Re: [exim] DNSBLs

Author: Alan J. Flavell
To: Exim users list
Subject: Re: [exim] DNSBLs

On Thu, 24 Mar 2005, Paul Dekkers wrote:

> Alan J. Flavell wrote:
>
> > Indeed. That's why we use the two separate groups of DNSbl in this test,
> > and only reject if both of them return "true".
> >
> I like the idea of it, do you have an example where you check - say - with
> both spamcop and an open relay rbl to see if it is listed or not?

I was afraid someone would ask that. See, this posting is going to be
in the mailing list archive for years from now - but the settings that
we're currently using seemed to be reasonable when we last set them
(that'd be a few months ago), but things will doubtless change again
before many months have elapsed. Might even have changed already - I
haven't had enough Round Tuits recently to do the sums.

> Any recommendations about the combinations?

Well, absolutely contingent on the comments I made above, I can tell
you what our current settings are. I can also predict they'll be
suboptimal for anyone else! So you might want to use appropriate
"warn" stanzas to write log messages for all the dnsRBLs that
you're considering using, and do your own assessment of the results.

But if you insist on specifics, currently the operative lines of the
stanza look like this -

    deny [...]
       message = Your mail host $sender_host_address is blacklisted in \
               $dnslist_domain=$dnslist_value as well as in $ACL_BLACKLIST.
       dnslists =  SORBS_SPAM : bl.spamcop.net
       set ACL_BLACKLIST = $dnslist_domain
       dnslists = l1.spews.dnsbl.sorbs.net : \
                          list.dsbl.org : \
                          SORBS_DUL

where:

SORBS_SPAM = dnsbl.sorbs.net=127.0.0.6
SORBS_DUL = dnsbl.sorbs.net=127.0.0.10

and:

ACL_BLACKLIST=acl_m7

which produces messages like:

2005-03-24 20:28:53 H=(126.com) [219.130.177.209] F=<trade930@???>
rejected RCPT <flavell@???>: Your mail host 219.130.177.209
is blacklisted in dnsbl.sorbs.net=127.0.0.10 as well as in
bl.spamcop.net.

And indeed a lookup of 219.130.177.209 at (e.g) OpenRBL.org
shows enough justification for rejecting this - but no single RBL
would have been strong enough to justify rejection on its own.

I should perhaps stress that we have some Chinese visiting academics,
as well as staff who have active contacts with Chinese academics, so
we can't take the rather obvious step of blocking Chinese IP addresses
on sight.

> Currently I'm very positive about spamhaus, but still not using it
> in real life because I am afraid for false positives.

Some of the DNSrbls quite deliberately set out to inconvenience also
the otherwise-bona-fide customers of spam-supporting (pink) ISPs. As
long as you understand their policy, and can get your users on-board
to support that policy, then you'd be doing a public service (you
might even persuade tiscali to stop hosting 419 scams - but perhaps
that's just wishful thinking). But many of us can't afford to take
such a draconian attitude (unfortunately).

h t h
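As an added illustration (not from the original post, and not Exim's own code): a small Python model of the two-group rule in the stanza above, using a constructed lookup table in place of live DNS answers. It reproduces the rejection shown in the log excerpt and the "listed in one group only" case that is let through; the FAKE_DNS table, the group strings and the function names are assumptions made for this example.

```python
# Constructed stand-in for DNS answers: query name -> A records (made up, not real data).
FAKE_DNS = {
    "209.177.130.219.dnsbl.sorbs.net": ["127.0.0.10"],        # SORBS dial-up flag
    "209.177.130.219.bl.spamcop.net": ["127.0.0.2"],          # listed by SpamCop
    "3.2.1.10.dnsbl.sorbs.net": ["127.0.0.6"],                # SORBS spam flag only
    "7.8.9.10.dnsbl.sorbs.net": ["127.0.0.6", "127.0.0.10"],  # both SORBS flags
}

# The two groups from the posted stanza, with the SORBS_* macros expanded.
GROUP1 = "dnsbl.sorbs.net=127.0.0.6 : bl.spamcop.net"
GROUP2 = "l1.spews.dnsbl.sorbs.net : list.dsbl.org : dnsbl.sorbs.net=127.0.0.10"


def dnsbl_query(ip, domain, resolver=FAKE_DNS):
    """Build the reversed-octet DNSBL name and return its A records ([] = not listed)."""
    reversed_ip = ".".join(reversed(ip.split(".")))
    return resolver.get(f"{reversed_ip}.{domain}", [])


def check_dnslists(ip, dnslists, resolver=FAKE_DNS):
    """Emulate an Exim dnslists condition: colon-separated items, each either
    'domain' (any answer counts) or 'domain=value' (only that answer counts).
    Returns (domain, value) for the first hit, i.e. $dnslist_domain and
    $dnslist_value, or None when no item matches."""
    for item in (s.strip() for s in dnslists.split(":")):
        domain, _, wanted = item.partition("=")
        for value in dnsbl_query(ip, domain, resolver):
            if not wanted or value == wanted:
                return domain, value
    return None


def evaluate(ip, resolver=FAKE_DNS):
    """Apply the two-stage rule: reject only if GROUP1 *and* GROUP2 both hit.
    Returns the rejection message, or None to let the connection through."""
    first = check_dnslists(ip, GROUP1, resolver)
    if first is None:
        return None
    acl_blacklist = first[0]  # set ACL_BLACKLIST = $dnslist_domain
    second = check_dnslists(ip, GROUP2, resolver)
    if second is None:
        return None           # listed in one group only: not enough to reject
    domain, value = second
    return (f"Your mail host {ip} is blacklisted in {domain}={value} "
            f"as well as in {acl_blacklist}.")


if __name__ == "__main__":
    for host in ("219.130.177.209", "10.1.2.3", "10.9.8.7", "192.0.2.1"):
        print(host, "->", evaluate(host) or "accepted")
```

The 10.9.8.7 case shows a caveat of the design: a host carrying both the SORBS spam and dial-up return codes satisfies both groups from a single operator's data, so the "two independent opinions" property only holds when the two groups draw on different sources.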