[Mimedefang] Selecting which RBLs to check mail against.

listuser at numbnuts.net
Wed May 14 14:47:01 EDT 2003


On Wed, 14 May 2003, Martin Ferguson wrote:

> 
> Hi,
> 
> I've been running mimedefang and spamassassin for a few months now with
> great success, some spam mails were however slipping through, to stop
> this I've recently installed Razor agents and enabled RBL lookups, by
> adding $SALocalTestsOnly = 0 to my filter.
> 
> This reduced the amount of spam getting through to almost nothing,
> however I have noticed a significant increase in the amount of false
> positives. I bounce mail at 15 and tag as ***SPAM*** between 5 and 15.
> 
> Many of my company's clients are from South America, South East Asia,
> Russia, etc, basically spam land! Therefore many clients mails from
> these areas are receiving high spam scores because they or their ISPs
> are listed on rfc-ignorant.org or relays.osirusoft.com.
> 
> Although I'd prefer to continue to check mail against these lists and
> help the fight against spam, many of my users are fed up having to dig
> these mails out of their spam filter folders. 
> 
> How do I select specific RBLs to check my mail against?

I can't answer the question about how to use specific DNSBLs but I can 
recommend certain ones.  IMHO you should flat out reject mail from
misconfigured machines.  These include open relays, open proxies, SOCKS 
boxes, and machines with a vulnerable formmail.cgi.  I can't think of any 
reason why mail from those machines should be rejected.  No legitimate 
mail admin will let their MTA be an open relay, or at the very least for 
long.  I'd recommend you block these with Sendmail and not bother scoring 
them.  Then I'd use SPEWS, RFC-Ignorant lists, Spamhaus, etc to score 
mail (ie, the ones that point to spammers specifically, plus some 
collateral damage in some cases).  Lower the scores of SPEWS and the RFC 
ignorant lists if you want to minimize collateral damage.  A score of 1 
for each should be fine.  Spamhaus almost always targets the spamming IPs 
only.  On a rare occasion Steve will expand the list to include the IPs of 
an ISP's corporate MTAs to get their attention.  IIRC he did this to Verio 
a while back with great success.  Still I'd trust Spamhaus even with my 
most critical mail.  I use SPEWS.  It's very effective.  In fact I call 
SPEWS from Sendmail itself and reject mail with it.  It does rely on 
collateral damage though.  Score with it if you want to minimize FPs.  I 
usually recommend that people also score against foreign mail using the 
blackholes.us lists.  However since much of your mail comes from foreign 
countries, this wouldn't be wise in your circumstances.

In short, flat out block misconfigured machines and score against DNSBLs 
of spammers.  Give lower scores to those DNSBLs that will generate too 
many FPs for your installation.

FYI, relays.osirusoft.com is made up of numerous lists.  Break it down 
into multiple calls if you want to separate the socks and other lists from
spews and spamhaus.

Justin
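An added illustration of the two-tier policy in this reply (not code from the thread or from the MIMEDefang project): a mimedefang-filter fragment whose filter_relay hook rejects relays found on a "misconfigured machine" list and only scores the spammer-oriented lists, with a weight of 1 for the lists that carry more collateral damage. The zone names and weights are assumptions chosen for illustration, and since the osirusoft zones named in the thread no longer answer, the demo at the end uses canned answers instead of live DNS.

```perl
use strict;
use warnings;
use Socket qw(inet_aton);

# Tier 1: a hit means the relay itself is broken (open relay/proxy);
# the reply recommends rejecting these outright rather than scoring.
my @REJECT_LISTS = ('relays.osirusoft.com');           # assumed zone
# Tier 2: lists that point at spammers are scored; weights are assumed,
# with 1 for the lists that produce more collateral damage.
my %SCORE_LISTS = (                                    # assumed zones
    'sbl.spamhaus.org'           => 3,
    'spews.relays.osirusoft.com' => 1,
    'dsn.rfc-ignorant.org'       => 1,
);

# Reversed-octet DNSBL query name: 192.0.2.10 under zone Z -> 10.2.0.192.Z
sub dnsbl_name {
    my ($ip, $zone) = @_;
    return join('.', reverse split /\./, $ip) . ".$zone";
}
# Live resolver: any A record under the zone means "listed".
sub dns_listed { return defined inet_aton($_[0]) ? 1 : 0 }

# $lookup is a code ref (query name -> true if listed) so the policy can
# run against canned answers as well as real DNS.
sub classify_relay {
    my ($ip, $lookup) = @_;
    for my $zone (@REJECT_LISTS) {
        return ('REJECT', "relay $ip listed in $zone")
            if $lookup->(dnsbl_name($ip, $zone));
    }
    my ($score, @hits) = (0);
    for my $zone (sort keys %SCORE_LISTS) {
        next unless $lookup->(dnsbl_name($ip, $zone));
        $score += $SCORE_LISTS{$zone};
        push @hits, $zone;
    }
    return ('CONTINUE', "dnsbl score $score (@hits)");
}
# MIMEDefang hook: filter_relay gets the relay IP, its name and the HELO.
sub filter_relay {
    my ($hostip, $hostname, $helo) = @_;
    my ($verdict, $detail) = classify_relay($hostip, \&dns_listed);
    return ('REJECT', $detail) if $verdict eq 'REJECT';
    return ('CONTINUE', 'ok');
}
# Constructed demo: canned answers stand in for live DNS lookups.
my %canned = map { $_ => 1 } (
    dnsbl_name('192.0.2.10',   'relays.osirusoft.com'),
    dnsbl_name('198.51.100.7', 'spews.relays.osirusoft.com'),
    dnsbl_name('198.51.100.7', 'dsn.rfc-ignorant.org'),
);
for my $ip ('192.0.2.10', '198.51.100.7', '203.0.113.5') {
    my ($v, $d) = classify_relay($ip, sub { $canned{$_[0]} ? 1 : 0 });
    print "$ip: $v, $d\n";
}
```

The tier-2 score is the DNSBL contribution only; in a real filter it would be added to the SpamAssassin score before applying the 5 (tag) and 15 (bounce) thresholds from the question.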
