SPAM Prevention/Blacklists

Greetings from Wyoming --

Just a real quick question for the folks on the Nanog list:

We are using the following RBL's on our MTA right now:

Spamhaus (sbl-xbl)
DSBL
NJABL (dynablock)

Are there any other good lists out there that you folks have had good experience with? Any that we might want to consider taking a look at? Thanks,

Brandon

> Are there any other good lists out there that you folks have had good
> experience with? Any that we might want to consider taking a look at?
> Thanks,

Have you looked at graylisting, temp failing mail with a sender/receiver/IP
you have not seen before?


Nathan Stratton CTO, Co-Founder
nathan at robotics.net BroadVoice, Inc.
http://www.robotics.net http://www.broadvoice.com

Of the ones above, I only use spamhaus, combined with opm.blitzed.org & relays.visi.com

Also, I like sender verification, but that's me.

I don't know what the prevailing attitude is, but it seems to me
that 451ing unknown senders is a good way to get on the bad side of
sysadmins who have to deal with the backlog until your server decides to
accept them.

I would think if you're willing to spend others' resources on reducing
your spam load you would be willing to spend your own and implement SMTP
callback, SPF or the like.

I tried implementing SPF which actually caught a fair # of forged senders
until I noticed that ticketmaster had invalid SPF records and we were
rejecting their emails.

-S
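The SPF failure -S describes above (a sender with a malformed record getting rejected outright) comes down to how the MTA maps the SPF result onto an SMTP reply. The following is an added example, not -S's configuration or any project's code: a deliberately small SPF evaluator that handles only ip4/ip6/all (include, a, mx and friends need DNS and are refused here as a simplification) and, per RFC 7208, turns any syntax error in the record into a permerror before evaluating a single term. The policy function then rejects only on a definite fail; a permerror means the sender's DNS is broken, not that the mail is forged. The records and addresses are constructed (RFC 5737 documentation ranges, `.example` names).

```python
import ipaddress

# Constructed sample TXT records keyed by sender domain. These are not any real
# domain's records; the addresses are RFC 5737 documentation ranges.
SPF_RECORDS = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "broken.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.999 -all",
    "nospf.example": None,
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse a record into (qualifier, mechanism, network) terms.

    Only ip4, ip6 and all are handled; include/a/mx/exists need DNS and are
    refused here as a simplification of this example. RFC 7208 makes a
    syntax error anywhere in the record a permerror for the whole check, so
    the entire record is parsed before any term is evaluated.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[:1] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            if arg:
                raise ValueError("all takes no argument")
            parsed.append((qualifier, name, None))
        elif name in ("ip4", "ip6"):
            # strict=False accepts host bits set (192.0.2.1/24); a malformed
            # address such as 198.51.100.999 still raises ValueError
            parsed.append((qualifier, name, ipaddress.ip_network(arg, strict=False)))
        else:
            raise ValueError("mechanism %r not supported by this evaluator" % name)
    return parsed


def check_host(domain, client_ip):
    """Return one of pass, fail, softfail, neutral, none, permerror."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    try:
        terms = parse_spf(record)
    except ValueError:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, net in terms:
        # terms are evaluated left to right; the first match decides
        if name == "all" or ip in net:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # ran off the end of the record with no match


def smtp_decision(result):
    """Policy: only a definite 'fail' earns a 5xx. A permerror says the
    sender's record is broken, not that the message is forged, so it is
    accepted and tagged rather than rejected (reply texts are my choice)."""
    if result == "fail":
        return "550 5.7.1 sender not authorized by SPF"
    if result == "pass":
        return "accept"
    return "accept, add Received-SPF: %s header" % result
```

With the policy above, the broken record gets the mail through with a header a spam filter can weigh, while a sender whose own record says "-all" for the connecting address is still refused.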

> Just a real quick question for the folks on the Nanog list:

> We are using the following RBL's on our MTA right now:

> Spamhaus (sbl-xbl)
> DSBL
> NJABL (dynablock)

> Of the ones above, I only use spamhaus, combined with opm.blitzed.org &
> relays.visi.com

i use the same ones as Patrick, but i also use the cbl (a component of the
spamhaus xbl, perhaps the only one at the present time, but that could change.)

one thing i do is use opm.blitzed.org and cbl.abuseat.org at connect time.
hosts on these lists are pretty much guaranteed to be open proxies or
compromised hosts, so listening to them at all is a waste of time. no need
to wait until after RCPT TO: to 5xx, i just drop the connection.

> Also, I like sender verification, but that's me.

i used it for some time, and reluctantly shut it down. blocked a lot of email
abuse, but too many false positives for my taste.

richard
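What the connect-time check richard describes actually does, written out as an added example (not richard's or any MTA's production code): reverse the client's octets, prepend them to the zone name, and treat an A answer inside 127.0.0.0/8 as "listed". The `resolve` parameter is an assumption of this example so the lookup can be stubbed offline; the stub answers and client addresses below are constructed. The zone names are the ones from the thread and are used only to build query names.

```python
import ipaddress
import socket

# Zones named in the thread; used here only to build query names.
CONNECT_TIME_ZONES = ["cbl.abuseat.org", "opm.blitzed.org"]


def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the zone, as DNSBLs expect:
    203.0.113.5 against cbl.abuseat.org becomes 5.113.0.203.cbl.abuseat.org."""
    ip = ipaddress.IPv4Address(client_ip)
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def default_resolver(name):
    """Return the A record for name, or None on NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(client_ip, zone, resolve=default_resolver):
    """A DNSBL answers with an address in 127.0.0.0/8 for a listed host.
    Any other answer (a dead or wildcarded zone, a resolver that rewrites
    NXDOMAIN) is treated as 'not listed' so a broken list cannot reject
    all inbound mail."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def connect_decision(client_ip, zones=CONNECT_TIME_ZONES, resolve=default_resolver):
    """Decision taken on connect, before the banner: drop listed hosts
    immediately instead of spending a session on them.
    Returns (action, zone_that_matched_or_None)."""
    for zone in zones:
        if is_listed(client_ip, zone, resolve):
            return ("drop", zone)
    return ("continue", None)


# Constructed answers standing in for real DNS, so the example runs offline.
STUB_ANSWERS = {
    "5.113.0.203.cbl.abuseat.org": "127.0.0.2",  # listed as a compromised host
    "9.113.0.203.opm.blitzed.org": "10.0.0.1",   # non-127 answer: ignored
}


def stub_resolver(name):
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.9", "192.0.2.1"):
        print(ip, connect_decision(ip, resolve=stub_resolver))
```

The 127/8 test matters in practice: some lists use specific 127.0.0.x values to say why a host is listed, and a zone that has been shut down can start returning non-127 answers or wildcard everything, which is exactly the kind of failure the easynet.nl note at the end of this thread is about. In Postfix the connect-time equivalent of the example's decision lives in smtpd_client_restrictions rather than smtpd_recipient_restrictions.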

> Have you looked at graylisting, temp failing mail with a sender/receiver/IP
> you have not seen before?

I don't know what the prevailing attitude is, but it seems to me
that 451ing unknown senders is a good way to get on the bad side of
sysadmins who have to deal with the backlog until your server decides to
accept them.

Well, every valid to/from/ip gets thrown in MySQL; any new message with that
same to/from/ip would never be delayed again. Also I temp fail before the
DATA phase so the body is not sent twice, and I only temp fail for 5 min.


Nathan Stratton CTO, Co-Founder
nathan at robotics.net BroadVoice, Inc.
http://www.robotics.net http://www.broadvoice.com
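Nathan's scheme as described above, written out as an added example that is not his code: the (sender, recipient, client IP) triplet is the key, the first sight of a triplet gets a 451 at RCPT TO so no message body is ever transferred twice, a retry after the five-minute window is accepted, and an accepted triplet is never delayed again. An in-memory dict stands in for his MySQL table, the injectable `clock` exists only so the example can be exercised without waiting, and the reply texts are my choice.

```python
import time

GREYLIST_DELAY = 5 * 60  # the five-minute temp-fail window from the post


class Greylist:
    """In-memory stand-in for the MySQL table in the post, keyed by the
    (sender, recipient, client_ip) triplet, recording when the triplet was
    first seen and whether it has ever been accepted."""

    def __init__(self, delay=GREYLIST_DELAY, clock=time.time):
        self.delay = delay
        self.clock = clock  # injectable so the behaviour can be tested offline
        self.seen = {}      # triplet -> {"first": timestamp, "passed": bool}

    def check(self, sender, recipient, client_ip):
        """Called at RCPT TO, before DATA, so a delayed message body is never
        sent twice. Returns the SMTP reply line to give the client."""
        key = (sender.lower(), recipient.lower(), client_ip)
        now = self.clock()
        entry = self.seen.get(key)
        if entry is None:
            # never seen: record it and ask the sender to come back later.
            # A real MTA retries; most spam-sending proxies never do.
            self.seen[key] = {"first": now, "passed": False}
            return "451 4.7.1 Greylisted, please retry later"
        if entry["passed"] or now - entry["first"] >= self.delay:
            # a retry after the window (or any later message on a triplet
            # that already passed) goes straight through
            entry["passed"] = True
            return "250 2.1.5 Ok"
        # retry too early: keep temp-failing until the window has elapsed
        return "451 4.7.1 Greylisted, please retry later"


if __name__ == "__main__":
    fake_now = [1000.0]
    g = Greylist(clock=lambda: fake_now[0])
    triplet = ("alice@sender.example", "bob@our.example", "203.0.113.5")
    for advance in (0, 60, 300, 1):
        fake_now[0] += advance
        print("t+%ds" % (fake_now[0] - 1000), g.check(*triplet))
```

Whether this answers -S's objection is a matter of taste, but it does bound the cost imposed on remote queues: at most one extra delivery attempt per new triplet, with the body never sent during the deferred attempt.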

>> Of the ones above, I only use spamhaus, combined with opm.blitzed.org &
>> relays.visi.com

> i use the same ones as Patrick, but i also use the cbl (a component of the
> spamhaus xbl, perhaps the only one at the present time, but that could change.)

Mind if I ask why you don't use the sbl-xbl?

BTW: I also use habeas & bogons, but not really sure you would call habeas a blacklist. :)

> one thing i do is use opm.blitzed.org and cbl.abuseat.org at connect time.
> hosts on these lists are pretty much guaranteed to be open proxies or
> compromised hosts, so listening to them at all is a waste of time. no need
> to wait until after RCPT TO: to 5xx, i just drop the connection.

I love opm.blitzed. I haven't tried cbl.abuseat.org. I'll have to check it out.

>> Also, I like sender verification, but that's me.

> i used it for some time, and reluctantly shut it down. blocked a lot of email
> abuse, but too many false positives for my taste.

Could you go into more detail?

I've only been using it a couple months, but I have a whole 1 false positive, and I'm not sure I'd call it a false positive. (Web page which sent e-mail and allowed anything in "from" address, but was password protected internal thing, so they were not doing sanity checking thinking it was guaranteed good e-mail.)

Maybe I have others I just don't know about? How many people send legit e-mail with return addresses which are bogus?

[I know it is not spam-l, but I still am interested. :-]

>> Of the ones above, I only use spamhaus, combined with opm.blitzed.org
>> &
>> relays.visi.com

> i use the same ones as Patrick, but i also use the cbl (a component of
> the
> spamhaus xbl, perhaps the only one at the present time, but that could
> change.)

> Mind if I ask why you don't use the sbl-xbl?

keep in mind that the sbl is the combination of "sbl classic"
with the xbl, where the xbl is currently a feed of the cbl that may
at a later date incorporate additional lists or data.

i use the original sbl at RCPT TO: time. by separating them, i
can use the cbl portion at connect time. it's a bit of flexibility
that i like.

at some future date, when the xbl diverges from the cbl i'll look
at the differences and decide what to do about it.

> BTW: I also use habeas & bogons, but not really sure you would call
> habeas a blacklist. :)

i've used habeas in the past, but don't at the present time.

> one thing i do is use opm.blitzed.org and cbl.abuseat.org at connect
> time.
> hosts on these lists are pretty much guaranteed to be open proxies or
> compromised hosts, so listening to them at all is a waste of time. no
> need
> to wait until after RCPT TO: to 5xx, i just drop the connection.

> I love opm.blitzed. I haven't tried cbl.abuseat.org. I'll have to
> check it out.

well, given that you use the sbl-xbl, you already are using
the cbl. high rejection from abusive hosts, vanishingly small
false positives. i love it. i like doing at connect time even
better, fewer of my resources consumed by abusive hosts
that way.

>> Also, I like sender verification, but that's me.

> i used it for some time, and reluctantly shut it down. blocked a lot
> of email
> abuse, but too many false positives for my taste.

> Could you go into more detail?

> ...

> Maybe I have others I just don't know about? How many people send
> legit e-mail with return addresses which are bogus?

the main problem is systems where the admin has foolishly started
rejecting MAIL FROM:<> to cut down spam. i tried to whitelist
such systems, but couldn't keep up. when i did finally drop sender
verify, a surprising number of my mailing list subscribers came forward,
relieved that they could send mail to the lists again. (the system that
i set up with sender verify handles a number of confirmed opt-in
mailing lists, mostly about cars).

once i realized that the false positive problem was so much higher
than i expected, i decided not to turn it back on. there are other
cogent arguments against sender verify, but it was the false
positive problem that drove my own decision.

richard
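The SMTP callout that -S suggested and richard shut down, and the failure mode richard describes, as an added example that is not either poster's code: the verifier talks to the sender domain's MX, offers MAIL FROM:<> and RCPT TO:<sender>, and classifies the reply. The scripted peers are constructed transcripts, not captured sessions, and the `.example` names are placeholders. `nullhater.example` models a site that rejects the null sender (which the SMTP RFCs require every receiver to accept); the policy treats that as "nothing learned" and accepts the mail, which is the alternative to the per-site whitelist richard could not keep up with.

```python
# Scripted peers: the reply each remote MX gives to each SMTP verb.
# Constructed transcripts, not captured traffic.
PEERS = {
    "ok.example": {
        "HELO": "250 mx.ok.example",
        "MAIL": "250 2.1.0 Ok",
        "RCPT": "250 2.1.5 Ok",
        "QUIT": "221 2.0.0 Bye",
    },
    "nouser.example": {
        "HELO": "250 mx.nouser.example",
        "MAIL": "250 2.1.0 Ok",
        "RCPT": "550 5.1.1 User unknown",
        "QUIT": "221 2.0.0 Bye",
    },
    "nullhater.example": {  # rejects MAIL FROM:<>, breaking the protocol
        "HELO": "250 mx.nullhater.example",
        "MAIL": "550 5.7.1 Null sender not accepted here",
        "QUIT": "221 2.0.0 Bye",
    },
    "busy.example": {
        "HELO": "250 mx.busy.example",
        "MAIL": "250 2.1.0 Ok",
        "RCPT": "450 4.2.1 Mailbox busy, try later",
        "QUIT": "221 2.0.0 Bye",
    },
}


def scripted_session(domain):
    """Return a send(command) -> reply callable for the scripted peer."""
    script = PEERS[domain]
    return lambda command: script[command.split()[0]]


def callout(sender, send):
    """Run the verification dialogue. Returns 'verified', 'unverifiable',
    'tempfail' or 'indeterminate'."""
    def code(reply):
        return int(reply[:3])

    if code(send("HELO verifier.example")) != 250:
        return "tempfail"
    mail = send("MAIL FROM:<>")
    if code(mail) != 250:
        send("QUIT")
        # The remote refused the null reverse-path. Nothing has been learned
        # about the address itself; counting this as a failure is the false
        # positive richard describes, so it is reported as indeterminate.
        return "indeterminate" if mail.startswith("5") else "tempfail"
    rcpt = send("RCPT TO:<%s>" % sender)
    send("QUIT")  # never go on to DATA; the callout sends no message
    rc = code(rcpt)
    if rc == 250:
        return "verified"
    if 500 <= rc < 600:
        return "unverifiable"
    return "tempfail"


def decision(outcome):
    """Reject only on a definite 'unverifiable'. A temporary failure is
    deferred, and an indeterminate result is accepted, so a broken remote
    costs you nothing but the callout (reply texts are my choice)."""
    return {
        "verified": "250 accept",
        "unverifiable": "550 5.1.8 sender address rejected: does not exist",
        "tempfail": "451 4.4.3 sender verification deferred",
        "indeterminate": "250 accept (sender could not be verified)",
    }[outcome]


def verify_sender(sender):
    domain = sender.rpartition("@")[2]
    return decision(callout(sender, scripted_session(domain)))
```

Even with the indeterminate case handled, the callout still spends a connection on every new sender and looks like a dictionary attack to some receivers, which is among the "other cogent arguments" richard alludes to; the example only removes the one failure mode he names.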

From Richard Welty, received 3/3/04, 19:36 -0500 (GMT):

>> Mind if I ask why you don't use the sbl-xbl?

> keep in mind that the sbl is the combination of "sbl classic"
> with the xbl, where the xbl is currently a feed of the cbl that may
> at a later date incorporate additional lists or data.

I trust you mean sbl-xbl is the combination...

sbl.spamhaus.org (direct spam sources & spam outfits)
xbl.spamhaus.org (3rd party exploits/trojans/proxies/etc.)
sbl-xbl.spamhaus.org (combination of the two)

brandons@wyoming.com ("Brandon Shiers") writes:

> We are using the following RBL's on our MTA right now:
> 
> Spamhaus (sbl-xbl)
> DSBL
> NJABL (dynablock)
> 
> Are there any other good lists out there that you folks have had good
> experience with? Any that we might want to consider taking a look at?
> Thanks,

1. here's a chunk of my personal /usr/local/etc/postfix/main.cf file:

smtpd_recipient_restrictions =
    ...
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client nonconfirm.mail-abuse.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client http.dnsbl.sorbs.net,
    reject_rbl_client socks.dnsbl.sorbs.net,
    reject_rbl_client misc.dnsbl.sorbs.net,
    reject_rbl_client web.dnsbl.sorbs.net,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client dynablock.easynet.nl,
    reject_rbl_client proxies.easynet.nl

2. but the most effective list i have is one i build from the apache log,
grepping for worm spoor. most spam is sent through proxies left behind
by worms, so if you autoblackhole worm-infected hosts you'll stop a HUGE
amount of spam in the hours and days that follow. (spammers are now
writing and releasing worms just to create proxy nets, and are also paying
malfeasants to write and release worms just to create proxy nets.)

3. furthermore, DCC (see www.rhyolite.com/dcc) is hereby highly recommended.
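Point 2 above in code, as an added example that is not Paul's script: match the request-URI fragments the IIS worms of that era left in web server logs (Code Red's default.ida probe, Nimda's root.exe and cmd.exe traversals), collect the client addresses that sent them, and render the result as a Postfix access(5) table for check_client_access. The log lines are constructed (RFC 5737 addresses), the worm patterns are the well-known ones, and the reject text is my choice.

```python
import re
from collections import defaultdict

# Request-URI fragments left by well-known IIS worms: Code Red probed
# default.ida with a long query string, Nimda probed root.exe / cmd.exe
# through directory traversal. Any hit marks the client as infected.
WORM_SPOOR = re.compile(r"/default\.ida\?|/root\.exe|/cmd\.exe|/c/winnt/system32/", re.I)

# Constructed Apache common-log-format lines, using RFC 5737 addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2004:19:36:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 288
198.51.100.4 - - [03/Mar/2004:19:36:05 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [03/Mar/2004:19:36:09 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
203.0.113.9 - - [03/Mar/2004:19:36:10 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
198.51.100.4 - - [03/Mar/2004:19:36:12 -0500] "GET /about.html HTTP/1.1" 200 2048
"""

# client, ident, user, [timestamp], "METHOD URI PROTO", status, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def worm_hits(log_text):
    """Return {client_ip: [request URIs]} for requests that look like worm probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        if WORM_SPOOR.search(m.group("uri")):
            hits[m.group("ip")].append(m.group("uri"))
    return dict(hits)


def blackhole_list(log_text, min_hits=1):
    """Sorted client IPs to feed the MTA. min_hits lets an operator demand
    repeated probes before listing a host."""
    return sorted(ip for ip, uris in worm_hits(log_text).items() if len(uris) >= min_hits)


def postfix_access_map(ips):
    """Render the IPs as a Postfix access(5) table (one 'client REJECT' line each),
    suitable for check_client_access after postmap."""
    return "".join("%s\tREJECT worm-infected host\n" % ip for ip in ips)


if __name__ == "__main__":
    print(postfix_access_map(blackhole_list(SAMPLE_LOG)), end="")
```

Two practical caveats an operator would add: entries need an expiry of a few days, since the infected hosts are overwhelmingly on dynamic address pools that get reassigned, and the list should only ever be built from the client address of the HTTP request, never from anything the request itself claims.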

FYI, easynet.nl stopped hosting their DNSBLs in December.

http://groups.google.com/groups?selm=q60srv0prtpgqobe9icdlk4birg0t61v77%40thor.wirehub.nl