Absolutely not. Do not enable a blacklist by default.
On Tue, Mar 15, 2016 at 10:52 AM, Michael McConville <[email protected]> wrote:
> Stuart Henderson wrote:
>> On 2016/03/15 12:55, Craig Skinner wrote:
>> > There are a few more paid rsync lists here:
>> > http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
>>
>> Ah that is a useful page. Maybe we could list it, e.g.
>>
>> Index: spamd.conf
>> ===================================================================
>> RCS file: /cvs/src/etc/mail/spamd.conf,v
>> retrieving revision 1.5
>> diff -u -p -r1.5 spamd.conf
>> --- spamd.conf 14 Mar 2016 21:36:52 -0000 1.5
>> +++ spamd.conf 15 Mar 2016 13:27:04 -0000
>> @@ -13,8 +13,10 @@
>> # Lists specified with the :white: capability apply to the previous
>> # list with a :black: capability.
>> #
>> -# As of November 2004, a place to search for blacklists is
>> -# http://spamlinks.net/filter-bl.htm
>> +# As of March 2016, a place to search for blacklists is
>> +# http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
>> +# - most of these are DNS-based only and cannot be used with spamd(8),
>> +# but some of the lists also provide access to text files via rsync.
>>
>> all:\
>> :uatraps:nixspam:
>
> ok mmcc@
>
>> > Generally, everything has changed from file feeds to DNS.
>>
>> Yep, because for the more actively maintained ones 1) new entries show
>> up more quickly than any sane rsync interval, this is quite important
>> for good blocking these days 2) DNS is less resource intensive and more
>> easily distributed than rsync, and 3) importantly for the rbl providers,
>> it gives additional input to them about new mail sources (if an rbl
>> suddenly starts seeing queries from all over the world for a previously
>> unseen address, it's probably worth investigation - I am sure this is
>> why some of the commercial antispam operators provide free DNS-based
>> lookups for smaller orgs).
>>
>> A more flexible approach would be to skip the PF table integration
>> completely and do DNS lookups in spamd (or, uh, relayd, or something
>> new) and based on that it could choose whether to tarpit, greylist or
>> transparent-forward the connection to the real mail server. This
>> would also give a way to use dnswl.org's whitelist to avoid greylisting
>> for those hosts where it just doesn't work well (gmail, office365 etc).
>
> Interesting, I didn't even know that rsync blacklists existed. That was
> the cause for confusion about Spamhaus's price earlier.
>
> Would it make sense to enable a blacklist or two by default in spamd?
> They seem to be an effectively necessary part of a sane mail server
> configuration these days.
>
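Review bot: the new comment's "- most of these are DNS-based only and cannot be used with spamd(8)" line leaves the reason implicit; the limitation is that spamd(8) consumes the list as a text file, which DNS-only services do not publish. Suggest wording it as "# Most of these are DNS-based only and cannot be used with spamd(8), which needs the list as a text file; some of the lists also provide that file via rsync." so the reader knows what to look for on the linked page.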
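The DNS-driven policy Stuart sketches above (look the connecting address up in a DNS blacklist and in dnswl.org's whitelist, then tarpit, greylist or forward), as an added example that is not OpenBSD or spamd code: the zone names are assumptions (list.dnswl.org for the whitelist, a placeholder for the blacklist), and the resolver is a constructed stand-in for real DNS.

```python
import ipaddress
from typing import Callable, Dict, List

# Assumed zones: list.dnswl.org is dnswl.org's whitelist zone; the blacklist
# zone is a placeholder for this example, not a real DNSBL.
WHITELIST_ZONE = "list.dnswl.org"
BLACKLIST_ZONE = "bl.example.invalid"
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(addr: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the list zone (the DNSBL convention)."""
    ip = ipaddress.IPv4Address(addr)  # rejects IPv6 and garbage input
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def listed(answers: List[str]) -> bool:
    """A hit is an A record in 127.0.0.0/8; anything else (a retired zone
    that now wildcards, a resolver that rewrites NXDOMAIN) is ignored."""
    for a in answers:
        try:
            if ipaddress.IPv4Address(a) in LOOPBACK:
                return True
        except ValueError:
            pass
    return False

def decide(addr: str, resolve: Callable[[str], List[str]]) -> str:
    """Return 'tarpit', 'forward' or 'greylist'.  A blacklist hit wins over a
    whitelist hit; a DNS failure falls back to ordinary greylisting."""
    try:
        if listed(resolve(dnsbl_query_name(addr, BLACKLIST_ZONE))):
            return "tarpit"
        if listed(resolve(dnsbl_query_name(addr, WHITELIST_ZONE))):
            return "forward"  # known-good sender: skip greylisting
    except OSError:           # timeout or SERVFAIL: do not fail open
        pass
    return "greylist"

# Constructed answers standing in for real DNS; the client addresses come
# from the RFC 5737 documentation ranges.  [] means "not listed".
SAMPLE_DNS: Dict[str, List[str]] = {
    "10.2.0.192.bl.example.invalid": ["127.0.0.2"],  # blacklisted
    "5.100.51.198.list.dnswl.org": ["127.0.10.2"],   # whitelisted
    "9.113.0.203.bl.example.invalid": ["10.0.0.1"],  # bogus answer
}

def sample_resolver(qname: str) -> List[str]:
    return SAMPLE_DNS.get(qname, [])
```

Blacklist-before-whitelist ordering means a whitelist entry can only relax greylisting, never override a blacklist hit.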
