29 Jun
2006
29 Jun
'06
7:11 p.m.
Does anyone have a list of favorite RBL's (Real-time Spam Black Lists)? I'm
currently using the following and am looking for something a bit better.
RBLs: relays.orbs.org, sbl.spamhaus.org, relays.ordb.org,
bl.spamcop.net
Thanks,
Zane
29 Jun
29 Jun
7:34 p.m.
Zane H. Healy wrote:
Does anyone have a list of favorite RBL's
(Real-time Spam Black Lists)? I'm
currently using the following and am looking for something a bit better.
RBLs: relays.orbs.org, sbl.spamhaus.org, relays.ordb.org,
bl.spamcop.net
sbl-xbl.spamhaus.org. Blocks messages based on the ROKSO list (like the SBL),
but also blocks machines that are known to have been infected with viruses.
Problem is, it can be a little over-eager. If at all possible, set a few
whitelists based on the "To:" header for your mailing lists, and use something
like SpamAssassin to do scoring-based analysis. Don't waste your time with
Bogofilter. It doesn't work worth a damn. In my case, it had a false negative
rate of nearly 98%. And that's *after* I fed it about a thousand spams,
another thousand legitimate messages, and my classiccmp, PICList and TekScopes
mailing list archives.
I'm working on my own filter at the moment, tentatively nicknamed "HAMster".
It's written in C, and is intended to be "a faster SpamAssassin". I'm
working
on getting the code into a releasable state, then I'm going to set up a little
web site for it. I'm also open to suggestions of better names - one of my
friends suggested "SpamNinja" and "SpamSamurai", can anyone here do
better?
Reason I'm doing it is because I want to use my Linksys NSLU2 to block spam,
and SpamAssassin takes well over 30 seconds per message just for the text
filtering (with RBL lookups turned off).
--
Phil. | Kitsune: Acorn RiscPC SA202 64M+6G ViewFinder
philpem at dsl.pipex.com | Cheetah: Athlon64 3200+ A8VDeluxeV2 512M+100G
http://www.philpem.me.uk/ | Tiger: Toshiba SatPro4600 Celeron700 256M+40G
8:43 p.m.
friends suggested "SpamNinja" and
"SpamSamurai", can anyone here do better?
SpamSmack?
--
--------------------------------- personal: http://www.armory.com/~spectre/ ---
Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckaiser at floodgap.com
-- Use [Microsoft] IE and Passport and you can browse like it's 1984. -- /. ---
8:14 p.m.
Zane,
On Thursday 29 June 2006 12:11, Zane H. Healy wrote:
Does anyone have a list of favorite RBL's
(Real-time Spam Black Lists)?
I'm currently using the following and am looking for something a bit
better.
RBLs: relays.orbs.org, sbl.spamhaus.org, relays.ordb.org,
bl.spamcop.net
Here's all the RBL's I check using Spamassassin:
# ---------------------------------------------------------------------------
# NJABL
# URL: http://www.dnsbl.njabl.org/
header __RCVD_IN_NJABL eval:check_rbl('njabl', 'combined.njabl.org.')
describe __RCVD_IN_NJABL Received via a relay in combined.njabl.org
tflags __RCVD_IN_NJABL net
header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2')
describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
tflags RCVD_IN_NJABL_RELAY net
header RCVD_IN_NJABL_DUL eval:check_rbl('njabl-notfirsthop',
'combined.njabl.org.', '127.0.0.3')
describe RCVD_IN_NJABL_DUL NJABL: dialup sender did non-local SMTP
tflags RCVD_IN_NJABL_DUL net
header RCVD_IN_NJABL_SPAM eval:check_rbl_sub('njabl', '127.0.0.4')
describe RCVD_IN_NJABL_SPAM NJABL: sender is confirmed spam source
tflags RCVD_IN_NJABL_SPAM net
header RCVD_IN_NJABL_MULTI eval:check_rbl_sub('njabl', '127.0.0.5')
describe RCVD_IN_NJABL_MULTI NJABL: sent through multi-stage open relay
tflags RCVD_IN_NJABL_MULTI net
header RCVD_IN_NJABL_CGI eval:check_rbl_sub('njabl', '127.0.0.8')
describe RCVD_IN_NJABL_CGI NJABL: sender is an open formmail
tflags RCVD_IN_NJABL_CGI net
header RCVD_IN_NJABL_PROXY eval:check_rbl_sub('njabl', '127.0.0.9')
describe RCVD_IN_NJABL_PROXY NJABL: sender is an open proxy
tflags RCVD_IN_NJABL_PROXY net
# ---------------------------------------------------------------------------
# SORBS
# transfers: both axfr and ixfr available
# URL: http://www.dnsbl.sorbs.net/
# pay-to-use: no
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request
header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS
tflags __RCVD_IN_SORBS net
header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP net
header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3')
describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server
tflags RCVD_IN_SORBS_SOCKS net
header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4')
describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server
tflags RCVD_IN_SORBS_MISC net
header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5')
describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay
tflags RCVD_IN_SORBS_SMTP net
# delist: $50 fee
#header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6')
#describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source
#tflags RCVD_IN_SORBS_SPAM net
header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7')
describe RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server
tflags RCVD_IN_SORBS_WEB net
header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8')
describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested
tflags RCVD_IN_SORBS_BLOCK net
header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9')
describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network
tflags RCVD_IN_SORBS_ZOMBIE net
header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-notfirsthop',
'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
tflags RCVD_IN_SORBS_DUL net
# ---------------------------------------------------------------------------
# Spamhaus SBL+XBL
#
# Spamhaus XBL contains both the Abuseat CBL (cbl.abuseat.org) and Blitzed
# OPM (opm.blitzed.org) lists so it's not necessary to query those as well.
header __RCVD_IN_SBL_XBL eval:check_rbl('sblxbl',
'sbl-xbl.spamhaus.org.')
describe __RCVD_IN_SBL_XBL Received via a relay in Spamhaus SBL+XBL
tflags __RCVD_IN_SBL_XBL net
# SBL is the Spamhaus Block List: http://www.spamhaus.org/sbl/
header RCVD_IN_SBL eval:check_rbl_sub('sblxbl', '127.0.0.2')
describe RCVD_IN_SBL Received via a relay in Spamhaus SBL
tflags RCVD_IN_SBL net
# XBL is the Exploits Block List: http://www.spamhaus.org/xbl/
header RCVD_IN_XBL eval:check_rbl('sblxbl-notfirsthop',
'sbl-xbl.spamhaus.org.', '127.0.0.[456]')
describe RCVD_IN_XBL Received via a relay in Spamhaus XBL
tflags RCVD_IN_XBL net
# ---------------------------------------------------------------------------
# RFC-Ignorant blacklists (both name and IP based)
header __RFC_IGNORANT_ENVFROM eval:check_rbl_envfrom('rfci_envfrom',
'fulldom.rfc-ignorant.org.')
tflags __RFC_IGNORANT_ENVFROM net
header DNS_FROM_RFC_DSN eval:check_rbl_sub('rfci_envfrom', '127.0.0.2')
describe DNS_FROM_RFC_DSN Envelope sender in dsn.rfc-ignorant.org
tflags DNS_FROM_RFC_DSN net
header DNS_FROM_RFC_POST eval:check_rbl_sub('rfci_envfrom', '127.0.0.3')
describe DNS_FROM_RFC_POST Envelope sender in postmaster.rfc-ignorant.org
tflags DNS_FROM_RFC_POST net
header DNS_FROM_RFC_ABUSE eval:check_rbl_sub('rfci_envfrom', '127.0.0.4')
describe DNS_FROM_RFC_ABUSE Envelope sender in abuse.rfc-ignorant.org
tflags DNS_FROM_RFC_ABUSE net
header DNS_FROM_RFC_WHOIS eval:check_rbl_sub('rfci_envfrom', '127.0.0.5')
describe DNS_FROM_RFC_WHOIS Envelope sender in whois.rfc-ignorant.org
tflags DNS_FROM_RFC_WHOIS net
Cheers,
Lyle
--
Lyle Bickley
Bickley Consulting West Inc.
Mountain View, CA
http://bickleywest.com
"Black holes are where God is dividing by zero"
8:41 p.m.
# SORBS
I don't like spam.sorbs for mail with a high(er) signal:noise ratio. They've
listed yahoogroups a couple times, for example, and it's hard to get off their
lists when on there accidentally. I only use it on boxes where the spam level
is high and false positives are unlikely. spews.sorbs is more acceptable,
being just a retread of SPEWS data.
I use ORBS, sbl-xbl, DSBL and AHBL. I also have some custom sendmail rules
(yes, I confess: I can write sendmail rules, I feel so dirty) for various
other high-reliability triggers.
--
--------------------------------- personal: http://www.armory.com/~spectre/ ---
Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckaiser at floodgap.com
-- Specialization is for insects. -- Robert Heinlein --------------------------
9:28 p.m.
It was written....
Does anyone have a list of favorite RBL's
(Real-time Spam Black Lists)?
I'm
currently using the following and am looking for something a bit better.
RBLs: relays.orbs.org, sbl.spamhaus.org, relays.ordb.org,
bl.spamcop.net
This is better posted on the spamassassin or sendmail lists, not classiccmp.
Jay
6757
days inactive
6757
days old
5 comments
5 participants
participants (5)
-
healyzh@aracnet.com -
jwest@classiccmp.org -
lbickley@bickleywest.com -
philpem@dsl.pipex.com -
spectre@floodgap.com