My clients have been using list.dsbl.org, and either bl.spamcop.net or sbl.spamhaus.org as a secondary. Unless you actually keep a local server for the zone, checking more than 2 (or at most 3) DNSBL's in global DNS is asking for potentially long delays on MTA connections. Checking all of the DNSBLs that SpamAssassin checks by default at the MTA level can time out your connections before you clear all the DNSBLs.

Subject: Re: [SAtalk] RE: *.easynet.nl DNSBL's ceasing on Dec 1, 2003 [OT]
From: "Gary Carr" <[EMAIL PROTECTED]>
Date: Fri, 21 Nov 2003 15:06:31 -0500
To: <[EMAIL PROTECTED]>
This is a shame. The guy should do it for a fee and make it a small business. They are the most effective RBLs we have used to date.
Gary
The easynet blacklists/spamfilters (blackholes.easynet.nl, proxies.blackholes.easynet.nl, dynablock.easynet.nl, spamdomains.blackholes.easynet.nl, and the easynet spamlists) will be discontinued starting Dec 1 2003.
So I guess I get to ask the monthly reoccurrence of the question? What are people using for blacklists at the MTA level these days? I have

sbl.spamhaus.org,
list.dsbl.org,
relays.visi.com,
dnsbl.njabl.org,
relays.ordb.org,
blackholes.easynet.nl, #not for long
dynablock.easynet.nl, #not for long
dun.dnsrbl.net,
spam.dnsrbl.net,
opm.blitzed.org,
Mike
I have actually been comparing a new e-mail security service that I'm developing to a number of existing DNSBL's and it's very interesting comparing them.
I haven't been comparing my service to bl.spamcop.net, but I have compared it to several other lists that you mentioned. From what I can tell, for my e-mail and e-mail to a couple of customers who are beta testing my new service, list.dsbl.org seems to hit the most, followed by cbl.abuseat.org. For the past few hours, here are the statistics I have. This is being used by a couple of smaller businesses (60 to 200 mail accounts on their own mail servers) and my own 2 person operation, so the volume isn't that high and it might not be a representative sample of anybody else's e-mail. The statistics are for the past 4 hours or so.
82 new IP addresses added to my database. (note that this doesn't include many more IP addresses that were already in my database and had current information, it's just ones I've never seen, or ones that the information was so old I discarded the former entries).
26 of those 82 IP addresses were added as whitelist entries. That means that my service won't stop mail from those. 13 of those did appear on at least one other blacklist at the time I reported them clear as valid sources for mail. The breakdown on which DNSBL's had entries for the 13 that I missed is:
I missed, but in dnsbl.njabl.org: 6
I missed, but in dnsbl.sorbs.net: 6
I missed, but in cbl.abuseat.org: 4
I missed, but in sbl.spamhaus.org: 7
I missed, but in list.dsbl.org: 5
I missed, but in dynablock.easynet.nl: 3
My experience observing results from these DNSBL's for the past few weeks shows that cbl.abuseat.org and list.dsbl.org seem to have the fewest "false positives", so I probably actually missed 5 to 9 of these that I should have blocked, and the others might be somewhat questionable. I know I've seen false positives on dnsbl.sorbs.net and sbl.spamhaus.org.
On the other side, the blacklisted side of my service, I blacklisted 82 IP addresses in that same period. Immediately after blacklisting those addresses, I have a script running on another machine that watches the logs and looks up each new blacklist entry in several different DNSBL's. The other DNSBL's listed some of those 82 addresses at the time I blacklisted them. Here's how they compared:
also in list.dsbl.org: 66
also in cbl.abuseat.org: 59
also in dynablock.easynet.nl: 46
also in dnsbl.sorbs.net: 32
also in dnsbl.njabl.org: 21
also in ipwhois.rfcignorant.org: 13
also in opm.blitzed.org: 2
also in sbl.spamhaus.org: 3
There were 4 hosts that I blacklisted on my service that weren't in any other blacklist. One of those was known to be offering valid e-mail when I blacklisted it, though I can't absolutely call that a false positive until we hear back from the sender organization about the full status of their mail server. It's possible that they actually had a problem that needed to be addressed and my blacklist entry is actually valid. Two of the others were definitely good hits for me, and the last one needs a bit more research to determine if blacklisting that IP address was valid.
Someone was asking about cbl.abuseat.org earlier. That's one of the most interesting of the DNSBL's. Their methodology is unique and quite different from the other DNSBL's, and that's why I think there is so much interest in them. They don't search for open proxies, and they don't do any content analysis at all (at least that's what I've heard). They do have a few very large spamtraps. They have the old domains that were left behind when several very large companies switched domain names. I'm told one of those domains has tens of thousands of formerly valid e-mail addresses in it, and that overall they are getting a few _million_ smtp connections a day. They analyze those connections and look for odd/aggressive SMTP behavior. Things like bad HELO info, lack of message ID's, and other bad behavior, and that's one of the major criteria for listing in the CBL.
This also brings me to my questions.
My service presents its data in a DNSBL format, so I can work with MTA's or with SpamAssassin, but I really haven't tried it with SpamAssassin yet. I'm thinking about doing that on my own e-mail domain so that I can examine some of the messages from sources I am blacklisting.
One of the problems that I see is that some of my return values are "gray" values. Basically, those are not blacklist entries, but they are not all clear flags either. MTA's can generate a temporary error like "451 Service temporary unavailable, try again later" from the gray value. Valid mailers will try again, and within one or two of the sender's queueing cycles, my DNSBL will have better information to make a good connection or a hard bounce with a permanent error.
How would I have SpamAssassin score different numbers of points depending on the A record returned from my DNSBL? For example, for 127.0.0.2, 127.0.0.3, 127.0.0.4, 127.0.0.6 and 127.0.0.7 (all of which are blacklist entries) I might want to score a relatively high number of points. For 127.0.0.128 and 127.0.0.129 (both gray values) I might want to score something very close to Zero points. How do I accomplish that? Can I also add the address record returned from my DNSBL as a custom SMTP header? How would I do that?
The next question (and this might be totally impossible) can SpamAssassin somehow put messages in a "holding area" and reprocess them again later? The "gray values" are really temporary values. Like I said, MTA's should only return a temporary error code for the gray entries (or they can just accept mail from gray sources), and gray entries should never be blocked with a hard bounce. However, after 5 to 20 minutes, the gray entries change to either a hard blacklist entry or clear completely (leaving no entry in my DNSBL and effectively "whitelisting" the IP).
It would be really handy to recheck anything that had a 127.0.0.128 entry in my DNSBL again 30 minutes later to see whether it cleared or changed to a blacklist entry, and move the message to the ham or spam area based on the updated information. Can this be done automagically using SpamAssassin? Can it be handled with some procmail incantations?
Finally, does anyone use SpamAssassin with Visnetic Mail Server in a Windows environment? I hear that Visnetic's MailPermit product includes SpamAssassin, but the documentation for that is really spotty. I have a potential customer/beta tester who is running Visnetic Mail Server. I'm wondering if he can use my service and my DNSBL data with SpamAssassin on his Visnetic setup. Will that work?
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
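
Added example (not part of the thread and not the poster's service code): the MTA-side handling that the long message above describes, where blacklist return codes get a permanent rejection and gray codes get a 451 temporary failure so that valid mailers retry. The zone name `dnsbl.example.test`, the sample addresses, the 550 reply code, and the choice to accept mail on a lookup timeout or an unrecognised return code are assumptions of this example.

```python
import ipaddress

# Return codes as listed in the message above; the page only says which are
# blacklist values and which are gray values, not what each one means.
BLACKLIST_CODES = {"127.0.0.2", "127.0.0.3", "127.0.0.4", "127.0.0.6", "127.0.0.7"}
GRAY_CODES = {"127.0.0.128", "127.0.0.129"}

ZONE = "dnsbl.example.test"  # hypothetical zone name (assumption)

# Constructed sample zone data so the example runs offline.
SAMPLE_ZONE = {
    "10.2.0.192.dnsbl.example.test": ["127.0.0.2"],    # blacklist entry
    "20.2.0.192.dnsbl.example.test": ["127.0.0.128"],  # gray entry
    "30.2.0.192.dnsbl.example.test": ["127.0.0.200"],  # code this policy does not know
}

def sample_resolve(name):
    """Stand-in for a DNS A lookup: list of answers, empty if not listed."""
    return SAMPLE_ZONE.get(name, [])

def timeout_resolve(name):
    """Stand-in for a DNSBL that does not answer in time."""
    raise TimeoutError(name)

def dnsbl_query_name(client_ip, zone):
    """Build the lookup name: IPv4 octets reversed, followed by the zone."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on bad input
    return ".".join(reversed(str(ip).split("."))) + "." + zone.strip(".")

def smtp_decision(client_ip, zone, resolve):
    """Map the DNSBL answer for client_ip to (smtp_code, action)."""
    try:
        answers = set(resolve(dnsbl_query_name(client_ip, zone)))
    except (TimeoutError, OSError):
        return (None, "accept")   # assumption: a slow or dead list must not block mail
    if answers & BLACKLIST_CODES:
        return (550, "reject")    # permanent error, hard bounce
    if answers & GRAY_CODES:
        return (451, "tempfail")  # temporary error, sender retries later
    return (None, "accept")       # not listed, or a code we do not recognise

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, smtp_decision(ip, ZONE, sample_resolve))
```

Because a gray answer only ever produces a temporary failure, the sender's retry performs the later re-check: by then the entry has either become a blacklist code or disappeared.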