On Mon, Jun 01, 2015 at 06:08:40PM -0700, Steve Jenkins wrote:
> 
>  This is expanding a bit on Elijah's OP, but here are my current
> restrictions that I've been running for a while:
> 
> smtpd_recipient_restrictions =
> [...]
>         reject_rbl_client zen.spamhaus.org,
>         reject_rhsbl_client dbl.spamhaus.org,
>         reject_rhsbl_sender dbl.spamhaus.org,
>         reject_rhsbl_helo dbl.spamhaus.org,
> [...]
> Sanity checks welcome. :)

Their recommended setting is

         reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
         reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
         reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99]

Return codes above 127.0.1.100 are the "abused legit" codes,
referring to good domains that were hacked by spammers,
typically to host bad contents on the web site.
So you apply the whole of DBL on content scanning, but limit
yourself to the real bad domains on the SMTP checks, 
otherwise you increase the risk of false positives with
probably little benefit.

Also, it is always a good idea to include a range check
for the return code, so also zen.spamhaus.org=127.0.0.[2..255]
won't hurt.

furio
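Added example, not part of the original message: a small Python model of how a Postfix reply filter such as `dbl.spamhaus.org=127.0.1.[2..99]` decides whether a DNSBL answer leads to a reject, so that a restriction line can be checked before it is deployed. The function names and the sample replies are constructed for illustration. It assumes the Postfix pattern syntax of `;`-separated numbers or `lo..hi` ranges inside `[]`.

```python
import re

# Postfix-style reply filter: four fields, each a number or a [..] pattern.
FIELD = r"(?:\d+|\[[^\]]+\])"
FILTER_RE = re.compile(rf"{FIELD}(?:\.{FIELD}){{3}}")

def parse_reply_filter(spec):
    """Split 'zone=d.d.d.d' into (zone, per-octet sets of accepted values)."""
    zone, _, pattern = spec.partition("=")
    if not pattern:
        return zone, None  # no filter: any A record from the list matches
    if not FILTER_RE.fullmatch(pattern):
        raise ValueError(f"bad reply filter: {pattern!r}")
    allowed = []
    for field in re.findall(FIELD, pattern):
        values = set()
        for part in field.strip("[]").split(";"):  # ';' separates alternatives
            lo, _, hi = part.partition("..")        # 'lo..hi' is a range
            values.update(range(int(lo), int(hi or lo) + 1))
        allowed.append(values)
    return zone, allowed

def reply_matches(allowed, reply):
    """True if one A record (dotted quad) satisfies the parsed filter."""
    if allowed is None:
        return True
    octets = [int(o) for o in reply.split(".")]
    return len(octets) == 4 and all(o in a for o, a in zip(octets, allowed))

def would_reject(spec, replies):
    """True if any A record returned by the list matches the filter."""
    _, allowed = parse_reply_filter(spec)
    return any(reply_matches(allowed, r) for r in replies)

if __name__ == "__main__":
    # Constructed sample replies: one inside the 2..99 range, one above 100.
    for spec in ("dbl.spamhaus.org", "dbl.spamhaus.org=127.0.1.[2..99]"):
        for reply in ("127.0.1.2", "127.0.1.102"):
            verdict = "reject" if would_reject(spec, [reply]) else "pass"
            print(f"{spec:35} {reply:12} -> {verdict}")
```

With the unfiltered form, a reply in the "abused legit" range above 127.0.1.100 rejects the mail; with the range filter it passes the SMTP check.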
