>> DNS is very effective to block at the MTA level. I set up my own private
>> RBL on the DNS servers my SA boxes point to. Dump your IPs into a
>> rbldnsd formatted zone file and set up your private RBL zone (doesn't
>> have to be a real zone on the Internet) to forward to rbldnsd. Rbldnsd
>> will detect changes to its zone files and reload them automatically to
>> keep current.

> Do you have some kind of whitelist that includes gmail, yahoo, etc?

Yes. My database query excludes FREEMAIL hits. I also use/parse SPF records of many of the large FREEMAIL domains to allow these in before RBL checks. You also have to whitelist many of these from greylisting too and let SA score them.

> I'm not looking to compete with spamhaus, just complement it, but
> rejecting outright at the SMTP level for IPs reaching my honeypots
> could be dangerous if not checked.

I don't have any honeypots so I can't speak from experience, but I would think you would need to filter these differently -- much more relaxed than real user domains and mailboxes. If your honeypot addresses are on a different domain, send them through a different MTA config that doesn't have all of these RBL checks.

> I've now got rbldnsd implemented. I've also known for a while it's
> faster/better than bind, but bind has always been in place.
> I have rbldnsd running on port 530, alongside bind on 53. How do I
> specify a urirhsbl in spamassassin to query the DNS server running on
> 530 instead of 53?

You set up BIND to forward that zone of your own RBL to localhost:530.

http://www.surbl.org/setup-local-rbl-mirror (toward the bottom)

rbldnsd only has to be listening on 127.0.0.1:530.

>> In a related note, I have found that using the senderscore.org score combined
>> with postscreen's weighting is very effective in quickly catching new
>> spammers.
>>
>> postscreen_dnsbl_sites =
>>     score.senderscore.com=127.0.4.[60..69]*2
>>     score.senderscore.com=127.0.4.[50..59]*4
>>     score.senderscore.com=127.0.4.[30..49]*6
>>     score.senderscore.com=127.0.4.[0..29]*8
>>     score.senderscore.com=127.0.4.[90..100]*-6
>>     score.senderscore.com=127.0.4.[80..89]*-4
>>     score.senderscore.com=127.0.4.[70..79]*-2
>>
>> You should monitor your own outbound IPs for their sender score. If your
>> IP goes below 90, it's a good indication that you have been sending spam
>> and that your users are going to start experiencing delivery issues to the
>> Internet.

> Do you use this on inbound mail as well?

Yes. Definitely use this primarily on inbound email. I also use some RBLs on outbound email to help detect compromised accounts, but make sure you have your internal_networks and trusted_networks set properly so SA will work with external IPs properly.

> How does it fit with the other postscreen dnsbls? I already have at
> least six various dnsbls with varying weights...

I have more than a dozen in addition to the ones above. You simply list as many RBLs as you want with the proper weighting you think based on their reliability/trustworthiness for your environment. Negative numbers are used for reliable RBLs that show a good reputation for the sending mail server IP. Positive numbers go higher toward the threshold number (I use 8 like many examples I have seen). Set your own private RBL at or slightly above your threshold along with other trustworthy RBLs like zen.spamhaus.org. Only use negative number weighting for those RBLs that you have confirmed to be good sources for good reputation.
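As an added illustration of the weighting scheme discussed above (this is example code, not something from the thread or from Postfix itself): a small Python model of how postscreen sums `postscreen_dnsbl_sites` weights against a threshold. It parses the `domain[=filter][*weight]` form quoted in the message, with literal octets and `[a..b]` ranges, and scores a few constructed DNSBL replies. The senderscore entries are the ones quoted; `zen.spamhaus.org*8` and the private zone name `rbl.example.internal` (an assumption standing in for the rbldnsd zone the poster runs) are added to show a private RBL weighted at the threshold of 8 that the poster mentions.

```python
"""Model of how postscreen combines postscreen_dnsbl_sites weights.

Added example, not code from the mailing-list thread or from Postfix.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The quoted senderscore entries, plus zen.spamhaus.org and a hypothetical
# private zone (rbl.example.internal is an assumption, standing in for the
# rbldnsd zone discussed in the thread), both weighted at the threshold.
POSTSCREEN_DNSBL_SITES = """\
score.senderscore.com=127.0.4.[60..69]*2
score.senderscore.com=127.0.4.[50..59]*4
score.senderscore.com=127.0.4.[30..49]*6
score.senderscore.com=127.0.4.[0..29]*8
score.senderscore.com=127.0.4.[90..100]*-6
score.senderscore.com=127.0.4.[80..89]*-4
score.senderscore.com=127.0.4.[70..79]*-2
zen.spamhaus.org*8
rbl.example.internal*8
"""

THRESHOLD = 8  # the poster's postscreen_dnsbl_threshold

# One token per octet of a filter: either "[lo..hi]" or a literal number.
_OCTET = re.compile(r"\[(\d+)\.\.(\d+)\]|(\d+)")


@dataclass
class Site:
    domain: str
    # One (low, high) pair per octet; None means any reply counts as a match.
    octets: Optional[List[Tuple[int, int]]]
    weight: int


def parse_sites(text: str) -> List[Site]:
    """Parse the domain[=filter][*weight] lines shown in the post.

    Entries without a filter match any A record the DNSBL returns;
    entries without *weight count 1.
    """
    sites = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        weight = 1
        if "*" in line:
            line, w = line.rsplit("*", 1)
            weight = int(w)
        domain, _, flt = line.partition("=")
        octets = None
        if flt:
            octets = [
                (int(lo), int(hi)) if lo else (int(lit), int(lit))
                for lo, hi, lit in _OCTET.findall(flt)
            ]
            if len(octets) != 4:
                raise ValueError(f"bad filter in {raw!r}")
        sites.append(Site(domain, octets, weight))
    return sites


def matches(site: Site, answer: str) -> bool:
    """True when the DNSBL's A record falls inside the site's filter."""
    if site.octets is None:
        return True
    parts = answer.split(".")
    if len(parts) != 4:
        return False
    return all(lo <= int(v) <= hi for v, (lo, hi) in zip(parts, site.octets))


def dnsbl_score(sites: List[Site], answers: Dict[str, List[str]]) -> int:
    """Sum the weights of every entry whose filter matches a returned record.

    `answers` maps a DNSBL domain to the A records it returned for the
    client IP; a missing domain or empty list means the IP is not listed.
    """
    return sum(
        site.weight
        for site in sites
        for a in answers.get(site.domain, [])
        if matches(site, a)
    )


def verdict(sites: List[Site], answers: Dict[str, List[str]],
            threshold: int = THRESHOLD) -> Tuple[int, str]:
    """Return (total score, 'reject' or 'pass') for one client."""
    total = dnsbl_score(sites, answers)
    return total, ("reject" if total >= threshold else "pass")


# Constructed DNSBL replies for a few client IPs (not real lookups).
SAMPLES = {
    "senderscore 55 only":  {"score.senderscore.com": ["127.0.4.55"]},
    "senderscore 25 only":  {"score.senderscore.com": ["127.0.4.25"]},
    "senderscore 55 + zen": {"score.senderscore.com": ["127.0.4.55"],
                             "zen.spamhaus.org": ["127.0.0.2"]},
    "private RBL only":     {"rbl.example.internal": ["127.0.0.2"]},
    "senderscore 95 + zen": {"score.senderscore.com": ["127.0.4.95"],
                             "zen.spamhaus.org": ["127.0.0.2"]},
}

if __name__ == "__main__":
    sites = parse_sites(POSTSCREEN_DNSBL_SITES)
    for label, answers in SAMPLES.items():
        total, action = verdict(sites, answers)
        print(f"{label:22} score={total:3} -> {action}")
```

The last sample is the case the poster's final caveat is about: a sender score of 95 contributes -6, so a zen hit at +8 nets only 2 and the client is let through. That is why negative weights belong only on sources whose "good reputation" verdict you have confirmed; a private RBL or zen listed at the threshold rejects on its own, while a mid-range sender score (the 55 case, +4) only reaches the threshold in combination with other hits.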