RE: manitu.net RBL, opinions? Re: postwhite? (why not?)

2018-03-06 Thread L . P . H . van Belle
I use this list for postscreen, big list. 
Use with care, this one is customized for my needs. 

The reason for two cidr's in the access list: the first is manually maintained.
The second cidr and Spamhaus DROP are auto-updated by script.

Greetz, 
Louis


postscreen_greet_banner = $myhostname, checking blacklists, please wait.
postscreen_greet_action = drop
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_access_list =
    permit_mynetworks,
    # personal white/black list.
    cidr:/etc/postfix/personal/postscreen_access_list.cidr,
    # faulty rdns record list, like hosters with dynamic ips.
    pcre:/etc/postfix/personal/postscreen_access_list-reject.fqrdns.pcre
    # Spamhaus DROP List
    cidr:/etc/postfix/personal/postscreen_access_list-drop.spamhaus-lasso.cidr
postscreen_whitelist_interfaces = $mynetworks, static:all
postscreen_blacklist_action = drop
# customized reply.
postscreen_dnsbl_reply_map =
    pcre:/etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_action = enforce
postscreen_dnsbl_ttl = 2h
postscreen_dnsbl_threshold = 4
postscreen_dnsbl_sites =
    zen.spamhaus.org*4
    b.barracudacentral.org*4
    bad.psky.me*4
    dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2
    fresh.spameatingmonkey.net*2
    cbl.anti-spam.org.cn=127.0.8.2*2
    dnsbl.kempt.net*1
    dnsbl.inps.de*2
    bl.spamcop.net*2
    srn.surgate.net=127.0.0.2
    spam.dnsbl.sorbs.net*1
    rbl.rbldns.ru*2
    psbl.surriel.com*2
    bl.mailspike.net*2
    rep.mailspike.net=127.0.0.[13;14]*1
    bl.suomispam.net*2
    bl.blocklist.de*2
    ix.dnsbl.manitu.net*2
    dnsbl-2.uceprotect.net
    dnsbl.justspam.org=127.0.0.2*2
    all.s5h.net=127.0.0.2*2
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    rbl.abuse.ro=127.0.0.[2;4]*2
    dnsbl.spfbl.net=127.0.0.[2;4]*2
    # No RDNS
    dnsbl.spfbl.net=127.0.0.3*1
    hostkarma.junkemailfilter.com=127.0.0.3*1
    # whitelists
    swl.spamhaus.org*-6
    dnswl.spfbl.net=127.0.0.[2;3;4]*-3
    list.dnswl.org=127.0.[0..255].[2;3]*-4
    rep.mailspike.net=127.0.0.[17;18]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-4
    nobl.junkemailfilter.com=127.0.0.5*-4
    #

 

> -Original message-
> From: postfixlists-070...@billmail.scconsult.com 
> [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole
> Sent: Tuesday 6 March 2018 15:44
> To: Postfix users
> Subject: Re: manitu.net RBL, opinions? Re: postwhite? (why not?)
> 
> On 6 Mar 2018, at 1:26, MRob wrote:
> 
> > On 2018-03-05 18:05, Bill Cole wrote:
> >>> Would you mind sharing which RBLs you recommend to use in 
> >>> postscreen?
> >>
> >> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
> >> zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
> >> zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
> >> psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
> >
> > I just learned of manitu.net RBL is it helpful?
> 
> Obviously I find it so...
> 
> > Bill you don't use things like barracuda.net, spamcop, whatever that
> > monkey one is, mailspike.
> 
> Not in postscreen (for the reasons previously cited) nor in smtpd. I do
> use the DNSBLs that SpamAssassin supports by default, but with score
> adjustments.
> 
> > Is manitu a good replacement for all those?
> 
> No. It IS a good source of spam sources targeting primarily but not
> exclusively European mailboxes, many of which show up on the manitu list
> (a.k.a. "NiX Spam") hours before they appear in Zen.
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
> 
> 



Re: manitu.net RBL, opinions? Re: postwhite? (why not?)

2018-03-06 Thread Bill Cole

On 6 Mar 2018, at 1:26, MRob wrote:

> On 2018-03-05 18:05, Bill Cole wrote:
>>> Would you mind sharing which RBLs you recommend to use in
>>> postscreen?
>>
>> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
>> zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
>> zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
>> psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
>
> I just learned of manitu.net RBL is it helpful?

Obviously I find it so...

> Bill you don't use things like barracuda.net, spamcop, whatever that
> monkey one is, mailspike.

Not in postscreen (for the reasons previously cited) nor in smtpd. I do 
use the DNSBLs that SpamAssassin supports by default, but with score 
adjustments.

> Is manitu a good replacement for all those?


No. It IS a good source of spam sources targeting primarily but not 
exclusively European mailboxes, many of which show up on the manitu list 
(a.k.a. "NiX Spam") hours before they appear in Zen.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole


Re: spamhaus zen response codes in postscreen Re: postwhite? (why not?)

2018-03-06 Thread Bill Cole

On 6 Mar 2018, at 1:18, MRob wrote:

> On 2018-03-05 18:05, Bill Cole wrote:
>>> Would you mind sharing which RBLs you recommend to use in
>>> postscreen?
>>
>> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
>> zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
>> zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
>
> Why list all these, are there zen response codes that you don't want
> to blacklist?


.5 and .6 were formerly used for XBL components with significant 
mixed-source listings. The .5-.7 responses are not currently in use BUT 
are reserved for possible future use in the XBL, which is currently all 
CBL listings. I don't want to be surprised by their deployment for 
mixed-source listings.


Tangential note: Since you apparently can't honor my Reply-To header, I 
have acted locally to simulate basic courtesy.


Re: manitu.net RBL, opinions? Re: postwhite? (why not?)

2018-03-05 Thread li...@lazygranch.com
On Tue, 06 Mar 2018 06:26:49 +
MRob  wrote:

> On 2018-03-05 18:05, Bill Cole wrote:
> >> Would you mind sharing which RBLs you recommend to use in
> >> postscreen?  
> > 
> > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
> > zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
> > zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
> > psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1  
> 
> I just learned of manitu.net RBL is it helpful? Bill you don't use 
> things like barracuda.net, spamcop, whatever that monkey one is, 
> mailspike. Is manitu a good replacement for all those?

Just a FYI, my experience is manitu periodically blocks hostgator email.
I had to remove it from my list. 

If you want to check your logs to see if you receive email from
hostgator, all my email from hostgator has come from websitewelcome.com,
but here is the official documentation:
http://support.hostgator.com/articles/what-are-private-name-servers

FWIW, I use barracuda.net.






manitu.net RBL, opinions? Re: postwhite? (why not?)

2018-03-05 Thread MRob

On 2018-03-05 18:05, Bill Cole wrote:
>> Would you mind sharing which RBLs you recommend to use in postscreen?
>
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
> zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
> zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
> psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1


I just learned of manitu.net RBL is it helpful? Bill you don't use 
things like barracuda.net, spamcop, whatever that monkey one is, 
mailspike. Is manitu a good replacement for all those?




spamhaus zen response codes in postscreen Re: postwhite? (why not?)

2018-03-05 Thread MRob

On 2018-03-05 18:05, Bill Cole wrote:
>> Would you mind sharing which RBLs you recommend to use in postscreen?
>
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
> zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
> zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2


Why list all these, are there zen response codes that you don't want to 
blacklist?




Re: FQRDNS blacklist why not? Re: postwhite? (why not?)

2018-03-05 Thread Bill Cole

On 5 Mar 2018, at 16:38, MRob wrote:

> Bill Cole said:
>> The postscreen DNSBL
>> configuration should be designed to only block IPs that *only* send
>> spam.
>
> So why, I like to ask is fqrdns list not recommended for use in
> postscreen?


Did you see "DNSBL" in that sentence? The "fqrdns" list is not a DNSBL.

With that said, I don't use it because:

1. I find it generally superfluous given my other defenses.
2. I would never want to use it in postscreen because it is not designed 
to identify only known spam-only sources.
3. I don't believe it is possible to use it in postscreen because it 
relies on domain names, while postscreen_access_list only looks up the 
client IP.


Re: FQRDNS blacklist why not? Re: postwhite? (why not?)

2018-03-05 Thread Benny Pedersen

MRob wrote on 2018-03-05 22:38:
> Bill Cole said:
>> The postscreen DNSBL
>> configuration should be designed to only block IPs that *only* send
>> spam.
>
> So why, I like to ask is fqrdns list not recommended for use in
> postscreen?
>
> https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre

too much fp

> It's maintained by same person as postwhite so I guess that means he
> knows good reason why not to outright blacklist the clients in that
> list.

postscreen is not meant for testing that data


Re: FQRDNS blacklist why not? Re: postwhite? (why not?)

2018-03-05 Thread Noel Jones
On 3/5/2018 3:38 PM, MRob wrote:
> Bill Cole said:
>> The postscreen DNSBL
>> configuration should be designed to only block IPs that *only* send
>> spam.
> 
> So why, I like to ask is fqrdns list not recommended for use in
> postscreen?
> https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
> 
> It's maintained by same person as postwhite so I guess that means he
> knows good reason why not to outright blacklist the clients in that
> list.


By design, postscreen operates on the client IP only, and the rDNS
hostname is not available.  This is intentional to keep performance
high and latency low.

The fqrdns.pcre operates on the rDNS hostname of the connecting
client, which isn't available in postscreen.

Consequently, by design the fqrdns.pcre cannot work in postscreen,
and should not be used there.




  -- Noel Jones


FQRDNS blacklist why not? Re: postwhite? (why not?)

2018-03-05 Thread MRob

Bill Cole said:
> The postscreen DNSBL
> configuration should be designed to only block IPs that *only* send
> spam.

So why, I like to ask is fqrdns list not recommended for use in 
postscreen?

https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre

It's maintained by same person as postwhite so I guess that means he 
knows good reason why not to outright blacklist the clients in that 
list.


Re: postwhite? (why not?)

2018-03-05 Thread Bill Cole

On 5 Mar 2018, at 3:59, Karol Augustin wrote:

> On 2018-03-05 6:39, Bill Cole wrote:
>> On 3 Mar 2018, at 14:25, J Doe wrote:
>>
>>> Should I then continue to use postscreen for the zombie detection
>>> but then move my DNSRBL entries to smtpd restrictions ?
>>>
>>> Apologies for belabouring the point - I’m just not understanding.
>>
>> Not all DNSBLs are equivalent. SOME are suited for use in postscreen
>> as absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL
>> configuration should be designed to only block IPs that *only* send
>> spam. There are DNSBLs designed to be hyper-sensitive, to not give any
>> sender a free pass, and to generate occasional collateral damage.
>> There are DNSBLs designed to be used in complex anti-spam systems and
>> NOT as a unilateral basis for blocking. Those sorts of DNSBL should
>> not be used in postscreen with a score at or above
>> postscreen_dnsbl_threshold.
>
> Hi Bill,
>
> Would you mind sharing which RBLs you recommend to use in postscreen?


postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
postscreen_dnsbl_threshold = 2

For my own system I also use 2 local DNSBLs scored at 1 (both are full 
of non-spam sources by design) and reuse all of those and more in smtpd, 
with whitelisting of various sorts to protect mail that needs 
protecting. That's a bespoke config that isn't suitable for most sites. 
(And those local DNSBLs tell intentional lies to the outside world 
anyway.)
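How the weights, reply filters and threshold quoted in this thread combine, as an added example (not code from any poster and not Postfix's own): it parses `postscreen_dnsbl_sites` values and scores constructed DNSBL replies, which also shows why a Zen reply outside the listed codes counts for nothing. The scoring model is an assumption based on the documented behaviour: each entry whose filter matches a reply adds its weight once, and the client is blocked when the sum reaches `postscreen_dnsbl_threshold`.

```python
import re

# domain[=filter][*weight], the entry syntax used in this thread.
ENTRY = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")
# One filter octet: a number, or a bracketed pattern like [2;4] or [0..255].
OCTET = re.compile(r"\[[^\]]*\]|\d+")

# Bill Cole's list from this thread (used with postscreen_dnsbl_threshold = 2).
BILL_SITES = """
zen.spamhaus.org=127.0.0.2*2
zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
"""
# Three entries excerpted from Louis's list (threshold 4 there).
LOUIS_EXCERPT = """
zen.spamhaus.org*4
bl.spamcop.net*2
# whitelists
list.dnswl.org=127.0.[0..255].[2;3]*-4
"""


def octet_values(token):
    """Expand one octet pattern into the set of values it accepts."""
    if not token.startswith("["):
        return {int(token)}
    allowed = set()
    for part in token[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into (domain, filter, weight)."""
    sites = []
    for line in value.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines inside the multi-line value
        for item in re.split(r"[,\s]+", line):
            if not item:
                continue
            m = ENTRY.match(item)
            if not m:
                raise ValueError(f"bad entry: {item!r}")
            domain, flt, weight = m.groups()
            octets = [octet_values(t) for t in OCTET.findall(flt)] if flt else None
            if octets is not None and len(octets) != 4:
                raise ValueError(f"bad filter: {flt!r}")
            sites.append((domain.lower(), octets, int(weight) if weight else 1))
    return sites


def filter_matches(octets, addr):
    parts = [int(p) for p in addr.split(".")]
    return len(parts) == 4 and all(p in ok for p, ok in zip(parts, octets))


def dnsbl_score(sites, replies):
    """replies maps DNSBL domain -> list of A-record replies for one client."""
    total = 0
    for domain, octets, weight in sites:
        addrs = replies.get(domain, [])
        if addrs and (octets is None or any(filter_matches(octets, a) for a in addrs)):
            total += weight
    return total


def is_blocked(sites, replies, threshold):
    return dnsbl_score(sites, replies) >= threshold


if __name__ == "__main__":
    bill = parse_sites(BILL_SITES)
    # Constructed replies, not real lookups.
    for replies in ({"zen.spamhaus.org": ["127.0.0.4"]},
                    {"zen.spamhaus.org": ["127.0.0.5"]},
                    {"ix.dnsbl.manitu.net": ["127.0.0.2"]}):
        print(replies, dnsbl_score(bill, replies), is_blocked(bill, replies, 2))
```
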




Re: postwhite? (why not?)

2018-03-05 Thread Matus UHLAR - fantomas

On 3 Mar 2018, at 14:25, J Doe wrote:

Should I then continue to use postscreen for the zombie detection but then move 
my DNSRBL entries to smtpd restrictions ?


I forgot to add: when you use dnsbl entries at postscreen level, you
apparently won't need them in other postfix restrictions.

if you use spam filter e.g. spamassassin, leave the rest on it.


On 2018-03-05 6:39, Bill Cole wrote:

Not all DNSBLs are equivalent. SOME are suited for use in postscreen
as absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL
configuration should be designed to only block IPs that *only* send
spam. There are DNSBLs designed to be hyper-sensitive, to not give any
sender a free pass, and to generate occasional collateral damage.
There are DNSBLs designed to be used in complex anti-spam systems and
NOT as a unilateral basis for blocking. Those sorts of DNSBL should
not be used in postscreen with a score at or above
postscreen_dnsbl_threshold.


On 05.03.18 08:59, Karol Augustin wrote:

Would you mind sharing which RBLs you recommend to use in postscreen?


On 05.03.18 16:54, Matus UHLAR - fantomas wrote:

I don't see problems having spamhaus, sorbs and spamcop at postscreen level,
especially when someone adds e.g. dnswl weighing -1 too.

very simple example:
postscreen_dnsbl_sites = zen.spamhaus.org, dnsbl.sorbs.net, bl.spamcop.net, 
list.dnswl.org*-1

you can play with weighing blacklists and whitelists, and/or tuning
postscreen_dnsbl_threshold


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states. 


Re: postwhite? (why not?)

2018-03-05 Thread Matus UHLAR - fantomas

On 3 Mar 2018, at 14:25, J Doe wrote:

Should I then continue to use postscreen for the zombie detection but then move 
my DNSRBL entries to smtpd restrictions ?

Apologies for belabouring the point - I’m just not understanding.



On 2018-03-05 6:39, Bill Cole wrote:

Not all DNSBLs are equivalent. SOME are suited for use in postscreen
as absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL
configuration should be designed to only block IPs that *only* send
spam. There are DNSBLs designed to be hyper-sensitive, to not give any
sender a free pass, and to generate occasional collateral damage.
There are DNSBLs designed to be used in complex anti-spam systems and
NOT as a unilateral basis for blocking. Those sorts of DNSBL should
not be used in postscreen with a score at or above
postscreen_dnsbl_threshold.


On 05.03.18 08:59, Karol Augustin wrote:

Would you mind sharing which RBLs you recommend to use in postscreen?


I don't see problems having spamhaus, sorbs and spamcop at postscreen level,
especially when someone adds e.g. dnswl weighing -1 too.

very simple example:
postscreen_dnsbl_sites = zen.spamhaus.org, dnsbl.sorbs.net, bl.spamcop.net, 
list.dnswl.org*-1

you can play with weighing blacklists and whitelists, and/or tuning
postscreen_dnsbl_threshold

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends? 


Re: postwhite? (why not?)

2018-03-05 Thread Karol Augustin
On 2018-03-05 6:39, Bill Cole wrote:
> On 3 Mar 2018, at 14:25, J Doe wrote:
> 
>> Should I then continue to use postscreen for the zombie detection but then 
>> move my DNSRBL entries to smtpd restrictions ?
>>
>> Apologies for belabouring the point - I’m just not understanding.
> 
> Not all DNSBLs are equivalent. SOME are suited for use in postscreen
> as absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL
> configuration should be designed to only block IPs that *only* send
> spam. There are DNSBLs designed to be hyper-sensitive, to not give any
> sender a free pass, and to generate occasional collateral damage.
> There are DNSBLs designed to be used in complex anti-spam systems and
> NOT as a unilateral basis for blocking. Those sorts of DNSBL should
> not be used in postscreen with a score at or above
> postscreen_dnsbl_threshold.

Hi Bill,

Would you mind sharing which RBLs you recommend to use in postscreen?

k.

-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312


Re: postwhite? (why not?)

2018-03-04 Thread Bill Cole

On 3 Mar 2018, at 14:25, J Doe wrote:

> Should I then continue to use postscreen for the zombie detection but
> then move my DNSRBL entries to smtpd restrictions ?
>
> Apologies for belabouring the point - I’m just not understanding.


Not all DNSBLs are equivalent. SOME are suited for use in postscreen as 
absolute bans, e.g. Spamhaus Zen. The postscreen DNSBL configuration 
should be designed to only block IPs that *only* send spam. There are 
DNSBLs designed to be hyper-sensitive, to not give any sender a free 
pass, and to generate occasional collateral damage. There are DNSBLs 
designed to be used in complex anti-spam systems and NOT as a unilateral 
basis for blocking. Those sorts of DNSBL should not be used in 
postscreen with a score at or above postscreen_dnsbl_threshold.


Re: postwhite? (why not?)

2018-03-03 Thread Wietse Venema
J Doe:
> Hi Wietse,
> 
> > On Mar 2, 2018, at 1:49 PM, Wietse Venema  wrote:
> > 
> > Postscreen blocks sites based on:
> > 
> > - Their reputation that they don't send legitimate mail.
> >  zen.spamhaus.org and bl.spamcop.net are examples of that.
> > 
> > - Their behavior. The postscreen pregreet test is an example of that.
> > 
> >Wietse
> 
> Ok.  I am definitely making use of the zombie detection (pre-greeting,
> etc.), but I also use the DNSRBL's on postscreen.  I was under the
> possibly mistaken impression that this was a bit more efficient
> instead of having a spam source connect, possibly negotiate STARTTLS
> and then start a SMTP transaction and then have it rejected based
> on smtpd restrictions.
>
> Should I then continue to use postscreen for the zombie detection
> but then move my DNSRBL entries to smtpd restrictions ?

postscreen handles multiple sessions in parallel. Only clients that
"PASS" are allowed to talk to an SMTP daemon process. In a world
where most email comes from spambots, this is more efficient than
always spending one SMTP daemon process on every client.

wietse


Re: postwhite? (why not?)

2018-03-03 Thread J Doe
Hi Wietse,

> On Mar 2, 2018, at 1:49 PM, Wietse Venema  wrote:
> 
> Postscreen blocks sites based on:
> 
> - Their reputation that they don't send legitimate mail.
>  zen.spamhaus.org and bl.spamcop.net are examples of that.
> 
> - Their behavior. The postscreen pregreet test is an example of that.
> 
>Wietse

Ok.  I am definitely making use of the zombie detection (pre-greeting, etc.), 
but I also use the DNSRBL’s on postscreen.  I was under the possibly mistaken 
impression that this was a bit more efficient instead of having a spam source 
connect, possibly negotiate STARTTLS and then start a SMTP transaction and then 
have it rejected based on smtpd restrictions.

Should I then continue to use postscreen for the zombie detection but then move 
my DNSRBL entries to smtpd restrictions ?

Apologies for belabouring the point - I’m just not understanding.

Thanks,

- J




Re: postwhite? (why not?)

2018-03-03 Thread Karol Augustin
On 2018-03-03 5:06, MRob wrote:
> On 2018-03-02 13:46, Karol Augustin wrote:
>> I also added some hosts to my list from banks, Amazon SES etc. I have
>> about 800 lines in the generated file, which is reasonable. I have about
>> 60-75% passing connections whitelisted now.
> 
> Would you share those you've added?

custom_hosts="ulsterbank.com amazonses.com nodeping.com
spamassassin.apache.org outages.org paypal.com allegro.pl"

k.


-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312


Re: postwhite? (why not?)

2018-03-02 Thread MRob

On 2018-03-02 13:46, Karol Augustin wrote:

> On 2018-03-02 12:09, MRob wrote:
>> Asking for opinions about postwhite.
>> https://github.com/stevejenkins/postwhite
>>
>> Below is the default whitelist domains. It's nice idea, but what about
>> the time when spammers got hold of 10.000 hotmail accounts?
>>
>> OTOH this is only for postscreen and not whitelisted your antispam
>> engine so seems like a good idea. Really like to know arguments
>> against using this, please speak up.
>>
>> webmail_hosts="aol.com google.com microsoft.com outlook.com
>> hotmail.com gmx.com icloud.com mail.com inbox.com zoho.com
>> fastmail.com"
>>
>> social_hosts="facebook.com facebookmail.com twitter.com pinterest.com
>> instagram.com tumblr.com reddit.com linkedin.com"
>>
>> commerce_hosts="craigslist.org amazon.com ebay.com paypal.com"
>>
>> bulk_hosts="sendgrid.com sendgrid.net mailchimp.com exacttarget.com
>> cust-spf.exacttarget.com constantcontact.com icontact.com mailgun.com
>> fishbowl.com fbmta.com mailjet.com sparkpost.com sparkpostmail.com"
>>
>> misc_hosts="zendesk.com github.com"
>
> I also added some hosts to my list from banks, Amazon SES etc. I have
> about 800 lines in the generated file, which is reasonable. I have about
> 60-75% passing connections whitelisted now.


Would you share those you've added?


Re: postwhite? (why not?)

2018-03-02 Thread Wietse Venema
J Doe:
> Hi Wietse,
> 
> > On Mar 2, 2018, at 10:15 AM, Wietse Venema  wrote:
> > 
> > Perhaps it is time to repeat what postscreen is and is not.
> > 
> > Don't use postscreen to block spam. Use postscreen to block spambots.
> > Those who misunderstand the difference will be disappointed.

For example, all blacksmiths are black, therefore all black people
are blacksmiths.

> > In particular, hotmail is not a spambot, therefore it should not
> > be blocked by postscreen.
> 
> I have been using the following in my /etc/postfix/main.cf:
> 
> postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org
> postscreen_dnsbl_action = drop
> 
> While this weeds out spambots I imagine it is weeding out spam
> sources as well

Postscreen blocks sites based on:

- Their reputation that they don't send legitimate mail.
  zen.spamhaus.org and bl.spamcop.net are examples of that.

- Their behavior. The postscreen pregreet test is an example of that.

Wietse


Re: postwhite? (why not?)

2018-03-02 Thread J Doe
Hi Wietse,

> On Mar 2, 2018, at 10:15 AM, Wietse Venema  wrote:
> 
> Perhaps it is time to repeat what postscreen is and is not.
> 
> Don't use postscreen to block spam. Use postscreen to block spambots.
> Those who misunderstand the difference will be disappointed.
> 
> In particular, hotmail is not a spambot, therefore it should not
> be blocked by postscreen.
> 
>Wietse

I have been using the following in my /etc/postfix/main.cf:

postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org   

postscreen_dnsbl_action = drop

While this weeds out spambots I imagine it is weeding out spam sources as well. 
 As a point of clarification, should I list DNSBL sites specifically for 
spambots here and then have a separate list of DNSBL for just spam on the smtpd 
restrictions ?

Thanks,

- J


Re: postwhite? (why not?)

2018-03-02 Thread Wietse Venema
MRob:
> Asking for opinions about postwhite.
> https://github.com/stevejenkins/postwhite
> 
> Below is the default whitelist domains. It's nice idea, but what about 
> the time when spammers got hold of 10.000 hotmail accounts?

Perhaps it is time to repeat what postscreen is and is not.

Don't use postscreen to block spam. Use postscreen to block spambots.
Those who misunderstand the difference will be disappointed.

In particular, hotmail is not a spambot, therefore it should not
be blocked by postscreen.

Wietse


Re: postwhite? (why not?)

2018-03-02 Thread Karol Augustin
On 2018-03-02 12:09, MRob wrote:
> Asking for opinions about postwhite.
> https://github.com/stevejenkins/postwhite
> 
> Below is the default whitelist domains. It's nice idea, but what about
> the time when spammers got hold of 10.000 hotmail accounts?
> 
> OTOH this is only for postscreen and not whitelisted your antispam
> engine so seems like a good idea. Really like to know arguments
> against using this, please speak up.
> 
> 
> 
> webmail_hosts="aol.com google.com microsoft.com outlook.com
> hotmail.com gmx.com icloud.com mail.com inbox.com zoho.com
> fastmail.com"
> 
> social_hosts="facebook.com facebookmail.com twitter.com pinterest.com
> instagram.com tumblr.com reddit.com linkedin.com"
> 
> commerce_hosts="craigslist.org amazon.com ebay.com paypal.com"
> 
> bulk_hosts="sendgrid.com sendgrid.net mailchimp.com exacttarget.com
> cust-spf.exacttarget.com constantcontact.com icontact.com mailgun.com
> fishbowl.com fbmta.com mailjet.com sparkpost.com sparkpostmail.com"
> 
> misc_hosts="zendesk.com github.com"

Hi,

Can't really say anything against using postwhite. So these are my
experiences:

I have started using it some time ago. I have noticed that some providers
use some kind of SPF rotation daily (???) and rotate between IPv6
subnets. So it is important to run it periodically to update the file.
It might be good to implement rounding to the nearest /64 or even /56
for efficiency, but I didn't have a chance to look into that.

Other than that, I am using the generated list to whitelist postscreen
and some custom filtering that forces greylisting and honeypot checks as
well.

My main observation is that senders included in the default list you
posted will pass postscreen anyway and additional benefit is to exclude
them from RBL checks because vast majority of users would like to still
allow them, even if they hit some RBLs from time to time.

The additional benefit is huge saving on DNS queries and (for me)
avoiding greylisting if some otherwise good server finds its way to
RBL.

I also added some hosts to my list from banks, Amazon SES etc. I have
about 800 lines in the generated file, which is reasonable. I have about
60-75% passing connections whitelisted now.

Karol




-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312
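The /64 or /56 rounding suggested in the message above, as an added example (not postwhite's code and not the poster's): it rounds long IPv6 prefixes up, merges overlapping and adjacent ranges, and emits `CIDR permit` lines for a cidr table used in `postscreen_access_list`. The sample prefixes are constructed from documentation ranges; because rounding whitelists addresses the sender never published, `widened()` lists every entry that grew so it can be reviewed.

```python
import ipaddress

# Constructed sample (documentation ranges) standing in for the SPF-derived
# prefixes of a generated whitelist file.
SAMPLE = [
    "192.0.2.10/32", "192.0.2.11/32",
    "2001:db8:1:2::25/128", "2001:db8:1:2:abcd::/80",
    "2001:db8:1:3::1/128", "2001:db8:40::/48",
]


def _rounded(cidr, v6_len):
    """Return the network for cidr, widened to /v6_len if it is longer IPv6."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 6 and net.prefixlen > v6_len:
        net = net.supernet(new_prefix=v6_len)
    return net


def round_prefixes(cidrs, v6_len=64):
    """Round IPv6 entries to at most /v6_len, then merge duplicates/neighbours.

    IPv4 entries are only merged, never widened.
    """
    nets = [_rounded(c, v6_len) for c in cidrs]
    # collapse_addresses() refuses mixed address families, so split first.
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return list(v4) + list(v6)


def widened(cidrs, v6_len=64):
    """(published prefix, rounded prefix) for every entry that rounding grew."""
    out = []
    for c in cidrs:
        original = ipaddress.ip_network(c, strict=False)
        rounded = _rounded(c, v6_len)
        if rounded != original:
            out.append((str(original), str(rounded)))
    return out


def cidr_table(cidrs, v6_len=64):
    """Lines in Postfix cidr-table form: pattern, whitespace, action."""
    return [f"{net}\tpermit" for net in round_prefixes(cidrs, v6_len)]


if __name__ == "__main__":
    print("\n".join(cidr_table(SAMPLE, 64)))
    for before, after in widened(SAMPLE, 64):
        print(f"# widened {before} -> {after}")
```
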