Whilst this subject is of some interest to many or most Postfix users, it has departed from being fully on topic here. It would fit better on a list like SDLU: <http://spammers.dontlike.us>
[Disclaimer: I am a list moderator at SDLU.]

On Sat, Aug 17, 2013 at 10:39:25AM -0700, Grant wrote:
> > [attribution of quotes reconstructed] rob0:
> > On Sat, Aug 17, 2013 at 12:54:44AM -0700, Grant wrote:
> >> Do you mean there aren't any legitimate servers listed in
> >> zen.spamhaus.org?
> >
> > Zen is a composite list, and indeed it is intended to be safe
> > for widespread use.
> >
> > SBL (Spamhaus Block List) lists IP addresses which are known
> > to be under the control of spammers.
> >
> > XBL (Exploits Block List) lists IP addresses which are actively
> > spewing bot spam. Legitimate servers are occasionally listed in
> > XBL, because they meet that condition. Some short time after they
> > stop their abuse, they are delisted. Typically this is less than
> > a day.
> >
> > PBL (Policy Block List) lists IP addresses which, according to
> > the netblock owners, should not normally be sending legitimate
> > email. Exceptions can be made for hosts with custom PTR upon
> > request. Many colocation providers submit their networks for PBL,
> > but removal is easy.
> >
> >> When I switched servers a while back, the new IP
> >> I received was listed on several blacklists and it was a hassle
> >> to get them removed.
> >
> > Far better that you go through that step than the Internet be
> > exposed to more spam.
>
> I agree, but the fact is that not everyone will go through that
> step.

You didn't understand. Those who do NOT get delisted from Zen *will* face widespread delivery problems. No hard facts exist (nor could valid statistics be collected), and it would vary by that site's chosen set of sites they wish to send mail to, but in general I bet they're going to have delivery problems for >75% of their mail.

This is speaking from my own experience when moving a server to a PBL-listed IP address. Before getting the removal approved, my logs were clogged with rejections. It was embarrassing.
When I discovered the problem I rerouted mail through a nonlisted relayhost until delisted. I have also seen this at exploited sites where I have been called in to do the cleanup.

Let them be lazy. If they want to participate in Internet mail, they're going to take the time to get removed from PBL. None of the anti-DNSBL zealots can dispute this fact. In fact, this is one of the things they so despise about Spamhaus: they have been granted "too much power" by many email administrators, large and small.

(I apologise to the "anti-DNSBL zealots" for the name calling. I'm a pro-DNSBL and pro-Spamhaus zealot myself. I accept the same label. Spamhaus and other DNSBL services have all but eliminated my spam problem. I am grateful for that.)

Why have we (TINW) given Spamhaus this power? Do they abuse it? What would happen if they did?

Mail administrators support Spamhaus because they have been careful and responsible in the exercise of that power. They make our job in trying to keep the abuse out of users' mailboxes much easier. Also, pre-DATA filtering is safer and more accurate than content-based approaches.

There have indeed been suggestions of abuse of power by Spamhaus. Many of these suggestions were put forth by spammers and spam supporters (providers who are willing to sell service to spammers, turning a blind eye or making excuses in response to abuse reports.) I'd say those constitute the majority of complaints, in fact.

But to be fair, there are other complaints. One I am aware of is the Austrian national NIC (dot-AT registry.) Austrian law is demonstrably spam-friendly regarding domain registrations.

(I don't care about Austrian law. To a large extent I don't even care about laws where I live and where my server is situated. Spam is crime, and such crime is not excused by ignorant laws. Any valid law which is going to require me to accept and handle spam will also reimburse my costs in doing so. None of them do.
So I block spam, including some CAN-SPAM compliant hosts on my US-based server. The You-Can-Spam law doesn't pay to accept spam.)

To answer my final question above, if Spamhaus went overboard and became like a SORBS, blocking mail providers who have occasional issues with spam, well, I'd relegate them to the same status I did SORBS. I consider SORBS' opinion on a client useful, but not enough to consider the mail to be spam and worthy of blocking.

I am sure that Spamhaus administrators know this. Thus they are careful and responsible.

> > Here's my example postscreen configuration which is intended
> > to be safe and reasonable for most uses:
> > http://rob0.nodns4.us/postscreen.html
>
> Do you use that config on a commercial mail server? I don't mean
> to say that you shouldn't, I'm just wondering if you do. In a

Not much. The majority of traffic is from and to a free software project. I have, however, set up mail services for SMBs using these policies or similar. (But I am not involved in the day-to-day management of those sites.) My only commercial users are individual consultancies such as myself.

> commercial environment, the penalty for a false positive is a
> customer unable to reach the company behind the server which just
> isn't tolerable.

"Commercial" is an arbitrary distinction. Many commercial sites say things like this: "Our userbase, our customers, and our suppliers are all in the USA, so we will block everything coming from outside the USA." It might even work for some of them.

It certainly would NOT be acceptable for a free software project, with contributors and users from all over the world, including Russia, Nigeria, China, and Korea.

"False positive" is also an arbitrary concept. If a sending client listed on Zen comes to me, I reject it. That is a positive, nothing "false" about it.

Okay, that is splitting hairs. I know what you mean by "false positive": you mean "non-spam which is rejected."
The sending client gives its user a DSN informing said user of the rejection. They can contact me and provide the information therein. It's in my log, and I can see it was a Zen-listed host. I can give them the same URL that my rejection notice did[1] and advise them to fix whatever problem caused the listing. (I can even offer to fix it for them, if they want to hire me. ;) )

The whole point is this, again: the Zen-listed host is having these problems ALL OVER. I'm surely not the only site that rejected their mail. Far more effective for them, rather than complaining to me, is to get off the Zen list.

If they're on SBL, stop spamming! I don't even want non-UBE from known spammers. If they think they're not spamming, let them make their case with the folks at Spamhaus, who, I can guarantee, would love to talk to them about it.

If they're on XBL, stop the exploit! Their site is being actively used for the benefit of a spammer. Fix that!

If they're on PBL, follow the removal procedure. If they can't get removed, such as for lack of custom PTR, find real hosting where they're allowed to run a mail server.

[1] That's only true of hosts which get through postscreen to smtpd. Postscreen does not provide the DNSBL's TXT record.

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
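
Added example, not part of the original message: a self-check an administrator could run against their own outbound IP to see which Zen sublist (SBL, XBL or PBL) it is on and which of the remedies described above applies. The return codes are the ones Spamhaus publishes for zen.spamhaus.org; the function names, the advice strings and the sample answers are assumptions made for this illustration.

```python
import ipaddress
import socket

# A-record return codes published by Spamhaus for zen.spamhaus.org.
SUBLISTS = {
    "SBL": {"127.0.0.2", "127.0.0.3", "127.0.0.9"},
    "XBL": {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"},
    "PBL": {"127.0.0.10", "127.0.0.11"},
}
# Remediation per sublist, paraphrasing the message above.
ADVICE = {
    "SBL": "stop the spam or make your case to Spamhaus",
    "XBL": "find and stop the exploit on the host",
    "PBL": "follow the PBL removal procedure or relay via a non-listed host",
}

def zen_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the IPv4 octets and append the zone (raises on bad input)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Split Zen A records into (sorted sublists, error codes)."""
    listed, errors = set(), []
    for answer in answers:
        if answer.startswith("127.255.255."):
            errors.append(answer)  # resolver/usage error, not a listing
            continue
        listed.update(n for n, codes in SUBLISTS.items() if answer in codes)
    return sorted(listed), errors

def report(ip, answers):
    """One-line verdict for an outbound IP given the records returned."""
    listed, errors = classify(answers)
    if errors:
        return f"{ip}: lookup error {errors}, result not usable"
    if not listed:
        return f"{ip}: not listed"
    return f"{ip}: " + "; ".join(f"{n}: {ADVICE[n]}" for n in listed)

def lookup(ip):
    """Live query (needs DNS); NXDOMAIN means the address is not listed."""
    try:
        return socket.gethostbyname_ex(zen_query_name(ip))[2]
    except socket.gaierror:
        return []

if __name__ == "__main__":
    # Constructed sample: documentation address with made-up answers.
    print(zen_query_name("192.0.2.10"))
    print(report("192.0.2.10", ["127.0.0.10"]))
    print(report("192.0.2.10", ["127.255.255.254"]))
```

Answers in 127.255.255.0/24 are Spamhaus error codes (for example a query sent through a public resolver), so a receiving server that treats any answer as a listing would reject mail that is not listed at all.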