Relay Blacklist Optimization

heutger (Fulda, Hessen, Germany, www.heutger.net), Apr 25, 2018
First I need to say that I'm from Germany, so my set will not fit everyone, as my selection fits best to the spam seen in Germany. Looking at e.g. importing spam to quick-start the Bayesian filter, I just realized that "my spam" is not "others' spam", so I don't recommend importing "foreign" spam to quick-start the Bayesian filter. I also don't really recommend (although the idea is interesting) catch-all (worst) or self-placed (better, but still different) spam honeypots to train the Bayesian filter; maybe they could be used to set up a blacklist, but for Bayes it's still different to learn from dumb spam waves instead of spam sent directly to a user.

So the best spam protection is spam which is already rejected at connection time, most effectively with postscreen. If a mail gets a very high spam score in the content filter, it would also be great to reject it (reject, not block; blocking is suppression, which is not allowed in Germany), but that is currently not possible with PMG. Whitelists are also a good idea (usually), but I recently saw very many false positives in the statistics (spammers which are whitelisted). Similarly, spammers have already recognized that SPF and DKIM are taken as measures of non-spam, so they try to use SPF-covered mail server nodes and try to DKIM-sign their messages, so that's no good signal for non-spam.

My current setup is a blacklist threshold of 2, so I have first-tier and second-tier blacklists. First tier are the ones which are absolutely trusted; second tier are the ones which have recently failed, so two of them need to match to get blacklisted.

First tier is:
zen.spamhaus.org (almost standard)
bl.spamcop.net (same and I also use it often to report/list spam)
psbl.surriel.com (tested for about 10+ years without any problems)
spamrbl.imp.ch (same as above)
noptr.spamrats.com (very few records and had no problems for years)
escalations.dnsbl.sorbs.net (same as above; all other SORBS lists have very many false positives (fp))

Second tier is:
ix.dnsbl.manitu.net (recently was first tier, but in the past had increasing fp)
b.barracudacentral.org (in my previous setup 10+ years ago I used BRBL, but removed it because of fp)
db.wpbl.info (same as above)

I'm currently testing additional blacklists. How did I get them? I use http://multirbl.valli.org/ with recent spam and checked on which blacklists they are listed. My current set is:

Additional candidates for first tier:
spam.dnsbl.anonmails.de
bl.score.senderscore.com
dnsrbl.swinog.ch

Additional candidates for second tier:
bl.blocklist.de
truncate.gbudb.net
ubl.unsubscore.com
spam.spamrats.com
hostkarma.junkemailfilter.com=127.0.0.2

No decision yet:
bl.spameatingmonkey.net
dnsbl.dronebl.org
wormrbl.imp.ch
dbl.suomispam.net

Any ideas, experiences, tips, ... on my setup?

Regards,
Christian
 
First run finished: first tier bl.score.senderscore.com and bl.spameatingmonkey.net made it, second tier truncate.gbudb.net and bl.blocklist.de made it. spam.dnsbl.anonmails.de, dnsrbl.swinog.ch, ubl.unsubscore.com, spam.spamrats.com and hostkarma.junkemailfilter.com didn't make it: the first because of false positives and too many RBL errors, the second because of too few hits and false positives among those hits, the rest because of too many false positives.

dbl.suomispam.net, dnsbl.dronebl.org and wormrbl.imp.ch are now in a second round; additional ones in this round are

superblock.ascams.com
vote.drbl.gremlin.ru
work.drbl.gremlin.ru
rbl.realtimeblacklist.com

as well as a trial of invaluement's blocklists (names not posted here, as they are also access-restricted).

In one to two weeks I can tell more.

Additionally, I now already get better and better handling, but I still dislike that sure spam is not rejectable. So I will now have a look and test whether I could do something similar to the rspamd/PMG dual setup (which I was not so happy with) with an SA/PMG dual setup, finally invoking SA twice, but once via milter (spamass-milter) just for rejecting high-score spam. Will see if this workaround works for me until maybe Proxmox decides to change their pmg-smtp-filter setup from content_filter to milter.
 
@heutger thanks for sharing. I started using your first tier list today.
dnsbl_sites zen.spamhaus.org,bl.spamcop.net,psbl.surriel.com,spamrbl.imp.ch,noptr.spamrats.com,escalations.dnsbl.sorbs.net,bl.score.senderscore.com,bl.spameatingmonkey.net
 
No problems. I keep testing: Tier 1 looks really fine, and Tier 2 with the threshold looks great as well. From the new candidates dbl.suomispam.net is gone now too, but I may add two more to test next week. There should also not be too many blacklists, but directly rejecting before entering the spam gateway is the best way if trustworthy lists are used.
 
Last round. I have now adjusted my blacklists as follows:

zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com*2,spamrbl.imp.ch*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com*2,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,db.wpbl.info,truncate.gbudb.net,bl.blocklist.de,xxx,xxx24

xxx and xxx24 are the invaluement blacklists; you need to contact them to purchase.

The last testing stage is now:
rbl.abuse.ro and their domain blacklist
rbl.interserver.net
dnsbl.cobion.com
and spam.spamrats.com gets a second try, as a colleague didn't tell me that she had never subscribed to the "false positives"
 
Last round intermediate results:

I'm keeping the postscreen threshold blacklists set as above. It worked really well. Also the tier-2 kicker combination seems to be really good: if it's really spam, they get a score of two; if there are false positives, only one value is kept and the mails get through. So I can suggest the setup above as really well working. The invaluement lists work very well as well; ivmsip, ivmsip24 and ivmuri I just check in SA, and they can kick a lot, as can any other of the score-one lists.

I'm a bit upset about WPBL, as even for tagging only I saw some false positives; I will keep an eye on it.

For the current last stage I will keep looking for one more week; currently I can say:
dbl.abuse.ro works well
rbl.abuse.ro had false positives with 127.0.0.2, I continue to test with 127.0.0.3 and 4
rbl.interserver.net, dnsbl.cobion.com as well as spam.spamrats.com get removed because of too many false positives

I will keep checking spam mails this week, but if I don't find more lists that most of them have in common, I will close testing by the end of next week and provide my final set in the Advancing PMG thread.

The milter setup also works very well currently; I just need to ask one question, which I will open an extra thread for, as rare spam is still coming in. Still waiting for Bayes to start, keep fetching spam to learn.
 
I have now removed WPBL from the RBL list as well as from SpamAssassin. I added dbl.abuse.ro to main.cf.in. I will now retest blacklist.woody.ch and dnsrbl.swinog.ch one last time; if no more blacklists turn up in this check, I'm done. I'll adjust my Advancing PMG thread to cover the changes.
 
I continue with some new lists. I'm quite unsure whether I already tested one of them, as I forgot to "document" it here, so this time here is the full set I'm testing now:

dnsbl.anticaptcha.net
dnsbl.zapbl.net
rhsbl.zapbl.net (not as dbl but as rhsbl for sure)
rbl.megarbl.net
dnsbl.isx.fr
 
And I have already removed some from the test again because of too many false positives:

dnsbl.anticaptcha.net
dnsbl.zapbl.net
dnsbl.isx.fr

I believe blacklist optimization is really in its last stage now; there are not many more lists to consider. Will see how the last two lists work out, but I'm afraid I need to adjust other screws.
 
None of the lists are usable: dnsbl.spfbl.net lists too many systems, also as a domain blacklist, like Strato servers. blackholes.tepucom.nl also lists Rapidmail, the newsletter provider we use.

However, I have started to go on steroids now: I changed the hardcore-ness of my used lists by lowering the milter reject level on my private installation down to 4, so just scores 0-3 will get through; will see how this works out.
 
I was wondering, so what's your DNSBL blacklist overall? Or which lists are usable?
 

I still always post my final set (also with weights on threshold 2) in my Advancing thread (I still keep the configs up to date regarding this). I still always check new spam as new lists arise and try to optimize my set. However, it already looks very good. Just three lists are only named there, as the invaluement lists are only available with a subscription. It's worth it and not too expensive.
 
Hi

Could you please write down the complete portion of the Postfix configuration?
It's quite difficult to understand how the RBL hosts should be written down.

Thx
 
You can find my current setup here: #2

But if you're just looking for my RBL setting, use the GUI, set the threshold to 2 and set the lists:

zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com*2,spamrbl.imp.ch*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com*2,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de,xxx,xxx24

whereas xxx and xxx24 you should skip unless you subscribed to invaluement and got their list names to use in your config.
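For readers who want to see what the GUI values above correspond to in Postfix terms, this is an added example written for this page, not configuration taken from the thread or from Proxmox. It assumes, as the thread's postscreen references suggest, that PMG feeds the GUI list string and threshold into postscreen's DNSBL parameters; on PMG itself the values belong in the GUI (or the main.cf.in template mentioned earlier in the thread), not in a hand-edited main.cf. The subscription-only xxx/xxx24 placeholders are left out.

```conf
# Postfix main.cf syntax, added example (not the thread's or Proxmox's own config).
# Client is rejected when the summed DNSBL weights reach the threshold:
# one tier-1 listing (*2) suffices, tier-2 listings (weight 1) need two.
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =
    zen.spamhaus.org*2, bl.spamcop.net*2, psbl.surriel.com*2,
    spamrbl.imp.ch*2, noptr.spamrats.com*2, escalations.dnsbl.sorbs.net*2,
    bl.score.senderscore.com*2, bl.spameatingmonkey.net*2,
    rbl.realtimeblacklist.com*2, dnsbl.dronebl.org*2,
    ix.dnsbl.manitu.net, b.barracudacentral.org, truncate.gbudb.net, bl.blocklist.de
# enforce = reply 550 to the client's RCPT TO and log it; "ignore" would only log,
# "drop" would hang up with 521.
postscreen_dnsbl_action = enforce
```

Lines beginning with whitespace continue the previous parameter, so the list can be split for readability. A reply-code filter such as the 127.0.0.3/4 distinction the poster tests for rbl.abuse.ro would be written as an entry of the form domain=127.0.0.[3..4]*2 in the same list.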
 

Why don't you use wblist too?
 
Do you mean whitelists? Because statistics as well as the content scan have shown that too many valid systems aren't listed and too many spammer systems are (so many false positives). As my set of blacklists is so hand-picked, I don't want to weaken it by using weak whitelists. It's the same for blacklists: if they hit a very good ratio of spam like rbldns.ru but vice versa have many false positives, I also won't use them at all.
 
