Postfix has a NUMBER of tools for rejecting unwanted messages before they get in the door and waste your CPU time on deciding “hey this mail is spam”. Up until recently I’ve mostly used the relays.ordb.org check (which in the last couple months has now gone defunct.) When we started noticing problems with ordb.org’s responsiveness I planned to investigate other blacklisting options and found several. Obviously there are advantages and disadvantages to blacklisting. The first disadvantage is you have turned over control of blocking mail senders to an outside authority and you should familiarize yourself with THEIR policies for listing (and delisting) a server.
I’ve found a great way to research “which blacklists are effective at blocking which junk mail” is www.dnsstuff.com One of the options there is a blacklist lookup and they’ll run an ip through a LONG list of blacklist lookups and you can see where it’s detected. I spent a good amount of time sampling messages that were tagged as junk and running their IP’s through this to see what blacklists caught them.
In my postfix config (/etc/postfix/main.cf) I’ve managed to add the blacklists I’ve chosen…. I’m using the smtpd_client_restrictions for this….
smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist,permit_mynetworks,reject_rbl_client sbl-xbl.spamhaus.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client web.dnsbl.sorbs.net,reject_rbl_client block.dnsbl.sorbs.net,reject_rbl_client zombie.dnsbl.sorbs.net,reject_rbl_client smtp.dnsbl.sorbs.net,reject_rbl_client bl.spamcop.net,reject_rbl_client list.dsbl.org,reject_rbl_client combined.njabl.org,reject_rbl_client psbl.surriel.com
You might notice hash:/etc/postfix/whitelist listed…. this is for (obviously?) whitelisting hosts that get caught up in one of our blacklists that we want to receive mail from no matter what.
Our highest risk blacklist seems to be psbl.surriel.com which is a Passive blacklist…. they’ve essentially setup a spamtrap email address which is advertised on a web page or newsgroup that they don’t expect to get legit mail on EVER. They record where they receive junk in that account from and those machines are blacklisted. (And can be delisted from the web interface.) The only catch is if one of the servers on the list is your ISP and someone in your isp’s network is using their outbound servers to spam…. well you’ll see your isp’s server blacklisted, delisted, blacklisted, etc.etc.etc.
Instead of using the blacklist to reject, you may decide to just use it via Spamassassin to alter scoring of messages..
The sbl-xbl.spamhaus.org is by far the most effective of the blacklists (this is a combined search of the spam blacklist and the comprehensive blacklist… ) Here’s the SBL summary:
The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.
The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.
Incorporates CBL data and NJABL proxy data
The XBL wholly incorporates data from two highly-trusted DNSBL sources, with tweaks by Spamhaus to maximise the data efficiency and lower False Positives. The main components are:
– the CBL (Composite Block List) from cbl.abuseat.org
– the NJABL Open Proxy IPs list from www.njabl.org.
dul.dnsbl.sorbs.net essentially blocks dynamic IP addresses from sending mail directly (THEY need to route through their ISP anyway.) (Note: I know there are many who, like myself, once tried to run a linux mailserver from home DIRECTLY delivering to destination rather than smarthost delivery… it frustrated the heck out of me that some hosts would not accept mail. I started using smarthosts for that reason. The bottom line here is that the vast majority of junk comes directly from residential dynamic IP dsl or cable accounts. Yeah, it’s a pain, but use smarthosts.)
The various sorbs.net lists are exploitable web/mail servers or machines that appear to be zombiefied… the combined.njabl.org combines another dynamic ip list as well as an open relay/proxy list… etc.
Do not take these as “you should use these blacklists”. Every situation is different and you have to decide the cost/benefit of blacklisting outright versus accepting and then spamfiltering. One machine that I’ve administered now is blocking around ~1700 messages from being queued a day and the feedback has been very positive. There have been a few that I’ve needed to whitelist (all due to the passive blacklist.) But the average junk mail/day has gone from 30-50 per person or so down to about 6. (AND I should note that the ones that do slip through seem to be more successfully tagged as junk.)
We could probably start the whole “I don’t want to reject a single piece of mail” discussion, we’ll just use blacklists for spam tagging here and that’s fine. To each their own. I have learned that in some locations it’s against the law to delete/quarantine an email after it’s accepted for delivery. For that reason, rejecting outright suspect sender IP’s seems to be a good option. Certainly I would check the rules in your locality.
Related PostsRelated Posts
- Mail Server Rejecting all Messages - Check your Blacklists relays.ordb.org is listing the WORLD It's unusual for mail servers to suddenly start rejecting messages internally and from external sources. That's exactly what I saw though over the weekend. A mailserver running mdaemon on Windows 2000 was rejected ALMOST every message that was sent it's way whether it was an internal mail sender and recipient......
- Nugache the latest in bot-net technology... and why you should care about botnets... To show you where the threat with bot networks is going there's a story today on Nugache (Symantec summary) which is a bot that takes advantage of a number of clever tricks to avoid having the whole bot net shut down, allow command and control on an encrypted channel and......
- Postgrey and the power of Greylisting to fight Spam Wow.... Let me just say that I have typically been inundated with junk mail on my primary address. It's associated with this domain and has been hosted in an older sendmail setup for quite some time (not really by choice, but because that's what was installed on the old vps.)......
- 3 Steps For Money Making From Internet By Selling Domain Names Buying and selling domain names is one of the most profitable method of money making from Internet. Its not a complex process, it involves buying domain names which are demand in the market and selling for higher price. In general, the most creative and domain name with common keywords, are......
- X Files Of Online Marketing Erkan Meydanlioglu,Mr http://www.OnlineMarketingManager.org A traditional profile of online entrepreneurs as: 1)Young individuals with previous appearance and physique due to working hard or monitoring their competitives. 2)All the time busy minded to assume new and inventive marketing campaign concepts to extend gross sales and revenues. three)At all times wears black solar......
- Your List Building Project – Simple Mistakes That Can Destroy It For those of you who know a lot about marketing online, you are probably familiar with the saying “lists will get you cash”. Leading online marketers are always teaching their students that creating focused email lists of potential members is essential. And the fact is, yes this is the holy......
- Blacklists and rejecting mail with Sendmail
- Why? (Why couldn’t AT&T make sure their mail servers weren’t using old dialup IPs that are blacklisted….)
- More postfix spam blocking and Whitelisting….
- AT&T rbl block inquiry site
- Bellsouth/ AT&T mail problems