[ot] Zen and the art of spam abatement (was: Re: greylisting generates error email?)
Aug 20, 2013
Whilst this subject is of some interest to many or most Postfix
users, it has departed from being fully on topic here. It would fit
better on a list like SDLU: <http://spammers.dontlike.us>
[Disclaimer: I am a list moderator at SDLU.]
On Sat, Aug 17, 2013 at 10:39:25AM -0700, Grant wrote:
> > [attribution of quotes reconstructed]
> > On Sat, Aug 17, 2013 at 12:54:44AM -0700, Grant wrote:
> >> Do you mean there aren't any legitimate servers listed in
> >> zen.spamhaus.org?
> > Zen is a composite list, and indeed it is intended to be safe
> > for widespread use.
> > SBL (Spamhaus Block List) lists IP addresses which are known
> > to be under the control of spammers.
> > XBL (Exploits Block List) lists IP addresses which are actively
> > spewing bot spam. Legitimate servers are occasionally listed in
> > XBL, because they meet that condition. Some short time after they
> > stop their abuse, they are delisted. Typically this is less than
> > a day.
> > PBL (Policy Block List) lists IP addresses which, according to
> > the netblock owners, should not normally be sending legitimate
> > email. Exceptions can be made for hosts with custom PTR upon
> > request. Many colocation providers submit their networks for PBL,
> > but removal is easy.
> >> When I switched servers a while back, the new IP
> >> I received was listed on several blacklists and it was a hassle
> >> to get them removed.
> > Far better that you go through that step than the Internet be
> > exposed to more spam.
> I agree, but the fact is that not everyone will go through that
You didn't understand. Those who do NOT get delisted from Zen *will*
face widespread delivery problems. No hard facts exist (nor could
valid statistics be collected), and it would vary by that site's
chosen set of sites they wish to send mail to, but in general I bet
they're going to have delivery problems for >75% of their mail.
This is speaking from my own experience when moving a server to a
PBL-listed IP address. Before getting the removal approved, my logs
were clogged with rejections. It was embarrassing. When I discovered
the problem I rerouted mail through a nonlisted relayhost until
I have also seen this at exploited sites where I have been called in
to do the cleanup.
Let them be lazy. If they want to participate in Internet mail,
they're going to take the time to get removed from PBL.
None of the anti-DNSBL zealots can dispute this fact. In fact, this
is one of the things they so despise about Spamhaus: they have been
granted "too much power" by many email administrators, large and
(I apologise to the "anti-DNSBL zealots" for the name calling. I'm a
pro-DNSBL and pro-Spamhaus zealot myself. I accept the same label.
Spamhaus and other DNSBL services have all but eliminated my spam
problem. I am grateful for that.)
Why have we (TINW) given Spamhaus this power? Do they abuse it? What
would happen if they did?
Mail administrators support Spamhaus because they have been careful
and responsible in the exercise of that power. They make our job in
trying to keep the abuse out of users' mailboxes much easier. Also,
pre-DATA filtering is safer and more accurate than content-based
There have indeed been suggestions of abuse of power by Spamhaus.
Many of these suggestions were put forth by spammers and spam
supporters (providers who are willing to sell service to spammers,
turning a blind eye or making excuses in response to abuse reports.)
I'd say those constitute the majority of complaints, in fact. But to
be fair, there are other complaints. One I am aware of is the
Austrian national NIC (dot-AT registry.) Austrian law is demonstrably
spam-friendly regarding domain registrations.
(I don't care about Austrian law. To a large extent I don't even care
about laws where I live and where my server is situated. Spam is
crime, and such crime is not excused by ignorant laws. Any valid law
which is going to require me to accept and handle spam will also
reimburse my costs in doing so. None of them do. So I block spam,
including some CAN-SPAM compliant hosts on my US-based server. The
You-Can-Spam law doesn't pay to accept spam.)
To answer my final question above, if Spamhaus went overboard and
became like a SORBS, blocking mail providers who have occasional
issues with spam, well, I'd relegate them to the same status I did
SORBS. I consider SORBS' opinion on a client useful, but not enough
to consider the mail to be spam and worthy of blocking.
I am sure that Spamhaus administrators know this. Thus they are
careful and responsible.
> > Here's my example postscreen configuration which is intended
> > to be safe and reasonable for most uses:
> > http://rob0.nodns4.us/postscreen.html
> Do you use that config on a commercial mail server? I don't mean
> to say that you shouldn't, I'm just wondering if you do. In a
Not much. The majority of traffic is from and to a free software
project. I have, however, set up mail services for SMBs using these
policies or similar. (But I am not involved in the day-to-day
management of those sites.) My only commercial users are individual
consultancies such as myself.
> commercial environment, the penalty for a false positive is a
> customer unable to reach the company behind the server which just
> isn't tolerable.
"Commercial" is an arbitrary distinction. Many commercial sites say
things like this: "Our userbase, our customers, and our suppliers are
all in the USA, so we will block everything coming from outside the
USA." It might even work for some of them. It certainly would NOT be
acceptable for a free software project, with contributors and users
from all over the world, including Russia, Nigeria, China, and Korea.
"False positive" is also an arbitrary concept. If a sending client
listed on Zen comes to me, I reject it. That is a positive, nothing
"false" about it.
Okay, that is splitting hairs. I know what you mean by "false
positive": you mean "non-spam which is rejected."
The sending client gives its user a DSN informing said user of the
rejection. They can contact me and provide the information therein.
It's in my log, and I can see it was a Zen-listed host. I can give
them the same URL that my rejection notice did and advise them to
fix whatever problem caused the listing. (I can even offer to fix it
for them, if they want to hire me. ;) )
The whole point is this, again: the Zen-listed host is having these
problems ALL OVER. I'm surely not the only site that rejected their
mail. Far more effective for them, rather than complaining to me, is
to get off the Zen list.
If they're on SBL, stop spamming! I don't even want non-UBE from
known spammers. If they think they're not spamming, let them make
their case with the folks at Spamhaus, who, I can guarantee, would
love to talk to them about it.
If they're on XBL, stop the exploit! Their site is being actively
used for the benefit of a spammer. Fix that!
If they're on PBL, follow the removal procedure. If they can't get
removed, such as for lack of custom PTR, find real hosting where
they're allowed to run a mail server.
 That's only true of hosts which get through postscreen to smtpd.
Postscreen does not provide the DNSBL's TXT record.
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
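Added example, not part of the original post: a sketch of how one Zen lookup tells the SBL, XBL and PBL components apart, and why answers in 127.255.255.0/24 must not be counted as listings. The return-code table follows Spamhaus' published documentation rather than anything stated in the post; the function names are hypothetical and the sample answers are constructed.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Zen return codes as published by Spamhaus (not stated in the post above).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Answers in 127.255.255.0/24 report a query problem, not a listing.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def zen_query_name(client_ip, zone=ZEN_ZONE):
    """Build the DNSBL query name: reversed octets (IPv4) or nibbles (IPv6)."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def classify_zen_answers(answers):
    """Map A-record answers to (sorted component lists, error codes)."""
    lists, errors = set(), []
    for answer in answers:
        if ipaddress.ip_address(answer) in ERROR_NET:
            errors.append(answer)      # never treat an error code as a hit
        elif answer in ZEN_CODES:
            lists.add(ZEN_CODES[answer])
    return sorted(lists), errors


def lookup_zen(client_ip):
    """Live lookup; a failed resolution (normally NXDOMAIN) counts as not listed."""
    try:
        _, _, answers = socket.gethostbyname_ex(zen_query_name(client_ip))
    except socket.gaierror:
        return [], []
    return classify_zen_answers(answers)


if __name__ == "__main__":
    # Constructed answers for a documentation address; no network needed.
    print(zen_query_name("192.0.2.99"))
    print(classify_zen_answers(["127.0.0.4", "127.0.0.11"]))
    print(classify_zen_answers(["127.255.255.254"]))
```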