[SLL] Best list of RBLs?

John W. Baxter jwblist at olympus.net
Mon May 16 17:47:34 EDT 2005


On 5/16/05 12:21 PM, "Glenn Stone" <technoshaman at liawol.org> wrote:

> On Mon, May 16, 2005 at 11:47:40AM -0700, Bill Campbell wrote:
>> On Mon, May 16, 2005, Glenn Stone wrote:
>>> On Mon, May 16, 2005 at 10:10:46AM -0700, Bill Campbell wrote:
>>>> SpamCop's FP rate is pretty high, largely because they take
>>>> reports from clueless Lusers too seriously.  I've seen them block
>>>> one of our servers that handles technical mailing lists because
>>>> one user reported a single spam that made its way through our
>>>> rather draconian spam filters to the list (no spam filters are
>>>> perfect, and the wetware moderator may occasionally make a
>>>> mistake as well :-).
>>> 
>>> How long ago was this?  The latest FAQ says they no longer list for a
>>> single email...
>> 
>> It's been a while, and they may have fixed it.
> 
> That being the case, I think I'm going to go add SpamCop to my Postfix
> config, as well as list.dsbl.org (based on Jules' post of the SpamAssassin
> stats).  These stats were pretty well confirmed by a sample of 76 spam I got
> at work over the last week; of the ones either SpamHaus or my personal
> filtering system would not have caught, four were tagged by SpamCop and 2 by
> DSBL.  Sure, it's a marginal increase, but I'm trying to get as close as I
> can without going over, and with the one-shot false positive problem fixed,
> and the fact that SpamCop automatically delists after 48 hours, I think I'll
> be able to catch some of the drive-by (virus-based) spam without arbitrarily
> excluding everybody with a dynamic IP.
> 
> Somebody remind me in a week or two and I'll report back on what I came up
> with.  
> 
>> Instead of giving money to found colleges to promote learning, why don't
>> they pass a constitutional amendment prohibiting anybody from learning
>> anything?  If it works as good as the Prohibition one did, why, in five
>> years we would have the smartest race of people on earth.
>> -- The Best of Will Rogers
> 
> If only it were that simple.

The past weekend was not a good time to sample "normal" operations.  The far
right German spam was a huge deluge.  Sober N (Sophos) or Sober Q (probably
the Symantec name) seems to have had the agenda of preparing zombies for
this drivel.

(Greylisting and Spamhaus stopped it for most of our users--excepting those
few who have opted out of those blocks, but I spent a few hours adding the
sending hosts to our local block database to reduce the greylisting load.)

A huge portion of the drivel came from
168.103.73.40
168-103-73-40.dnvr.qwest.net

(I have Eudora tossing out messages with that IP in the Received: headers,
since <postmaster> is one of the exempt accounts.  Why do spammers send to
postmaster, the person most likely to be able to take action quickly to
block them?)

That one host has tried our servers
4489
times since 23:58 Sunday evening.  Almost time to block it at the firewall
instead of the mail system.

  --John




