On Wed, May 14, 2014 at 11:35:59AM -0400, D'Arcy J.M. Cain wrote: > On Wed, 14 May 2014 10:09:19 -0500 > Noel Jones <njo...@megan.vbhcs.org> wrote: > > On 5/14/2014 9:59 AM, D'Arcy J.M. Cain wrote: > > > It looks like hotmail is on two DNSBLs and postscreen is > > > blocking them. I would like to offer my users a way to > > > whitelist individual addresses but it looks like I can > > > only whitelist CIDR blocks. Is that the case or do I > > > have another option? > > > > The only postscreen whitelisting possible is by IP. Postscreen > > will never (and cannot) see a hostname nor an email address. > > Yah, that's what I was afraid of. > > > Your choices are:
> > - remove the offending DNSBL. Postscreen is not appropriate > > for a DNSBL that intentionally lists hosts sending a mixture > > of good and bad mail, such as hotmail, AOL, etc. > > I know that SORBS, one of the listing DNSBLs, shouldn't be > used but in my case it is spamcop that is blocking the mails. > I thought that they were generally considered a good source. Yikes, no. See, Spamcop is fully automated. A lot of large email providers classify their outbound. Stuff that their filters consider suspect, but they are afraid to block because of complaints, goes out a certain set of outbound servers. That's why hotmail, gmail, and others are regularly seen on Spamcop, and why it's usually the same set of IP addresses. They ARE sending spam, and SORBS and Spamcop thus list them. (SORBS deliberately, Spamcop automatically.) An aggressive site might be fine with taking the risk, but me, I'd never trust SORBS nor Spamcop for blocking, even if they both were agreed about a host. I use each of them as one point where the threshold is three. And also as Noel suggests, I use DNSWL.org with negative scores. As a matter of fact, most spam I see in my personal mailbox originated from providers of this kind. I don't usually bother to look them up in my logs, but I know I have seen this scenario before: listed on SORBS, Spamcop and DNSWL. > > - move the offending DNSBL to the regular smtpd_*_access > > checks, where whitelisting is possible. > > Sounds like my best option here. Disagree. Better scoring solves the problem nicely. Your content filtering will probably catch the ones your postscreen allows through. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
