Relay Blacklist Optimization

I'm currently trying dnsbl.beetjevreemd.nl, which looks fine, if it works. On one system it works well; on the other I'm unable to make use of it, as I always get SERVFAIL, also on the test address 127.0.0.2 (or, to be precise, in reverse order).

I'm also trying black.dnsbl.brukalai.lt and light.dnsbl.brukalai.lt. The first one has too many false positives, so I will remove it again; the second one currently looks fine, but with a low volume of hits. I will continue to try.

First I need to say that I'm from Germany, so my set would not fit everyone, as my selection fits best the spam seen in Germany. Looking at e.g. importing spam to quick-start the Bayesian filter, I just realized that "my spam" is not "others' spam", so I don't recommend importing "foreign" spam to quick-start the Bayesian filter. I also don't really recommend (although the idea is interesting) catch-all (worst) or self-placed (better, but still different) spam honeypots to train the Bayesian filter; maybe they could be used to set up a blacklist, but for Bayes it's still different to learn from stupid spam waves instead of spam sent directly to a user.

So the best spam protection is spam which is already rejected at connection time, e.g. most effectively with postscreen. If a spam mail has a very high spam score in the content filter, it would maybe also be great to reject it (reject, not block; blocking is suppression, which is not allowed in Germany), but that's currently not possible with PMG. Whitelists are also (usually) a good idea, but I recently saw very many false positives in the statistics (spammers which are whitelisted). Similarly, spammers have also recognized that SPF and DKIM are measures for non-spam, so they try to use SPF mail server nodes and try to DKIM-sign the messages, so that's no good signal for non-spam.

My current setup is a blacklist threshold of 2, so I have first-tier and second-tier blacklists. First tier are ones which I absolutely trust; second tier are ones which recently failed, so two of them need to match to get blacklisted.

First tier is:
zen.spamhaus.org (almost standard)
bl.spamcop.net (same and I also use it often to report/list spam)
psbl.surriel.com (tested for about 10+ years without any problems)
spamrbl.imp.ch (same as above)
noptr.spamrats.com (very few records and had no problems for years)
escalations.dnsbl.sorbs.net (same as above; all other SORBS lists have very many false positives (fp))

Second tier is:
ix.dnsbl.manitu.net (recently was first tier, but had increasing fp in the past)
b.barracudacentral.org (in my setup 10+ years ago I used BRBL, but removed it because of fp)
db.wpbl.info (same as above)

I am currently testing additional blacklists. How did I get them? I used http://multirbl.valli.org/ with recent spam and checked on which blacklists they are listed. My current set is:

Additional candidates for first tier:
spam.dnsbl.anonmails.de
bl.score.senderscore.com
dnsrbl.swinog.ch

Additional candidates for second tier:
bl.blocklist.de
truncate.gbudb.net
ubl.unsubscore.com
spam.spamrats.com
hostkarma.junkemailfilter.com=127.0.0.2

No decision yet:
bl.spameatingmonkey.net
dnsbl.dronebl.org
wormrbl.imp.ch
dbl.suomispam.net

Any ideas, experiences, tips, ... on my setup?

Regards,
Christian
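To illustrate the two-tier, threshold-2 logic of the post above and the SERVFAIL problem from the beetjevreemd test, here is an added example (not the author's configuration or PMG/postscreen code): it models the tiering with assumed weights (first tier counts 2, second tier 1, so one trusted hit or two second-tier hits reach the threshold), the `=127.0.0.2` return-code filter, and a constructed offline resolver standing in for real DNS.

```python
"""Model of a tiered DNSBL check as described in the thread (added example)."""
import ipaddress

# Tier weights are an assumption: a lone first-tier hit must reach the
# threshold of 2, so first tier counts 2 and second tier counts 1.
THRESHOLD = 2
SITES = {                      # zone -> (weight, required return code or None)
    "zen.spamhaus.org": (2, None),
    "psbl.surriel.com": (2, None),
    "ix.dnsbl.manitu.net": (1, None),
    "b.barracudacentral.org": (1, None),
    # "=127.0.0.2" style filter, as in hostkarma.junkemailfilter.com=127.0.0.2
    "hostkarma.junkemailfilter.com": (1, "127.0.0.2"),
}

def dnsbl_name(ip, zone):
    """Reverse the octets of a client IPv4 address and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def score(ip, resolve, sites=SITES):
    """Return (total_weight, details); details maps zone -> A records or status."""
    total, details = 0, {}
    for zone, (weight, want) in sites.items():
        answers = resolve(dnsbl_name(ip, zone))
        if answers is None:                # SERVFAIL/timeout: the list is unusable
            details[zone] = "SERVFAIL"     # and must not count as a hit
            continue
        if not answers:                    # NXDOMAIN: client is not listed
            details[zone] = "not listed"
            continue
        details[zone] = answers
        if want is None or want in answers:   # honour the =return_code filter
            total += weight
    return total, details

def is_blocked(ip, resolve):
    """Block when the summed weights of matching lists reach the threshold."""
    return score(ip, resolve)[0] >= THRESHOLD

# Constructed offline resolver standing in for DNS: list of A records,
# [] for NXDOMAIN, None for SERVFAIL (like the unreachable list in the thread).
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],            # test address listed
    "9.8.7.6.ix.dnsbl.manitu.net": ["127.0.0.2"],
    "9.8.7.6.b.barracudacentral.org": ["127.0.0.2"],
    "9.8.7.6.hostkarma.junkemailfilter.com": ["127.0.0.1"],  # not the wanted code
    "1.0.0.10.zen.spamhaus.org": None,                      # SERVFAIL
}
def fake_resolve(name):
    return FAKE_DNS.get(name, [])      # unknown names -> NXDOMAIN (empty list)
```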
Is that post up to date?
Or is it not editable?

No, as written, this post is only to document which blacklists I tested. It's for others as well, but mostly for me, to be able to check if I already tested a blacklist or not, as there are so many. The final set is somehow on my Advancing PMG thread; somehow, because the last two lists are xxxed out, as these are paid ones (as also mentioned there), so you need to order and get the list names from invaluement. To protect their servers (although access is IP restricted and only becomes available on purchase) I don't list their public names there, and also so that I'm not blamed if the lists are inaccessible and produce delays in checking (timeouts). There is another list I'm currently trying, which may result in an extra restriction: it's only accessible via IPv6.
Thank you man!
I saw that you are very active in this forum and have a tutorial on an optimized installation and other best practices; I guess you could write some fixed topics and keep them updated. It would be very important for the development of PMG and the forum.


My english is a work in progress, I hope you understand what I wrote.

My plan is to update my thread soon and also move the content to GitHub (to make it easier to maintain for me and the users). I also plan to write some more about my security optimization trials with SPF, DKIM, DMARC, TLS 1.3, DANE etc. Currently I have very little time, especially now during the Corona crisis, as the kindergarten is closed, my daughter is at home and I try to focus my time on family.
Update: I got in contact with the operator of dnsbl.beetjevreemd.nl and it seems to be accessible only via IPv6.

black.dnsbl.brukalai.lt and light.dnsbl.brukalai.lt are both producing too many false positives, so they are both out.

New ones to test are bl.scientificspam.net and rhsbl.scientificspam.net.

One more update: all are out again. Scientificspam has significant false positives, and Beetjevreemd has a 3:1 ratio of false positives to hits, so it's out as well. EDIT: this is just for me, I only test for myself, so please do your own tests!
 
Another test failed: dnsbl.darklist.de had too many false positives, but I will start a new test:

bl.octopusdns.com
rhsbl.rbl.polspam.pl
rhsbl-h.rbl.polspam.pl
bl.rbl.polspam.pl
bl-h1.rbl.polspam.pl
bl-h2.rbl.polspam.pl
bl-h3.rbl.polspam.pl
bl-h4.rbl.polspam.pl
bl-h5.rbl.polspam.pl

Reason for retesting polspam: they recently introduced new lists which may help to differentiate false positives from good results.

And once again nothing new. All the lists above (still) produce too many false positives to be useful.