On Tue, 13 Apr 2004, Marc Perkel wrote:
> I'm looking for a recommendation on what lists to add to my deny dnslist
> list. I want to avoid false positives so I only want the ones that are
> considered most accurate.
Well, of course everyone's going to have a different answer to that,
but what we're currently doing, beyond a couple of blacklists where we
feel confident enough to deny outright, is to group some of the lists
into two groups, roughly speaking categorised as:
a) those which indicate spam has in fact been seen,
b) those which indicate technical ability to relay/proxy,
or listed as involved in spam operations
If the sending IP hits one or more lists from *both* groups, we
reject. This approach seems to work rather well, and avoids false
positives on sites that accidentally show up in, say, Spamcop.
Of course, we also count spam rating points if they're in one or other
group, but you want to avoid too many transactions needing to be rated
by spamassassin, right?
I.e we have two dnslist clauses in sequence in the same "deny" stanza,
and the "deny" is only effective if both of them go sprong. At the
moment the first group contains bl.spamcop.net : spam.dnsbl.sorbs.net
The second group contains some or all of relays.ordb.org :
list.dsbl.org : dnsbl.ahbl.org and the following categories of
dnsbl.sorbs.net namely smtp, web, zombie, dul, and L1.spews
If you have a recent enough exim, you can do a query on
dnsbl.sorbs.net and get the answers as a list of values, which exim
then caches; so that it's essentially no additional cost to use any or
all of the individual values, in one way or another (I mean use some
for a straight deny, some in one of the above two groups, or for
various spam-rating purposes). (Somebody will pipe up if I'm
misrepresenting anything there, right?)
Note this technique for delivering the report (this is just sketched
out on the fly, with local details snipped out, so YMMV):
[...]
message = Your mail host $sender_host_address is blacklisted in \
$dnslist_domain=$dnslist_value as well as in $acl_m4
[...]
dnslists = bl.spamcop.net : spam.dnsbl.sorbs.net
set acl_m4 = $dnslist_domain
dnslists = relays.ordb.org : list.dsbl.org \
[...]
i.e saving details of the first match into acl_m4 so that it can be
reported after the second match has triggered.
Is that OK?
