
Re: What is that rbl Eric?



Gary wrote:

> On Wed, Jun 11, 2003 at 05:39:49PM -0400 or thereabouts, Danny Sauer wrote:
> 
>>That's precisely why I don't use RBLs exclusively.  I use RBLs, but 
>>they're just part of the scoring process in SpamAssassin.  The default 
>>weights are a little low for me, though, so I normally bump them up a 
>>little so that places that are listed in more than 2 or 3 go over the 
>>default threshold.
> 
> 
> I only use spamassassin as a last resort, and in fact, have not used it
> for the last 9 months, because I have implemented RBLs, <g>  I prefer
> blocking at the SMTP level rather than using CPU cycles for SA in the box.
> SA is cool though.. All told, I have a multilevel system for spam defense,
> and this has worked extremely well for me.

Looking at my most current mail logs (June 1 - now (June 12)), my 
postfix rules have rejected 20868 messages at the SMTP level, and 
spamassassin has identified 830 spams.  Spamassassin only runs for 4 
users, though, while there are quite a few other addresses that aren't 
getting scanned.  37580 messages were locally delivered, 44477 messages 
were delivered in total (not counting messages originating locally). 
Nearly half of the mail we get is spam.  Sigh. :)

Technically, I guess that I do use relays.ordb.org - they were the 
source of 224 rejections (out of that 20868).  I have all of the Korea 
netblocks listed in my own blacklist, as well as a few other addresses - 
Korea accounts for 304 rejections.  The rest are all caught by the rules 
that reject unknown/invalid hostnames in the HELO, unresolved sender 
domains, non-FQDN recipient addresses, and the regexp header checks that 
throw away messages in a bunch of weird char sets + messages with 
dangerous attachment extensions.

The thing with RBLs is that someone has to actually receive and read the 
message, identify it as spam, and add it to the list before more spam 
from that site will get through - if it ever gets through.  It's 
something that needs constant maintenance.  As a programmer who's fond 
of Perl, I *hate* having to do repetitive work.  With SpamAssassin 
catching the few messages that get through, I just have to look through 
my junk mail folder once every week or so to see if there are any false 
positives.  I've had none, and had no reports of any from the test users 
here.  The best part is that there's no real human factor to worry about 
- the spamassassin bayesian filter auto-trains itself, and users have 
control of their own whitelists.  Transferring the burden to users works 
nicely for me (MySQL prefs and a Squirrelmail plugin help).  With RBLs, 
I have to worry about malicious users outside of my control, and stupid 
things like whole subnets blocked because of bad policies.

This is really just my own experience, but my personal domain at home 
has similar results (with smaller numbers and a greater noise to signal 
ratio).  A few (26 in my inbox right now) of the valid messages I 
receive also match in one of the various RBLs, though, so unfortunately 
they just won't work for me as a definitive reject/accept rule.

--Danny, who only sees one or two spams in his inbox every few days now 
(down from about 100/day when using just a couple of RBLs)
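
The difference between rejecting on any RBL listing and treating listings as one input to a score, as discussed in this message, shown as an added example that is not part of the original post. Only relays.ordb.org comes from the thread; the other zone names, the weights, the threshold of 5.0 and the listings in `FAKE_DNS` are constructed assumptions.

```python
import ipaddress
import socket

# Constructed weights; only relays.ordb.org is named in the thread (assumption).
ZONE_WEIGHTS = {"relays.ordb.org": 2.0, "dnsbl-a.example": 2.0, "dnsbl-b.example": 2.0}
THRESHOLD = 5.0  # assumed spam threshold for this illustration
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_resolver(name):
    """Live lookup: return the A record, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def listed_zones(ip, resolver=dns_resolver):
    """Zones that list the IP; a listing is an answer inside 127.0.0.0/8."""
    hits = []
    for zone in ZONE_WEIGHTS:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer and ipaddress.ip_address(answer) in LISTED_NET:
            hits.append(zone)
    return hits


def hard_reject(ip, resolver=dns_resolver):
    """SMTP-level policy: a single listing is enough to reject."""
    return bool(listed_zones(ip, resolver))


def scored_verdict(ip, content_score=0.0, resolver=dns_resolver):
    """Scoring policy: each listing adds its weight to the content score."""
    score = content_score + sum(ZONE_WEIGHTS[z] for z in listed_zones(ip, resolver))
    return score, score >= THRESHOLD


# Constructed listings, used instead of live DNS so the example runs offline.
FAKE_DNS = {
    dnsbl_query_name("192.0.2.10", "relays.ordb.org"): "127.0.0.2",
    **{dnsbl_query_name("198.51.100.7", z): "127.0.0.2" for z in ZONE_WEIGHTS},
}
```

Passing `FAKE_DNS.get` as the resolver shows the two policies diverging: the sender on one list is refused by `hard_reject` but stays under the threshold in `scored_verdict`, while the sender on all three lists is caught either way.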

