On Thursday 20 August 2009 22:56:31 Olivier Nicole wrote:
> >     I'm running postfix, amavisd-new and spamassassin. Currently in my
> > postfix smtpd_recipient_restrictions right at the end last thing I have
> > some rbl checks. I'm wondering if that's the best place for them or
> > should I disable that and activate them in spamassassin? Suggestions
> > welcome.
>
> This is a difficult question.

I disagree.

First part I'd pick on is "some rbl checks". Know your DNSBL. Read
their policies. Subscribe to announce lists if they offer it. Many
HOWTOs you might find on the 'net show an assortment of DNSBLs being
queried, and beginners quite foolishly copy that assortment without
thought. Big mistake!

The only DNSBL I would recommend for widespread use is Zen,
http://www.spamhaus.org/zen/ . The "Caution" advised is easily
addressed in Postfix by putting restrictions to permit relaying ahead
of the reject_rbl_client lookup: precisely as Dave has it. But do note
that there's a risk in using a DNSBL in content inspection.

> Do you really 100% trust the rbl you are using to have no false
> positive (some were listing gmail.com recently)?

1. Again, know your DNSBL.
2. Gmail is not squeaky clean, it's no surprise that they end up in
   DNSBLs at times. I think this was SORBS. They also get into the
   automated Spamcop DNSBL. It's not a "false positive", because they
   were listed for actually relaying spam. (Most of the 419's I see
   tend to come from gmail.)
3. If Zen makes a mistake or gets too aggressive, I guarantee yours
   will not be the only site blocking mail from that sender. The
   sending site is going to have to resolve the issue.
4. Quite often the real mail blocked by Zen is XBL. That's typically
   important as a wake-up call to the administrator of the blocked
   site; perhaps they have a virus or 37 spewing. (BTDT, myself.)
5. A reject_rbl_client "false positive" results in the sender getting
   an immediate bounce. The sender knows the mail was not delivered.
   Rejection in a post-queue content_filter requires the difficult
   choice: do you bounce, and risk getting yourself listed as a
   backscatter source? Or, do you deliver to quarantine, and risk
   having real mail lost in the deluge? Or, do you just give it all
   to our friend Dave Null, and ensure that real mail will be lost
   sooner or later?

> If yes, then you can keep the rbl in postfix, it rejects the email
> at earlier stage.
>
> If no, you better test rbl in SA, as the rbl test only contributes
> to the final score.
>
> I personally use the second.

And that's a misuse of a good RBL. Sure, some of them are more
appropriate in scoring. Don't use those with reject_rbl_client.

It's also a huge waste of bandwidth and resources. It varies from
site-to-site and even from user-to-user, but my rough unscientific
estimate is that about 90% of all SMTP traffic is abuse. What is the
point in filtering through all that garbage, only to make your mail
less safe and reliable than it would have been, if using the DNSBL
properly?

The choice is clear, to me.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

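Added example, not part of the message above and not Postfix's own code: a small check for the ordering the reply describes, where the restrictions that permit relaying come ahead of the reject_rbl_client lookup. The helper names and both sample values are constructed for illustration; on a real host the input would be the output of `postconf -h smtpd_recipient_restrictions`.

```python
import re

# Real Postfix restriction names that let a site's own users relay.
RELAY_PERMITS = ("permit_mynetworks", "permit_sasl_authenticated")


def tokenize(value):
    """Split a restriction list the way Postfix does: commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def lint_rbl_order(value):
    """Return findings for one smtpd_recipient_restrictions value (hypothetical helper)."""
    tokens = tokenize(value)
    findings = []
    rbl_at = [i for i, tok in enumerate(tokens) if tok == "reject_rbl_client"]
    if not rbl_at:
        return findings  # no DNSBL rejection here, nothing to order
    first = rbl_at[0]
    zone = tokens[first + 1] if first + 1 < len(tokens) else "(no zone given)"
    for permit in RELAY_PERMITS:
        # Restrictions are evaluated left to right and the first match wins,
        # so a permit placed after the lookup never protects a listed client.
        if permit in tokens and tokens.index(permit) > first:
            findings.append(
                f"{permit} follows reject_rbl_client {zone}: "
                "your own relaying users can be rejected if their address is listed"
            )
    return findings


# Constructed sample values, not taken from anyone's real main.cf.
GOOD = """permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_rbl_client zen.spamhaus.org"""
BAD = """reject_rbl_client zen.spamhaus.org, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination"""

if __name__ == "__main__":
    for name, value in (("GOOD", GOOD), ("BAD", BAD)):
        problems = lint_rbl_order(value)
        print(name, "ok" if not problems else "")
        for p in problems:
            print("  -", p)
```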