>
> But I'm simply finding that some bellsouth and hotmail SMTP IP addresses are
> so "dirty" that they stand out separate from regular non-spammy IPs to the

Hotmail is one of the three largest email providers in the United States, if not the world. That being Hotmail, Yahoo, AOL. Now, there have always been a few RBLs (which will remain nameless) that have had a bug up their butt about large ISPs, period. The RBL owners just don't like them for multiple reasons. One reason they like to use is called "multi-hop open relays". In reality (from what I have seen), this usually means that an ISP user or company uses the smarthost of the ISP to deliver their email. Some RBL owners simply seem to despise that configuration because they cannot pin the spam down to a certain user. So the ISP's outgoing email servers get listed. There are multiple other reasons large ISPs get listed, but you get the idea.

Now, even if Hotmail was breaking every rule ever invented as far as spam goes (and they are not), you, as a provider (if you are a provider), must let their email through because they are one of the big three. That being known, why would any RBL blacklist them, knowing that their email is one of the big three that you just can't block, unless they had political, or other reasons, for doing so? I can tell you that Hotmail and most very large providers don't give a hoot about most RBLs. They know you will have to whitelist them sooner or later.

> extent that re-weighing the values places on these RBLs enough to get these
> bellsouth and hotmail SMTP IPs to "naturally" appear no trigger a block
> would then significantly reduce the value that these RBLs provide in

I would suggest that you are probably still using the wrong RBLs or you are giving way too much point values to poor RBLs (that you are using in SA for scoring), as I mentioned in my last email.

> catching real spam... I don't want to go that far.

You cannot expect RBLs to be the make or break of deciding what is spam inside of SA. That is why they made SpamAssassin. The developers realized you can't count on just one thing.

You can find a few good RBLs that can be used at the front end before SA to do outright rejections, but these RBLs are few and far between. Some SA purists might not even do the RBL rejects at all in front of SA. I do this to save bandwidth and CPU.

> For now, I may have to just whitelist at my DNS caching server on a
> case-by-case basis as these things come up... but I'm still hoping to find a
> good list of frequently used official DNS server for large

I assume you mean you are looking for outgoing IP addresses of large IPs and not their DNS servers? Anyway, this would probably be a waste of time IMO, because if the RBLs you are using make mistakes that you can see with large ISPs, then what about the smaller websites and ISPs that you don't even know about? Their false positives will be across the board. Compensating as you suggest gives weight to well-known providers (if you were able to find all their sending IPs).

If you are looking for an RBL list of providers, you might find something here:

http://216.109.125.130/search/cache?p=blackholes.us&toggle=1&ei=UTF-8&u=public.murl.com/redir%3Fm1000dd03e96e6c6f31m&d=dHUWw8p5LWZN&icp=1&.intl=us

How you would use them for whitelisting instead of blacklisting, I do not know. Maybe someone else can help you with that, if that is what you are looking for.

> established ISPs
> (either in list form or as a DNS list)
>
> --Rob McEwen
>

Here are a few rock solid RBLs with extremely low false positives that you can probably use on your front end IMO. I use more, but this should get you started if you are looking for better RBLs.

cbl.abuseat.org, sbl-xbl.spamhaus.org, list.dsbl.org

Good luck.
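
Added example, not part of the original message: a sketch of the two-stage use of RBLs described above, where only the three low-false-positive zones named in the message cause an outright rejection and every other list merely adds points to a combined score. The score-only zone names, their weights, the threshold, the content scores and the listings are constructed assumptions for illustration.

```python
import ipaddress
import socket

# Front-end reject lists: the three zones named in the message above.
REJECT_ZONES = ["cbl.abuseat.org", "sbl-xbl.spamhaus.org", "list.dsbl.org"]
# Score-only lists: hypothetical zone names and weights, constructed for this example.
SCORED_ZONES = {"aggressive-rbl.example": 1.5, "isp-hostile-rbl.example": 0.5}
THRESHOLD = 5.0  # assumed spam threshold for the combined score


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_listed(name):
    """Live lookup: a 127.x.x.x answer means listed; a failed lookup means not listed."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except socket.gaierror:
        return False


def classify(ip, content_score, listed=dns_listed):
    """Return (verdict, score). `listed` is injectable so the logic runs offline."""
    # Stage 1: outright rejection, only on the low-false-positive lists.
    for zone in REJECT_ZONES:
        if listed(dnsbl_query_name(ip, zone)):
            return ("reject", None)
    # Stage 2: every other list only adds points to the content-based score.
    score = content_score + sum(
        weight for zone, weight in SCORED_ZONES.items()
        if listed(dnsbl_query_name(ip, zone)))
    return ("spam" if score >= THRESHOLD else "deliver", score)


# Constructed listings (documentation-range IPs), standing in for DNS answers.
FAKE_LISTINGS = {
    dnsbl_query_name("192.0.2.10", "cbl.abuseat.org"),            # compromised host
    dnsbl_query_name("198.51.100.25", "aggressive-rbl.example"),  # large ISP smarthost
    dnsbl_query_name("198.51.100.25", "isp-hostile-rbl.example"),
}

if __name__ == "__main__":
    samples = [("192.0.2.10", 0.0), ("198.51.100.25", 1.0), ("198.51.100.25", 3.5)]
    for ip, content in samples:
        print(ip, content, classify(ip, content, FAKE_LISTINGS.__contains__))
```

With these constructed values, the smarthost listed on both score-only lists is still delivered when the message content is clean, and is only classed as spam when the content score pushes the total over the threshold.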