dnsbl'S + bogofilter = spam barbecue

Tom Anderson tanderso at oac-design.com
Fri Nov 12 13:54:16 CET 2004


On Thu, 2004-11-11 at 18:56, Chris Fortune wrote:
> Objective?  You have to be very careful.  There are a lot of considerations before you hand over blocking to DNSBLs.  For example I
> do NOT use the dnsbl.sorbs.net Aggregate zone.  Here's why:
> - block.dnsbl.sorbs.net - List of hosts demanding that they never be tested by SORBS.
> - dul.dnsbl.sorbs.net - Dynamic IP Address ranges

Indeed. I already warned against using the aggregate sorbs list and
suggested only the four objective lists which directly test for
relaying.

> xbl.spamhaus.org at one time listed Dynamic IP Addresses, but then later dropped them.  Will they list them again in the future?
> How would you know?  They got in hot water for it the last time, maybe they won't bother to print it on their website the next time.

I've only seen high praise for spamhaus.  Their website specifically
says that their number one priority is eliminating false positives.

> rfc-ignorant.org lists servers that are misconfigured but running.  But is that good judgement to block mail?  For example does all
> mail coming from a small rural server run by a non-English speaking computer student deserve to be blocked just because it isn't set
> up perfectly?

Yes.  Spammers use misconfigured servers to spoof and prevent legitimate
complaints.  The bounce message should tell the "computer student"
precisely what the problem is (eg. no postmaster address), which should
be fixable with ease.

> This is a spam war we are in, but like soldiers, it's our duty to reduce "collateral damage".  That is, innocent civilians shouldn't
> be gunned down.  There should be a lot of evidence to justify blocking, and that's why I don't block mail outright unless the IP is
> listed in at least three non-overlapping DNSBL databases, and let bogofilter + network tests + heuristic filters + user filters deal
> with the rest.  It's expensive, but the results are worth it: no false positives.

With objective lists, I'm confident enough in the false positive rate. 
Moreover, the bounces are descriptive, they aren't just dropped. 
Therefore, not only is collateral damage virtually nil, but if there is
any damage, it is a minor inconvenience, not fatal.  The expense of an
overloaded SMTP server on the other hand may be fatal, which is why I
prefer to bounce at SMTP time those addresses with the absolute highest
probability of being spam (open relays/proxies, worms, virii, etc).


> > I wonder if I even have ipchains compiled in my kernel...  I think dnsbls
> > seem to be the easiest solution.  I look forward to Jef posting his milter.
> >
> ipchains demands very low! resource usage, and is heartily recommended for busy servers, but is not easy to set up.   Go Jef!  I
> already customized ASSP (written in perl) to include bogofilter at SMTP time, and it gives me a warm bogo-glow every time I check my
> mail log!   Works amazingly well, but resource heavy - Unix fork() helped a lot!

Would you mind posting this script?

Tom
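The policy argued over in this thread (reject at SMTP time only when a connecting address is listed in at least three non-overlapping DNSBLs, hand anything weaker to bogofilter, and make the rejection descriptive so the "computer student" knows what to fix), as an added Python example that is not part of the original post or of any of the tools named in it. The SORBS and Spamhaus zone names are the ones quoted in the thread, the third zone is a labelled placeholder, and the "family" grouping used to treat an aggregate zone and its sub-zones as one hit is an assumption.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Zone -> "family". Hits inside one family count once, so an aggregate zone
# and a sub-zone it already contains (dnsbl.sorbs.net includes dul.dnsbl.sorbs.net)
# cannot by themselves satisfy the "three non-overlapping lists" rule.
# SORBS and Spamhaus names come from the thread; the third zone is a placeholder.
ZONE_FAMILY: Dict[str, str] = {
    "dnsbl.sorbs.net": "sorbs",
    "dul.dnsbl.sorbs.net": "sorbs",
    "xbl.spamhaus.org": "spamhaus",
    "third-list.example.invalid": "placeholder",
}
REJECT_THRESHOLD = 3                            # independent families needed for a 550
LISTED = ipaddress.IPv4Network("127.0.0.0/8")   # DNSBLs answer a listing inside 127/8

Lookup = Callable[[str], List[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, then the zone (a.b.c.d -> d.c.b.a.zone)."""
    ipaddress.IPv4Address(ip)                   # reject malformed input early
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_lookup(name: str) -> List[str]:
    """Resolve with the system resolver; NXDOMAIN (not listed) becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def evaluate(ip: str, lookup: Lookup = system_lookup) -> Tuple[str, str]:
    """Return (action, detail): 'reject' with a descriptive 550 line, 'tag'
    (hand the message to bogofilter) with the zones that hit, or 'accept'."""
    hits, families = [], set()
    for zone, family in ZONE_FAMILY.items():
        answers = lookup(dnsbl_name(ip, zone))
        # Only 127/8 answers are listings; anything else (a wildcarded or dead
        # zone answering with a public address) is ignored, not a false positive.
        if any(ipaddress.IPv4Address(a) in LISTED for a in answers):
            hits.append(zone)
            families.add(family)
    if len(families) >= REJECT_THRESHOLD:
        return "reject", f"550 5.7.1 {ip} is listed in {', '.join(hits)}; consult those lists for delisting"
    if hits:
        return "tag", ",".join(hits)
    return "accept", ""
```

Pass a different `lookup` (as the test does with a constructed table) to exercise the policy offline; with the default it queries the real zones.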
