[Mimedefang] Selecting which RBLs to check mail against.
listuser at numbnuts.net
Wed May 14 14:47:01 EDT 2003
On Wed, 14 May 2003, Martin Ferguson wrote:
>
> Hi,
>
> I've been running mimedefang and spamassassin for a few months now with
> great success, some spam mails were however slipping through, to stop
> this I've recently installed Razor agents and enabled RBL lookups, by
> adding $SALocalTestsOnly = 0 to my filter.
>
> This reduced the amount of spam getting through to almost nothing,
> however I've noticed a significant increase in the amount of false
> positives. I bounce mail at 15 and tag as ***SPAM*** between 5 and 15.
>
> Many of my company's clients are from South America, South East Asia,
> Russia, etc., basically spam land! Therefore many clients' mails from
> these areas are receiving high spam scores because they or their ISPs
> are listed on rfc-ignorant.org or relays.osirusoft.com.
>
> Although I'd prefer to continue to check mail against these lists and
> help the fight against spam, many of my users are fed up having to dig
> these mails out of their spam filter folders.
>
> How do I select specific RBLs to check my mail against?
I can't answer the question about how to use specific DNSBLs but I can
recommend certain ones. IMHO you should flat out reject mail from
misconfigured machines. These include open relays, open proxies, SOCKS
boxes, and machines with a vulnerable formmail.cgi. I can't think of any
reason why mail from those machines should be rejected. No legitimate
mail admin will let their MTA be an open relay, or at the very least for
long. I'd recommend you block these with Sendmail and not bother scoring
them. Then I'd use SPEWS, RFC-Ignorant lists, Spamhaus, etc to score
mail (ie, the ones that point to spammers specifically, plus some
collateral damage in some cases). Lower the scores of SPEWS and the RFC
ignorant lists if you want to minimize collateral damage. A score of 1
for each should be fine. Spamhaus almost always targets the spamming IPs
only. On a rare occasion Steve will expand the list to include the IPs of
an ISP's corporate MTAs to get their attention. IIRC he did this to Verio
a while back with great success. Still I'd trust Spamhaus even with my
most critical mail. I use SPEWS. It's very effective. In fact I call
SPEWS from Sendmail itself and reject mail with it. It does rely on
collateral damage though. Score with it if you want to minimize FPs. I
usually recommend that people also score against foreign mail using the
blackholes.us lists. However since much of your mail comes from foreign
countries, this wouldn't be wise in your circumstances.
In short, flat out block misconfigured machines and score against DNSBLs
of spammers. Give lower scores to those DNSBLs that will generate too
many FPs for your installation.
FYI, relays.osirusoft.com is made up of numerous lists. Break it down
into multiple calls if you want to separate the SOCKS and other lists from
SPEWS and Spamhaus.
Justin
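The reject-vs-score policy Justin describes, written out as an added example (this is not code from the thread, from MIMEDefang or from SpamAssassin). It shows how a DNSBL query name is built (octets reversed, zone appended), how a combined zone such as relays.osirusoft.com is split into its sub-lists by the 127.0.0.N answer code, and how "misconfigured machine" hits reject outright while spammer-list hits only add to the score using the poster's thresholds of 5 (tag) and 15 (bounce). The sub-list code meanings, the zone names other than the two named in the thread, and all weights are assumptions for illustration; the lookups run against constructed answers so the script works offline, and the live resolver is shown only for completeness.

```python
"""Reject-vs-score DNSBL policy (added example, not MIMEDefang or SpamAssassin code)."""
import socket
from typing import Callable, Dict, Optional

# Thresholds quoted by the original poster: tag at 5, bounce at 15.
TAG_THRESHOLD = 5.0
REJECT_THRESHOLD = 15.0

# relays.osirusoft.com answered with different 127.0.0.N codes for its
# sub-lists.  These code meanings are an ASSUMPTION for illustration; check
# the operator's documentation for whichever zone you actually query.
OSIRUSOFT_CODES: Dict[str, tuple] = {
    "127.0.0.2": ("open relay", "reject"),
    "127.0.0.4": ("spam source", 2.0),
    "127.0.0.8": ("insecure formmail.cgi", "reject"),
    "127.0.0.9": ("open proxy", "reject"),
}

# Spammer-oriented lists only add score.  Zone names and weights are ASSUMED;
# the 1.0 weights follow the reply's advice for SPEWS and RFC-Ignorant.
SCORE_ZONES: Dict[str, float] = {
    "sbl.spamhaus.org": 3.0,
    "ipwhois.rfc-ignorant.org": 1.0,
    "spews.relays.osirusoft.com": 1.0,
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """1.2.3.4 queried against zone Z becomes 4.3.2.1.Z."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """A-record text for name, or None when the zone answers NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_sender(ip: str, base_score: float = 0.0,
                 resolver: Callable[[str], Optional[str]] = live_resolver) -> dict:
    """Reject misconfigured hosts outright; score the rest on top of base_score
    (the score the message already earned from other SpamAssassin tests)."""
    result = {"ip": ip, "action": "accept", "score": base_score, "hits": []}

    # 1. Combined zone first: one query, action chosen by the answer code.
    answer = resolver(dnsbl_query_name(ip, "relays.osirusoft.com"))
    if answer in OSIRUSOFT_CODES:
        label, weight = OSIRUSOFT_CODES[answer]
        result["hits"].append(f"relays.osirusoft.com ({label})")
        if weight == "reject":
            result["action"] = "reject"
            return result          # no point scoring a host we refuse anyway
        result["score"] += weight

    # 2. Spammer lists: accumulate weighted score, one query per zone.
    for zone, weight in SCORE_ZONES.items():
        if resolver(dnsbl_query_name(ip, zone)) is not None:
            result["hits"].append(zone)
            result["score"] += weight

    if result["score"] >= REJECT_THRESHOLD:
        result["action"] = "reject"
    elif result["score"] >= TAG_THRESHOLD:
        result["action"] = "tag"
    return result


# Constructed answers so the example runs offline (no real DNS lookups).
FAKE_ANSWERS: Dict[str, str] = {
    "4.3.2.1.relays.osirusoft.com": "127.0.0.2",          # open relay -> reject
    "40.30.20.10.ipwhois.rfc-ignorant.org": "127.0.0.2",  # RFCI only -> +1.0
    "7.2.0.192.sbl.spamhaus.org": "127.0.0.2",            # SBL -> +3.0
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip, base in (("1.2.3.4", 0.0), ("10.20.30.40", 4.5), ("192.0.2.7", 12.5)):
        print(check_sender(ip, base, fake_resolver))
```

In a real deployment the reject branch belongs at the SMTP level (Sendmail's FEATURE(`dnsbl', ...) in sendmail.mc, or a MIMEDefang filter_sender/filter_recipient hook written in Perl) so the open-relay mail never reaches the scanner, and the weighted part is expressed as `score` lines for the corresponding RBL rules in SpamAssassin's local.cf. Note that the 10.20.30.40 client, listed only on the RFC-Ignorant zone, gains just 1.0 and is tagged only if the rest of the message already scored close to the threshold, which is the collateral-damage trade-off the reply describes.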