.8*2
 hostkarma.junkemailfilter.com=127.0.0.4*2
 dnsbl.sorbs.net=127.0.0.9*2
 dnsbl-1.uceprotect.net=127.0.0.2*2
 all.spamrats.com=127.0.0.38*2
 bl.nszones.com=127.0.0.[2;3]*1
 dnsbl-2.uceprotect.net=127.0.0.2*1
 dnsbl.sorbs.net=127.0.0.2*1
 dnsbl.sorbs.net=127.0.0.4*1
 score.senderscore.com=127.0.4.[0..69]*1
 dnsbl.sorbs.net=127.0.0.3*1
 hostkarma.junkemailfilter.com=127.0.1.2*1
 dnsbl.sorbs.net=127.0.0.15*1
 ips.backscatterer.org=127.0.0.2*1
 bl.nszones.com=127.0.0.5*-1
 score.senderscore.com=127.0.4.[90..100]*-1
 wl.mailspike.net=127.0.0.[18;19;20]*-2
 hostkarma.junkemailfilter.com=127.0.0.1*-2
 ips.whitelisted.org=127.0.0.2*-2
 list.dnswl.org=127.0.[0..255].0*-2
 dnswl.inps.de=127.0.[0;1].[2..10]*-2
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5



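To make the weighting in the postscreen_dnsbl_sites list above concrete (and the same domain=pattern filter syntax that the permit_dnswl_client entries in the earlier reply use), here is an added Python example, not Postfix code and not the poster's: it parses domain=pattern*weight entries, including [a;b] lists and [a..b] ranges, adds up the weights of every entry a client's DNS answers match, and compares the total with postscreen_dnsbl_threshold = 8. The site list is a subset of the one posted; the DNS answers are constructed rather than looked up, and the SORBS return code used for the 212.227.126.135 case discussed in the thread is an assumption, as is counting each entry at most once per client.

```python
"""Weighted DNSBL/DNSWL scoring in the style of Postfix postscreen.

Added example (not Postfix code): parses the 'domain=pattern*weight'
entry syntax of postscreen_dnsbl_sites (the 'domain=pattern' part is the
same filter syntax permit_dnswl_client accepts) and sums the weights of
matching listings against postscreen_dnsbl_threshold.  The DNS answers
below are constructed, not real lookups.
"""
import re
from dataclasses import dataclass

# Subset of the postscreen_dnsbl_sites list posted in the thread.
SITE_SPECS = [
    "dnsbl.sorbs.net=127.0.0.10*9",
    "zen.spamhaus.org=127.0.0.[10;11]*8",
    "zen.spamhaus.org=127.0.0.[4..7]*7",
    "b.barracudacentral.org=127.0.0.2*7",
    "zen.spamhaus.org=127.0.0.3*7",
    "bl.spamcop.net=127.0.0.2*4",
    "zen.spamhaus.org=127.0.0.2*3",
    "score.senderscore.com=127.0.4.[0..20]*3",
    "dnsbl.sorbs.net=127.0.0.6*3",
    "score.senderscore.com=127.0.4.[0..69]*1",
    "score.senderscore.com=127.0.4.[90..100]*-1",
    "hostkarma.junkemailfilter.com=127.0.0.1*-2",
    "list.dnswl.org=127.0.[0..255].0*-2",
    "list.dnswl.org=127.0.[0..255].2*-4",
    "list.dnswl.org=127.0.[0..255].3*-5",
]
THRESHOLD = 8  # postscreen_dnsbl_threshold from the thread


@dataclass
class Site:
    domain: str
    octets: list   # per-octet set of allowed values; None = any listing counts
    weight: int


def _octet_values(token):
    """'10' -> {10}; '[2;3]' -> {2, 3}; '[0..20]' -> {0, ..., 20}."""
    body = token[1:-1] if token.startswith("[") else token
    values = set()
    for item in body.split(";"):
        if ".." in item:
            lo, hi = item.split("..")
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(item))
    return values


def parse_site(spec):
    """Parse 'domain[=pattern][*weight]'; the weight defaults to 1."""
    spec, _, weight = spec.partition("*")
    domain, _, pattern = spec.partition("=")
    octets = None
    if pattern:
        # split on dots that are not inside [...], so '[0..255]' survives
        tokens = re.split(r"\.(?![^\[]*\])", pattern)
        octets = [_octet_values(t) for t in tokens]
    return Site(domain, octets, int(weight) if weight else 1)


def _addr_matches(octets, addr):
    parts = [int(p) for p in addr.split(".")]
    return len(parts) == len(octets) and all(
        p in allowed for p, allowed in zip(parts, octets))


def pattern_matches(spec, addr):
    """True if DNS answer 'addr' satisfies the filter part of 'spec'
    (the same test permit_dnswl_client applies to a DNSWL answer)."""
    site = parse_site(spec)
    return site.octets is None or _addr_matches(site.octets, addr)


def dnsbl_score(sites, answers):
    """Sum the weights of all entries matching the client's DNS answers.

    answers maps DNSBL domain -> set of A records returned for the client
    (missing = not listed).  Modelling choice: each entry counts at most
    once.  Returns (total, [(domain, answer, weight), ...]).
    """
    total, hits = 0, []
    for site in sites:
        for addr in sorted(answers.get(site.domain, ())):
            if site.octets is None or _addr_matches(site.octets, addr):
                total += site.weight
                hits.append((site.domain, addr, site.weight))
                break
    return total, hits


def decide(total, threshold=THRESHOLD):
    """postscreen_dnsbl_action=enforce fires once the score reaches the threshold."""
    return "enforce" if total >= threshold else "pass"


SITES = [parse_site(s) for s in SITE_SPECS]

# Constructed answer sets (not real lookups).  SAMPLE_A mirrors the thread's
# complaint: senderscore 4/100 (127.0.4.4) plus one assumed SORBS listing.
SAMPLE_A = {"score.senderscore.com": {"127.0.4.4"}, "dnsbl.sorbs.net": {"127.0.0.6"}}
SAMPLE_B = dict(SAMPLE_A, **{"zen.spamhaus.org": {"127.0.0.3"}})
SAMPLE_C = {"bl.spamcop.net": {"127.0.0.2"}, "list.dnswl.org": {"127.0.5.2"}}

if __name__ == "__main__":
    for name, answers in [("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)]:
        total, hits = dnsbl_score(SITES, answers)
        print(name, total, decide(total), hits)
```

Sample A (senderscore 4 plus one SORBS listing) adds up to 7 and stays below the threshold of 8, which is the "combination of the two isn't significant enough" situation from the thread; one additional zen.spamhaus.org=127.0.0.3 listing lifts it to 14 and the client is rejected. In sample C a DNSWL listing with a negative weight cancels a spamcop hit, which is what scoring DNSBLs *and* DNSWLs on one final score means in practice.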


Re: Which DNSBLs do you use?

2016-06-17 Thread Reindl Harald



On 17.06.2016 at 02:57, Alex wrote:
> For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
> also currently hits just sorbs. The individual score for each would
> have to be so low, even with such a poor reputation, that it hardly
> makes it worthwhile. I can't reject just on the almost worst
> reputation as you can have or just on sorbs, and the combination of
> the two isn't significant enough either.

and hence you score several DNSBL *and* DNSWL and make decisions on the 
final score

> I also meant to point out that with a reputation like 4 out of a 100,
> you'd think it would be listed on more RBLs than just sorbs. Something
> is wrong there. A mail server doesn't receive an absolutely horrible
> reputation without being blacklisted elsewhere.

bla - it takes time until an IP makes it to different RBLs and hence use 
many of them with moderate scoring so that you can make useful decisions 
and likely have new offenders on enough most of the time

> Senderscore is not trustworthy

NO RBL alone is trustworthy, hence you score them in the MTA as well as 
in the contentfilter






Re: Which DNSBLs do you use?

2016-06-16 Thread David Jones
>> For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
>> also currently hits just sorbs. The individual score for each would
>> have to be so low, even with such a poor reputation, that it hardly
>> makes it worthwhile. I can't reject just on the almost worst
>> reputation as you can have or just on sorbs, and the combination of
>> the two isn't significant enough either.

>I also meant to point out that with a reputation like 4 out of a 100,
>you'd think it would be listed on more RBLs than just sorbs. Something
>is wrong there. A mail server doesn't receive an absolutely horrible
>reputation without being blacklisted elsewhere. Senderscore is not
>trustworthy.

I disagree.  In fact, you can run a report and see the graph of the
past month of email which is more than you can see with other
RBLs.  If you set up senderscore weighting in postscreen like it
has been posted on this list (like 6 out of 8 for that low of a score),
then it would have been blocked in combination with SORBS.

When you see the senderscore.org graph go up on volume (blue)
and the score (red) go down, that server is definitely blasting
out some spam.

Also add it to your SA scoring so low reputation scores in
senderscore.org will add some points to augment Bayes
and other rules.

Senderscore.org seems to be faster reacting than other RBLs,
which is why you may not have seen that IP on RBLs at that
time.  However, look at it now...  Wow!
http://multirbl.valli.org/lookup/212.227.126.135.html

I have a feeling that some major ISPs and commercial
products utilize senderscore.org.  They don't seem to have
a query limit so they are wanting people to use them.  I have
not had a false positive yet as long as you set up weighting
properly in postscreen and scoring in SA.

Still, Invaluement plus Zen has been the best combination.
Senderscore.org is good to add to those since it seems to
catch compromised servers quickly.




Re: Which DNSBLs do you use?

2016-06-16 Thread Alex
Hi,

> For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
> also currently hits just sorbs. The individual score for each would
> have to be so low, even with such a poor reputation, that it hardly
> makes it worthwhile. I can't reject just on the almost worst
> reputation as you can have or just on sorbs, and the combination of
> the two isn't significant enough either.

I also meant to point out that with a reputation like 4 out of a 100,
you'd think it would be listed on more RBLs than just sorbs. Something
is wrong there. A mail server doesn't receive an absolutely horrible
reputation without being blacklisted elsewhere. Senderscore is not
trustworthy.


Re: Which DNSBLs do you use?

2016-06-16 Thread Alex
Hi,

On Thu, Jun 16, 2016 at 6:35 PM, David Jones  wrote:
>> We were also using the senderscore RBL based on Reindel and others
>> recommendations, but disabled it after it just rejected too much ham.
>
> The senderscore.org RBL scores for low reputation are a pain sometimes
> but those senders need to know how to filter outbound email properly
> and detect compromised accounts.  Senders won't change or improve
> if there isn't some pain or motivation.

It can't be my users. I had three levels of management on the phone
wanting an explanation as to why messages were being rejected.

> This shows a fundamental problem in mail filtering that needs to be
> addressed somehow.  When a good mail filter blocks email from a
> mail server listed on an RBL, who is at fault?  The sender blames the
> receiving mail filter because the bounce messages aren't understandable
> to the average user.  So the sender has no easy way to contact
> the recipient unless they use a different email address.  Then the
> recipient contacts their own support group (us) and we look like
> the bad guy for blocking the email when it is really a reputation
> problem with the sender that is very hard to get in contact with.
> Then if you can get in touch with the sending mail server admin,
> they usually don't know enough about how RBLs or mail filtering
> works well enough so you have to spend a lot of time showing
> them http://senderscore.org or http://multirbl.valli.org/ and
> explain what all of that stuff means.

Yes, you've identified the exact issue.

Perhaps it was the immediate increase in rejected mail that resulted
from the senderscore RBL. There was immediate push-back and absolute
resistance to being taught the hard way.

For example, 212.227.126.135, scores 4 out of a 100 on senderscore. It
also currently hits just sorbs. The individual score for each would
have to be so low, even with such a poor reputation, that it hardly
makes it worthwhile. I can't reject just on the almost worst
reputation as you can have or just on sorbs, and the combination of
the two isn't significant enough either.

Just because the mail server has been compromised or every other piece
of email that was received by that system was spam doesn't mean the
next one will be. The users look to us to judge only *their* message
for what it is, not how it was sent. In other words, they expect us to
turn off the reputation filters, RBLs, etc, because the content of
their particular email they're waiting on is not spam.

The users just don't care. They'll start to subvert the corporate mail
system and start using freemail accounts outside of the company before
they would see some epiphany and take it upon themselves to have the
faulty mail system fixed.


Re: Which DNSBLs do you use?

2016-06-16 Thread Reindl Harald



On 17.06.2016 at 00:20, Alex wrote:
> Hi,
>
> On Thu, Jun 16, 2016 at 10:16 AM,   wrote:
>> Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with Postfix's 
>> postscreen.
>>
>> Instead of just *one* DNSBL, which is imo always a risk, I use multiple 
>> dnsbls, and weight them in scoring.
>>
>> In my experience, it works fantastically well.
>>
>> A great write up on the approach is here
>>
>>   http://rob0.nodns4.us/postscreen.html
>
> Yes, this does work well. Have you done anything to disable or
> otherwise control the same lookups that exist from within
> spamassassin?
>
> We've had some trouble with overlap or some of the rules adding scores
> to messages with Received headers that aren't checked by postscreen.
> I've had to disable or lower the score for rules like RCVD_IN_SBL_CSS,
> some of the MSPIKE rules, and others.
>
> We were also using the senderscore RBL based on Reindel and others
> recommendations, but disabled it after it just rejected too much ham.

they are not for rejecting, they are for *scoring*





Re: Which DNSBLs do you use?

2016-06-16 Thread Reindl Harald



On 16.06.2016 at 16:43, Shawn Bakhtiar wrote:
>> On Jun 16, 2016, at 7:31 AM, Reindl Harald  wrote:
>>
>> On 16.06.2016 at 16:21, Shawn Bakhtiar wrote:
>>> Agreed.
>>>
>>> We use sendmail, and check our DNSBLs there, it is much more efficient to use 
>>> them before we ever engage SA. It is extremely rare to find an IP that lands on 
>>> a reputable DNSBL and in those cases we can whitelist. Of course most of our 
>>> traffic is B2B, not sure how effective this would be in B2C or C2C.
>>
>> no difference - the majority of so blacklisted servers are infected enduser 
>> machines which have no business to connect to any machine on port 25 and for a 
>> well scored decision it doesn't matter anyways
>
> I disagree with no different. From a process perspective IMHO it's much faster 
> to reject with postfix or sendmail than to engage a perl script (via pipe or 
> tcp port no less) to check the email content before continuing to process. It 
> adds a little bit more processing if they are not on the DNSBL, but saves a lot 
> of processing if they are.

uhm - where did I say anything else?

I referred to "not sure how effective this would be in B2C or C2C"

> Which actually begs the OT question: Why is SA not written in C?

because it was written in Perl and nobody has rewritten it in C?

because it doesn't matter, since when your SA processes a relevant amount of 
inbound mail your overall setup is wrong?






Re: Which DNSBLs do you use?

2016-06-16 Thread David Jones
>We were also using the senderscore RBL based on Reindel and others
>recommendations, but disabled it after it just rejected too much ham.

The senderscore.org RBL scores for low reputation are a pain sometimes
but those senders need to know how to filter outbound email properly
and detect compromised accounts.  Senders won't change or improve
if there isn't some pain or motivation.

This shows a fundamental problem in mail filtering that needs to be
addressed somehow.  When a good mail filter blocks email from a
mail server listed on an RBL, who is at fault?  The sender blames the
receiving mail filter because the bounce messages aren't understandable
to the average user.  So the sender has no easy way to contact
the recipient unless they use a different email address.  Then the
recipient contacts their own support group (us) and we look like
the bad guy for blocking the email when it is really a reputation
problem with the sender that is very hard to get in contact with.
Then if you can get in touch with the sending mail server admin,
they usually don't know enough about how RBLs or mail filtering
works well enough so you have to spend a lot of time showing
them http://senderscore.org or http://multirbl.valli.org/ and
explain what all of that stuff means.

In the end, we have to whitelist the IP from Postscreen because
we can't get the sender to fix their own problem and we open
ourselves for possible spam getting through.

There's no good answer to this problem but to push back to
make mail server admins aware of the spam coming from their
server and the low reputation of their mail server IP.  Most
people I have worked with to explain this have been very
receptive and thankful for the help since they tell me they
have experienced "odd or strangeness" with some emails to
certain recipients.

Dave



Re: Which DNSBLs do you use?

2016-06-16 Thread Alex
Hi,

On Thu, Jun 16, 2016 at 10:16 AM,   wrote:
> Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with 
> Postfix's postscreen.
>
> Instead of just *one* DNSBL, which is imo always  a risk, I use multiple 
> dnsbls, and weight them in scoring.
>
> In my experience, it works fantastically well.
>
> A great write up on the approach is here
>
>   http://rob0.nodns4.us/postscreen.html

Yes, this does work well. Have you done anything to disable or
otherwise control the same lookups that exist from within
spamassassin?

We've had some trouble with overlap or some of the rules adding scores
to messages with Received headers that aren't checked by postscreen.
I've had to disable or lower the score for rules like RCVD_IN_SBL_CSS,
some of the MSPIKE rules, and others.

We were also using the senderscore RBL based on Reindel and others
recommendations, but disabled it after it just rejected too much ham.


Re: Which DNSBLs do you use?

2016-06-16 Thread Curtis Maurand

We use

zen.spamhaus.org
bl.spamcop.net
b.barracudacentral.org

Some statistics since Sunday's log rotation for a handful of domains.  
Some spam still gets through.  Overall, though...

370 messages blocked by rbl zen.spamhaus.org
108 messages blocked by rbl bl.spamcop.net
63 messages blocked by rbl b.barracudacentral.org
567 messages quarantined by amavis
565 messages blocked by amavis
3587 blocked by no reverse DNS
4693 messages blocked by all methods

Cheers,
Curtis

On 6/16/2016 1:07 PM, Kris Deugau wrote:
> Alessio Cecchi wrote:
>> Hi, we use www.invaluement.com
>>
>> - ivmSIP to block IPs at SMTP level
>> - ivmSIP24 and ivmURI in Spamassassin with custom score
>>
>> Also b.barracudacentral.org is good and with low FP.
>>
>> Probably zen.spamhaus.org is the best dnsbl but is too expensive for us.
>> Invaluement SIP is almost comparable to Zen as performance but much less
>> expensive.
>
> We use both, but we've found the Invaluement is more of a good
> complement to Spamhaus rather than a replacement - there's not all that
> much overlap.
>
> We only reject with Spamhaus, but we keep those rules enabled in SA due
> to customers forwarding mail from their third-party webhost to their ISP
> email account with us - I've added trust path entries for many of these
> users so that the DNSBLs are checking against the right "originating" IP.
>
> -kgd


--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com


Re: Which DNSBLs do you use?

2016-06-16 Thread Kris Deugau
Alessio Cecchi wrote:
> Hi, we use www.invaluement.com
> 
> - ivmSIP to block IPs at SMTP level
> - ivmSIP24 and ivmURI in Spamassassin with custom score
> 
> Also b.barracudacentral.org is good and with low FP.
> 
> Probably zen.spamhaus.org is the best dnsbl but is too expensive for us.
> Invaluement SIP is almost comparable to Zen as performance but much less
> expensive.

We use both, but we've found the Invaluement is more of a good
complement to Spamhaus rather than a replacement - there's not all that
much overlap.

We only reject with Spamhaus, but we keep those rules enabled in SA due
to customers forwarding mail from their third-party webhost to their ISP
email account with us - I've added trust path entries for many of these
users so that the DNSBLs are checking against the right "originating" IP.

-kgd


Re: Which DNSBLs do you use?

2016-06-16 Thread Shawn Bakhtiar

> On Jun 16, 2016, at 7:54 AM, Merijn van den Kroonenberg  
> wrote:
> 
>> Agreed.
>> 
>> We use sendmail, and check our DNSBLs there, it is much more efficient to
>> use them before we ever engage SA. It is extremely rare to find an IP that
>> lands on a reputable DNSBL and in those cases we can whitelist. Of course
>> most of our traffic is B2B, not sure how effective this would be in B2C or
>> C2C.
> 
> What do you use in sendmail to check the blacklists?
> 
> And do you use scoring or just direct block when on a BL?
> 
> 
> 

I simply reject when an IP address is on a BL. No questions asked. I also 
reject if the host fails its reverse lookup. In cases where a vendor or 
customer has a misconfigured email server, we can whitelist and notify them. 
I've actually helped several of our customers who were having issues with their 
clients resolve bad configurations. 

The problem lies in that I have come across more than a few SPAM mail filtering 
services that don't have a correct configuration (i.e. things like the reverse 
lookup identifying a different host). A more nefarious case I've run across is 
a mail filtering service charging per outbound email, so clients are using 
the service for inbound, but then use their own MTA to send (bypassing the 
ISPs) so they don't get charged.

Again, our servers only deal with B2B, not sure of the impact in B2C/C2C.

SA is process intensive; if you're looking to save CPU time, using BLs at the 
MTA process level is much faster (IMHO).

Re: Which DNSBLs do you use?

2016-06-16 Thread Merijn van den Kroonenberg
> Agreed.
>
> We use sendmail, and check our DNSBLs there, it is much more efficient to
> use them before we ever engage SA. It is extremely rare to find an IP that
> lands on a reputable DNSBL and in those cases we can whitelist. Of course
> most of our traffic is B2B, not sure how effective this would be in B2C or
> C2C.

What do you use in sendmail to check the blacklists?

And do you use scoring or just direct block when on a BL?





Re: Which DNSBLs do you use?

2016-06-16 Thread Shawn Bakhtiar

> On Jun 16, 2016, at 7:31 AM, Reindl Harald  wrote:
> 
> 
> On 16.06.2016 at 16:21, Shawn Bakhtiar wrote:
>> Agreed.
>> 
>> We use sendmail, and check our DNSBLs there, it is much more efficient to 
>> use them before we ever engage SA. It is extremely rare to find an IP that 
>> lands on a reputable DNSBL and in those cases we can whitelist. Of course 
>> most of our traffic is B2B, not sure how effective this would be in B2C or 
>> C2C.
> 
> no difference - the majority of so blacklisted servers are infected enduser 
> machines which have no business to connect to any machine on port 25 and for 
> a well scored decision it doesn't matter anyways
> 

I disagree with no different. From a process perspective IMHO it's much faster 
to reject with postfix or sendmail than to engage a perl script (via pipe or 
tcp port no less) to check the email content before continuing to process. It 
adds a little bit more processing if they are not on the DNSBL, but saves a lot 
of processing if they are.

Which actually begs the OT question: Why is SA not written in C?

> also spammers don't care if you are business or not, easy to test with 
> spam-traps and how fast they are abused with all sorts of junk
> 
>>> On Jun 16, 2016, at 7:16 AM, jaso...@mail-central.com wrote:
>>> 
>>> Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with 
>>> Postfix's postscreen.
> 
> postfix 'in front' has the job to complement and not replace blacklists in SA 
> since they still matter when some clients don't reach the reject score but get 
> additional points in the content filtering
> 
>>> Instead of just *one* DNSBL, which is imo always  a risk, I use multiple 
>>> dnsbls, and weight them in scoring.
>>> 
>>> In my experience, it works fantastically well.
>>> 
>>> A great write up on the approach is here
>>> 
>>> http://rob0.nodns4.us/postscreen.html
>>> 
>>> Of course, that presumes Postfix.  You might be able to do the same with 
>>> other servers, or maybe don't have the option at all.
> 



Re: Which DNSBLs do you use?

2016-06-16 Thread Reindl Harald



On 16.06.2016 at 16:21, Shawn Bakhtiar wrote:
> Agreed.
>
> We use sendmail, and check our DNSBLs there, it is much more efficient to use 
> them before we ever engage SA. It is extremely rare to find an IP that lands on 
> a reputable DNSBL and in those cases we can whitelist. Of course most of our 
> traffic is B2B, not sure how effective this would be in B2C or C2C.

no difference - the majority of so blacklisted servers are infected 
enduser machines which have no business to connect to any machine on 
port 25 and for a well scored decision it doesn't matter anyways

also spammers don't care if you are business or not, easy to test with 
spam-traps and how fast they are abused with all sorts of junk

> On Jun 16, 2016, at 7:16 AM, jaso...@mail-central.com wrote:
>
>> Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with Postfix's 
>> postscreen.

postfix 'in front' has the job to complement and not replace blacklists 
in SA since they still matter when some clients don't reach the reject 
score but get additional points in the content filtering

>> Instead of just *one* DNSBL, which is imo always a risk, I use multiple 
>> dnsbls, and weight them in scoring.
>>
>> In my experience, it works fantastically well.
>>
>> A great write up on the approach is here
>>
>>  http://rob0.nodns4.us/postscreen.html
>>
>> Of course, that presumes Postfix.  You might be able to do the same with other 
>> servers, or maybe don't have the option at all.






Re: Which DNSBLs do you use?

2016-06-16 Thread Shawn Bakhtiar
Agreed.

We use sendmail, and check our DNSBLs there, it is much more efficient to use 
them before we ever engage SA. It is extremely rare to find an IP that lands on 
a reputable DNSBL and in those cases we can whitelist. Of course most of our 
traffic is B2B, not sure how effective this would be in B2C or C2C.

> On Jun 16, 2016, at 7:16 AM, jaso...@mail-central.com wrote:
> 
> Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with 
> Postfix's postscreen.
> 
> Instead of just *one* DNSBL, which is imo always a risk, I use multiple 
> dnsbls, and weight them in scoring.
> 
> In my experience, it works fantastically well.
> 
> A great write up on the approach is here
> 
>  http://rob0.nodns4.us/postscreen.html
> 
> Of course, that presumes Postfix.  You might be able to do the same with 
> other servers, or maybe don't have the option at all.
> 
> Jason



Re: Which DNSBLs do you use?

2016-06-16 Thread jasonsu
Fwiw, I've moved the DNSBL issue out of SA and put it 'in front' with Postfix's 
postscreen.

Instead of just *one* DNSBL, which is imo always a risk, I use multiple 
dnsbls, and weight them in scoring.

In my experience, it works fantastically well.

A great write up on the approach is here

  http://rob0.nodns4.us/postscreen.html

Of course, that presumes Postfix.  You might be able to do the same with other 
servers, or maybe don't have the option at all.

Jason


Re: Which DNSBLs do you use?

2016-06-16 Thread Rob McEwen

On 6/16/2016 9:49 AM, Alessio Cecchi wrote:

Probably zen.spamhaus.org is the best dnsbl but is too expensive for us.
Invaluement SIP is almost comparable to Zen as performance but much less
expensive.


Thanks, Alessio, for the recommendation.

But I need to make one clarification... SIP and SIP24 should not be 
considered a replacement for ZEN because they purposely do NOT try to 
"catch every botnet" and instead focus on the more sneaky spams as well 
as new emitters. If someone tries to replace Zen with SIP and SIP24 
(combined) they would usually be very disappointed in their overall spam 
filtering, unless... as I presume to be the case for Alessio Cecchi ... 
they had other very good measures in place for blocking botnet spams? 
But the vast majority of invaluement users use SIP and SIP24 as a 
supplement to Zen, and find that Zen blocks much spam that invaluement 
misses.


Therefore, as I said, SIP and SIP24 (combined) are intended to be a 
supplement to Zen, not a replacement of Zen.


(just want to make sure this is clear!)

--
Rob McEwen
http://www.invaluement.com




Re: Which DNSBLs do you use?

2016-06-16 Thread Bowie Bailey

On 6/16/2016 9:49 AM, Alessio Cecchi wrote:


On 14/06/2016 13:46, Heinrich Boeder wrote:

Hi Folks,

I have been on this list for quite some time now and the topic "DNSBL"
was discussed pretty often, but I was still wondering which DNSBLs you
guys use for your mail environment.

So here are my questions: Which DNSBLs do you use? Which one can you
suggest the most?


Hi, we use www.invaluement.com

- ivmSIP to block IPs at SMTP level
- ivmSIP24 and ivmURI in Spamassassin with custom score

Also b.barracudacentral.org is good and with low FP.

Probably zen.spamhaus.org is the best dnsbl but is too expensive for 
us. Invaluement SIP is almost comparable to Zen as performance but 
much less expensive.


zen.spamhaus.org works great for us.  It is free as long as you are not 
using it as part of a commercial service and your volume is less than 
300,000 queries per day.  I have heard that Invaluement works well, but 
I haven't tried it since there is no free access ($15/month minimum).


I use Zen as a blacklist in my MTA to drop most spam before it hits SA.  
Then I use the default blacklists (plus Razor and DCC) in SA.


--
Bowie


Re: Which DNSBLs do you use?

2016-06-16 Thread Alessio Cecchi


On 14/06/2016 13:46, Heinrich Boeder wrote:

Hi Folks,

I have been on this list for quite some time now and the topic "DNSBL"
was discussed pretty often, but I was still wondering which DNSBLs you
guys use for your mail environment.

So here are my questions: Which DNSBLs do you use? Which one can you
suggest the most?


Hi, we use www.invaluement.com

- ivmSIP to block IPs at SMTP level
- ivmSIP24 and ivmURI in Spamassassin with custom score

Also b.barracudacentral.org is good and with low FP.

Probably zen.spamhaus.org is the best dnsbl but is too expensive for us. 
Invaluement SIP is almost comparable to Zen as performance but much less 
expensive.


Ciao
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice


Re: Which DNSBLs do you use?

2016-06-14 Thread Shawn Bakhtiar
zen.spamhaus.org
bl.spamcop.net
b.barracudacentral.org
dnsbl.inksystems.com <-- private internal one derived from a honeypot email 
address we have.

I have disabled dnsbl.sorbs.net as they are too aggressive for our purposes, 
they block a lot of Gmail et al, which a lot of our customers and vendors use.



> On Jun 14, 2016, at 4:46 AM, Heinrich Boeder  
> wrote:
> 
> Hi Folks,
> 
> I have been on this list for quite some time now and the topic "DNSBL" was 
> discussed pretty often, but I was still wondering which DNSBLs you guys use 
> for your mail environment.
> 
> So here are my questions: Which DNSBLs do you use? Which one can you suggest 
> the most?
> 
> Kind Regards,
> 
> - heinrich
> 
> heinr...@heinrichboeder.com -- www.heinrichboeder.com
> key: 0xC15DAD56 -- 363D 5BC3 9C45 9D09 3D78  1C28 DB68 F047 C15D AD56
> 



Re: Which DNSBLs do you use?

2016-06-14 Thread Reindl Harald



On 14.06.2016 at 13:46, Heinrich Boeder wrote:

Hi Folks,

I have been on this list for quite some time now and the topic "DNSBL"
was discussed pretty often, but I was still wondering which DNSBLs you
guys use for your mail environment.

So here are my questions: Which DNSBLs do you use? Which one can you
suggest the most?


it's all about scoring, and with the setup below SpamAssassin doesn't see much 
junk at all


postscreen_dnsbl_threshold  = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action  = enforce
postscreen_greet_wait = ${stress?2}${stress:10}s
postscreen_dnsbl_sites =
 dnsbl.sorbs.net=127.0.0.10*9
 dnsbl.sorbs.net=127.0.0.14*9
 zen.spamhaus.org=127.0.0.[10;11]*8
 dnsbl.sorbs.net=127.0.0.5*7
 zen.spamhaus.org=127.0.0.[4..7]*7
 b.barracudacentral.org=127.0.0.2*7
 zen.spamhaus.org=127.0.0.3*7
 dnsbl.inps.de=127.0.0.2*7
 hostkarma.junkemailfilter.com=127.0.0.2*4
 dnsbl.sorbs.net=127.0.0.7*4
 bl.spamcop.net=127.0.0.2*4
 bl.spameatingmonkey.net=127.0.0.[2;3]*4
 dnsrbl.swinog.ch=127.0.0.3*4
 ix.dnsbl.manitu.net=127.0.0.2*4
 psbl.surriel.com=127.0.0.2*4
 bl.mailspike.net=127.0.0.[10;11;12]*4
 bl.mailspike.net=127.0.0.2*4
 zen.spamhaus.org=127.0.0.2*3
 score.senderscore.com=127.0.4.[0..20]*3
 dnsbl.sorbs.net=127.0.0.6*3
 bl.spamcannibal.org=127.0.0.2*3
 dnsbl.sorbs.net=127.0.0.8*2
 hostkarma.junkemailfilter.com=127.0.0.4*2
 dnsbl.sorbs.net=127.0.0.9*2
 dnsbl-1.uceprotect.net=127.0.0.2*2
 all.spamrats.com=127.0.0.38*2
 bl.nszones.com=127.0.0.[2;3]*1
 dnsbl-2.uceprotect.net=127.0.0.2*1
 dnsbl.sorbs.net=127.0.0.2*1
 dnsbl.sorbs.net=127.0.0.4*1
 score.senderscore.com=127.0.4.[0..69]*1
 dnsbl.sorbs.net=127.0.0.3*1
 hostkarma.junkemailfilter.com=127.0.1.2*1
 dnsbl.sorbs.net=127.0.0.15*1
 ips.backscatterer.org=127.0.0.2*1
 bl.nszones.com=127.0.0.5*-1
 score.senderscore.com=127.0.4.[90..100]*-1
 wl.mailspike.net=127.0.0.[18;19;20]*-2
 hostkarma.junkemailfilter.com=127.0.0.1*-2
 ips.whitelisted.org=127.0.0.2*-2
 list.dnswl.org=127.0.[0..255].0*-2
 dnswl.inps.de=127.0.[0;1].[2..10]*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5


