Re[2]: [Exim] How to use RBL / postal subscription essential…

Author: Richard Welty
Date:  
To: Exim-Users (E-mail)
Subject: Re[2]: [Exim] How to use RBL / postal subscription essential???
On Mon, 6 Jan 2003 10:26:06 +0200 Thomas Kinghorn <thomask@???> wrote:

> as far as I am aware, you need to pay for using the maps services.
>
> I have set up the blacklisting using the following
>
> dnslists           =    spews.relays.osirusoft.com:\
>                         blackholes.mail-abuse.org :\
>                         relays.mail-abuse.org :\
>                         bl.spamcop.net :\
>                         relays.ordb.org or.orbl.org :\


some cautions about DNSBL usage:

0) blackholes.mail-abuse.org and relays.mail-abuse.org are MAPS lists
that you have to pay for now

1) understand each list that you are using, its pros and cons. BLs are
very different from each other, and some may be inconsistent with your
goals. you need to think about what you are trying to do (is it "kill
the spammers" or is it "facilitate business communication"? they're
two different things, and lead to different DNSBL selections.)
me, i'm a consultant with a number of business customers who use
email as an integral part of their businesses (no, they're not
spammers). therefore, i'm biased towards zero false positives
and keeping inboxes reasonably useful, and not towards punitive
expeditions.

2) to that end, bl.spamcop.net has the pro that it is very quick and
responsive. it has the con that it is very aggressive, which combined
with some algorithmic deficiencies leads to blacklisting of innocent
victims at times. note also that on the web site, there is a clear
warning that it is experimental and not to be used (not that this
stops anyone) [see note 1 below for examples of algorithmic issues
in the spamcop code]

3) spews is run by folks who believe that collateral damage is a good
thing. they expand blocks intentionally to catch innocent victims
who are parked next to spammers. there are quite a few people who
agree that this is a good thing. if you agree, by all means use
spews.

4) the "children of orbs" lists are based on active relay scanning.
some regard this sort of scanning as network abuse in and of itself.
others are all for it. having said that, ordb has an excellent rep
for accuracy, which is not something that orbs or its children all
have in common.

5) two good ones you left out:

   opm.blitzed.org   -- open proxies (mostly insecure squid proxies
                         and cacheflow servers)
   sbl.spamhaus.org  -- the spamhaus blocking list, an excellent,
                         reliable, well documented list of spammers
                         of fixed address


6) note that at osirusoft, Joe Jared has aggregated a multitude of
different DNSBLs. it may be worth some time to walk through them and
understand the differences.

richard

[note 1]

the spamcop bl is based on conversion of the existing spamcop
database into an automated bl. there is no human interaction unless issues
come up with active listings. this, combined with various algorithmic
issues, means that "things happen". many of these have been discussed with
Julian, and he seems uninterested in changing them.

examples:

spamcop header parsing is still unreliable. this means, for example, that
sometimes folks who are using smarthosting or a tool like fetchmail or
getmail will find themselves blocked from their own servers, when their
complaint gets their server listed.

sample sizes for spamcop's decision making process are tiny, way short of
anything that a "real" statistician would consider valid. this can result
in, say, two complaints causing a bl entry. given that some folks will
complain about legitimate mail when they don't want it anymore (it's easier
than remembering how to unsubscribe), this means a certain number of
inappropriate lists are essentially guaranteed. Julian considers this a
feature, he wants spamcop's bl to be hair trigger. YMMV.

spamcop now has escalation to /24 cidr blocks automated. given that
assignments are often now down in the /27 to /29 range for DSL lines and T1
customers, this leads to much collateral damage. Julian says he hasn't seen
this happening much, and wants hair trigger escalation so that spammers
moving about in a block get preempted. i have customers with /27 to /29
assignments who would get nailed if they had the bad luck to be next to a
spammer that Julian is after, so needless to say, i'm a little too cool to
this escalation process.

in spamcop's defense, its hair trigger approach has been effective at
chopping spam runs in mid operation, and spammers hate it. i'm just not a
fan of the collateral damage from quasi-broken processes and algorithms.
--
Richard Welty                                         rwelty@???
Averill Park Networking                                         518-573-7592
              Unix, Linux, IP Network Engineering, Security
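Given the false-positive concerns above, a practitioner will want to check their own mail server's address against the same zones their Exim dnslists setting uses. The following is an added example (not code from the thread or from Exim itself) that parses a dnslists value, builds the reversed-address lookup name the way Exim does, and treats only a 127.0.0.0/8 answer as a listing; the zone names and the in-memory "DNS" data are constructed placeholders, and the resolver is injected so the check runs offline (a live check would pass a wrapper around socket.gethostbyname instead).

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed dnslists value in Exim's syntax (zone names are placeholders).
EXIM_DNSLISTS = "bl.example.net :\\\n  dead.example.net=127.0.0.2 :\\\n  clean.example.net"

# Constructed DNS data standing in for real answers (not real listings). A
# resolver is any callable name -> first A record text, or None for NXDOMAIN,
# so a live check can supply a wrapper around socket.gethostbyname instead.
FAKE_ZONE = {
    "4.3.2.1.bl.example.net": "127.0.0.2",      # listed
    "4.3.2.1.dead.example.net": "203.0.113.9",  # non-loopback answer: ignored
}

def parse_exim_dnslists(value: str) -> List[str]:
    """Split an Exim dnslists value into bare zone names: items are separated
    by ':' with '\\' line continuations, and a '=127.0.0.x' or '/key' suffix
    on an item is dropped because only the zone is needed for the lookup."""
    joined = value.replace("\\\n", " ")
    zones = []
    for item in joined.split(":"):
        zone = item.strip().split("=")[0].split("/")[0].strip()
        if zone:
            zones.append(zone)
    return zones

def dnsbl_query_name(address: str, zone: str) -> str:
    """Build the lookup name the way dnslists does: reverse the IPv4 octets
    (or, as a generalisation, the IPv6 nibbles) and append the list zone."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        rev = ".".join(reversed(ip.exploded.split(".")))
    else:
        rev = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{rev}.{zone}"

def check_dnsbls(address: str, zones: List[str],
                 resolver: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Return {zone: answer} for each zone that lists the address. Only an
    answer inside 127.0.0.0/8 counts; a zone answering with a public address
    is usually dead or misconfigured and would otherwise block all mail."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    hits = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(address, zone))
        if answer and ipaddress.ip_address(answer) in loopback:
            hits[zone] = answer
    return hits
```

Running `check_dnsbls("1.2.3.4", parse_exim_dnslists(EXIM_DNSLISTS), FAKE_ZONE.get)` reports only bl.example.net, because the dead zone's non-loopback answer is deliberately not counted as a listing.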