Loading ...
Sorry, an error occurred while loading the content.

283360Re: Outbound RBL

Expand Messages
  • /dev/rob0
    Jan 31, 2012
      On Tue, Jan 31, 2012 at 08:54:33PM -0600, Noel Jones wrote:
      > On 1/31/2012 8:30 PM, list@... wrote:
      > > What we were thinking was using RBLs to dynamically block known
      > > malicious IPs before allowing SMTP Auth to occur, hopefully
      > > seeing a decrease in spam. Not sure if this would have
      > > unintended consequences, which is why I am consulting the list.
      >
      > That would probably cause a huge number of false positives; a
      > support desk nightmare.
      >
      > Many "consumer" IPs are listed on the popular RBLs. As a
      > consequence, legit users may be unable to send mail because their
      > dynamic IP was used by a spambot at some point in the past.
      >
      > I don't know of any RBLs that would be useful on incoming
      > authenticated mail.

      Even a locally-maintained private DNSBL is the wrong approach. When
      spam is detected from an authenticated account, revoke the
      credentials. You have no other good choice. Even after the user's
      system is purged of the ratware, you cannot be sure that these
      credentials were not forwarded to the botnet's control node[s].

      Detection of a spamming account is done as Noel suggested, through
      rate limiting (and possibly behavioral monitoring) policy daemons.
      Content filtering of user-submitted mail is also important. Most
      malware will spew mail containing positive URIBL/SURBL hits.
      SpamAssassin can do this (I recommend using SA from amavisd-new.)

      > You can test this yourself by inserting "warn_if_reject
      > reject_rbl_client zen.spamhaus.org" just before
      > permit_sasl_authenticated. Then watch your logs for
      > reject_warning: from legit connections. (this is a
      > logging-only function; the client is not rejected and
      > sees no additional messages.)

      Perhaps a slightly less insane ;) test would be to check
      xbl.spamhaus.org at that point. But hotels and public hotspots are
      often listed there. You might catch a few bad users, but you will
      *not* have reasonable protection for clean users.
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
    • Show all 8 messages in this topic