On 15-02-17 15:19, Bowie Bailey wrote:
> On 2/14/2017 11:04 PM, Ian Zimmerman wrote:
>> Given a piece of horrible spam, on which RBL is the sending IP address
>> likely to appear first?
>>
>> I want to rationally decide which RBL/s to consult at SMTP time. Afraid
>> to use all of them, not just due to false positives, but also due to
>> negative caching in DNS, which could affect the result when the spam is
>> seen by SA a bit later.
>
> I find zen.spamhaus.org to be the most reliable RBL to use for
> blacklisting.
>
> I wouldn't worry too much about negative caching. It looks like the TTL
> for negative results with Spamhaus is 10 seconds.
>
Naturally, blocklists decide based on their data (f.i. removal times for
typical listings, the way they publish updates, etc) the best ttl for
their data. You should probably just use them.
Note that the period that you describe as 'seen by SA a bit later' is
typically less than a second. In the rare case that postfix sees other
values than spamassassin for the same delivery, many people on this list
will (on first sight) assume your setup is broken when you see
differences in that timeframe, in stead of 'very smart with RBLs and TTLs'.
Which RBLs to use, depends on the typical spam you receive, and the
policies that you wish to apply. IMHO, the trust you put in RBLs (and
their listing policies) should be more important in making decisions
than their typical response time to new (types of) spam and their TTLs.
Kind regards,
Tom
