Weblog entry #127 for simonw
Zen and the art of spam filtering
Posted by simonw on Mon 8 Jan 2007 at 11:39
Spamhaus.org just announced their PBL (Policy Block List) is in beta.
This is basically the same concept as the old dial-up block lists: ISPs can list IP addresses allocated to end users which they don't believe should be sending SMTP email directly. The main difference is that end users who do want to use SMTP can opt out on a per-IP-address basis. Spamhaus will do some magic to stop the opt-out being abused.
This means they have three lists: SBL, XBL and PBL. Previously two of these were served together as "sbl-xbl.spamhaus.org"; now all three go under the name "zen.spamhaus.org", and they plan to eventually terminate the sbl-xbl.spamhaus.org list.
So previously in Postfix I had (continuation lines in main.cf must start with whitespace):
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_rbl_client sbl-xbl.spamhaus.org,
Now I have this for testing (warn_if_reject logs what the PBL would have rejected as "reject_warning" without actually rejecting it):
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_rbl_client sbl-xbl.spamhaus.org,
    warn_if_reject reject_rbl_client pbl.spamhaus.org,
When I'm happy with it (checked the "reject_warning" entries in mail.log) I'll have:
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_rbl_client zen.spamhaus.org,
Those with SMTP Auth clients in Postfix will want to make sure they don't reject their own clients, by placing the RBL test after the restriction that permits them; but in most cases, if you already use a blocklist, the new one will go immediately after the current one for testing.
I can't see any reason why the PBL should be an issue; it was the inability to be removed that made the previous lists of this type unacceptable. Although, if it shows a lot of false positives, we might want to alert the postmasters of key correspondents that they are listed before we switch it on.
This does, however, seem one step closer to the "whitelist only" approach, which I previously thought unmanageable. I guess if a lot of people use it, the abuse fight will move to the "opt out" function, or out of SMTP (as none of this solves the insecure-systems problem at the root of most problematic spam).
http://www.spamhaus.org/zen/
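To review what the warn_if_reject stage would have rejected, here is an added Python example (not from this post) that parses reject and reject_warning lines from a Postfix mail.log, counts hits per RBL and client IP, and picks out the warn-only clients that have reverse DNS, whose postmasters you might want to contact before turning the PBL into a hard reject. The log lines are constructed samples in the Postfix smtpd log format, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample mail.log lines (Postfix smtpd format, documentation IP ranges).
# "reject" is a real rejection; "reject_warning" is what warn_if_reject logs instead of rejecting.
SAMPLE_LOG = """\
Jan  8 11:40:01 mx postfix/smtpd[4102]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using sbl-xbl.spamhaus.org; from=<x@example.net> to=<bob@example.org> proto=SMTP helo=<pc>
Jan  8 11:41:07 mx postfix/smtpd[4105]: NOQUEUE: reject_warning: RCPT from host17.example.net[198.51.100.17]: 554 5.7.1 Service unavailable; Client host [198.51.100.17] blocked using pbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=198.51.100.17; from=<y@example.net> to=<bob@example.org> proto=ESMTP helo=<host17>
Jan  8 11:41:09 mx postfix/smtpd[4105]: NOQUEUE: reject_warning: RCPT from host17.example.net[198.51.100.17]: 554 5.7.1 Service unavailable; Client host [198.51.100.17] blocked using pbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=198.51.100.17; from=<y@example.net> to=<alice@example.org> proto=ESMTP helo=<host17>
Jan  8 11:42:33 mx postfix/smtpd[4110]: NOQUEUE: reject_warning: RCPT from mail.partner.example[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using pbl.spamhaus.org; from=<ceo@partner.example> to=<bob@example.org> proto=ESMTP helo=<mail.partner.example>
Jan  8 11:43:00 mx postfix/smtpd[4111]: 3F2A1C0: client=relay.example.com[192.0.2.200]
"""

# Matches the RBL reject/reject_warning lines only; other smtpd lines are ignored.
LINE_RE = re.compile(
    r"NOQUEUE: (?P<action>reject|reject_warning): RCPT from "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: .*?blocked using (?P<rbl>\S+);"
    r".*?from=<(?P<sender>[^>]*)>"
)

def parse_rbl_hits(log_text):
    """Return one dict (action, host, ip, rbl, sender) per RBL hit line."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := LINE_RE.search(line))]

def summarise(hits):
    """Map (rbl, action) -> Counter of client IPs, showing what each list would reject."""
    summary = defaultdict(Counter)
    for h in hits:
        summary[(h["rbl"], h["action"])][h["ip"]] += 1
    return summary

def review_candidates(hits):
    """Warn-only hits from clients with reverse DNS (not 'unknown'): likely real mail
    hosts whose postmasters may need a heads-up before the list goes to hard reject."""
    by_ip = {}
    for h in hits:
        if h["action"] == "reject_warning" and h["host"] != "unknown":
            host, senders = by_ip.setdefault(h["ip"], (h["host"], set()))
            senders.add(h["sender"])
    return [(ip, host, sorted(senders)) for ip, (host, senders) in sorted(by_ip.items())]

if __name__ == "__main__":
    hits = parse_rbl_hits(SAMPLE_LOG)
    for (rbl, action), ips in summarise(hits).items():
        print(f"{rbl} {action}: {dict(ips)}")
    for ip, host, senders in review_candidates(hits):
        print(f"check with postmaster: {host}[{ip}] senders={senders}")
```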
Comments on this Entry
Thanks for the heads up on that.
I'm small scale here so I've gone straight into reject mode; no false positives so far, and all rejects are from IPs that should not be sending mail.
Looks like a good step forward in stopping Spam from zombie bots.
I should have commented that my own testing was very positive, and we deployed quickly, one of the few changes I've tested that gave a significant gain on top of greylisting + SBL-XBL. The other changes I've tested (and in some cases deployed), mostly stopped email that the other two tests would have stopped.