On Fri, May 02, 2014 at 08:10:18PM -0400, Alex wrote:
> On Fri, May 2, 2014 at 6:45 PM, Stan Hoeppner
> <s...@hardwarefreak.com> wrote:
> > On 5/2/2014 6:07 AM, Wietse Venema wrote:
> > > Stan Hoeppner:
> > >>> swl.spamhaus.org*-4
> > >>> list.dnswl.org=127.[0..255].[0..255].0*-2
> > >>> list.dnswl.org=127.[0..255].[0..255].1*-3
> > >>> list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
> > >>
> > >> Consolidate these last 3 to something like:
> > >> list.dnswl.org=127.0.[2..14].[2..3]*-4
> > >
> > > These three will result in one list.dnswl.org query, just like
> > > the consolidated one. There is no performance difference.
> >
> > Correct. The reason for consolidating these is not to reduce
> > queries.
> >
> > > However, there is a correctness difference. The consolidated
> > > form has the same weight 4 for all results, while the original
> > > form has different weights.
> >
> > The consolidated form gives no score to a 4th octet value of
> > [0..1], but gives -4 to [2..3]. This is the key difference.
> >
> > Alex' form and weights are not correct. And that is why I posted
> > the link to the return codes. The second 'octet' is always zero,
> > not a range. The 3rd octet has a range of 2-15, and the 4th
> > octet a range of 0-3. Specifying a range of 0-255 or 2-255 to
> > cover "the future" may have the opposite effect, resulting in
> > potential disaster, depending on how/if/when dnswl changes
> > things. Such wildcards should not be used.

Good point. I thought of this, but did not bother to implement it
that way. Eventually I will change it.

> > A value of 15 in the 3rd octet means the sender is an Email
> > Marketing Provider. Most people would never whitelist such
> > senders. Alex currently does. Most people would give no
> > preference to a 4th octet score of 0 which means "no trust".

Well, I whitelist mildly. Do note that this is a whitelist, under
management by people who, I suppose, don't like spam any more than
you or I. A DNSWL.org return of 127.0.15.0 means an email marketer
who is nominally trying to limit spam (thus deserving a whitelist
entry), but who might be doing that well. A -1 score makes sense.
It's not enough to override Zen nor a grouping of other DNSBLs, but
if that's the only result from postscreen_dnsbl_sites, it's enough
to bypass the after-220 checks.

> > Alex is giving -2. And he is giving -3 to a 4th octet score of
> > 1, "low trust". The recommended scale is -0.1, -1.0, -10, -100,
> > and this is how SpamAssassin handles dnswl scoring.

Yes, I think -1, -2 and -4 make sense. I lump 4th octet 2 and 3
together because I'm a 2. :) Also, a -4 is going to override any
borderline DNSBL score. If it doesn't, I expect something to give
somewhere. In my studies, I found very little overlap between the
DNSBLs and the DNSWLs.

> > Using a 4 point scale instead of 100, a 4th octet value of
> > 0 or 1 should be given NO whitelisting preference at all,
> > which is what my consolidated example does.

But I don't agree with that. Scoring at the content scanning stage
differs from scoring in postscreen. DNSWL.org assumes that their
trust level "none" sites are not actually making money from spam.
I can't speak for Mathias, but I am pretty sure that he would delist
ANY known spammer.

> Somehow your first message to the list on this topic didn't make it
> to me. Had to read it in the archives. Anyway, thanks so much. My
> postscreen config was generated through a discussion on this list
> with rob0 some time ago, as well as his postscreen config (
> http://rob0.nodns4.us/howto/postfix/main.cf). Perhaps if he's
> reading, he can correct this.

Hiya! Yes, I remember. BTW, the better link to share is the HTML
page, http://rob0.nodns4.us/postscreen.html , which has all the
explanations and warnings.

> I can't believe I've been whitelisting mass mailers. That's far
> from what I would want to be doing. In fact, I'm considering
> figuring out some spamassassin rules to better identify them based
> on the dnswl queries.

If you want to be adventurous (and to violate the DNSWL.org spirit)
nothing stops you from using 127.0.15.0 with a positive score in
postscreen ... or even as a reject_rbl_client in smtpd!

I figure these are at worst the gray hats. And why bother giving
delays with the after-220 tests they will pass anyway? So yes, my
policy here was considered and deliberate. But looking back, I'll
agree that a -1 would make more sense than -2. Stan probably tends
to be more aggressive than I am. There's no right/wrong to that,
it's a choice.

> Regarding your DNS caching comments, thanks for this too. I hadn't
> realized there would be bandwidth savings by having one or two DNS
> servers that are queried on the network versus having a local cache
> on each mail server. I've always been a bind loyalist, but will
> consider the powerDNS program if it doesn't improve.

I've always been a BIND loyalist too. Now I'm paid to be a BIND
loyalist. I have nothing against the competition, certainly I can't
say anything bad about them. But I can assure you that if you know
ways in which BIND needs to improve, ISC wants to hear from you.
Bigger doesn't always mean better, this I grant (just look at
Microsoft!) But in the case of BIND it means that an enormous
worldwide userbase is assisting ISC in continually improving BIND.
I don't mind questioning my loyalties from time to time, but I
wouldn't blindly jump ship from software I know and trust unless
there was a very good reason.

> I've already made the postscreen changes on the systems, and
> already noticing fewer DNS queries.
>
> I've also removed swl.spamhaus.org entirely, thanks to a
> conversation with spamhaus and comments from Tom Hendrikx about
> it being discontinued.

Yep, I will be doing the same. Unfortunately I probably won't get
around to updating my web page very soon.

Note also that I used dnsbl.ahbl.org in postscreen; by the beginning
of 2015 that will become disastrous, as they are planning to put a
wildcard in the zone.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
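The "correctness difference" Wietse and Stan discuss above is easy to see by scoring a few DNSWL answers under both sets of entries. The Python below is an added example written for this page; it is not code from the thread, from rob0's config, or from Postfix. It models the postscreen_dnsbl_sites filter syntax `rblname=d.d.d.d*weight` (each `d` a number or a `[low..high]` range, no filter meaning "any answer", no weight meaning 1) and assumes, for the demonstration, that every matching entry adds its weight to the client's score. Besides the thread's own entries it scores one answer the thread does not mention: 127.0.0.255, which dnswl.org returns to clients that exceed its free query limit, to show what a 0..255 wildcard does to such an answer.

```python
"""Score DNSWL return codes under two postscreen_dnsbl_sites styles.

Added example (not from the mailing-list thread or from Postfix).  Assumes
the filter syntax  rblname=d.d.d.d*weight  with d = number or [low..high],
and that each matching entry adds its weight to the client's total score.
"""
import re

# One token per octet: either a [low..high] range or a plain number.
OCTET_TOKEN = re.compile(r"\[(\d+)\.\.(\d+)\]|(\d+)")


def parse_octet(match):
    """Return an inclusive (low, high) pair for one filter octet."""
    if match.group(3) is not None:
        value = int(match.group(3))
        return value, value
    return int(match.group(1)), int(match.group(2))


def parse_site(entry):
    """Parse 'name[=filter][*weight]' into (name, octets, weight).

    octets is a list of four (low, high) pairs, or None when the entry
    carries no filter (any A record matches).  Missing weight defaults to 1.
    """
    site, star, weight = entry.partition("*")
    name, eq, addr = site.partition("=")
    octets = None
    if eq:
        octets = [parse_octet(m) for m in OCTET_TOKEN.finditer(addr)]
        if len(octets) != 4:
            raise ValueError("filter must have four octets: %r" % entry)
    return name, octets, int(weight) if star else 1


def filter_matches(octets, reply):
    """True when the dotted-quad reply falls inside every octet range."""
    if octets is None:
        return True
    parts = [int(p) for p in reply.split(".")]
    return all(lo <= p <= hi for p, (lo, hi) in zip(parts, octets))


def score(sites, replies):
    """Sum the weights of all entries whose filter matches a reply.

    replies maps a DNSBL name to the list of A-record strings it returned.
    Returns (total, hits) where hits lists (name, reply, weight) triples.
    """
    total, hits = 0, []
    for name, octets, weight in sites:
        for reply in replies.get(name, []):
            if filter_matches(octets, reply):
                total += weight
                hits.append((name, reply, weight))
    return total, hits


# The three wildcarded dnswl entries quoted in the thread.
WILDCARD = [parse_site(s) for s in (
    "list.dnswl.org=127.[0..255].[0..255].0*-2",
    "list.dnswl.org=127.[0..255].[0..255].1*-3",
    "list.dnswl.org=127.[0..255].[0..255].[2..255]*-4",
)]
# Stan's consolidated entry: category 2..14 only, trust 2..3 only.
CONSOLIDATED = [parse_site("list.dnswl.org=127.0.[2..14].[2..3]*-4")]


def compare(reply):
    """Score one dnswl answer under both forms: (wildcard, consolidated)."""
    replies = {"list.dnswl.org": [reply]}
    return score(WILDCARD, replies)[0], score(CONSOLIDATED, replies)[0]


if __name__ == "__main__":
    # Sample answers: 127.0.<category>.<trust>; 15 = email marketer,
    # trust 0 = none, 1 = low, 2 = medium, 3 = high.  127.0.0.255 is the
    # answer dnswl.org gives to clients over its free query limit.
    for reply in ("127.0.15.0", "127.0.5.1", "127.0.5.2", "127.0.0.255"):
        print(reply, compare(reply))
```

Running it shows the point of the thread in numbers: the email-marketer answer 127.0.15.0 scores -2 under the wildcard form and 0 under the consolidated one, a low-trust 127.0.5.1 scores -3 versus 0, only medium or high trust (127.0.5.2, 127.0.5.3) scores -4 under both, and the over-quota answer 127.0.0.255 earns a -4 whitelisting bonus under the wildcard form while the consolidated entry ignores it, which is the "opposite effect" Stan warns about.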