Re: [exim] require_verify = sender + RBLs - clarification on…

Author: Alon
Date:  
To: exim users
Subject: Re: [exim] require_verify = sender + RBLs - clarification on the How-to
Alas, someone picked up on this part of the question :))

OK... thankfully, I don't think I'm at the break-even point. I have only 200+ domains with 500 mailboxes, and even at extreme spam time I can't imagine reaching more than 1,000 emails per mailbox per day, so provided that the threshold is above the 1 million, I'm "safe" for the time being.

Obviously, following your explanation, there is no need to set up an rsync version of a local mailing. That is really something I was hoping not to engage in, and based on your explanation, I'm saved from that pain :).

As for the listing of the RBLs, I found this service to be of great help to identify if an IP is listed or not, and it kind of gave me directions on who to add to the RBL filters:

http://openrbl.org/client/

It makes it easy to identify which lists are more effective, in the sense that "if you see it more than a few times... you might want to add it to your deny list".

With the exception of BLARS, which seems to hit on almost every spam, I've seen lots of spam captured in combined.njabl and sbl-xbl.spamhaus.

dnslists = sbl-xbl.spamhaus.org
dnslists = relays.ordb.org
dnslists = dnsbl.sorbs.net=127.0.0.5
dnslists = bl.spamcop.net
dnslists = combined.njabl.org
dnslists = blackholes.njabl.org
dnslists = blackholes.five-ten-sg.com
dnslists = dnsbl-2.uceprotect.net
dnslists = psbl.surriel.com
dnslists = cbl.abuseat.org
dnslists = dnsbl.sorbs.net!=127.0.0.6
dnslists = rhsbl.sorbs.net/$sender_address_domain


Just to clarify... you indicated: "Not all DNSBLs are available for free rsync of course". I'm assuming (a dangerous word, I know) that this isn't a problem with just adding them as filters and using them to filter out spam.

My only concern is: how do I SAFELY whitelist specific domains? I can't use whitelist_domains, as this is a big no-no: it allows for open relay, and of course that is the last thing I want to have.

Is there a way to add specific domains to an ACL group so that I can still
allow traffic for specific domains? Perhaps with extra
checks to minimize exposure?


If this helps in any way... this is a code bit from a different user:


# host name based !
# drop when the envelope sender claims microsoft.com but the connecting host's
# reverse name does not end in microsoft.com (the dot is escaped so that the
# regex matches a literal "."; {no}{yes} inverts the match result)
drop    message   = Forged Microsoft, connection denied!
        senders   = *@microsoft.com
        condition = ${if match {$sender_host_name}{\Nmicrosoft\.com$\N}{no}{yes}}
        delay     = 20s

# helo based !
# drop when the client HELOs as one of these bare domains, which their real
# outbound servers never do ("\$" keeps the regex anchor from being expanded)
drop    message   = Forged HELO: you are not $sender_helo_name
        condition = ${if match {$sender_helo_name}\
                    {^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
        delay     = 20s



AND, this is how I have my filters setup:


# deny using .spamhaus
  deny message = Email blocked by SPAMHAUS SBL+XBL - to unblock see \
                 http://www.myserver.com/spamlistschecker.html
       # only for domains that do want to be tested against RBLs
       domains = +use_rbl_domains
       dnslists = sbl-xbl.spamhaus.org

# deny using ordb
  deny message = Email blocked by ORDB - to unblock see \
                 http://www.myserver.com/spamlistschecker.html
       # only for domains that do want to be tested against RBLs
       domains = +use_rbl_domains
       dnslists = relays.ordb.org



and on and on with each and every filter.


Thanks,

- Alon
js@???
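[Editor's added example, not code from this thread, from the quoted poster or from Exim's default configuration.] The two questions above (collapsing "one deny per list" and whitelisting without opening a relay) can be answered in one acl_check_rcpt. The statement below keeps the +use_rbl_domains list from the post, puts all IP-based zones into a single dnslists condition (Exim tries the zones in order and stops at the first hit, setting $dnslist_domain and $dnslist_value for the message), and exempts senders through a negated senders condition on the DNSBL statements only. The relay decision further down never consults that exemption list. The list file paths, the addresslist name dnsbl_exempt_senders and the example.com URL are placeholders.

```exim
# Added example: one deny per policy instead of one deny per DNSBL, with the
# spam exemption kept separate from relay control. Paths and URL are placeholders.

# Named lists; an absolute file name as a list item reads one pattern per line.
domainlist  local_domains        = /etc/exim/local_domains
domainlist  relay_to_domains     = /etc/exim/relay_to_domains
domainlist  use_rbl_domains      = /etc/exim/rbl_domains
hostlist    relay_from_hosts     = 127.0.0.1
# Envelope senders exempted from DNSBL checks only (hypothetical list).
addresslist dnsbl_exempt_senders = /etc/exim/dnsbl_exempt_senders

acl_check_rcpt:
  # Local command-line submissions, trusted relays and authenticated clients
  # are accepted before any DNSBL lookup is made.
  accept  hosts = :
  accept  hosts = +relay_from_hosts
  accept  authenticated = *

  # Sender verification first: an unverifiable sender costs no DNSBL query.
  require verify = sender

  # One statement covers all IP-based zones. Exim queries them in order and
  # stops at the first match, so the rejection names the list that hit.
  # dnsbl.sorbs.net=127.0.0.5 counts as a match only for that return value.
  deny    message  = Email blocked by $dnslist_domain ($dnslist_value) - \
                     to unblock see http://www.example.com/spamlistschecker.html
          domains  = +use_rbl_domains
          !senders = +dnsbl_exempt_senders
          dnslists = sbl-xbl.spamhaus.org : \
                     combined.njabl.org : \
                     bl.spamcop.net : \
                     cbl.abuseat.org : \
                     dnsbl.sorbs.net=127.0.0.5

  # Right-hand-side list: the key is the sender's domain, not the client IP.
  deny    message  = Sender domain $sender_address_domain is listed in $dnslist_domain
          domains  = +use_rbl_domains
          !senders = +dnsbl_exempt_senders
          dnslists = rhsbl.sorbs.net/$sender_address_domain

  # Relay control: the exemption list above never reaches this decision, so
  # exempting a sender from spam checks cannot turn the host into an open relay.
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains
  require verify  = recipient
  accept
```

The senders condition matches the envelope sender, which any client can claim, so the exemption is only worth applying to the DNSBL statements: the most a forged "exempt" sender gains is an unchecked delivery to one of your own domains, never relay rights. Relaying stays tied to the host list, to SMTP authentication and to +relay_to_domains, which is the separation the post is asking for. The dnsbl.sorbs.net!=127.0.0.6 and relays.ordb.org entries from the post can be added to the same dnslists value in the same way.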


----- Original Message -----
From: "Andrew - Supernews" <andrew@???>
To: "exim users" <exim-users@???>
Sent: Monday, October 23, 2006 12:27 AM
Subject: Re: [exim] require_verify = sender + RBLs - clarification on the
How-to


>>>>>> "Alon" == Alon <js@???> writes:
>
> Alon> RBLs (hey,. it's in the subject line!):
>
> Since no-one else seems to have responded...
>
> Alon> I can use RBLs like the following:
> [snip]
>
> Alon> but my concern is that at one point if I get lots of emails,
> Alon> I'll be actually considered as a "hostile" checker and get
> Alon> blacklisted for excessive checks.
>
> Alon> Is that likely to happen?
>
> No, providing you're staying within whatever terms and conditions
> apply to the specific DNSBLs you're using, and provided you're not
> deliberately breaking DNS caching.
>
> DNS queries are (from the publishing server's point of view) a pretty
> lightweight and efficient way to distribute the data. For a blacklist
> that lists individual IPs, updates frequently and is large enough to
> be useful, the break-even point for the blacklist publisher as to
> whether DNS queries or rsync is most efficient is typically somewhere
> between 1 million and 5 million queries per day.
>
> Not all DNSBLs are available for free rsync of course (Spamhaus
> certainly is not, haven't checked on the others you mentioned). For
> the ones that are, maintaining your own mirror is usually unwise
> unless you know _exactly_ what you're doing - you're more likely to
> have problems caused by your own setup breaking. The reduced latency
> for lookups isn't likely to be a significant benefit _unless_ you're
> out in the weeds somewhere with a slow or congested pipe.
>
> --
> Andrew, Supernews
> http://www.supernews.com
>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>