Mailing List SIMS@mail.stalker.com Message #14809
From: Bill Cole <listbill@scconsult.com>
Subject: Re: SIMS and RBLs
Date: Mon, 22 Nov 2004 08:50:43 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 9:50 AM +0100 11/22/04, Alexandre Lollini imposed structure on a stream of electrons, yielding:
on 11/18/04 11:54 PM, David C King <dck@the-wire.com> wrote:

 Interesting ... I didn't know that you could add a 'rejected' comment
 to the RBLs. Thanks for that.

I do not recommend the use of the 'rejected' comment as it:

1- wastes a lot of upward bandwidth, and switching time

Not really. SIMS sends a message no matter what, and you

2- it tells the spammer that its mail hit something

They already will know that they hit something because they get a 5xx response code. If they actually paid attention to that, they might stop trying to spam from listed space. There's not really any indication that they do pay any attention to the content of error messages, and many ignore the fact that they get any error message at all and just plow on as if everything is fine.

On the other side, many blacklists include addresses that are used by non-spammers, either nearby spammers or making legitimate use of cracked machines. If you


With rejected information I would send 1000's of outbound emails.
I do not want my computer to overheat for spam.

I use only 3 main rbls which score (yesterday 22 nov 2004):

dnsbl.sorbs.net    1095 catch
relays.ordb.org     102 catch
rhsbl.sorbs.net       1 catch
combined.njabl.org  261 catch

SIMS offers no support for the RHSBL model, so if rhsbl.sorbs.net is blocking any mail for you, it is a result of something being very broken.

(maybe I can re-order them but how ?)

I don't see a strong reason to re-order, but you are missing the most effective and least risky lists, Spamhaus' SBL and XBL. They are usable as a combination under sbl-xbl.spamhaus.org or individually as sbl.spamhaus.org and xbl.spamhaus.org. The SBL is address space used for no mail but spam, mostly space in direct control of identified professional spammers. The XBL is an aggregate of the Blitzed OPM list and the CBL, both of which carry addresses seen to be used abusively in ways matching the behavior of compromised machines. The XBL alone often catches 60%+ of my email volume (that's after the blocking I do at the network layer) and never has caught a single piece of non-spam.


Other blocked:

Bad return path    1080 catch
Spamtrapped!       5654 catch my favorite :-)

Total lines in the log: 45567

In my case (I have only 2 valid email addresses on my server)
the most effective way of antispam was to change old email for new ones,
then turn old email into spamtraps, with a 3 month test period to ensure
everybody now uses the new email.

About 'rejected' comments I had a trial period of 4 months to see if someone
was receiving these and created a webpage for this and also a mailbox
mailproblem@espacelollini.com for that.
I received 0 mail here, so I turned off the auto answers.

The rbls I use are pretty loose, I get some spam anyway.
But I want to be sure not to miss a good mail.

If you are worried about rejecting legitimate mail, the lists you are using are not good choices. You definitely would get better coverage and better safety from the Spamhaus lists perhaps selecting a few of the sub-zones for SORBS and NJABL instead of the combined ones. ORDB is also risky because even at this late date there are otherwise legitimate mail systems out there operating as open relays.

I fear country specific rbls because I have customers really from all over
the world, including China, cz, etc. which are heavy spammer countries.
If you have advice to improve my already not bad settings do not hesitate to
send.

One of the best tools I have for making sure that legitimate mail gets in while keeping out the flood of garbage is tagged addresses. SIMS does not have automatic support for tagging, but it is easy to set up in the router, like this:

<realaddress-*@blacklisted> = realaddress-*
<realaddress-badtag1> = spamtrap
<realaddress-badtag2> = spamtrap
<realaddress-*> = realaddress

If you give out addresses with tags, mail to them gets past blacklisting, but if specific tags get compromised you can turn them into spamtraps. I've used the same 2 base addresses for a decade on publicly posted stuff, but for the past few years I've been only giving out tagged addresses to specific business and personal contacts. This way, I can be sure that their mail evades the blacklists I use AND if those specific tagged addresses get spread to spammers, I can know where it came from and cease dealing with whoever is handing my address out.


--
Bill Cole
bill@scconsult.com
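
A small model of the four router records in the message above, added here as an illustration; it is not part of the original message and is not SIMS code. It assumes records are tried top to bottom with the first match winning, that a rewritten address is routed again, and that mail from an RBL-listed host arrives addressed to the `blacklisted` pseudo-domain and is refused unless a record routes it; the tag `acme` and the helper names are constructed.

```python
# Router records copied from the message; order matters (assumed first match wins).
RULES = [
    ("realaddress-*@blacklisted", "realaddress-*"),
    ("realaddress-badtag1", "spamtrap"),
    ("realaddress-badtag2", "spamtrap"),
    ("realaddress-*", "realaddress"),
]
ACCOUNTS = {"realaddress", "spamtrap"}  # constructed local accounts


def match(pattern, address):
    """Return the text matched by '*' ('' if no wildcard), or None on no match."""
    if "*" not in pattern:
        return "" if pattern == address else None
    head, tail = pattern.split("*", 1)
    long_enough = len(address) >= len(head) + len(tail)
    if long_enough and address.startswith(head) and address.endswith(tail):
        return address[len(head):len(address) - len(tail)]
    return None


def route(local_part, sender_blacklisted):
    """Return the account that receives the mail, or 'reject'."""
    # Assumption: an RBL hit is represented by the @blacklisted pseudo-domain.
    address = local_part + ("@blacklisted" if sender_blacklisted else "")
    for _ in range(10):  # guard against records that rewrite in a loop
        if address in ACCOUNTS:
            return address
        for pattern, target in RULES:
            star = match(pattern, address)
            if star is not None:
                address = target.replace("*", star)  # carry the tag across
                break
        else:
            return "reject"  # no record matched: unknown user or RBL refusal
    return "reject"


if __name__ == "__main__":
    cases = [("realaddress", False), ("realaddress", True),
             ("realaddress-acme", True), ("realaddress-badtag1", True),
             ("realaddress-badtag2", False)]
    for local, listed in cases:
        print(f"{local:22} blacklisted={listed!s:5} -> {route(local, listed)}")
```

The burned tags end in the spamtrap even when the sending host is listed, because the first record only strips the `@blacklisted` part and the rewritten address is matched again against the later records.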
