Hello again,

On Sun, 10 Feb 2019, Gene Heskett wrote:

> most of what gets my attention comes from local to the US servers

Well the USA _is_ the world's number one spam source. :(

> , like earthlink.

In addition to DNSBL stuff I operate ten local blacklists - see my blacklist list below. Earthlink is explicitly listed here in the list which rejects on the client server's 'HELO' greeting but certain ASNs, network blocks and individual IPs also get the boot.

Where possible local blacklists are consulted before going out to DNS-based block lists like Spamhaus, as it's much more efficient and will also work for new spam sources which the DNS based lists haven't yet had enough reports about to consider listing.

For the avoidance of doubt, _all_ connections from _all_ earthlink servers are rejected by our servers.

On Sun, 10 Feb 2019, J.R. wrote:

> Trying not to get too far off topic ...

Until someone persuades me otherwise, IMO anything which tends to make the use of ClamAV more efficient and/or more effective is on topic for this list. :)

> ... if you reject based on the hostname of the mail server ...
> ... red flags ...

+1, and you can also look for other red flags at each stage of the SMTP conversation, including mail headers. Here are my blacklists at the moment:

xm_connect_blacklist  (some hostnames, domains and even TLDs are dire)
xm_country_blacklist  (some countries send me nothing but spam)
xm_whois_blacklist    (even some registrars are dire)
xm_ASN_blacklist      (some ASNs are especially dire)
xm_helo_blacklist     (full/partial domain names, TLDs e.g. 'local' here)
xm_envfrom_blacklist  (full or partial address/domain name/TLD)
xm_SPF_blacklist      (see if the sender's SPF record contains red flags)
xm_RP_blacklist       (see if the sender's Responsible Party flags up red)
xm_rcpt_blacklist     (I have numerous spam trap addresses etc.)
xm_header_blacklist   (spam software often writes red flag headers)

There's also a list of DNS-based block lists like Spamhaus.

Anyone is welcome to all these lists, although they're very much personalised to our situation. In any case to use some of them effectively might take quite a bit of work.

I don't have at my fingertips much in the way of useful statistics for the relative effectiveness of the various blacklists, but if anyone is interested I can process the logs for the last couple of years and come up with some rough numbers like the 1.3% that I mentioned earlier (that is effectively what's left after mail has been run past the blacklists).

--
73,
Ged.
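
Added example, not part of the message above and not the poster's own configuration: the ordering it describes (local lists checked at each SMTP stage, a DNS-based list queried only for sessions that pass them all), written as a small Python policy function. Only the xm_* list names come from the message; the list entries, the session fields, the `dnsbl.example` zone and the injected resolver are assumptions made so that it runs offline.

```python
import ipaddress

# Constructed sample entries; only the xm_* list names come from the message.
LOCAL_LISTS = [  # (SMTP stage, list name, entries), in conversation order
    ("connect", "xm_connect_blacklist", {"bad-host.example"}),
    ("helo",    "xm_helo_blacklist",    {"local", "spammy.example"}),
    ("envfrom", "xm_envfrom_blacklist", {"bulk.example", "promo@shop.example"}),
    ("rcpt",    "xm_rcpt_blacklist",    {"trap@mydomain.example"}),
]

def matches(value, entries):
    """Full address, full domain, or partial domain/TLD match on a label boundary."""
    value = value.lower().rstrip(".")
    domain = value.rsplit("@", 1)[-1]
    return any(value == e or domain == e or domain.endswith("." + e)
               for e in entries)

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def evaluate(session, dnsbl_is_listed, zone="dnsbl.example"):
    """Return (verdict, reason, dns_queries_made) for one SMTP session dict."""
    for stage, name, entries in LOCAL_LISTS:
        value = session.get(stage)
        if value and matches(value, entries):
            return ("reject", f"{name} ({stage}={value})", 0)  # no DNS needed
    # Only sessions that pass every local list cost a DNS round trip.
    if dnsbl_is_listed(dnsbl_query_name(session["ip"], zone)):
        return ("reject", f"dnsbl {zone}", 1)
    return ("accept", "passed all lists", 1)

if __name__ == "__main__":
    # Stand-in resolver and sessions (constructed data, documentation IP ranges).
    listed = {"7.113.0.203.dnsbl.example"}
    sessions = [
        {"ip": "192.0.2.10", "helo": "mx.spammy.example"},
        {"ip": "203.0.113.7", "helo": "mail.ok.example",
         "envfrom": "a@ok.example", "rcpt": "user@mydomain.example"},
        {"ip": "192.0.2.44", "helo": "mail.ok.example",
         "envfrom": "a@ok.example", "rcpt": "trap@mydomain.example"},
    ]
    for s in sessions:
        print(s["ip"], evaluate(s, listed.__contains__))
```

In a live MTA each stage is evaluated as the client sends it, and `dnsbl_is_listed` would be a real DNS A-record lookup of the generated name.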