On 08/15/2017 12:46 PM, Shivram Krishnan wrote:
> Thanks for the response Dianne.
> Rule-based systems like SpamAssassin make room for false positives from
> any one of the rules. For instance, a blacklist can have a false
> positive, but there may be other rules which may not agree with the
> blacklist. An ensemble of such rules makes SpamAssassin more
> accurate.
> In the case of non-rule-based systems like a firewall, an inaccurate blacklist
> can prove costly when the firewall drops legitimate traffic based on
> inaccurate blacklists. I was reading about graylists on Cisco firewalls
> <https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/fwbotnet.pdf>, where
> the network operators could use the graylists to generate alerts for the
> operator to act upon. A network operator can treat a third-party
> blacklist as a graylist and generate alerts. Is this common?
Another issue you are going to find is that SpamAssassin can be
installed in many different ways and in many different "positions" of
the mail flow. Some will have SA secondary to blacklists done by the
MTA (Postfix, Sendmail, Exim, etc.). When done at the MTA level, each
MTA can use blacklists differently. For example, I use postscreen and
weighted RBLs to combine the results of about 25 blacklists and
whitelists to get an aggregate score. Some people might only use 2 to 5
blacklists in their MTA that outright block if there is a single hit.
This is the traditional method that I used years ago but is way too risky
compared to postscreen weighting of blacklists.
There are not many default blacklists and whitelists in SA. A mail
administrator has to manually add many extras to get it up to being
useful IMHO. This requires careful analysis of your mail flow as each
SA instance has varying requirements and unique characteristics. There
is a basic commonality to blocking spam but it's not as common as you
might think until you read this list for several years and see all of
the differences.
My style of spam blocking is heavy on the reputation side which includes
blacklists and whitelists. I define safe senders based on certain
whitelists and valid opt-out processing of approved senders based on
SPF, DKIM and DMARC. I suspect many on this list would not agree with
this tactic but that's OK. Each mail flow is different. The bottom
line is if you don't get any complaints from your customers, you are
doing something right.
If you tune everything correctly (which takes a lot of time and effort),
then you basically have to bypass blacklists for the major providers
like Office 365, Gmail, Yahoo, AOL, etc. and rely primarily on content
filtering in SA to block the spam. A few blacklists like Spamhaus and
Invaluement have figured this out and don't list these large mail
service providers, but there are still many that do, which causes
problems.
Filtering outbound mail has different challenges than inbound mail. You
have to have some form of compromised account detection based on unusual
activity which has nothing to do with blacklists or whitelists. Plus
you need to carefully filter outbound mail using properly configured
last-external rules for blacklists so your own customer IPs are excluded
from blacklists but further hops back are evaluated against blacklists.
> On Tue, Aug 15, 2017 at 12:24 PM, Dianne Skoll <d...@roaringpenguin.com> wrote:
>> On Tue, 15 Aug 2017 12:02:23 -0500
>> Shivram Krishnan <rorryk...@gmail.com> wrote:
>>> Thanks for the response Bill. I have got a couple of responses from
>>> this group, which agree with what you are saying - they have their
>>> own custom techniques to prevent spam and reduce false positives. If
>>> that's the case, who uses third-party generated blacklists?
>> I think you'll find a lot of people use them. My instincts tell me the
>> userbase falls into three sets of administrators:
>> 1) Admins of large organizations that can afford reputable lists
>> like Spamhaus, etc. and use them.
>> 2) Admins of tiny mail servers who are highly aggressive and use
>> blacklists like kids popping candy and who don't care overly-much
>> about false positives.
>> 3) Admins of small to medium organizations who use commercial
>> anti-spam filters or commercial email hosts that make use of
>> blacklists by default, and who probably don't really understand the
>> ramifications of using blacklists.
>> My $0.02: Blacklists can be useful, but I would never reject based
>> solely on an IP being blacklisted. Also, I don't use third-party
>> blacklists, though I do use a set of DNSBLs that my company controls.
>> Regards,
>> Dianne.
--
David Jones
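Added example, not from any message in this thread: a Postfix main.cf fragment in the style David describes, with several DNSBLs and a DNSWL folded into one weighted postscreen score in place of reject-on-single-hit, and the score-only mode that matches Shivram's "treat the list as a graylist and alert" question. It assumes postscreen and dnsblog are enabled in master.cf; the zone names are real public lists, but the weights and the threshold are illustrative and must be tuned against your own mail flow.

```conf
# Added example (not from the thread). Postfix main.cf: aggregate several
# DNSBLs and DNSWLs into one weighted postscreen score instead of rejecting
# on a single hit. Assumes postscreen/dnsblog are enabled in master.cf.
# Zone names are real public lists; weights and threshold are illustrative.

# The single-hit pattern the thread calls risky: a listing on any one list
# rejects the client, so one list's false positive drops legitimate mail.
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    reject_unauth_destination,
#    reject_rbl_client zen.spamhaus.org,
#    reject_rbl_client bl.spamcop.net

# Weighted alternative. Syntax: zone[=reply_pattern]*weight. Blacklists add
# to the score, whitelists subtract; only the sum is compared to the threshold.
# dnswl replies 127.0.<category>.<trust>; trust 1..3 earns a negative weight.
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.spamcop.net*2
    psbl.surriel.com*1
    list.dnswl.org=127.0.[0..255].[1..3]*-5

# Reject only when the total reaches 3: a lone hit on the weight-1 or
# weight-2 list cannot reject by itself, and one dnswl listing outweighs
# several blacklist hits.
postscreen_dnsbl_threshold = 3

# enforce = log the score and reject with 550 at delivery time.
# ignore  = log the score only, i.e. the "graylist, alert but do not block"
#           mode asked about above; useful while evaluating a new list.
postscreen_dnsbl_action = enforce

# Clients whose total is -1 or lower skip the remaining postscreen tests
# (Postfix 2.11 or later).
postscreen_dnsbl_whitelist_threshold = -1

# Your own networks are never scored against any list.
postscreen_access_list = permit_mynetworks
```

Watch the postscreen DNSBL rank lines in the mail log for a few days before raising any weight, since that is where a list's false positives against your real senders show up.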