Choosing a Good DNSBL (152 comments)

stry_cat submitted a story about selecting a good DNSBL. It talks about some of the problems with DNS blacklists and the sorts of things that you should be looking for. Things like Speed, Selection Criteria, and Goals make the list. And of course not requiring payment to be removed from the blacklist.
  • by seebs ( 15766 ) on Monday July 30, 2007 @11:05AM (#20042909) Homepage
    http://stats.dnsbl.com/ [dnsbl.com]

    Or, for commentary:

    http://www.dnsbl.com/ [dnsbl.com]

    Absolutely the best resource on the topic.
  • by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Monday July 30, 2007 @11:07AM (#20042935) Homepage

    # mimedefang filter_sender: query these three lists in parallel, 8-second timeout
    @rbl = relay_is_blacklisted_multi_list($ip, 8, 0,
               [
                   'zen.spamhaus.org',
                   'combined-HIB.dnsiplists.completewhois.com',
                   'list.dsbl.org'
               ]
           );
    I reject on these in mimedefang's filter_sender routine, since they provide straightforward methods for removal. For other lists, spamassassin will raise score accordingly, and will raise score based on any blacklisted stuff in the headers (not just the server handing off to you) which is nice.

    Greylisting kills a lot of stuff too.
  • Those are the only two that work for me (located in North America).
  • by _xeno_ ( 155264 ) on Monday July 30, 2007 @11:23AM (#20043123) Homepage Journal

    This seems like as good a place to ask as any. Can mostly email-based DNSBLs be used to try and block comment spammers? I'd love to reduce the load I get from comment spammers trying to spam my website.

    I've been contemplating using an existing DNSBL, but all the well-known ones are focused on email spam. I expect that comment spambots and email spambots mostly overlap, but I'm not sure how effective such a measure would be.

    • Try stuffing something into your website that relies on a calculation (or other action) done in dynamically-generated javascript. Then validate that on the back end.

      I have yet to have anybody add code to their spam engine to incorporate a javascript interpreter. They just move on to the next target. Even clicking a checkbox with javascript has been enough.
      • by _xeno_ ( 155264 )

        I've added code that is essentially my own version of the "lameness filter." This has been enough to stop almost all the spammers. It may annoy some legitimate posters, but it works, and legit posters can still post (unless they want to post about Levitra, Cialis, or Viagra). It doesn't require JavaScript, which is a plus, since as a NoScript user I would be kind of annoyed if it did. (And, yes, I'm pretty sure I never whitelisted my own domain.)

        But I'd still like to block spammers before I get to the poi

      • by G-funk ( 22712 )
        Add a field named "address" or whatever to your form, and give it an id="notshown" or whatever. Add in your stylesheet "#notshown { display:none }" and if you get a submission with that field filled in, it's spam.
        • I'm starting to see even that one used.

          And yeah, the javascript trick works well. I call it the 'browser Turing test'. It's like a captcha for your browser to fill in, metaphorically speaking.

          But I've even seen that damn thing work well.

          Of course Akismet is the web spam filter that always works the best for me.
    • by wytcld ( 179112 ) on Monday July 30, 2007 @12:22PM (#20043995) Homepage
      Had a bunch of robot spam going through a home-grown PHP comment form - all of it from Russia. So I got the Russia CIDR list from here [ipdeny.com] and added this:

      $testip = $_SERVER['REMOTE_ADDR'];
      // true if $IP falls inside the $CIDR block (one "a.b.c.d/n" line from the zone file)
      function ipCheck ($IP, $CIDR) {
        list ($net, $mask) = explode ("/", trim ($CIDR)); // split() was removed in PHP 7
        $mask = (int) $mask;
        $ip_net = ip2long ($net);
        $ip_ip = ip2long ($IP);
        if ($ip_net === false || $ip_ip === false) {
          return false; // malformed line or address: treat as no match
        }
        // network mask; /0 is special-cased so 1 << 32 never overflows on 32-bit PHP
        $ip_mask = ($mask == 0) ? 0 : ~((1 << (32 - $mask)) - 1);
        // mask both sides so an unaligned network address in the file still matches
        return (($ip_ip & $ip_mask) == ($ip_net & $ip_mask));
      }
      $CIDRs = file ("/path/to/ru.zone.file", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
      foreach ($CIDRs as $CIDR) {
        if (ipCheck ($testip, $CIDR)) {
          $act = "view"; // switches to viewing old comments rather than posting new one
          break;
        }
      }
      It's fast, and when comment spam shows up from other countries I don't care about, I'll block them too.
    • http://www.projecthoneypot.org/httpbl.php [projecthoneypot.org]

      What Is http:BL?

      Http:BL is a system that allows website administrators to take advantage of the data generated by Project Honey Pot in order to keep suspicious and malicious web robots off their sites. Project Honey Pot tracks harvesters, comment spammers, and other suspicious visitors to websites. Http:BL makes this data available to any member of Project Honey Pot in an easy and efficient way.

      There are plugins for WordPress, phpBB, and many others. Use http://www.projecthoneypot.org?rf=32167 [projecthoneypot.org] if you want to give me some credit when you register. Or not, whatever.

      • Re: (Score:3, Informative)

        by porneL ( 674499 )
        Project Honeypot's http:BL isn't handling dynamic IPs in any special way, so you have to be careful about these (combine with SORBS DUL and take into account age/threat that http:BL reports).
  • by dbolger ( 161340 ) on Monday July 30, 2007 @11:24AM (#20043137) Homepage
    I used to work in the abuse department of an ISP which had been blacklisted by SORBS. SORBS require a "donation" to get your IP range off their list, and since we refused to hand over extortion money to these gangsters, there was no way for us to deal with them. Despite our best efforts, we also found that there was no way to get in contact with them, and as such no way to help our customers.

    Doing a Google search for information about this lot brought up so many horror stories that I can't fathom how so many people ended up using their "service". It got to the stage where if we had a customer having trouble with SORBS blocking their mail, the only advice we could give was to contact their recipient via other means and ask them to stop using these thugs to filter mail.
    • Re: (Score:3, Interesting)

      Amen! I have run up against SORBS blocking as well, and we refused to pay them. Unfortunately, their blacklisting service is used by a major U.S. supplier of email addresses. (I can't remember which one at the moment.)

      Just say NO to SORBS!
      • Re: (Score:2, Interesting)

        by Akatosh ( 80189 )
        I guess whatever provider that was stopped, because I haven't heard a thing out of my users about Sorbs for a long time. They're irrelevant now, more so since Sorbs shut their spam list down a few weeks ago after the founder had a breakdown. Did anyone even notice? That's how irrelevant they are.
        • by naChoZ ( 61273 )

          We noticed. We were using their dynamic ip range list so we started noticing it pretty quickly.

          As for the extortion fee for getting off their list, we never had to pay it. We would explain the problem, note that we took steps to correct the issue, and they'd remove us with no fee. On one occasion where it really was our fault for fat fingering something and they really wanted to charge us the extortion fee, we just whimpered and cried and bowed and scraped a little bit and they took us off anyway wit

    • Re: (Score:3, Insightful)

      by ciscoguy01 ( 635963 )
      SORBS require a "donation" to get your IP range off their list, and since we refused to hand over extortion money to these gangsters, there was no way for us to deal with them.
      Which stinks to high heaven. I wish Matthew Sullivan wouldn't do that.

      There are many reasons someone who is not an actual wrongdoer could become listed as a spam source. I have little doubt the parent's organization was such a spam source and did not properly address the issue. They deserved it.
      It's not what problems you ha
      • Re: (Score:3, Interesting)

        by Zedrick ( 764028 )
        I have little doubt the parent's organization was such a spam source and did not properly address the issue. They deserved it.

        And what are you basing this belief on?

        As long as a site addresses the spam problem and gets results, reads their abuse mail and acts like a good net neighbor I have no problems with them. They should be delisted as soon as possible.

        Right. I work for a big webhost, which is blacklisted by SORBS from time to time. The problem is that they do not send abuse reports. (I handle abuse

        • Right. I work for a big webhost, which is blacklisted by SORBS from time to time. The problem is that they do not send abuse reports. (I handle abuse@mycompany and I do not miss or ignore one any mails). They blacklist, and expect you to pay. ...Which makes me think they're interested in the money, not preventing spam.

          That is wrong, then. They should send abuse reports.
          Are you sure there are no abuse reports?
          It's unlikely they would be *From: SORBS*.
          They might be anonymous, like the ones SPEWS rep
          • If the true goal is to go after the spammers, how does a DNSBL help this? You aren't going after the spammers, you're blocking the spam. I send out emails to about 300 members of my professional association. I get bounces saying some have been blocked by blacklist, but don't say who. How am I supposed to get off the blacklist? We never get an email from any blacklister. If we ever get blacklisted by SORBS or any other extortionist and they ask for money, we'll probably sue and/or file a criminal compl
            • Re: (Score:3, Insightful)

              by ciscoguy01 ( 635963 )
              If the true goal is to go after the spammers, how does a DNSBL help this?

              ISPs have customers, customers who want their mail to go through. Customers like you. If an ISP has lax abuse policies (or no abuse policies, or is a willing spam host) and you are a legitimate customer of that ISP, your mail may be blocked with the other legitimate customers of the ISP.
              You are not being listed, your ISP is.

              The DNSBL hopes you will call your ISP, and as a valuable customer demand they cure their spam problem
              • If an ISP's customer is spamming me all I can do is complain, and they can ignore me. You are their customer, you are influential and you want your mail to go through, so you are completely within your rights to demand they get rid of their spammers that are causing you problems. Your ISP can make a choice, either deal with spammers and all their legitimate customers go elsewhere or sue them, or get rid of the spammers and have you, legitimate customers.

                It makes perfect sense, doesn't it?


                The problem I have
                • The problem I have with your argument is the fact that it assumes that 100% of the people who are on the list deserve to be on there. It does not take into account human error in placing the address into the blocklist, or the fact that maybe the ISP caught the spammers themselves without being notified first and still got blacklisted.

                  I never said *100%* of the people that might find themselves blacklisted deserved to be there, but different blacklists have different goals. Some, like CBL are purely for
        • I agree with the goals of SORBS, but I had an experience recently which proved to me that they are utterly and completely worthless.

          A girl who works for a company that I support has never engaged in spamming in any way. Their corporate network is secure. Their mail is hosted by some company. They don't know the details, but their email usually "just works"
          She tries to send an email to a prospective client, and it gets bounced due to SORBS
          She calls her boss
          Her boss calls me, the company consultant.
          Cha
          • by fm6 ( 162816 )

            Persuade the webhost to switch ISP's. Not likely.

            Especially when the ISP is also the colo provider. Which is usually the case. Nobody is going to move their servers to a new data center without a lot of motivation. Like a meteor headed towards the old data center.

            I'm amazed that we're still talking about black lists at this late date. On top of all the nonsense with punishing innocent folks, screwing up legitimate email, increasing user costs, and accusations of extortion, there's one little detail everyo

            • Like a meteor headed towards the old data center.

              Webhost: "How big did you say this meteor is?... Oh, that big. Hmmm. I see... Is it going to take out the whole datacenter, or just part of it?... Ah. Ok... What kind of downtime are we talking about here?...
        • by dodobh ( 65811 )
          *shrug*. If you have a good working relationship with SORBS, you get unlisted very fast. That implies terminating spammers really quickly. If you are doing that, and consistently doing it, you might want to give SORBS a heads up on unlisting you (yes, they do it).
    • by keeboo ( 724305 )
      Well, we do use SORBS, but not the default filter they provide (which is way too aggressive).
      You may choose one more to your liking, as described here [sorbs.net]
      I believe the best is to pick "safe" things like open relays, ADSL IPs and only the recently added hosts.

      Yeah, I'm aware of all the horror histories on SORBS, but you know what? We maintain a public university mail server, the e-mail addresses are readily available everywhere (also, the users don't help either) AND we have a severe lack of techni

    • and since we refused to hand over extortion money to these gangsters, there was no way for us to deal with them

      Extortion is a good word for it, but I'd say protection racketeering [wikipedia.org] is a better one.
    • I see the spammers are out in force to day, to see this modded up to +5.

      SORBS does not ask for donations for a mere delisting. All you have to do is submit a request to their automated request system, and you will be delisted. I have actually done this for a customer of ours who got a false positive listing. 48 hours later, listing gone, and most of that was propagation delay.

      Mart
  • Local Whitelisting! (Score:5, Informative)

    by HitekHobo ( 1132869 ) on Monday July 30, 2007 @11:24AM (#20043139) Homepage
    Choosing a good DNSBL (or three!) is definitely important, but IMHO, you should NEVER run DNSBL's without building a local override into the system. We run our own DNSWL (dns whitelist) which is consulted before hitting on BLs... if a customer has had problems with one of their contacts being blacklisted, we can selectively add their IP to the list.

    Unrelated to the above, I would also recommend looking at ironport systems if this is a commercial project with a decent sized budget. (I am not affiliated, just a happy customer).
    • Choosing a good DNSBL (or three!) is definitely important, but IMHO, you should NEVER run DNSBL's without building a local override into the system.
      Having a whitelist is definitely important, but how you use the blacklist is even more important. The staff time required to simply maintain a whitelist of all the mistakes found in various blacklists is simply a waste. Better to use the blacklists in a mostly advisory capacity.

      :wes
  • They all have issues; all of them create headaches for administrators of legitimate e-mail servers at one time or another.
    • Re: (Score:3, Interesting)

      by seebs ( 15766 )
      Of course they do. That doesn't mean they're not good; it means they're not perfect.

      The fact is, without DNSBLs, the headaches would be worse. LOTS worse. Centralized blocking gives you some kind of theoretical hope of getting unblocked once you've fixed the problem. Decentralized blocking leaves you no chance at all. Furthermore, without tools like DNSBLs, administrators would be far too busy to even get to the point where they could have these headaches.

      I'd rather live in a world with a number of rea
      • by deviator ( 92787 )
        I think server-side and user-side spam filtering software would get a lot better more quickly if there were no DNSBLs. :)

        • by seebs ( 15766 )
          I don't think so. The thing you need is the ability to determine whether or not other people are getting substantively identical messages, and frankly, just blocking the bad networks is an order of magnitude more efficient.

          No, that's not right.

          It's at least three or four orders of magnitude more efficient.
    • Most DNSBLs have problems, and there are few that I'd trust absolutely, though Spamhaus runs a tight enough shop that I'd trust it. But DNSBLs can be used effectively to augment other tools:
      • SpamAssassin weights - most of the DNSBLs are worth a couple of points of SpamAssassin weight; even rabid ones like SORBS can give you some information, and the country-specific ones are also useful here (e.g. mail from China had better not look spammy at all.)
      • Greylist Augmentation - The big value of DNSBLs is that yo
    • Bollocks. I used to run email for a university with around 50,000 students (and around 500,000 deliverable email addresses - don't ask). We had one issue during 2 years which was a local college had got itself listed in one of the spamcop zones, because it had turned into a spam relay. So the DNSBL was working as desired. We whitelisted them as they had fixed the problem, but the listing expired around the same time anyway.

      During that period we were dumping about 50% of inbound mail thanks to DNSBLs, with

      • by deviator ( 92787 )
        Good spam filtering software can accomplish the same thing.

        We work with lots of customers who absolutely rely on e-mail for business correspondence: occasionally they are unwittingly listed in some RBL and removing them is a pain in the ass. Who made Joe of JOESCRAPPYDNSBL God, telling our customers' customers not to receive e-mail from them?

        Unfortunately there are a lot of very bad examples of DNSBLs, and there are a lot of very bad examples of e-mail admins out there - putting the two together just causes
  • by ebunga ( 95613 ) on Monday July 30, 2007 @11:27AM (#20043183)
    DNSBLs are subject to the whims of some of the most unreliable and whiny schmucks on the face of the planet. NEVER under any circumstances use a single DNSBL as an absolute block. Use it to increment a score along the lines of SpamAssassin that will eventually hit a threshold, preferably with a minimal content-based component. Don't even think about using multiple hits on multiple lists as a gauge of spam-worthiness. The amount of inbreeding and sharing among lists is disgustingly high. Not even the Spamhaus aggregate is trustworthy these days.

    Spammers can get around blacklists anyways. They're about as effective as locking a door made of tissue paper. The number of false positives is high. The amount of spam blocked is negligible. My suggestion is to abandon the idea altogether.
    • by Shaman ( 1148 ) <shaman AT kos DOT net> on Monday July 30, 2007 @11:34AM (#20043281) Homepage
      Sounds good, except it's not true. I was just on one of our spam systems (Barracuda 400) and the stats look something like this:

      20,000,000 blocked e-mails
      480,000 tagged e-mails
      90,000 viruses found
      135,000 quarantined messages (user choice to quarantine or not)
      610,000 delivered/approved mail

      To nobody's surprise, some spam is still getting through. This is in less than two weeks, and there are two servers to handle the load, the other one is more or less as bad.

      So what were you saying about not using blacklists?
      • Re: (Score:3, Insightful)

        by ion++ ( 134665 )
        how many of your 20,000,000 blocked emails are false positives? aka legit email.

        I would so much agree that using a DNSBL as an absolute block is a bad idea. I have experienced being caught up in them, and that is annoying. Even if the mailserver is removed some days later. Later is not soon enough, i want my email to arrive now.

        I would much rather suggest running some sort of spamassassin while the SMTP connection is still open, and if it looks like spam i would reject it. This can be parallelized if needed.

        I
      • by Pontiac ( 135778 )
        Sounds like your block numbers are about the same as ours..

        We run a 2 layer system with a cluster of St Bernard Eprism 2000 appliances and a software filter on the mailbox servers.

        Right now we reject 10 million a week on RBL
        Another 4.5 million in spam filters
        We pass about 400,000 as legitimate mail..
        Our virus rate is only 400 but the firewall is also doing AV filtering so I don't see what it's catching.

        The false positive rate is very low with the Borderware RBL list the Eprism devices use..

        I have more false
        • by Pontiac ( 135778 )
          I forgot a few points..

          Every new Block list you add adds another DNS lookup for each message you receive.

          You can configure a linux box running RBLDNSD to sync multiple block lists and perform a single lookup against all those lists on a single query..

          The down side to that is you won't know what list did the blocking but it's great for taking some load off the DNS server.
    • ...unless you have to.

      There is a lot of truth to the OP's statements. However, unless you have the budget for a commercial spam filtering application, there are not a lot of good solutions.

      Spamassassin is great for what it does, but in high volume environments, you will be throwing so much hardware, bandwidth and electricity at the problem that you'll either give up on filtering at all or break down and buy a commercial solution.

      DNSBL's give you a bit of breathing room between the two extremes. Our environm
      • by ebunga ( 95613 )
        At work, we don't use spamassassin. There are better, albeit more expensive tools that provide everything spamassassin does and more at a fraction of the cpu usage. You're doing about four times what my mail system handles on average. Our filtering system alone uses seven machines. Out of our entire load, less than 100,000 legitimate messages are received each day. The amount of legitimate mail is statistically insignificant. It's easier to say we receive 100% spam.

        Rather than subjecting ourselves to
      • The nice thing about a DNSBL is that it lets you reject with an error while the SMTP connection is still open. This means that even if you drop some emails, the sender is guaranteed to find out about it, and if it's important they can try again from (or to) another address or contact you some other way. This is preferable, in my mind, to having an email shuffled off into a spam folder by something like Spamassassin, where neither the sender nor recipient will find out about it for a long time.

        I prefer to

      • SpamAssassin and commercial solutions use a lot of CPU, but there are other low-CPU ways to defend yourself besides DNSBLs. Greylists are a popular one - mail from unknown mailserver addresses gets told to go away and try again in 5 minutes or an hour or whatever. They're currently effective against most zombies, and inherently effective against some of the stolen-address-space attacks, and because they're not permanently blocking mail, false positives aren't a problem. It works at the SMTP-header level,
    • by GReaper ( 86963 )
      Couldn't agree more with this.

      I use several DNSBLs at SMTP level, however instead of blocking any blacklisted IP they get greylisted. The majority of zombie machines never bother trying to resend the mail, so it cuts out a large amount of spam. Any blacklisted IP address which does successfully resend gets added to the whitelist so they don't have to bother with the greylist.

      For our users it works perfectly. Users from non-blacklisted IPs get their mail sent immediately, those who are blacklisted get a s
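The three ideas from this sub-thread put together in one policy: HitekHobo's local whitelist consulted before any list, ebunga's "increment a score, never block on a single list", and GReaper's "greylist the listed IPs and whitelist the ones that come back". This is an added Python example, not code from any poster or product; the list weights, thresholds and resolver answers are constructed so it runs offline.

```python
"""DNSBL-weighted SMTP policy: local whitelist first, then per-list scores,
then greylist or reject by threshold.  Added example, not code from the
thread; the resolver answers below are constructed so it runs offline."""
import ipaddress
import time

# Hypothetical per-list weights: no single list reaches REJECT_AT on its own,
# so a lone (or disputed) listing can only delay mail, never kill it outright.
LIST_WEIGHTS = {
    "zen.spamhaus.org": 3.0,
    "cbl.abuseat.org": 3.0,
    "list.dsbl.org": 2.0,
    "dnsbl.sorbs.net": 1.0,   # advisory weight only
}
GREYLIST_AT = 2.0        # score at/above this: 451, come back later
REJECT_AT = 5.0          # score at/above this: 550, two strong lists agree
GREYLIST_DELAY = 300.0   # seconds a greylisted sender must wait before retrying


def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_score(ip, resolve, weights=LIST_WEIGHTS):
    """Sum the weights of every list whose A answer is inside 127.0.0.0/8."""
    score, hits = 0.0, []
    for zone, weight in weights.items():
        if any(a.startswith("127.") for a in resolve(dnsbl_query_name(ip, zone))):
            score += weight
            hits.append(zone)
    return score, hits


class SmtpPolicy:
    def __init__(self, resolve, whitelist=(), clock=time.time):
        self.resolve = resolve
        self.whitelist = set(whitelist)   # local DNSWL equivalent, checked first
        self.greylist = {}                # (ip, sender, rcpt) -> first-seen time
        self.clock = clock

    def decide(self, ip, sender, rcpt):
        """Return (smtp_code, reason) for one MAIL FROM / RCPT TO pair."""
        if ip in self.whitelist:
            return 250, "local whitelist override"
        score, hits = dnsbl_score(ip, self.resolve)
        if score >= REJECT_AT:
            return 550, "listed on %s (score %.1f)" % (", ".join(hits), score)
        if score >= GREYLIST_AT:
            key = (ip, sender, rcpt)
            first_seen = self.greylist.setdefault(key, self.clock())
            if self.clock() - first_seen < GREYLIST_DELAY:
                return 451, "greylisted, retry later (score %.1f)" % score
            # A real MTA queued the message and retried; zombies mostly don't.
            # Remember the IP so it skips both the lists and the greylist next time.
            del self.greylist[key]
            self.whitelist.add(ip)
            return 250, "passed greylist, whitelisted"
        return 250, "score %.1f below greylist threshold" % score


# Constructed answers standing in for live DNS (documentation address ranges).
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "10.2.0.192.cbl.abuseat.org": ["127.0.0.2"],
    "7.100.51.198.list.dsbl.org": ["127.0.0.2"],
    "7.100.51.198.dnsbl.sorbs.net": ["127.0.0.10"],
}


def stub_resolve(name):
    """Stand-in resolver: unknown names behave like NXDOMAIN (no answers)."""
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    policy = SmtpPolicy(stub_resolve)
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, policy.decide(ip, "a@example.com", "b@example.net"))
```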
    • by KC7GR ( 473279 )
      "Spammers can get around blacklists anyways. They're about as effective as locking a door made of tissue paper. The number of false positives is high. The amount of spam blocked is negligible. My suggestion is to abandon the idea altogether..."

      Thank you for your suggestion. It will be duly ignored, laughed at, or similarly ridiculed by those of us who actually run our own mail systems, or are responsible for such at work.

      In my case, I'm self-hosted. Authoritative DNS for my domains, mail, web, Usenet, the w
    • I would suggest that you are uninformed, and do not run a high volume mail system.

      I'm responsible for a mid-sized mail system that receives an average of 10,000,000 connection requests per day. A good RBL is worth a lot to my employer.

      We use Spamhaus xbl-sbl, and Trend Micro's Network Reputation Service - which is a combination of the more static RBL+ (of MAPS fame) and the highly dynamic QIL list.

      Together, they drop approximately 92% of inbound connections to the SMTP server farm. This is a lot cheaper,
      • by Bronster ( 13157 )
        I was going to see who you are (since I'm a sysadmin for an Australian email provider as well) but your website links to a photo which links to a redirection to an HTTPS SVN repository that tells me to get fucked in no uncertain terms. Hmm.
  • DNS BL? DNS blacklist. Same number of syllables. DNS makes sense since it is only three syllables instead of "do-main name ser-vice (or Sys-tem)" which is 5 syllables.
    But BL for Blacklist? Nah.
    • by Anonymous Coward on Monday July 30, 2007 @11:42AM (#20043393)
      Greetings, sir,

      Allow me to introduce myself. I'm a representative of the Consortium of Common Sense. I've noticed you recently posted to an Internet-based conversation, complaining about the reduction of a nine-letter word to two letters via acronym. Your post referenced such things as numbers of syllables.

      Please look at your desk now, and slam your head down as hard as you can on it. Do you feel those weird little indentations in your forehead?

      THEY'RE CALLED KEYS - DID YOU NOT REALIZE THAT THINGS ARE TYPED, NOT SPOKEN, ON THE INTERNET?

      Thank you. Please let us know if you have any other ridiculous complaints.

      - Consortium for Common Sense
  • No...

    It's how quickly the maintainers of this particular DNSBL respond to your request to remove your ass from the list when they choose to blacklist you.

    We have multiple MTAs for a single mail domain, because when an attacker found some way to relay or bounce-back through one of our MTAs and cause it to be blacklisted by every major DNSBL on earth, we still have other MTAs to take up the job.

    Then we could spend the rest of the week asking to have that MTA removed from their DNSBL, by email, or worse, by forum.

    Trust me, i
  • I seldom trust the results of a single RBL. The best technique, and what SpamAssassin does, is to check against a ton of them. I myself have gotten my own server listed on a handful of blacklists, but not from sending out email. I just happened to be in the same Class C block as another server that had been a relay over a year ago. This became a problem with mail servers that would block your mail off of a single BL hit. I gave up trying to negotiate with the BL and my SP (Rackspace) and just changed t
  • I don't bother with blacklists. It's easier to just eliminate all traffic from whole countries. I get a spam from China. I look up the ISP. I block all traffic to/from that entire ISP's block. Done. Same thing for former Soviet states, and other such places. It works amazingly well. Of course, this doesn't help with zombified PC's, but neither does a DNS black list.
    • Actually, using a blacklist that is purely dynamic IPs works quite well for zombies. I won't recommend one in particular, but there are several lists with just this purpose.
      • Re: (Score:3, Informative)

        by Jeffrey Baker ( 6191 )
        Except the blacklists which are supposedly dynamic IPs contain tons of other shit. There is one which contains any IP which reverses to a name containing the letters "dsl". This is pretty stupid since a lot of business DSL lines have static IPs and because Speakeasy business T1 lines also reverse to whatever.city.dsl.speakeasy.net. Other ISPs have the same scheme, and they don't all delegate reverse DNS. I have a business MX hosted on a T1 line that's blocked by some blacklist that Earthlink uses. So I
  • no one has (yet) mentioned using the missing rDNS sendmail hack. [niu.edu] i block about 100,000 messages and servers per week using a combination of send_pause, blacklists, spamcop, iptables and the rDNS hack. rDNS routinely accounts for more than 50% of the spam that never makes it to my server.

    any mail server that doesn't have an rDNS lookup, in this day and age, is imho not worth accepting messages from.

    • I used to use this under postfix at a department of a large university, and, later, at a small software company. I was constantly *amazed* at the lack of "correct" DNS configuration out there. Rejecting SMTP connections based on the lack of rDNS does indeed block a TON of spam, but also results in much gnashing of teeth and pulling of hair for the admin who uses it.

      For a site with low, static email traffic, this is a great method. Otherwise, I wouldn't wish the resulting pain on anyone.

      Now... if I co

      • by fl!ptop ( 902193 )

        I was constantly *amazed* at the lack of "correct" DNS configuration out there

        i guess i should clarify - any rejected email is not simply sent to /dev/null, but is returned with an explanation that's unique to the tool used to reject it. the rDNS hack has 3 standard return error statements. wouldn't any reputable sysadmin *want* to know that his/her mail server does not have a properly configured zone file?

        • by Deagol ( 323173 )
          You would think people would act rationally and try to figure out things, but that's not usually the case. Usually the sender would simply see an error message, often repeated after a few attempts to email the same person, then contact the recipient by other means to tell them there was a problem on our end. They rarely (if ever) actually read the error message itself, which, though terse, should have been enough to clue them in that it was on their end. The sender rarely consulted w/ their own sysadmin/
      • by Akatosh ( 80189 )
        Checking for reverse dns is alright, checking to see if the forward dns works for said reverse dns makes admins cry because sooooo many people have 'reverse dns' that resolves to a hostname that points somewhere else, or doesn't exist, etc. In the sendmail hack given, you have three conditions near the bottom, FAIL, TEMP and FORGED. It's FORGED that causes the headaches (this verifies matching reverse/forward dns). Just remove that line and it will only verify that reverse dns exists.
    • by macdaddy ( 38372 )
      Lovely. So you're one of "those" people that interpret the standards as you see fit. Nice. So what you're saying here is that you're actually blocking all mail from people whose DNS is broken when you make your query. Or for people who have complete in-addr.arpa zones but the single UDP reply packet got lost along the way. That's rather expected considering UDP is of course "best effort" and "unreliable". I have no doubt that you're blocking a large amount of spam. That's a given. I also have no d
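The three outcomes Akatosh names for the rDNS check (FAIL, TEMP, FORGED), with the lost-UDP-reply case macdaddy raises handled as a temporary failure rather than a rejection. This is an added Python example, not the sendmail hack from the thread; the hostnames and lookup tables are constructed so it runs offline, and `require_forward=False` is the relaxed mode Akatosh describes (drop the FORGED condition, only require that a PTR exists).

```python
"""Reverse-DNS gate for an SMTP server: PASS / FAIL / FORGED / TEMP verdicts
mapped to SMTP replies.  Added example, not the sendmail rDNS hack; the
lookup tables below are constructed so it runs offline."""


class DnsTimeout(Exception):
    """Constructed stand-in for a lookup that got no reply (lost UDP, dead NS)."""


def classify_rdns(ip, lookup_ptr, lookup_a):
    """Classify a connecting IP.

    PASS   - a PTR name exists and one of its A records is the connecting IP
             (forward-confirmed reverse DNS)
    FAIL   - the address has no PTR record at all
    FORGED - a PTR exists but its forward lookup does not contain the IP
    TEMP   - DNS did not answer in time; not the sender's fault, so defer
    """
    try:
        names = lookup_ptr(ip)
    except DnsTimeout:
        return "TEMP", "PTR lookup for %s timed out" % ip
    if not names:
        return "FAIL", "no PTR record for %s" % ip
    for name in names:
        try:
            addrs = lookup_a(name)
        except DnsTimeout:
            return "TEMP", "A lookup for %s timed out" % name
        if ip in addrs:
            return "PASS", name
    return "FORGED", "%s -> %s does not resolve back to %s" % (ip, names[0], ip)


def smtp_response(ip, lookup_ptr, lookup_a, require_forward=True):
    """Map the verdict to an SMTP reply.  With require_forward=False only the
    existence of a PTR is required (FORGED is tolerated), which spares hosts
    whose reverse zone is merely sloppy rather than absent."""
    verdict, detail = classify_rdns(ip, lookup_ptr, lookup_a)
    if verdict == "FORGED" and not require_forward:
        verdict, detail = "PASS", detail + " (forward check disabled)"
    if verdict == "PASS":
        return 250, "ok (%s)" % detail
    if verdict == "TEMP":
        return 451, "try again later: " + detail   # 4xx: sender's MTA will retry
    return 550, "reverse DNS %s: %s" % (verdict.lower(), detail)


# Constructed lookup tables (documentation address ranges, invented host names).
TIMEOUT = object()
PTR_TABLE = {
    "192.0.2.10": ["mail.example.org"],          # proper FCrDNS
    "198.51.100.7": ["host7.dsl.example.net"],   # PTR points at a different host
    "203.0.113.5": [],                           # no PTR at all
    "203.0.113.9": TIMEOUT,                      # resolver never answered
}
A_TABLE = {
    "mail.example.org": ["192.0.2.10"],
    "host7.dsl.example.net": ["198.51.100.200"],
}


def stub_lookup_ptr(ip):
    names = PTR_TABLE.get(ip, [])
    if names is TIMEOUT:
        raise DnsTimeout(ip)
    return names


def stub_lookup_a(name):
    return A_TABLE.get(name, [])


if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip, smtp_response(ip, stub_lookup_ptr, stub_lookup_a))
```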
    • any mail server that doesn't have an rDNS lookup, in this day and age, is imho not worth accepting messages from.

      Oh, I agree wholeheartedly. So do AOL. So do a whole lot of other places.

      The problem is, I work for a University. I can't do it. There are too many stupid admins out there, and they're ALL working for sites that are considered important "offshore partners". Hell, I have enough trouble dealing with offshore agents whose outbound mailservers are in dynamic dial-up ranges - I kid you not. I'd d

  • I have had very good luck using Spamhaus and cbl.abuseat.org. I use it to outright block spam and have never had a problem with legitimate email. I go one step further, however, and block several countries. I don't know anybody in those countries, like China, Russia and Nigeria, so I just block them entirely. That has also made a huge difference.

    -Aaron
    • by Bandman ( 86149 )
      Seconded. I use cbl.abuseat.org, and it dropped my spam-in-inbox a huge amount. It's hard to quantify exactly, since people have their own spam filters as well, but everyone in my organization has remarked on its success.
  • I use the list to score how long e-mail is greylisted and scoring in SpamAssassin. DNSBLs are notorious for being political and having false positives. So a scoring system works better. Low scores for the worst offenders and higher spam scores for the better DNSBL.
    • DNSBLs are a really good combination with greylisting - some of the sites you don't want to hear from are running real SMTP servers, but many of them are running zombieware or tuned-for-speed spamware, and setting your greylists to discourage them for a couple of hours instead of just five minutes can help. Also, while greylisting can block legitimate mail from dialup users, it's no problem for DSL/cable users, so you can use those DNSBLs to keep longer greylist times on those, which will also discourage z
      • by cpghost ( 719344 )

        I'm a huge fan of TMDA, but I dropped it a few months ago, because greylisting, DNSBLs and very stringent checks at SMTP level managed to drop the amount of spam to less than 0.5% of all legit mail, while keeping the amount of false positives to a bare minimum. Almost all mails that TMDA autoresponded to were legitimate anyway after all the previous combing. Basically, there was no need to use TMDA anymore.

        Actually, I was lucky, because shortly after I stopped TMDA, my domain was hit by a huge tidal

  • Anyone have any experience with fake MX records [apache.org]?

    I find the idea sort of intriguing, but I have doubts that it'll work for long in the ever-escalating arms race of spam...
  • Checking the logs from my domain last night...

    Spam blocking by site:
    zen.spamhaus.org: 314
    dnsbl.sorbs.net: 28
    bl.spamcop.net: 40
    psbl.surriel.com: 24

    Not bad for a single-user domain.
    • >dnsbl.sorbs.net: 28

      Yeah, and those 28 will never be removed, regardless of false positives. SORBS wants 50 dollars per delisting. How this is different from a criminal protection racket is beyond me.
  • There are two reasons for a blacklist. Reason 1 is simply to identify probable spam sources. Reason 2 is political. It's a boycott of certain organisations whose policies the maintainer decides are reprehensible. Make sure you use the right sort. If you agree with the political motivations of the maintainer, use the second type by all means but make sure you know the reason things are being blocked.

    The problem with several DNSBLs is that they are the second type masquerading as the first type. Sinc
  • FEATURE(`dnsbl', `sbl-xbl.spamhaus.org', `"550 Rejected: Your IP address has been used to send spam. " $&{client_addr} " listed at sbl-xbl.spamhaus.org"')
    FEATURE(`dnsbl', `list.dsbl.org', `"550 Rejected: Your IP address has been used to send spam. " $&{client_addr} " listed at list.dsbl.org"')
    FEATURE(`dnsbl', `cn.ascc.dnsbl.bit.nl', `"550 Rejected: Due to a high volume of spam we do not accept mail from China. " $&{client_addr} " listed at cn.ascc.dnsbl.bit.nl"')
    FEATURE(`dnsbl'
  • No Blocking (Score:3, Interesting)

    by rawg ( 23000 ) <phill@ken[ ]r.com ['oye' in gap]> on Monday July 30, 2007 @01:52PM (#20045385) Homepage
    I have found that my customers don't want me to block spam. I would get complaints from customers not getting their mail from hosts that are being blocked. So I use Spamassassin to tag the spam and filters on my clients to delete it. Yep, I have to process all that spam and yep the customers have to download all that spam, but I don't get any phone calls anymore.
    • Re: (Score:3, Interesting)

      And doing so is entirely your choice, and no one other than your boss (unless you are the boss) has any business telling you to do otherwise.

      I am curious though, if you (or your boss) are happy with the loss of profits involved due to increased bandwidth and server resource costs that go with that choice (Or, if you've raised your prices to offset that, if your customers are happy with that).
  • by IGnatius T Foobar ( 4328 ) on Monday July 30, 2007 @02:41PM (#20046071) Homepage Journal
    To truly make blacklists useful, you've got to filter not only mail coming from IP addresses listed within them, but also mail containing URLs that resolve to IP addresses listed within them. Once you implement this, you will see a *dramatic* drop in spam. Spammers can move their delivery systems from place to place, but at some point they've got to advertise a web site. Yes, the stock spam will still get through, as well as some others, but over the years I've spent administering (and developing) email systems, this was the single most effective thing I've ever seen.

    Happily, these tests are already present in SpamAssassin; they're just not scored highly enough. Here's a nice easy way to fix that. Edit your /etc/mail/spamassassin/local.cf and add these lines:

    # High score for URL's whose IP addresses are in rbl
    score URIBL_AB_SURBL 10
    score URIBL_JP_SURBL 10
    score URIBL_OB_SURBL 10
    score URIBL_PH_SURBL 10
    score URIBL_SBL 10
    score URIBL_SC_SURBL 10
    score URIBL_WS_SURBL 10

    Restart spamd, and you will immediately see a large drop in spam.
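As an added example of the URI-based check described above (not the commenter's code and not SpamAssassin's own URIBL implementation): extract the hosts advertised in a message body, resolve them, and query each address in a DNSBL zone using the reversed-octet convention, scoring a hit the way the local.cf lines above do. The resolver is injected so it runs offline; the zone name, sample records and message body are constructed placeholders, and the code handles IPv4 only.

```python
import re
from ipaddress import ip_address, ip_network

class Nxdomain(Exception): pass       # authoritative "no such name" (not listed)
class LookupTimeout(Exception): pass  # no reply: no evidence either way

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
LISTED = ip_network("127.0.0.0/8")    # DNSBLs answer a hit with a 127.x.y.z A record

def dnsbl_query_name(ip, zone):
    """Standard DNSBL form: 192.0.2.10 in zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org."""
    octets = str(ip_address(ip)).split(".")      # IPv4 only in this example
    return ".".join(reversed(octets)) + "." + zone

def uri_hosts(body):
    """Hostnames advertised in http(s) URLs in the body, lower-cased and de-duplicated."""
    return sorted({m.group(1).lower().rstrip(".") for m in URL_HOST_RE.finditer(body)})

def score_uri_dnsbl(body, zone, a_lookup, weight=10):
    """Resolve each advertised host and look its IPs up in zone. A timeout adds nothing."""
    score, listed = 0, []
    for host in uri_hosts(body):
        try:
            ips = a_lookup(host)
        except (Nxdomain, LookupTimeout):
            continue
        for ip in ips:
            try:
                answers = a_lookup(dnsbl_query_name(ip, zone))
            except (Nxdomain, LookupTimeout):
                continue                          # not listed, or no usable answer
            if any(ip_address(a) in LISTED for a in answers):
                score += weight                   # same idea as "score URIBL_... 10"
                listed.append(host)
                break
    return score, listed

# Constructed offline resolver data; ZONE is a placeholder, not a real DNSBL zone.
ZONE = "uribl.example.invalid"
SAMPLE_A = {"www.example.net": ["192.0.2.10"], "slow.example.com": LookupTimeout,
            "cheap-meds.example.org": ["198.51.100.7"],
            dnsbl_query_name("198.51.100.7", ZONE): ["127.0.0.2"]}   # listed address
SAMPLE_BODY = ("Docs: http://www.example.net/ buy: HTTP://Cheap-Meds.example.org/x "
               "and http://slow.example.com/")

def sample_a(name):
    answer = SAMPLE_A.get(name, Nxdomain)        # unknown name -> NXDOMAIN
    if isinstance(answer, type):
        raise answer                              # stored exception class -> raised
    return answer
```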
  • Using an RBL lets an untrustworthy third party censor email being sent to your users.

    Do not use one. /Mike
