which blacklist should i use?

Discussions on webmail and the Professional version.
merk
Posts: 418
Joined: Sun Oct 12, 2003 2:50 pm

which blacklist should i use?

Post by merk » Tue Oct 21, 2003 9:09 pm

I'd like to try some of the blacklisting services to filter out the spam. But i do not want one that unreliable.

I cant remember which blacklist it was, but i know my friend had his server blacklisted for a VERY long time and couldnt get it removed, even though his server had been secure for 2-3 years at least.

Ian

merk
Posts: 418
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Wed Oct 29, 2003 10:17 am

BUMP

Anyone?

webfeat
Posts: 26
Joined: Wed Aug 20, 2003 10:01 am

Post by webfeat » Thu Oct 30, 2003 10:45 am

I would also like some suggestions for this.
Webfeat

Webfeat Reserves the right to be profoundly wrong in any instance.

Alyson_J
Posts: 40
Joined: Sat Jun 15, 2002 9:44 pm
Location: United Kingdom
Contact:

Post by Alyson_J » Thu Oct 30, 2003 2:12 pm

There isn't a simple answer. You really need to establish which list you trust.

I personally take a hard line and use:

SBL - Spamhaus Blocklist
SPEWS - Spam Prevention Early Warning System
Spamcop
DSBL - Distributed Server Blocklist (basically open servers)
ORDB - blocks Open Relays

I also block the following countries by using zone files from blackholes.us

China
Korea
Taiwan
Russia
Argentina
Brazil

In all the time i've used the RDNS lookups i've had 3 false positives which has therefore proved to me that these are effective.

I review my log files daily. If you choose to implement a list make sure you understand what they block, some are private lists that block every IP on the planet.

Also check out http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html
Aly

merk
Posts: 418
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Fri Oct 31, 2003 12:25 am

I dont want to take a hard line approach since i do not want any legit email being blocked since there will be email for other people going through this server.

I'd be happy if it 90% of the spam was cut down. and i definitely cant block a whole country ... even though i wish i could since i know that the percentage of legit email coming from those countries is close to zero, if not actually zero.

We get a few thousand spam messages a day. So if i could cut out 80 or 90 percent, that would be a big improvement. Not to mention it would cut down on a big chunk of the bandwidth being used.

Alyson_J
Posts: 40
Joined: Sat Jun 15, 2002 9:44 pm
Location: United Kingdom
Contact:

Post by Alyson_J » Fri Oct 31, 2003 4:20 pm

Of the blocklists I look up I prefer the SBL (http://www.spamhaus.org) - maintained by Steve Linford, highly respected in the anti-spam world. Spamhaus is also the home of ROKSO (register of known spam orgainisations).

Spamcop is pretty good and their lists are built based on reports, though the quality of people reporting to spamcop can be hit or miss.

Blocking open relays is a pretty good idea as these machines are raped by spammers to spew their rubbish all over the net.

I host only two domains of my own on our servers, the rest are other peoples sites. We aren't a large outfit by any means at the moment and can afford to block countries like those I've chosen. They were chosen as in 18 months of running the servers everything we have received from them has been unsolicited commercial email.

We tell people before they host with us that we use RDNS Blacklisting and advise up front which countries we block. Not one minded in the slightest. I do of course appreciate the larger the interest the harder it is to be so tough.

The addition of whitelisting in the latest version is a help as we have had to whitelist one server.
Last edited by Alyson_J on Sun Nov 23, 2003 11:19 am, edited 1 time in total.
Aly

merk
Posts: 418
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Sun Nov 23, 2003 9:38 am

just finally now switched a live domain that gets spammed onto the ME server. I enabled the two that were suggested (spamhaus and spamcop),

quick question though ... what do the various options under 'DNS path' and 'record type to check for' mean?

I'll also look into that SNIMTA plugin since i've seen several people mention using that with success.

Alyson_J
Posts: 40
Joined: Sat Jun 15, 2002 9:44 pm
Location: United Kingdom
Contact:

Post by Alyson_J » Sun Nov 23, 2003 11:16 am

DNS Path

This allows you to define whether you wish to refer your lookup request to the service providers DNS Zone or to simply query a DNS Host for an entry. Most implementations of DNS Blacklists require a Zone lookup.

Zone Lookup

This is the name of the DNS Zone or the IP Address of the DNS host that should be queried.

Record Type to Check

When the remote host or zone is queried, it may return one or more DNS Record types. Most implementations return an A record, but other implementations may return NS, PTR or MX records.

Spamhause Blocklist(SBL)
DNS Path: Zone Lookup

Zone: sbl.spamhaus.org

Record Type to check: Address (A)

Spamcop

DNS Path: Zone Lookup

Zone: bl.spamcop.net

Record Type to check: Address (A)

Basically I follow this for all the blocklists I use.

Hope that helps.

Regards
Aly

merk
Posts: 418
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Sun Nov 23, 2003 2:10 pm

ok, thanks. Those are the settings i left it at. I'll let it run like that and see if they notice any decrease in the amount of spam.

most of the spam we seem to get though doesnt seem to go through any email server. It appears as though the spammer is sending it directly. It also looks like as though we got bombed with spam the last few days. There was a HUGE increase in the spam over the last 2-3 days. most of it all seemed to be just random emails ... people just generating random email addresses for the domains hoping some of them were valid. And all of them appeared to be sent directly ... i didnt notice any smtp server in the headers. (although i didnt look too closely since i was just annnoyed at how much of my time and server resources these spammers waste).

Alyson_J
Posts: 40
Joined: Sat Jun 15, 2002 9:44 pm
Location: United Kingdom
Contact:

Post by Alyson_J » Sun Nov 23, 2003 4:58 pm

Be interesting to see what your stats are. Spam hitting my server and not getting through is currently 70% of the total volume on a daily basis!

Wait till you see how much resource they continue to try and use despite being blocked. Most of them completely ignore any bounces and try banging on the closed door for ages. Often it gets to the point when I null route them at the firewall.

Spammers are vermin, theives and liars, they don't care about our resources or the time it takes us to protect our users against their incessant spewing of spam.

Sadly for mail admins this is only going to get worse since the CAN SPAM Act went through basically legalising "Good Spam" and adopting an opt out policy. Madness, simply Madness.
Aly

merk
Posts: 418
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Mon Nov 24, 2003 1:06 am

hehe you a preaching to the choir here. I'd love to see the worst spammers lined up and shot. They are scumbags.

I havent really measured our stats ... mainly because the program i'm using now doesnt have an easy way of doing that. But i think we usually get maybe 2000 messages a day total ... and i'd saying 98% of it is spam.

But the other day our server was getting thousdands of emails in the space of an hour. I'd delete a thousand of them from the outbound queue and in a few minutes there were a thousand more. and all of them were to totally random email addresses just hoping that some of them were valid. And all of them seemed to be coming from random IP's ... i didnt notice any smtp server in the headers. It almost looked like a spam worm attack ... i wouldnt be surprised if the scumbag spammers started doing that sometime.

g_attrill
Posts: 10
Joined: Mon Dec 01, 2003 9:09 pm

Post by g_attrill » Mon Dec 01, 2003 9:10 pm

A domain hosted on my server had an attack - they were using "a_random_name@victimsdomain.co.uk" as the sender's address.

I had a catchall set up on the domain but luckily noticed the attack early and switched it off! Last time I looked (a week ago, about a week afterwards) it was still getting 60/hr, mostly AOL bounces and spam blocks being bounced by the open relay they were using.

Gareth

merk
Posts: 418
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Tue Dec 02, 2003 3:13 am

60/hr would be normal or even a little below normal traffic for me. But the main problem when i was getting bombed was the spam didnt seem to be coming from any smtp server. it looked like it was being sent directly from someone's pc.

i didnt pay too much attention really since i was busy cleaning up all the junk emails that accumulated.

BlueRocket
Posts: 49
Joined: Wed Oct 29, 2003 3:25 am

Post by BlueRocket » Mon Dec 08, 2003 2:36 am

Alyson_J wrote:
Basically I follow this for all the blocklists I use.

Hope that helps.

Regards
What do you set the Response field to??
"I have no special talents, I am only passionately curious" - Albert Einstein

BlueRocket
Posts: 49
Joined: Wed Oct 29, 2003 3:25 am

Post by BlueRocket » Mon Dec 08, 2003 2:48 am

Alyson_J wrote: I also block the following countries by using zone files from blackholes.us

China
Korea
Taiwan
Russia
Argentina
Brazil
How do you use these zone files? I know SNIMTA allows a Banned Address list, but not IP's. Is this something you put on your firewall?? Or is there a way of inputing this into MailEnable?
"I have no special talents, I am only passionately curious" - Albert Einstein

Post Reply