In my experience, the right combination of DNSBLs is extremely effective; typically well into the 90% of delivery attempts can be rejected before the DATA command (and therefore before SpamAssassin) with a combination of DNSBLs, RFC validations (greet pause of 11 seconds, early talkers rejected), rDNS validation, and EHLO validation (rejecting localhost, your own hostname and domain names, etc.). I tend to use a hair-trigger on each of these and trigger greylisting, which allows fast-acting DNSBLs to have another 30 minutes to detect and list new spammers. But ultimately DNSBLs alone are very, very effective, a significant part of pre-DATA filtering.

On Sat, Jan 26, 2019, at 14:02, Ian Evans wrote:
> Background: I run a small postfix/dovecot server on my site server.
> Just a handful of careful users. My spam folder would only have about
> 10-30 messages a day marked as spam by spamassassin. Server's running
> denyhosts to help block bad actors.
>
> Recently checked my logs and noticed that the rbl checks in postfix or
> SA were sometimes getting blocked. So I finally installed a caching
> DNS server.
>
> Suddenly the spam that gets to my spam folder is down to five or so a
> day. Seems postfix is dropping a lot of connections due to RBL checks
> before they even get to SA.
>
> Are the RBLs that good? Is it crazy to worry that not enough spam is
> getting to my spam folder? :-)
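
The pre-DATA checks discussed in this thread, as an added Python example that is not part of either message: it builds the DNSBL query name, separates a real listing from a blocked lookup (the situation in the quoted logs), and defers to greylisting when any other check trips. The function names, zone names and sample answers are constructed, and treating 127.255.255.0/24 as a "query refused" answer is an assumption based on a convention some list operators use.

```python
import ipaddress

REFUSED = ipaddress.ip_network("127.255.255.0/24")  # assumed "query refused" range
LISTED = ipaddress.ip_network("127.0.0.0/8")        # DNSBL return codes live here

def dnsbl_qname(ip, zone):
    """Name to query: reversed octets (IPv4) or reversed nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def classify_answer(records):
    """'clean' on NXDOMAIN ([]), 'listed' on a return code, else 'blocked'."""
    if records is None:                  # timeout or SERVFAIL
        return "blocked"
    if not records:
        return "clean"
    addrs = [ipaddress.ip_address(r) for r in records]
    if any(a in REFUSED or a not in LISTED for a in addrs):
        return "blocked"                 # refusal code or a non-DNSBL answer
    return "listed"

def pre_data_verdict(ip, ehlo, ptr, early_talker, resolve, zones, own_names):
    """Return (verdict, zones_whose_lookup_was_blocked) before DATA is reached."""
    status = {z: classify_answer(resolve(dnsbl_qname(ip, z))) for z in zones}
    blocked = [z for z, s in status.items() if s == "blocked"]
    if "listed" in status.values():
        return "reject", blocked
    helo = ehlo.rstrip(".").lower()
    bad_helo = helo == "localhost" or any(
        helo == n or helo.endswith("." + n) for n in own_names)
    # Hair-trigger: any single failed check defers the client to greylisting.
    if early_talker or ptr is None or bad_helo:
        return "greylist", blocked
    return "accept", blocked

# Constructed sample data: zone names and resolver answers are made up.
ZONES = ["dnsbl.example", "refused.example"]
ANSWERS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    "7.113.0.203.refused.example": ["127.255.255.254"],
}

def fake_resolve(name):
    """Stand-in for a real DNS lookup: A records as strings, [] for NXDOMAIN."""
    return ANSWERS.get(name, [])
```

A non-empty second element in the result means a list is not answering normally, so a drop in rejections from that zone says nothing about how much spam is arriving. Names in `own_names` are expected in lower case.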