[Exim] Re: RBL checking

Author: Suresh Ramasubramanian
Date:  
To: Alan J. Flavell
CC: Exim users list
Subject: [Exim] Re: RBL checking
+++ Alan J. Flavell [exim-users] <24/09/01 13:38 +0100>:
> I think that depends who you are. They demand some kind of
> contractual relationship (though it seems they _are_ willing to set up
> an agreement with a service provider, who in turn makes the lookups


That's right - you have to basically be running your own nameservers.

> available to their users, subject to agreed terms). (My reading of
> their terms was that some classes of user could get free access, as
> long as they agreed to the terms.)


This too - if you are a nonprofit org / hobbyist user (like "family and
friends" on a small DSL line) then you get it free. .edu domains also get
substantial discounts.

They basically want huge ISPs and other high bandwidth users to pay for the
privilege ...

Personally, I find that using some of the blacklists at
http://relays.osirusoft.com (especially spews.relays.osirusoft.com) is a
fairly good idea - it seems to be providing results at a fairly fast pace ...
some totally blackhat ISPs (aitcom, ciberlynx etc) have started cleaning up
their antispam policies and booting spammers recently after a spews listing.

> There are numerous services which offer a function somewhat like ORBS
> was. However, I don't know any of them that's quite as reliable as
> MAPS in avoiding false-positives: there are numerous sites which are


We block based on spews (for instance) - and for open relays, we have an
extensive bank of spamtraps (and build a list of IPs / netblocks sending mail
in bulk quantities and that is clearly UCE)

> academic organisations, government departments, and _has_ on occasion
> included one of our funding agencies. So it would be unwise from our
> point of view to block unconditionally based on one of these entries.


We use - and also whitelist at the same time when we see that collateral
damage is too high (getting blocked from our network is noticed very fast by
the blocked IP's admin)

> On the other hand we've been on the receiving end of a number of
> notorious spam havens that aren't listed at MAPS, but _were_ cited by
> Osirusoft.


Those spam havens have been cleaning up their act, in large part courtesy of Spews.

> Speaking only as an interested user and having little knowledge of the
> internals or politics involved at those various sites: of the ones
> I've been watching, Osirusoft seems pretty good, but if one were to
> refuse mail from just any site listed at Osirusoft, there would be a
> distinct loss of genuine mail.


Osirusoft provides a wide variety of zones which you can use. I personally
prefer using the spews list to block known spam havens.

> Now, sure, some spam-merchants have adopted a sneaky line in hosting
> some innocuous mailing lists, so that users will clamour for these
> spam-havens to be excluded from the mailer's blocking rules.


Or even high profile and legitimate sites along with a whole lot of spammers
(such as Media III - which hosts peacefire.org - and had this lawsuit with
MAPS about it)

> We've had reasonable success recently with applying scoring in the
> system_filter; a listing in the Osirusoft or other open-relay list
> contributes to the score, but that alone does not cause the rejection


That's an excellent idea, building up a checksum.

> the exim configuration, and then testing for the resulting
> x-rbl-warning header in the system_filter - that seems satisfactory -
> any better ideas?).


It'd be a great idea - but wouldn't scale on our MXs unfortunately :(

    --suresh
-- 
Suresh Ramasubramanian  <---->  mallet <at> efn dot org
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin
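The scoring approach discussed above (a DNSBL listing adds to a score rather than causing an outright reject, with a whitelist for cases where the collateral damage is too high) is shown below as an added, stand-alone example. It is not code from this thread, from Exim, or from any of the list operators mentioned. The zone names are the ones named in the discussion; the per-zone weights, the reject threshold, the whitelisted netblock and the canned DNS answers are constructed for illustration and stand in for the live lookups an MTA would perform.

```python
"""Scored DNSBL (RBL) policy with a whitelist override.

Added example, not code from the mailing-list thread.  Weights, threshold,
whitelist and the canned answers below are constructed for illustration.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

# Weight per zone.  These numbers are hypothetical policy choices: a reject
# needs several independent listings, or one from a high-confidence zone.
ZONE_WEIGHTS: Dict[str, int] = {
    "spews.relays.osirusoft.com": 6,   # spam-haven netblocks
    "relays.osirusoft.com": 4,         # open relays
    "blackholes.mail-abuse.org": 7,    # MAPS RBL (weight is an assumption)
}
REJECT_THRESHOLD = 8

# Netblocks exempt from rejection regardless of score, e.g. a funding agency
# whose upstream happens to be listed.  Constructed example range.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: the IPv4 octets reversed, under the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(answer: Optional[str]) -> bool:
    """A DNSBL listing is an A record inside 127.0.0.0/8.  No answer, or an
    address outside that range (e.g. a wildcard or hijacked zone), is treated
    as not listed rather than as a hit."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def score_sender(ip: str, resolve: Callable[[str], Optional[str]]) -> dict:
    """Query every zone, accumulate a score, and decide accept/warn/reject.

    Mirrors the header-then-filter approach from the thread: each listing is
    recorded as an X-RBL-Warning header so a later stage can score it, and a
    whitelisted sender keeps the headers but is never rejected."""
    listings: List[str] = []
    headers: List[str] = []
    score = 0
    for zone, weight in ZONE_WEIGHTS.items():
        answer = resolve(dnsbl_query_name(ip, zone))
        if is_listed(answer):
            listings.append(zone)
            score += weight
            headers.append(f"X-RBL-Warning: {ip} is listed at {zone} ({answer})")

    addr = ipaddress.IPv4Address(ip)
    whitelisted = any(addr in net for net in WHITELIST)
    if whitelisted:
        action = "accept"          # listed, but exempt: headers kept for logging
    elif score >= REJECT_THRESHOLD:
        action = "reject"
    elif score > 0:
        action = "warn"            # tag only; a single listing is not enough
    else:
        action = "accept"
    return {"ip": ip, "listings": listings, "score": score,
            "whitelisted": whitelisted, "action": action, "headers": headers}


# Constructed answers standing in for live DNS, keyed by query name.
CANNED_ANSWERS: Dict[str, str] = {
    "7.100.51.198.spews.relays.osirusoft.com": "127.0.0.2",
    "7.100.51.198.relays.osirusoft.com": "127.0.0.4",
    "5.113.0.203.relays.osirusoft.com": "127.0.0.4",
    "10.2.0.192.spews.relays.osirusoft.com": "127.0.0.2",
    "10.2.0.192.blackholes.mail-abuse.org": "127.0.0.2",
    "9.113.0.203.relays.osirusoft.com": "10.1.2.3",   # bogus non-127 answer
}


def canned_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a DNS A lookup against a DNSBL zone."""
    return CANNED_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5", "192.0.2.10",
               "203.0.113.9", "198.51.100.200"):
        r = score_sender(ip, canned_resolver)
        print(f"{ip:15} score={r['score']:2} {r['action']:6} {r['listings']}")
```

The point of the threshold is the one Alan makes: a sender listed only as an open relay gets tagged and passed on, while a sender that is both an open relay and inside a spam-haven netblock crosses the threshold and is refused. The whitelist check runs last so that an exempted organisation is still tagged and visible in the logs without ever being rejected, and an answer outside 127.0.0.0/8 is deliberately ignored so that a misbehaving zone cannot turn every lookup into a hit.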