Re: Outbound RBL
Jan 31, 2012

On Tue, Jan 31, 2012 at 08:54:33PM -0600, Noel Jones wrote:
> On 1/31/2012 8:30 PM, list@... wrote:
> > What we were thinking was using RBLs to dynamically block known
> > malicious IPs before allowing SMTP Auth to occur, hopefully
> > seeing a decrease in spam. Not sure if this would have
> > unintended consequences, which is why I am consulting the list.
>
> That would probably cause a huge number of false positives; a
> support desk nightmare.
>
> Many "consumer" IPs are listed on the popular RBLs. As a
> consequence, legit users may be unable to send mail because their
> dynamic IP was used by a spambot at some point in the past.
>
> I don't know of any RBLs that would be useful on incoming
> authenticated mail.

Even a locally-maintained private DNSBL is the wrong approach. When
spam is detected from an authenticated account, revoke the
credentials. You have no other good choice. Even after the user's
system is purged of the ratware, you cannot be sure that these
credentials were not forwarded to the botnet's control node[s].
Detection of a spamming account is done as Noel suggested, through
rate limiting (and possibly behavioral monitoring) policy daemons.
Content filtering of user-submitted mail is also important. Most
malware will spew mail containing positive URIBL/SURBL hits.
SpamAssassin can do this (I recommend using SA from amavisd-new.)

> You can test this yourself by inserting "warn_if_reject
> reject_rbl_client zen.spamhaus.org" just before
> permit_sasl_authenticated. Then watch your logs for
> reject_warning: from legit connections. (this is a
> logging-only function; the client is not rejected and
> sees no additional messages.)

Perhaps a slightly less insane ;) test would be to check
xbl.spamhaus.org at that point. But hotels and public hotspots are
often listed there. You might catch a few bad users, but you will
*not* have reasonable protection for clean users.

http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
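As an added example (not part of this thread or of Postfix itself), a small Python script that tallies the reject_warning entries the warn_if_reject test described above would leave in the mail log, so the number of distinct client IPs and senders that the RBL would have rejected can be measured before anything is enforced. The log lines are constructed samples in the general shape of Postfix smtpd output, not real logs.

```python
import re
from collections import Counter

# Constructed sample lines shaped like Postfix smtpd "reject_warning"
# entries (from warn_if_reject); the last line is an unrelated entry
# that must be ignored. Addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 31 21:05:12 mx postfix/smtpd[4711]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<laptop>
Jan 31 21:06:40 mx postfix/smtpd[4712]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<alice@example.com> to=<carol@example.org> proto=ESMTP helo=<laptop>
Jan 31 21:09:02 mx postfix/smtpd[4713]: NOQUEUE: reject_warning: RCPT from host.hotel.example[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using xbl.spamhaus.org; from=<dave@example.com> to=<erin@example.org> proto=ESMTP helo=<phone>
Jan 31 21:10:15 mx postfix/smtpd[4714]: 9A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=frank@example.com
"""

# Pull out the client IP, the DNSBL that matched and the envelope sender.
REJECT_WARNING = re.compile(
    r"reject_warning: RCPT from \S+\[(?P<ip>[^\]]+)\]: .*?"
    r"blocked using (?P<dnsbl>[\w.-]+); from=<(?P<sender>[^>]*)>"
)


def summarize_reject_warnings(log_text):
    """Count would-be rejections by DNSBL, by client IP and by sender."""
    by_dnsbl, by_ip, by_sender = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_WARNING.search(line)
        if not m:
            continue  # not a reject_warning line
        by_dnsbl[m["dnsbl"]] += 1
        by_ip[m["ip"]] += 1
        by_sender[m["sender"]] += 1
    return {"by_dnsbl": by_dnsbl, "by_ip": by_ip, "by_sender": by_sender}


if __name__ == "__main__":
    # Read a real log with: summarize_reject_warnings(open(path).read())
    summary = summarize_reject_warnings(SAMPLE_LOG)
    for key, counter in summary.items():
        print(key)
        for name, n in counter.most_common():
            print(f"  {n:4d}  {name}")
```

Every distinct IP or sender in the output is a legitimate submission client that the restriction would have turned away, which is the false-positive count the thread is warning about.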