Before I started using spam.dnsbl.sorbs.net I tested a corpus of spam and ham and determined the best way to implement.
But in the past 48 hours, mail relays from Road Runner and Cablevision have been added.
http://www.us.sorbs.net/using.shtml
spam.dnsbl.sorbs.net - List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS. This zone also contains netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be added to the list.
While I appreciate sending the message to lame ISPs about controlling their users, adding these relays to the blacklist causes a lot of false positives. Has sorbs been reasonable in their judgment to add them, how often does it take 30 million (or whatever) random subscribers to produce 3 spams, and what is reasonable for an ISP to do about it?
I have filled out their (sorbs) complex web support forms before, on behalf of a 3rd party, and never got a response. Now, since I'm complaining about relays being added that aren't mine, I cannot even get through the questions to a dialog where I can enter my observation (when I properly answer the questions).
Unfortunately for me this is 2 strikes and you're out, sorbs. Is there a good alternative for spam.dnsbl.sorbs.net?
// George
George Georgalis wrote:
> Unfortunately for me this is 2 strikes and you're out
This zone is (in)famous for its $ 50 unlisting "scheme". So I wasn't the last to note this, here's my red lantern, pass it on when you find another idiot boy... :-)
For another rant see: http://ietf.org/internet-drafts/draft-church-dnsbl-harmful-01
> Is there a good alternative for spam.dnsbl.sorbs.net?
Some lists I kept in rxwhois after banning $see_subject, of course you have to check the details like (un)listing policies, and some of these zones would be redundant:
.bl.spamcop.net
.psbl.surriel.com
.combined.njabl.org
.opm.blitzed.org
.list.dsbl.org
.relays.ordb.org
.sbl-xbl.spamhaus.org
.cbl.abuseat.org
.combined-hib.dnsiplists.completewhois.com
Bye, Frank
On Monday, October 31, 2005, 12:34:10 AM, Frank Ellermann wrote:
> George Georgalis wrote:
>> Unfortunately for me this is 2 strikes and you're out
> This zone is (in)famous for its $ 50 unlisting "scheme". So I wasn't the last to note this, here's my red lantern, pass it on when you find another idiot boy... :-)
> For another rant see: http://ietf.org/internet-drafts/draft-church-dnsbl-harmful-01
>> Is there a good alternative for spam.dnsbl.sorbs.net?
> Some lists I kept in rxwhois after banning $see_subject, of course you have to check the details like (un)listing policies, and some of these zones would be redundant:
> .bl.spamcop.net
> .psbl.surriel.com
> .combined.njabl.org
> .opm.blitzed.org
> .list.dsbl.org
> .relays.ordb.org
> .sbl-xbl.spamhaus.org
> .cbl.abuseat.org
> .combined-hib.dnsiplists.completewhois.com
IIRC XBL has CBL and OPM included, so if you're querying all three you're probably making some duplicated/unnecessary/unwanted DNS queries on the lists.
We use NJABL, ORDB and SBL-XBL here.
BTW This is definitely off topic.
Jeff C. -- Don't harm innocent bystanders.
Jeff Chan wrote:
> BTW This is definitely off topic.
Yes, but it allowed me to add Wolfgang's proposal.
For on topic debates on the ASRG list compare
http://mid.gmane.org/20051101010626.J73031@simone.iecc.com
http://permalink.gmane.org/gmane.ietf.asrg/11079
Relevant also for SURBL, because SURBL and OPM are the important lists with "many" sets represented by bits.
The draft got it IMHO still wrong for 127.0.0.1, using bit 0 is a really bad idea as long as bits 1 up to 23 can be clear (as for SURBL, but not OPM, OPM always uses 127.1.0.x with bit 16 set).
But SURBL doesn't pass one minimal sanity test, as already mentioned here some months ago:
http://multi.surbl.org:80 (and http://surbl.org:80) should exist with an explanation for MULTI (SURBL).
| Most DNSxLs also contain an A record at the DNSxL's name that
| points to a web server, so that anyone wishing to learn about
| the bad.example.net DNSBL can check http://bad.example.net.
Bye, Frank
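The two technical points in the messages above, as an added example that is not code from anyone in the thread: dropping zones that are already contained in another configured zone (Jeff's recollection that XBL includes CBL and OPM) and reading a DNSBL answer as a bitmask in its low 24 bits (Frank's remark about bit 0 and bit 16). The function names, the inclusion map and the sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption taken from Jeff's "IIRC" in the thread: XBL already contains CBL and OPM.
INCLUDED_IN = {
    "sbl-xbl.spamhaus.org": {"cbl.abuseat.org", "opm.blitzed.org"},
}

def prune_redundant(zones):
    """Drop zones whose data is already covered by another configured zone."""
    covered = set()
    for zone in zones:
        covered |= INCLUDED_IN.get(zone, set())
    return [zone for zone in zones if zone not in covered]

def query_name(client_ip, zone):
    """IPv4 DNSBL convention: reversed octets prepended to the zone name."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def decode_answer(a_record):
    """Read an A-record answer as a bitmask in the low 24 bits.

    Returns (set_bits, warnings). By convention DNSBL answers live in
    127.0.0.0/8; anything else (for example a wildcarded or parked zone)
    must not be counted as a listing, so it is rejected here.
    """
    addr = ipaddress.IPv4Address(a_record)
    if addr not in ipaddress.ip_network("127.0.0.0/8"):
        raise ValueError(f"{a_record} is not a DNSBL return code")
    mask = int(addr) & 0xFFFFFF
    bits = [b for b in range(24) if (mask >> b) & 1]
    warnings = []
    if bits == [0]:
        # The case Frank objects to: bit 0 alone yields the loopback address.
        warnings.append("only bit 0 set: answer is 127.0.0.1")
    return bits, warnings

if __name__ == "__main__":
    # Constructed sample: a documentation-range client IP and made-up answers.
    zones = ["sbl-xbl.spamhaus.org", "cbl.abuseat.org",
             "opm.blitzed.org", "bl.spamcop.net"]
    for zone in prune_redundant(zones):
        print(query_name("192.0.2.99", zone))
    for answer in ("127.0.0.1", "127.0.0.6", "127.1.0.4"):
        print(answer, decode_answer(answer))
```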
On Monday, October 31, 2005, 11:54:51 PM, Frank Ellermann wrote:
> But SURBL doesn't pass one minimal sanity test, as already mentioned here some months ago:
> http://multi.surbl.org:80 (and http://surbl.org:80) should exist with an explanation for MULTI (SURBL).
> | Most DNSxLs also contain an A record at the DNSxL's name that
> | points to a web server, so that anyone wishing to learn about
> | the bad.example.net DNSBL can check http://bad.example.net.
That's probably a good idea, but most of the RBLs I use don't have web sites for their list names:
http://sbl.spamhaus.org/ http://list.dsbl.org/
Only NJABL comes up with a web page:
So it's perhaps not universal.
Jeff C. -- Don't harm innocent bystanders.
On Tue, Nov 01, 2005 at 10:13:08PM -0800, Jeff Chan wrote:
> So it's perhaps not universal.
Thanks all for the comments, using sbl-xbl.spamhaus.org and bl.spamcop.net now. I typically set $opinion to the TXT lookup (vs A record), and act accordingly, which works for the lists I use. http://galis.org/script/qmail-prequeue
Bye, // George
In an older episode (Monday, 31. October 2005 00:22), George Georgalis wrote:
> Before I started using spam.dnsbl.sorbs.net I tested a corpus of spam and ham and determined the best way to implement.
> But in the past 48 hours, mail relays from Road Runner and Cablevision have been added.
> http://www.us.sorbs.net/using.shtml
> spam.dnsbl.sorbs.net - List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS. This zone also contains netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be added to the list.
> While I appreciate sending the message to lame ISPs about controlling their users, adding these relays to the blacklist causes a lot of false positives. Has sorbs been reasonable in their judgment to add them, how often does it take 30 million (or whatever) random subscribers to produce 3 spams, and what is reasonable for an ISP to do about it?
> I have filled out their (sorbs) complex web support forms before, on behalf of a 3rd party, and never got a response. Now, since I'm complaining about relays being added that aren't mine, I cannot even get through the questions to a dialog where I can enter my observation (when I properly answer the questions).
> Unfortunately for me this is 2 strikes and you're out, sorbs. Is there a good alternative for spam.dnsbl.sorbs.net?
I have found ix.dnsbl.manitu.net very useful. I use it at the MTA level and with a SA rule like:
    header   LOCAL_RCVD_IN_IXM eval:check_rbl('ixmani', 'ix.dnsbl.manitu.net.')
    describe LOCAL_RCVD_IN_IXM Received via a host listed in ix.dnsbl.manitu.net
    tflags   LOCAL_RCVD_IN_IXM net
    score    LOCAL_RCVD_IN_IXM 5
For details see http://www.heise.de/ix/nixspam/dnsbl_en/
cheers,
wolfgang