Re: [Exim] more on RBL's

Author: Alan J. Flavell
Date:  
To: Ron McKeating
CC: Exim-Users (E-mail)
Subject: Re: [Exim] more on RBL's
On Thu, 17 Apr 2003, Ron McKeating wrote:

> rbl-plus.mail-abuse.ja.net
>
> Sadly however there were another 18 spams without this header. One hit
> out of 18 does not bode well for me. So can anybody advise me.


For what it's worth, our mailer's current log (on a quick grep and wc)
rejected a total of about 1400 items on RBL grounds, of which about
400 were rejected on rbl-plus.mail-abuse.ja.net (and the rest,
obviously, on some other RBL).

So the JANET (MAPS) one is doing _some_ good at least, though - as
it's the first one that we check - it might be that some of the ones
that we rejected on MAPS would have been rejected on one of the others
anyway.

> Is it
> just that the free RBL service from JANET is not really very good,


IMHO it's very good of its kind, in the sense that it reliably lists
sites according to its published policy, and rarely results in false
positives. However, the spammers have moved on, and now ply their
disreputable trade by other kinds of misuse than those that qualify for the
MAPS lists. Also, many many new dialups etc. keep appearing and don't
get registered in the DUL.

> and if so (I am happy to pay real money if it works) which are the
> best black lists to use.


We don't pay any money ourselves, so I can't comment on that. But on
the basis of the available free RBL registers, I'd say that a
graduated approach is best.

I don't think that putting on record one specific configuration is
particularly useful - we've switched around as things have developed.
I might just mention that some combination of
spews.relays.osirusoft.com, proxies.relays.monkeys.com and
relays.osirusoft.com=127.0.0.9 could be useful for outright rejection
just now, and others for spam-rating (more on that in a moment).

But you have to be aware that some RBLs (e.g. spamcop), although
definitely useful, _will_ give a proportion of false positives, and
the fact that a host is technically an open relay is no proof that it
doesn't have bona fide users nor that it can or will be used for
spamming - its sysadmin might at this very moment be beavering away to
correct the problem.

If you use some kind of rating scheme (e.g. spamassassin) then it's
surely worth cooking-in some rating points for an entry in spamcop
(i.e. "spam has been reported"), and also for technical open relays and
proxies (i.e. "this could be used for forwarding spam, even if we
haven't actually seen any yet") such as the relevant lists at wirehub,
blitzed, ORDB... We do that by cutting an extra header with (exim
v4) "warn" with "message = X-RBL-Warning: ... $dnslist_domain", and
then rating the headers in spamassassin.

You might consider that an entry in both kinds of list is strong
enough to rate an outright rejection (we do).

You can get overviews of available blacklists at
http://www.sdsc.edu/~jeff/spam/cbc.html and
http://www.declude.com/junkmail/support/ip4r.htm as well as
a summary of blacklistings for a particular address at
http://openrbl.org/

hope that helps.
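The graduated approach described in the message (outright rejection on the most reliable lists, a header for spam-rating on the rest, and rejection when a host appears in both a "spam reported" list and an "open relay/proxy" list) can be expressed as an Exim 4 RCPT ACL. The following is an added example and is not configuration from the original message or from the Exim project. It assumes the Exim 4.1x behaviour the message describes, where "warn" with "message =" adds a header; the zone names are those the message mentions plus bl.spamcop.net, and "relays.open-relay-list.example" is a placeholder for whichever open-relay or proxy list you choose. Other RCPT checks (local recipient verification, relay control) are omitted.

```exim
# Added example, not from the original message: a graduated DNSBL policy
# for an Exim 4 RCPT ACL. Check each list's published policy before use.

acl_check_rcpt:

  # Tier 1: lists trusted enough for outright rejection. For
  # relays.osirusoft.com only the 127.0.0.9 return value counts, so
  # other sub-listings in that zone do not trigger this deny.
  deny    dnslists = rbl-plus.mail-abuse.ja.net : \
                     spews.relays.osirusoft.com : \
                     proxies.relays.monkeys.com : \
                     relays.osirusoft.com=127.0.0.9
          message  = rejected: $sender_host_address is listed at \
                     $dnslist_domain ($dnslist_value) $dnslist_text

  # Tier 2: listed in BOTH a "spam has been reported" list and an
  # open-relay/proxy list. Conditions within one verb are ANDed, so
  # both lookups must hit for this deny to fire.
  # relays.open-relay-list.example is a placeholder zone name.
  deny    dnslists = bl.spamcop.net
          dnslists = relays.open-relay-list.example
          message  = rejected: $sender_host_address is both reported \
                     for spam and an open relay/proxy

  # Tier 3: lists with a known false-positive rate only add a header,
  # one warn per list so that each listing produces its own header.
  # The headers are scored later by SpamAssassin rather than rejected.
  warn    dnslists = bl.spamcop.net
          message  = X-RBL-Warning: $sender_host_address is listed at \
                     $dnslist_domain ($dnslist_text)

  warn    dnslists = relays.open-relay-list.example
          message  = X-RBL-Warning: $sender_host_address is listed at \
                     $dnslist_domain ($dnslist_text)

  # Remaining recipient checks (verify = recipient, relay control) go
  # here; they are omitted from this example.
  accept
```

The separate warn statements matter: a single warn with several zones stops at the first match, so $dnslist_domain would only ever name one list. On the SpamAssassin side, a local rule of the form `header RBL_SPAMCOP X-RBL-Warning =~ /bl\.spamcop\.net/` with a modest `score` line turns each header into rating points, which is the "rating the headers in spamassassin" step the message refers to.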