Re: [exim] My DNS Spam and White Lists are Ready for Testing

Startseite
Nachricht löschen
Nachricht beantworten
Autor: W B Hacker
Datum:  
To: exim users
Betreff: Re: [exim] My DNS Spam and White Lists are Ready for Testing
Marc Perkel wrote:

> Ok - so here it is. Give it a try and tell me what you think. Here's the
> instructions on how to use my black list, white list, and yellow list.
>
> http://wiki.ctyme.com/index.php/Spam_DNS_Lists
>
> And - after you start using it I'm looking for a few good people to feed
> information back into the system to make it better. This is working for
> me. But - we will see if it works for anyone else.
>
> These lists can be the biggest breakthrough in email processing in
> years. The power of this system isn't just in the black list. The real
> power is in the white lists and it's ability to reduce false positives
> in your existing black lists.
>
> So - try it out and let me know.
>


Mixed results with your 'blacklist' so far, Marc

We've put your test pretty late in the process for testing, running more 'warn'
mode than deny so we can see what else is operative:

During the test period, 699 smtp connections were made, many of which were
rejected during the initial CONNECT phase.

Of connections that survived:

560 messages were offered (100% starting point)

457 were rejected before DATA phase (82%)

103 reached DATA phase (18%)

37 were discarded in DATA phase before SA invocation (7%)

7 were scanned by SA and diverted to user's quarantine folders (1%)

59 were scanned by SA and delivered normally (11%)

(SA scanned 12% of incoming traffic, ClamAV scanned 18%)

Of the 103 messages where the DATA phase 'warn' acl calling your RBL was
traversed, only 4 hits occurred,

All of these were already carrying fatal errors:

- First and third hits were for incoming that had already been nailed for
invalid DNS (failed forward/reverse lookup, rDNS, no PTR record), HELO by our
own IP, sender verify failure.

'cheap' fail here was HELO with our own IP

- Second hit was for an incoming that had been found on another RBL as a dynamic
IP, and on our local 'brownlist' as from a known-problematic Allocated Portable
IP block, sender verify failure.

'cheap' fail here was our local 'brownlist'.

- Third hit was for an incoming that had been nailed on DNS failures, but also
hit our local blacklist by HELO name, so no further testing done, but would have
failed several others.

'cheap' fail here our local regexp BL (fewer than 100 entries)

IOW - all could have been dumped w/o a remote callout.

Three of the four Perkel RBL hits were allowed to proceed to SA invocation (just
for testing) and generated scores of 8 or more points. For us, that is at least
a quarantine for even 'loose' user preferences, and an outright fail for most.

No Perkel-RBL 'black' false-positives, but this is a *very* small sample.

No point seen in looking at a 'yellow' list, of servers that sometimes send spam
and sometimes do not. By definition, that should be most of the world.

Likewise, I cannot be convinced that there is any value in Perkel-RBL 'white'.
Small sample, limited congruence with our environment.

Bottom Line: 'Pain' of 103 RBL calls. 'Gain' of zero unique information.

It's OK to try to teach your elders a better way to suck eggs, but you should
expect to invest more time feeding your chickens (testing) and shoveling
chicken-manure (perusing extended logs) than counting the chickens before they
hatch (boasting) - or choking chickens (Google that one... I ain't touching it).

;-)

Bill