Mailing List SIMS@mail.stalker.com Message #14822
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Multiple RBLs
Date: Mon, 29 Nov 2004 09:57:42 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 2:19 PM -0600 11/27/04, Ross Hunter imposed structure on a stream of electrons, yielding:
> On 21-nov-04, at 08.51, Bill Cole wrote:
>
>> At 1:34 PM -0500 11/18/04, Neil Herber imposed structure on a stream of electrons, yielding:
>>> How can you tell if something rejected by a blocklist was really spam? All you have to go on is an IP address. I have postmaster and abuse accounts and a web form for people to complain about bad rejects. I have had only 2 complaints in 2 years.
>>
>> You cannot tell for sure, but I have a log scraper that sucks out all the rejection sessions for examination, and I see things that SIMS cannot check for but which are big red flags of wrongness, like prefacing the SMTP commands with a HTTP command and header stream suitable for a proxy, or HELOing as my IP address, or 6 different IP addresses in 6 different countries HELOing as the same bogus name within a minute.
>>
>> The risk does exist with some blacklists (most prominently SPEWS and the SpamCop BL) for perfectly legitimate mail to be blocked. If you want that to not happen, you need to pick which ones you use carefully or be willing to define such rejections as non-problems for your site, i.e. affirm the economic disincentive justification for rejecting mail that comes from the same IP address or network as spam.
>>
>> Bill
>
> What are you using for a log scraper?

A really nasty bit of perl which works well enough that I haven't touched it in about 5 years except to port it from classic MacOS (i.e. MacPerl) to MacOS X. It basically scans the logs looking for SIMS sending SMTP error codes, then takes the identifying marks of each session that got an error and extracts all the associated log lines. It turns ~8MB of log into ~300KB of reject summaries (just the error lines) and ~6MB of detail with all the SMTP log lines from all of the bad sessions.

Obviously I'm not eyeballing all of the detail file on a regular basis, but I do plow through the summary file regularly looking for signs of bad rejects like machines that HELO accurately and with a name that looks like a real mail server, but get rejected by my very broad local blacklist. I don't much bother looking at things rejected by the Spamhaus lists because I've learned that they simply don't have bad rejects. The only blacklist I use with a real risk of rejecting non-spam mail is my local one.

--
Bill Cole                                  bill@scconsult.com
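
As an added illustration of the kind of scraper described in this thread (example code written for this page, not Bill's perl script): it groups an assumed `HH:MM:SS SMTP-<session> <text>` log layout by session, keeps only the sessions that drew a 4xx/5xx reply, and flags the red flags named above (an HTTP request ahead of the SMTP dialogue, a HELO equal to the receiving MTA's own address, and one HELO name used from several IP addresses within a minute). The log lines and the 203.0.113.5 address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log in an assumed "HH:MM:SS SMTP-<session> <text>" layout (not real SIMS output)
SAMPLE_LOG = """\
09:57:01 SMTP-101 HELO mail.example.net
09:57:02 SMTP-101 250 OK
09:57:10 SMTP-102 connected from 198.51.100.7
09:57:10 SMTP-102 HELO 203.0.113.5
09:57:11 SMTP-102 550 5.7.1 rejected: listed in local blacklist
09:57:20 SMTP-103 connected from 198.51.100.8
09:57:20 SMTP-103 GET http://203.0.113.5:25/ HTTP/1.0
09:57:21 SMTP-103 HELO relay-farm.invalid
09:57:22 SMTP-103 550 5.7.1 rejected: listed in local blacklist
09:57:40 SMTP-104 connected from 198.51.100.9
09:57:40 SMTP-104 HELO relay-farm.invalid
09:57:41 SMTP-104 550 5.7.1 rejected: listed in local blacklist
"""
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) SMTP-(\d+) (.*)$")

def rejected_sessions(log):
    """Group lines by session id; keep sessions that drew a 4xx/5xx reply."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, sid, text = m.groups()
            sessions[sid].append((int(h) * 3600 + int(mi) * 60 + int(s), text))
    return {sid: ls for sid, ls in sessions.items()
            if any(re.match(r"[45]\d\d[ -]", t) for _, t in ls)}

def red_flags(rejects, my_ip="203.0.113.5", window=60):  # my_ip: assumed own MTA address
    flags, helo_uses = defaultdict(list), defaultdict(list)
    for sid, lines in rejects.items():
        ip = None
        for t, text in lines:
            if text.startswith("connected from "):
                ip = text.split()[-1]
            elif re.match(r"(GET|POST|CONNECT) ", text):  # proxy-style preamble
                flags[sid].append("HTTP request before SMTP dialogue")
            elif text.upper().startswith(("HELO ", "EHLO ")):
                name = text.split(None, 1)[1]
                if name == my_ip:
                    flags[sid].append("HELO as our own IP address")
                helo_uses[name].append((t, ip, sid))
    for name, uses in helo_uses.items():  # same bogus name from many hosts
        times, ips = [u[0] for u in uses], {u[1] for u in uses}
        if len(ips) > 1 and max(times) - min(times) <= window:
            for _, _, sid in uses:
                flags[sid].append(f"HELO {name} shared by {len(ips)} IPs in {window}s")
    return dict(flags)
```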
