Relay Blacklist Optimization

Discussion in 'Mail Gateway: Installation and configuration' started by heutger, Jun 17, 2018.

  1. heutger

    heutger Active Member

    Joined:
    Apr 25, 2018
    Messages:
    231
    Likes Received:
    63
    First I need to say that I'm from Germany, so my set will not fit everyone, as my selection best fits the spam seen in Germany. Looking at e.g. importing spam to quick-start the Bayesian filter, I just realized that "my spam" is not "others' spam", so I don't recommend importing "foreign" spam to quick-start the Bayesian filter. I also don't really recommend (although the idea is interesting) catch-all (worst) or self-placed (better, but still different) spam honeypots to train the Bayesian filter; maybe they could be used to set up a blacklist, but for Bayes it's still different to learn dumb spam waves instead of spam sent directly to a user.

    So the best spam protection is spam that is already rejected at connection time, e.g. most effectively with postscreen. If a spam mail gets a very high spam score in the content filter, it would also be great to reject it (reject, not block; blocking is suppression, which is not allowed in Germany), but that is currently not possible with PMG. Whitelists are also a good idea (usually), but I recently saw very many false positives in the statistics (spammers that are whitelisted); similarly, they have also already recognized that SPF and DKIM are taken as measures for non-spam, so they try to use SPF mail server nodes and to DKIM-sign their messages, so that's no good signal for non-spam.

    My current setup is a blacklist threshold of 2, so I have first-tier and second-tier blacklists. First tier are the ones I absolutely trust, second tier are the ones that recently failed, so two of them need to match to get blacklisted.

    First tier is:
    zen.spamhaus.org (almost standard)
    bl.spamcop.net (same and I also use it often to report/list spam)
    psbl.surriel.com (tested for about 10+ years without any problems)
    spamrbl.imp.ch (same as above)
    noptr.spamrats.com (very few records and had no problems for years)
    escalations.dnsbl.sorbs.net (same as above; all other SORBS lists have very many false positives (fp))

    Second tier is:
    ix.dnsbl.manitu.net (recently was first tier, but in the past had increasing fp)
    b.barracudacentral.org (in my setup 10+ years ago I used BRBL, but removed it because of fp)
    db.wpbl.info (same as above)

    I'm currently testing additional blacklists. How did I get them? I use http://multirbl.valli.org/ with recent spam and check which blacklists they are listed on. My current set is:

    Additional candidates for first tier:
    spam.dnsbl.anonmails.de
    bl.score.senderscore.com
    dnsrbl.swinog.ch

    Additional candidates for second tier:
    bl.blocklist.de
    truncate.gbudb.net
    ubl.unsubscore.com
    spam.spamrats.com
    hostkarma.junkemailfilter.com=127.0.0.2

    No decision yet:
    bl.spameatingmonkey.net
    dnsbl.dronebl.org
    wormrbl.imp.ch
    dbl.suomispam.net

    Any ideas, experiences, tips, ... on my setup?

    Regards,
    Christian
     
    Sommer and killmasta93 like this.
  2. heutger

    First run finished: in the first tier bl.score.senderscore.com and bl.spameatingmonkey.net made it, in the second tier truncate.gbudb.net and bl.blocklist.de made it. spam.dnsbl.anonmails.de, dnsrbl.swinog.ch, ubl.unsubscore.com, spam.spamrats.com and hostkarma.junkemailfilter.com didn't make it: the first because of false positives and too many RBL errors, the second because of too few hits and false positives among those hits, the rest because of too many false positives.

    dbl.suomispam.net, dnsbl.dronebl.org and wormrbl.imp.ch are now in a second round; additional ones in this round are

    superblock.ascams.com
    vote.drbl.gremlin.ru
    work.drbl.gremlin.ru
    rbl.realtimeblacklist.com

    as well as a trial of invaluement's blocklists (names not posted here, but they are also access-restricted).

    In one to two weeks I can tell more.

    Additionally, I now already get better and better handling, but I still dislike that sure spam is not rejectable. So I will now have a look and test whether I could do something similar to the rspamd/PMG dual setup (which I was not that happy with) with an SA/PMG dual setup, finally invoking SA twice, but once via milter (spamass-milter) just for rejecting high-score spam. We'll see if this workaround works for me until maybe Proxmox decides to change their pmg-smtp-filter setup from content_filter to milter.
     
  3. heutger

    Second round already cleaned up on the first day:

    superblock.ascams.com
    vote.drbl.gremlin.ru
    work.drbl.gremlin.ru

    have been removed.

    rbl.realtimeblacklist.com and the invaluement lists continue the second round.
     
  4. Sommer

    Sommer Member

    Joined:
    Jun 7, 2018
    Messages:
    45
    Likes Received:
    4
    @heutger thanks for sharing. I started using your first tier list today.
     
  5. heutger

    No problem. I keep testing; tier 1 looks really fine, and tier 2 with the threshold looks great too. From the new candidates dbl.suomispam.net is now gone as well, but I may add two more to test next week. There should also not be too many blacklists, but directly rejecting before entering the spam gateway is the best way if trustworthy lists are used.
     
  6. heutger

    Last round. I have now adjusted my blacklists as follows:

    zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com*2,spamrbl.imp.ch*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com*2,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,db.wpbl.info,truncate.gbudb.net,bl.blocklist.de,xxx,xxx24

    xxx and xxx24 are the invaluement blacklists; you need to contact them to purchase.

    The last testing stage is now:
    rbl.abuse.ro and their domain blacklist
    rbl.interserver.net
    dnsbl.cobion.com
    and spam.spamrats.com got a second try, as a colleague didn't tell me that she had never subscribed to the "false positives"
     
  7. heutger

    Last round intermediate results:

    I'm keeping the postscreen threshold blacklist set as above. It worked really well. The tier 2 kicker combination also seems to be really good: if it's really spam, they get a score of two; if there are false positives, the single score of one keeps the mails getting through. So I can suggest the setup above as working really well. The invaluement lists work very well as well, and I just use the checks for ivmsip, ivmsip24 and ivmuri in SA; they can kick a lot, as any of the other score-one lists help to kick.

    I'm a bit upset about WPBL, as even for tagging only I saw some false positives; I will keep an eye on it.

    From the last stage I will keep having a look for one more week; currently I can say:
    dbl.abuse.ro works well
    rbl.abuse.ro had false positives with 127.0.0.2; I continue to test with 127.0.0.3 and .4
    rbl.interserver.net, dnsbl.cobion.com as well as spam.spamrats.com are removed because of too many false positives

    I will keep checking spam mails this week, but if I don't find more lists that most of them have in common, I will close testing by the end of next week and provide my final set in the Advancing PMG thread.

    The milter setup also works very well currently; I just need to ask one question, for which I will open an extra thread, as so little spam is coming in. Still waiting for Bayes to start, keep fetching spam to learn.
     
    killmasta93 likes this.
  8. heutger

    I have now removed WPBL from the RBL set as well as from SpamAssassin. I added dbl.abuse.ro to main.cf.in. I will now finally retest blacklist.woody.ch and dnsrbl.swinog.ch; if no more blacklists show up in this check, I'm done. I'll adjust my Advancing PMG thread to cover the changes.
     
    killmasta93 likes this.
  9. heutger

    I decided against blacklist.woody.ch and dnsrbl.swinog.ch. My set looks fine now; I will continue to keep an eye on the commercial test spams and may consider some more lists.
     