Linode Forum
Linode Community Forums
 Post subject: E-mail Block Lists
Posted: Wed Mar 09, 2005 1:30 pm
Senior Member

Joined: Sun Mar 14, 2004 9:18 pm
Posts: 116
Website: http://michael.susens-schurter.com/
WLM: mschurter@yahoo.com
Yahoo Messenger: mschurter
Location: Peoria, IL
I was just wondering what block lists (dnsbl, rbl, etc.) people use to block spam.

Currently I only use the Spamhaus Blocklist (SBL) plus their Exploit Blocklist (XBL): sbl-xbl.spamhaus.org

However I'm still getting a lot of spam, and I've heard of people blocking nearly all spam using just a couple block lists.

Also, I currently use Postfix and put the setting: "reject_rbl_client sbl-xbl.spamhaus.org" at the end of my "smtpd_recipient_restrictions" list. Is there a better place to put it?

Thanks in advance.


 Post subject:
Posted: Wed Mar 09, 2005 4:34 pm
Junior Member

Joined: Thu Oct 07, 2004 6:47 pm
Posts: 47
You can try greylisting.


 Post subject: Re: E-mail Block Lists
Posted: Wed Mar 09, 2005 4:51 pm
Senior Member

Joined: Tue Jan 04, 2005 7:32 am
Posts: 277
Website: http://www.betadome.com/
Location: Ålesund, Norway
Skype: neonnero
Twitter: neonnero
untitled9 wrote:
I was just wondering what block lists (dnsbl, rbl, etc.) people use to block spam.

Currently I only use the Spamhaus Blocklist (SBL) plus their Exploit Blocklist (XBL): sbl-xbl.spamhaus.org

However I'm still getting a lot of spam, and I've heard of people blocking nearly all spam using just a couple block lists.

I'm currently using opm.blitzed.org, lists.dnsbl.org, relays.ordb.org and bl.spamcop.net in addition to the blocklist from Spamhaus. Then again, I don't notice anything since I only have 13 domains that are relatively unknown to most people.

untitled9 wrote:
Also, I currently use Postfix and put the setting: "reject_rbl_client sbl-xbl.spamhaus.org" at the end of my "smtpd_recipient_restrictions" list. Is there a better place to put it?

No, that's the correct way to put it.


 Post subject:
Posted: Thu Mar 10, 2005 12:41 pm
Senior Member

Joined: Wed Mar 17, 2004 12:35 am
Posts: 118
Website: http://www.necrobones.com/
Location: Sterling, VA
Currently, in addition to letting spamassassin score off of the lists it has built-in, I block at the SMTP level using dul.dnsbl.sorbs.net, sbl.spamhaus.org, list.dsbl.org, and blackholes.mail-abuse.org. In addition to that, I let spamassassin use its various other network tests such as DCC, Razor, etc. I filter everything scoring 5 or more to spam folders. With whitelists for all the people and domains I expect to get mail from, as well as procmail rules for my mailing lists, I block nearly all spam and almost never have a false positive.

Without the blacklists I was getting over 185 spam a day. With them in place, I still see 80 or 90 a day (maybe) going into my spam folders. I get maybe an average of one a day that makes it to my inbox.

_________________
----
Ed/Bones.


 Post subject:
Posted: Thu Mar 10, 2005 12:48 pm
Senior Member

Joined: Sun Mar 14, 2004 9:18 pm
Posts: 116
Website: http://michael.susens-schurter.com/
WLM: mschurter@yahoo.com
Yahoo Messenger: mschurter
Location: Peoria, IL
Speaking of whitelists... does anyone know an easy way to do them in Postfix? I don't need anything fancy, maybe just a file I manually add IP addresses and/or domain names to.

I'm hoping for something that I could squeeze into my "smtpd_recipient_restrictions" list at some point.

Thanks for the great responses!


 Post subject:
Posted: Fri Mar 11, 2005 12:54 pm
Senior Member

Joined: Wed Mar 17, 2004 12:35 am
Posts: 118
Website: http://www.necrobones.com/
Location: Sterling, VA
I forgot to mention.. one thing that helps keep my spam detection this accurate (although it strongly depends on that whitelist) is the use of the bayes filter. I train it every few days on my good/bad mail. Since the spam is already accurately filtered out most of the time, I can typically just train it against my inbox and spam folders accordingly.

Bayesian filtering is very nice if you have the time to mess with it.

I know this is getting mildly off the original topic though, since the question was about blacklists specifically. :)

_________________
----

Ed/Bones.


 Post subject:
Posted: Fri Mar 11, 2005 1:01 pm
Senior Member

Joined: Sun Mar 14, 2004 9:18 pm
Posts: 116
Website: http://michael.susens-schurter.com/
WLM: mschurter@yahoo.com
Yahoo Messenger: mschurter
Location: Peoria, IL
I personally use bayesian filtering, but I'm trying to find a solution for people who use Outlook Express and really don't want to deal with "training" anything.


 Post subject:
Posted: Fri Mar 11, 2005 6:13 pm
Junior Member

Joined: Tue Jun 29, 2004 2:27 pm
Posts: 34
gyver wrote:
You can try greylisting.


Absolutely. I highly recommend using the greylist technique. Greylisting has reduced my spam to almost zero. (Although I use milter-greylist, not sqlgrey). If possible (for example, if your email traffic volume is reasonably low), keep the tuple cache time high (days or weeks). This way, those people you receive mail from frequently in most cases won't have much delay even with the greylist enabled.

Greylisting has been so effective for me I've dropped most of the other spam filters I had set up (SpamAssassin and two others). Although I still have the SBL check in place.

--John
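
The effect of the tuple cache lifetime described in the post above, as an added example that is not part of the original post and is not milter-greylist's or sqlgrey's code. The class, the default timings and the sample addresses are assumptions made for illustration.

```python
import time

class Greylist:
    """Greylist keyed on the (client IP, envelope sender, recipient) tuple."""

    def __init__(self, min_delay=300, retry_window=2 * 86400, cache_ttl=14 * 86400):
        self.min_delay = min_delay        # a new tuple must wait this long before a retry passes
        self.retry_window = retry_window  # a retry later than this starts over
        self.cache_ttl = cache_ttl        # how long a passed tuple stays known (assumed default)
        self.pending = {}                 # tuple -> time first seen
        self.passed = {}                  # tuple -> time last accepted

    def check(self, client_ip, sender, recipient, now=None):
        """Return 'accept' or 'tempfail' (an SMTP 4xx reply) for one RCPT."""
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        last = self.passed.get(key)
        if last is not None:
            if now - last <= self.cache_ttl:
                self.passed[key] = now    # frequent correspondents keep refreshing the entry
                return "accept"
            del self.passed[key]          # entry aged out: treat the tuple as new again
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now
            return "tempfail"
        if now - first < self.min_delay:
            return "tempfail"             # retried too quickly
        del self.pending[key]
        self.passed[key] = now
        return "accept"

def replay(cache_ttl, events):
    """Run constructed (time, ip, sender, rcpt) events through a fresh greylist."""
    g = Greylist(cache_ttl=cache_ttl)
    return [g.check(ip, s, r, now=t) for t, ip, s, r in events]

DAY = 86400
# Constructed sample: one correspondent writes at t=0, retries, then writes again 5 days later.
SAMPLE = [(0, "192.0.2.10", "alice@example.net", "bob@example.com"),
          (600, "192.0.2.10", "alice@example.net", "bob@example.com"),
          (600 + 5 * DAY, "192.0.2.10", "alice@example.net", "bob@example.com")]

if __name__ == "__main__":
    print("1-day cache :", replay(1 * DAY, SAMPLE))
    print("14-day cache:", replay(14 * DAY, SAMPLE))
```

With a one-day cache the message sent five days later is delayed again; with a fourteen-day cache it is accepted on the first attempt.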


 Post subject:
Posted: Sat Mar 12, 2005 11:20 am
Senior Member

Joined: Fri Aug 15, 2003 2:15 pm
Posts: 111
Website: http://fubegra.net/
Another approach that can drastically reduce incoming spam is to reject incoming connections that forge the HELO/EHLO command and claim to be coming from the domain name or IP address of the server.

Let's say you're running a mail server for example.com on 10.1.2.3; the spammer's mailer or proxy will try EHLO example.com or EHLO 10.1.2.3 to convince your server to go ahead and relay the spam.

A sendmail ruleset that rejects such fraudulent connections is available here. Keep in mind that you will need to use SMTP AUTH to allow legitimate clients to relay, but you should be doing that anyway.

Combining this technique with SBL, XBL, and a local DNSBL to deal with spam and viruses that get through has reduced the spam/virus/phishing flood to a trickle on the server I run for my employer.

_________________
Bus error (passengers dumped)
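
The HELO/EHLO check described in the post above, sketched as an added example that is not part of the original post and is not the sendmail ruleset it links to. The function names are hypothetical, and the check is assumed to run at RCPT time, after any SMTP AUTH has completed; example.com and 10.1.2.3 are the values used in the post.

```python
import ipaddress

def _normalize(helo):
    """Lower-case, drop a trailing dot, and unwrap an address literal such as [10.1.2.3]."""
    h = helo.strip().lower().rstrip(".")
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
        if h.startswith("ipv6:"):
            h = h[5:]
    return h

def helo_verdict(helo, local_names, local_ips, client_ip, authenticated=False):
    """Return 'reject' when a remote, unauthenticated client greets us with our own identity."""
    if authenticated:
        return "accept"                   # SMTP AUTH clients are allowed to relay
    own_ips = {ipaddress.ip_address(ip) for ip in local_ips}
    client = ipaddress.ip_address(client_ip)
    if client.is_loopback or client in own_ips:
        return "accept"                   # the server really is talking to itself
    h = _normalize(helo)
    try:
        if ipaddress.ip_address(h) in own_ips:
            return "reject"               # greeting is one of our own IP addresses
    except ValueError:                    # not an IP address, so compare as a host name
        if h in {n.lower().rstrip(".") for n in local_names}:
            return "reject"               # greeting is one of our own domain names
    return "accept"

NAMES = ["example.com"]
IPS = ["10.1.2.3"]

if __name__ == "__main__":
    # Constructed greetings from a remote client at 192.0.2.55
    for greeting in ["example.com", "[10.1.2.3]", "mail.example.net"]:
        print(greeting, "->", helo_verdict(greeting, NAMES, IPS, "192.0.2.55"))
```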

