On Mon, 13 Oct 2008, Aaron Wolfe wrote:
On Mon, Oct 13, 2008 at 6:05 PM, Justin Piszcz <[EMAIL PROTECTED]> wrote:
On Mon, 13 Oct 2008, Joey wrote:
-----Original Message-----
From: Justin Piszcz [mailto:[EMAIL PROTECTED]
Sent: Monday, October 13, 2008 5:37 PM
To: Joey
Subject: RE: Finally blocking some spam
What anti-spam measurements do you currently use?
What does your main.cf look like?
(Snip)
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client ix.dnsbl.manitu.net,
    check_recipient_access hash:/etc/postfix/filtered_domains
smtpd_restriction_classes = from_freemail_host
soft_bounce = no
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport,
    hash:/etc/postfix/transport_bounce
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
1. You are not using rhsbls, which can be HIGHLY valuable, at the helo,
sender and client level.
Which are still working and accurate enough to block with? I had kind
of given up on these for blocking and moved them all into SA scoring
rules. I'm interested to know anyone's recent experiences.
I have done some extensive testing with all of the RHSBLs I could find that
still work (39):
abuse.rfc-ignorant.org
adv.rhs.mailpolice.com
badconf.rhsbl.sorbs.net
ban.zebl.zoneedit.com
bl.deadbeef.com
block.rhs.mailpolice.com
bl.open-whois.org
bogusmx.rfc-ignorant.org
bulk.rhs.mailpolice.com
cart00ney.surriel.com
dnsbl.antispam.or.id
dnsbl.cyberlogic.net
dnsbl.isoc.bg
dnsrbl.swinog.ch
dnswl.isoc.bg
dnsbl.othello.ch
dob.sibl.support-intelligence.net ** bad (.org issue)
dsn.rfc-ignorant.org
dynamic.rhs.mailpolice.com
endn.dnsbl.net.au
ex.dnsbl.org
fraud.rhs.mailpolice.com
in.dnsbl.org
jwrh.dnsbl.net.au
l1.apews.org
multi.surbl.org
multi.uribl.com
nomail.rhsbl.sorbs.net
orid.dnsbl.net.au
porn.rhs.mailpolice.com
postmaster.rfc-ignorant.org
rddn.dnsbl.net.au
rhsbl.ahbl.org
rhsbl.sorbs.net
spamdomain.block.transip.nl
uribl.swinog.ch
webmail.rhs.mailpolice.com
whois.rfc-ignorant.org
zebl.zoneedit.com
--
The best, most useful and safe are as follows:
black.uribl.com
multi.surbl.org
multi.uribl.com
rhsbl.ahbl.org
These are the top four I have come across; while some may experience false
positives, I have yet to notice any with these.
reject_rhsbl_helo black.uribl.com,
reject_rhsbl_sender black.uribl.com,
reject_rhsbl_client black.uribl.com,
reject_rhsbl_helo multi.surbl.org,
reject_rhsbl_sender multi.surbl.org,
reject_rhsbl_client multi.surbl.org,
reject_rhsbl_helo multi.uribl.com,
reject_rhsbl_sender multi.uribl.com,
reject_rhsbl_client multi.uribl.com,
reject_rhsbl_helo rhsbl.ahbl.org,
reject_rhsbl_sender rhsbl.ahbl.org,
reject_rhsbl_client rhsbl.ahbl.org
For more aggressive checks on other domains, I may use:
reject_rhsbl_client bogusmx.rfc-ignorant.org,
reject_rhsbl_helo bogusmx.rfc-ignorant.org,
reject_rhsbl_sender bogusmx.rfc-ignorant.org,
reject_rhsbl_client dsn.rfc-ignorant.org,
reject_rhsbl_helo dsn.rfc-ignorant.org,
reject_rhsbl_sender dsn.rfc-ignorant.org
Or to be extremely aggressive:
reject_rhsbl_client bl.open-whois.org,
reject_rhsbl_helo bl.open-whois.org,
reject_rhsbl_sender bl.open-whois.org,
reject_rhsbl_client uribl.swinog.ch,
reject_rhsbl_helo uribl.swinog.ch,
reject_rhsbl_sender uribl.swinog.ch,
reject_rhsbl_helo dnsbl.othello.ch,
reject_rhsbl_sender dnsbl.othello.ch,
reject_rhsbl_client dnsbl.othello.ch
Justin.
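
An added example (not part of the thread, and not Postfix code): before moving an RHSBL from scoring into reject_rhsbl_* rules, replay known-good sessions against it and see what would have been rejected. The sample sessions, the *.rhsbl.example zones and fake_resolver are constructed; the sketch assumes each check looks up the exact name <domain>.<zone> and treats any A record as a listing.

```python
import socket

def rhsbl_query_name(domain, zone):
    """Name looked up for an RHSBL check: <domain>.<zone>."""
    return f"{domain.strip('.').lower()}.{zone.strip('.').lower()}"

def system_resolver(name):
    """Return the A record for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def session_domains(helo, sender, client_hostname):
    """Map each reject_rhsbl_* check to the domain it tests."""
    return {
        "reject_rhsbl_helo": helo,
        "reject_rhsbl_sender": sender.rsplit("@", 1)[-1],
        "reject_rhsbl_client": client_hostname,
    }

def audit(zones, sessions, resolve=system_resolver):
    """For each zone, list the (check, domain, answer) hits on known-good mail."""
    report = {}
    for zone in zones:
        hits = []
        for session in sessions:
            for check, domain in session_domains(*session).items():
                answer = resolve(rhsbl_query_name(domain, zone))
                if answer is not None:
                    hits.append((check, domain, answer))
        report[zone] = hits
    return report

# Constructed sample data: known-good sessions (helo, sender, client rDNS).
KNOWN_GOOD = [
    ("mail.partner.example", "billing@partner.example", "mail.partner.example"),
    ("mx1.customer.example", "alice@customer.example", "mx1.customer.example"),
]

def fake_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    if name.endswith(".wild.rhsbl.example"):
        return "127.0.0.2"  # a zone that answers for every name
    listed = {"customer.example.strict.rhsbl.example": "127.0.0.2"}
    return listed.get(name)

if __name__ == "__main__":
    zones = ["clean.rhsbl.example", "strict.rhsbl.example", "wild.rhsbl.example"]
    for zone, hits in audit(zones, KNOWN_GOOD, fake_resolver).items():
        print(f"{zone}: {len(hits)} false positives {hits}")
```

A zone that hits every known-good session, like the constructed wild.rhsbl.example here, is answering for all names and would reject all mail if used with reject_rhsbl_*.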