On 8/29/2016 8:45 AM, Bryan Vest wrote:
We have built a very complex outbound mail verification system but we
can't stop 100% of the spam 100% of the time so some does slip out.

Good for you that you are working hard to prevent outbound spam. In addition to using RBLs, here are a couple of other suggestions (that you may already be doing):

(1) consider also doing checks on the domains found in the clickable links of outbound messages, checking them against various URI/domain blacklists (SURBL, etc). (the "etc" is key here as certain URI lists are often much faster-reacting than SURBL, for some spam campaigns) If such content filtering is too resource-intensive, then consider doing random sampling checks.

(2) rate limit (or otherwise limit) outbound messages per each SMTP-authenticated account--so one account can't suddenly go from averaging 12 outbound messages per day, to >500... stuff like that is OFTEN a sign of a compromised mail account

(3) CAREFUL--remember that some shared IPs are going to see a combination of (a) non-authenticated botnet-sent spams sent (from a virus on some infected workstation) -AND- (b) smtp-authenticated legit mail sent from some person's Outlook or Thunderbird mail client. In that situation, going too hard on a sender due to an RBL could cause too much collateral damage--therefore, for THAT scenario, the smtp-authenticated outbound mail should be allowed, while the non-authenticated inbound messages should be blocked. Then again... this might conflict with strategies that use RBLs to limit smtp-authenticated outbound spam sent from compromised accounts?

I know there are some system vendors that have a set of RBLs built into
their systems but what are the default RBLs, how many admins would
even know how to figure out?

"default RBLs" is subjective. But one place you might want to look at... is to see what RBLs are currently the default RBLs in SpamAssassin. But keep in mind that those won't include any commercial RBLs... so it isn't a comprehensive list... and even some of those are most appropriate for a scoring system, and shouldn't be used for outright blocking (or there would be too many FPs). You can get an idea from how high SA scores each particular RBL.

There have been some good articles written recently about the better RBLs. Do a search engine lookup on "best spam blacklists" (or similar searches) to find them. (look for articles written within the past couple of years--older reviews often have horribly outdated information)

I hope this helps!
--
Rob McEwen


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
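
Suggestion (2) in the message above, sketched as a per-account sliding-window limiter. This is an added example and not part of the original message or any mail server's own code. The class and function names, the 24-hour window, the 10x spike factor, the floor of 100, counting recipients instead of messages, and the sample events are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed accounting window
MIN_LIMIT = 100                # assumed floor so new/quiet accounts stay usable
SPIKE_FACTOR = 10              # assumed multiple of the account's daily average


class OutboundLimiter:
    def __init__(self, baselines):
        self.baselines = baselines        # account -> average recipients/day
        self.sent = defaultdict(deque)    # account -> timestamps inside WINDOW

    def limit_for(self, account):
        return max(MIN_LIMIT, SPIKE_FACTOR * self.baselines.get(account, 0))

    def allow(self, account, when, recipients=1):
        """Return True to accept, False to defer (e.g. SMTP 4xx) and alert."""
        q = self.sent[account]
        while q and when - q[0] >= WINDOW:   # drop entries older than WINDOW
            q.popleft()
        if len(q) + recipients > self.limit_for(account):
            return False
        q.extend([when] * recipients)        # count recipients, not messages
        return True


def replay(events, baselines):
    """Feed (account, time, recipients) events; return {account: [ok, deferred]}."""
    limiter = OutboundLimiter(baselines)
    totals = defaultdict(lambda: [0, 0])
    for account, when, rcpts in sorted(events, key=lambda e: e[1]):
        totals[account][0 if limiter.allow(account, when, rcpts) else 1] += 1
    return dict(totals)


# Constructed sample data: both accounts average 12 recipients/day.
T0 = datetime(2016, 8, 29, 8, 0)
BASELINES = {"alice": 12, "bob": 12}
EVENTS = [("alice", T0 + timedelta(hours=h), 1) for h in range(12)]
# "bob" suddenly sends 500 single-recipient messages within about 8 minutes.
EVENTS += [("bob", T0 + timedelta(seconds=s), 1) for s in range(500)]

if __name__ == "__main__":
    for account, (ok, deferred) in sorted(replay(EVENTS, BASELINES).items()):
        print(f"{account}: accepted={ok} deferred={deferred}")
```

Deferring instead of rejecting lets a legitimate sender's mail client retry after an administrator has reviewed the alert and raised the limit.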
