[Mimedefang] RBL suggestions

Damrose, Mark mdamrose at elgin.edu
Wed Dec 8 14:57:58 EST 2004


> -----Original Message-----
> From: WBrown at e1b.org [mailto:WBrown at e1b.org]
 
> I am looking to start using an RBL.  In the past, a colleague did some
> testing of RBLs and got a lot of false positives.

With RBLs you have to use a different definition of false positives.
Various RBLs have different listing criteria.  A false positive on
an RBL is a blocked mail from a source that doesn't match the criteria
of the list.  You have to decide if the criteria of the list matches
your criteria.

For example - a while back it was discussed that RoaringPenguin was
listed on RFC-ignorant.org.  RFC-ignorant.org does not list spam 
sources, but those who don't obey RFCs.  David argued that his
policies do not violate RFCs, RFC-ignorant claimed they did.  I
don't remember who won - don't really care, I've never used that
list.
 
> I am looking for recommendations for a high quality RBL (preferably free,
> we're a K-12 educational organization) that is very low on false
> positives.

I've been very happy with spamhaus.  They run 2 lists - one that lists
known, persistent spam sources - one that lists abusable machines.

I also use dsbl.org and some of sorbs.net's lists.  These mostly list
misconfigured and abusable hosts.  There have been a couple of IPs 
on both dsbl.org and sorbs.net that I've had to manually whitelist,
but for the most part they are very good.  Even the two I had to whitelist
were "legitimate" - one had been an open relay in the past, but
couldn't get past dsbl's de-listing policy (read postmaster mail, and
click on a link) - the other was running their mail server temporarily
on a consumer DSL connection.

> Also, is there a way for a milter to detect a black listed host and tell
> sendmail to close the TCP connection on the spam sending server?

There are 3 basic ways to use an RBL.
1 - configure sendmail to use them, which rejects the connection
    before MimeDefang is even called.
2 - use the RBL function in MimeDefang.  Use the results to do whatever
    you want - reject, discard, quarantine, add headers, etc.
3 - enable net tests in SpamAssassin which will check all IPs in the
    received headers, with several RBLs and add points to the SpamAssassin
    score.

I like to use the MimeDefang functions and quarantine but still deliver
any hits.  After a week or two of watching it, I'll either move the
test to sendmail, or decide this list doesn't work and remove it. 
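
The DNS lookup behind all three options, combined with the trial-then-enforce approach and the manual whitelist described in the message above, as an added example that is not part of the original post and is not MIMEDefang or sendmail code. The zone names, the whitelist entry, the action names and the `fake_resolver` helper are constructed placeholders.

```python
import ipaddress
import socket

# Hypothetical zones (constructed). A list on trial only quarantines;
# a list that has proven itself is allowed to reject.
ZONES = {"trial.dnsbl.example": "quarantine", "proven.dnsbl.example": "reject"}
WHITELIST = {"192.0.2.25"}  # relays cleared by hand after review (constructed)


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True only if the zone answers with an address inside 127.0.0.0/8."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:  # NXDOMAIN or lookup failure: treat as not listed
        return False
    # Any other answer (wildcarded or parked zone) must not count as a hit.
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def decide(ip, zones=ZONES, whitelist=WHITELIST, resolve=socket.gethostbyname):
    """Return (action, hits). Whitelist wins; reject outranks quarantine."""
    if ip in whitelist:
        return "accept", []
    hits = [z for z in zones if is_listed(ip, z, resolve)]
    if any(zones[z] == "reject" for z in hits):
        return "reject", hits
    # "quarantine" here means keep a copy for review but still deliver.
    return ("quarantine" if hits else "accept"), hits


def fake_resolver(listed):
    """Offline stand-in for DNS; 'listed' is a set of query names that resolve."""
    def resolve(name):
        if name in listed:
            return "127.0.0.2"
        raise socket.gaierror("NXDOMAIN (constructed)")
    return resolve
```

Counting the `hits` per zone over the trial period gives the numbers needed to decide whether a list moves from `quarantine` to `reject` or is dropped.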


