dnsbl'S + bogofilter = spam barbecue

Tom Anderson tanderso at oac-design.com
Thu Nov 11 19:24:55 CET 2004 

From: "Chris Fortune" <cfortune at telus.net>
> a satisfying method.  Careful selection of DNSBLs is required, and I took 
> a long time to test and investigate.  Check out this
> highly recommended page:  http://www.scconsult.com/bill/dnsblhelp.html

Good article.

> I abandoned DNSBLs completely for several months because they were 
> unreliable as a single point of authority (for reasons...
> Ouch!  Disagree.  The tools are supposed to solve the problem, not create 
> new ones.  DNSBLs are famous for their poor management and
> innacuracy.

This would be true of subjective lists, for example, as the above link 
points out, SPEWS, Spambag, MAPS, SBL, and ORB.  However, other lists are 
purely objective, eg:

http.dnsbl.sorbs.net only lists open HTTP proxies
socks.dnsbl.sorbs.net only lists open SOCKS proxies
smtp.dnsbl.sorbs.net only lists open SMTP relays
web.dnsbl.sorbs.net only lists webservers with vulnerabilities abusable by 
spammers (formmail, etc)
list.dsbl.org only lists servers which specifically request they be listed 
(usually open relays/proxies)
xbl.spamhaus.org lists servers with exploits including open relays/proxies, 
worms, virii, spyware, etc.
dsn.rfc-ignorant.org lists servers which do not accept email bounces
postmaster.rfc-ignorant.org lists servers which don't have a working 
postmaster address
bogusmx.rfc-ignorant.org lists servers whose MX points to private, local, 
loopback, etc., IP space
whois.rfc-ignorant.org lists servers which have missing, incomplete, or 
incorrect whois data

The above are all directly testable and not at all subjective.  Anyone 
listed in those lists is either incompetently running an insecure system or 
maliciously spamming people.  The only possible false positives will occur 
when an IP address has changed ownership, and each of those lists has a 
mechanism to remove an address in such a case.  Moreover, if someone takes 
ownership of a previously blacklisted address, they can ask for a different 
one from their provider.  These lists are neither inaccurate nor poorly 
managed lists AFAICT.  In addition to the above, I'm using sbl.spamhaus.org 
because they specifically list their foremost goal as eliminating virtually 
all false positives even though they maintain a somewhat subjective list of 
well-known and verified spammers, and I've heard of no complaints against 
this list.  BTW, I've dropped relays.visi.com since it wasn't blocking 
anything that wasn't caught by sorbs first.  After several days now running 
these blocklists, I've eliminated about 80% of my spam, and I haven't had 
any false positives.  I still get nearly the same number of false negatives 
and about half as many unsure spams getting through bogofilter, which 
implies that the smarter spammers (the ones able to fool bogofilter) are 
staying off of the blocklists.  It sure does free up system resources 
though.

>> I'm interested in the MTA implementation in order to block spam at SMTP 
>> time
>> and never have to receive or process it with bogofilter.
>
> Yes, many a sysadmin of a large mail server has dreamed of this day.  For 
> now, a multi-level filtering approach is more advisable.

I'm using the above listed _objective_ dnsbls and rhsbls to reject outright 
with a descriptive bounce, coupled with bogofilter to classify the 
remainder.  Perhaps adding a step between the two to feed the _subjective_ 
dnsbls and rhsbls to bogofilter would be a good idea.

> This feedback mechanism looks like a good re-use of information resources, 
> provided that IP addresses are accurate!.  Somebody once
> posted a Linux recipe to this list that bans IPs at the kernel level using 
> `ipchains`.  Bogofilter was the filter of choice.  That's
> a nice way to do it: bogofilter decides bogosity (in concert with DNSBLs), 
> IP address is saved to a db and count is incremented,
> (optional - greylisting, or adding a factored count to bogosity score), 
> once a data row reaches a threshold count then it is no
> longer a vote but becomes a veto: ipchains is notified and the IP address 
> is also entered into a local blacklist for x hours.  Data
> rows are decremented every x hours to flush IP addresses out.

I wonder if I even have ipchains compiled in my kernel...  I think dnsbls 
seem to be the easiest solution.  I look forward to Jef posting his milter.

Tom

More information about the Bogofilter mailing list