> [attribution of quotes reconstructed]
> On Sat, Aug 17, 2013 at 12:54:44AM -0700, Grant wrote:
> Noel:
>> > However, I wonder why you don't have any dns blacklists such
>> > as zen.spamhaus.org defined there. The ability of postscreen
>> > to reject known bad sites without using precious smtpd
>> > processes is one of its key features.
> Grant:
>> > I would just rather have a false negative than a false positive.
>> > I get a pretty small amount of spam at this point so I don't
>> > think reducing it further is worth increasing the chances of a
>> > false positive.
> Charles:
>> > From what (little) I know about how postscreen works, rejecting
>> > the known bad sites doesn't really have any (substantive) chance
>> > of false positives, but it provides much more than just
>> > protection from spam - it protects you from the botnets/zombies
>> > hammering your server needlessly.
>>
>> Do you mean there aren't any legitimate servers listed in
>> zen.spamhaus.org?
>
> Zen is a composite list, and indeed it is intended to be safe for
> widespread use.
>
> SBL (Spamhaus Block List) lists IP addresses which are known to be
> under the control of spammers.
>
> XBL (Exploits Block List) lists IP addresses which are actively
> spewing bot spam. Legitimate servers are occasionally listed in XBL,
> because they meet that condition. Some short time after they stop
> their abuse, they are delisted. Typically this is less than a day.
>
> PBL (Policy Block List) lists IP addresses which, according to the
> netblock owners, should not normally be sending legitimate email.
> Exceptions can be made for hosts with custom PTR upon request. Many
> colocation providers submit their networks for PBL, but removal is
> easy.
>
>> When I switched servers a while back, the new IP
>> I received was listed on several blacklists and it was a hassle
>> to get them removed.
>
> Far better that you go through that step than the Internet be exposed
> to more spam.

I agree, but the fact is that not everyone will go through that step.

> All that said, to address a point from Charles above, sure, it is
> possible for an over-eager person to make a postscreen which will
> block non-spam. Here's my example postscreen configuration which is
> intended to be safe and reasonable for most uses:
> http://rob0.nodns4.us/postscreen.html

Do you use that config on a commercial mail server? I don't mean to
say that you shouldn't, I'm just wondering if you do. In a commercial
environment, the penalty for a false positive is a customer unable to
reach the company behind the server which just isn't tolerable.

- Grant
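
Added example, not part of the thread or of the linked configuration: a Python sketch of how a single zen.spamhaus.org lookup can be split back into the SBL, XBL and PBL components described above and scored per component, so that a cautious site can require more evidence before rejecting. The return-code mapping is Spamhaus's published one; the weights, threshold, function names and sample answers are constructed for illustration.

```python
import ipaddress

ZONE = "zen.spamhaus.org"
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

def query_name(client_ip, zone=ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def sublist(answer):
    """Map one A-record answer from zen to the component list it signals."""
    addr = ipaddress.IPv4Address(answer)
    if addr in ERROR_NET:
        # e.g. query sent through a public resolver: an error, not a listing
        return "ERROR"
    if addr not in LISTING_NET:
        return "UNKNOWN"
    last = int(addr) & 0xFF
    if last in (2, 3, 9):      # SBL family (SBL, CSS, DROP)
        return "SBL"
    if 4 <= last <= 7:         # XBL
        return "XBL"
    if last in (10, 11):       # PBL (ISP- or Spamhaus-maintained)
        return "PBL"
    return "UNKNOWN"

# Hypothetical policy: SBL alone rejects; XBL or PBL alone does not,
# but a host listed in both does. Tune to your own tolerance.
WEIGHTS = {"SBL": 3, "XBL": 2, "PBL": 2}
THRESHOLD = 3

def decide(answers):
    """Score the set of A records returned for one client IP."""
    lists = {sublist(a) for a in answers}
    score = sum(WEIGHTS.get(name, 0) for name in lists)
    action = "reject" if score >= THRESHOLD else "pass"
    return sorted(lists), score, action

if __name__ == "__main__":
    # Constructed sample answers (no DNS queries are made).
    samples = {
        "192.0.2.25": ["127.0.0.11"],                # PBL only
        "198.51.100.7": ["127.0.0.4", "127.0.0.11"], # XBL + PBL
        "203.0.113.9": ["127.255.255.254"],          # resolver error code
    }
    for ip, answers in samples.items():
        print(query_name(ip), decide(answers))
```

Answers in 127.255.255.0/24 are scored as zero here because they report a problem with the query itself, and treating them as listings would reject every client.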