Config is double checking blacklists

Julian Field mailscanner at ecs.soton.ac.uk
Wed Aug 23 19:53:29 IST 2006


Glenn Steen wrote:
> On 22/08/06, Nigel Kendrick <support-lists at petdoctors.co.uk> wrote:
>> Hi Folks,
>>
>> I noticed we were suddenly getting a lot of our own outbound mail marked as
>> spam. The root cause was we'd ended up in CBL due to a mis-configured server
>> name, but in sorting this out, I noticed the following info at Spamhaus..
>>
>> ===
>>
>> Exploits Block List
>>
>> The Spamhaus Exploits Block List (XBL) is a realtime database of IP
>> addresses of illegal 3rd party exploits, including open proxies (HTTP,
>> socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and
>> other types of trojan-horse exploits.
>>
>> Incorporates CBL data and NJABL proxy data
>>
>> The XBL wholly incorporates data from two highly-trusted DNSBL sources, with
>> tweaks by Spamhaus to maximise the data efficiency and lower False
>> Positives. The main components are:
>> - the CBL (Composite Block List) from cbl.abuseat.org
>> - the NJABL Open Proxy IPs list from www.njabl.org.
>>
>> Mail servers already using cbl.abuseat.org should NOT also use
>> xbl.spamhaus.org or you will be making 'double' queries to basically the
>> same data source and only one DNSBL will appear to work (the other(s) will
>> appear to not catch anything). Mail servers already using dnsbl.njabl.org
>> are advised to continue doing so, as dnsbl.njabl.org is itself a composite
>> list and contains more than the open proxy IPs list part now incorporated in
>> XBL.
>>
>> ===
>>
>> The only reason I point this out is that my installation of MailScanner et
>> al. was originally done using Johnny Hughes' excellent howto and by default,
>> the spam checking rules used list both SBL+XBL and CBL, which according to
>> the above means we are effectively double-checking and any 'hit' will count
>> as 2 towards 'spam lists to be spam'.
>>
>> If my assumption is correct, will I be OK to remove SBL+XBL and replace it
>> with spamhaus.org in order to not check both XBL and CBL?
>>
>> Thanks
>>
> Wouldn't the natural thing to do be to remove CBL and keep SBL-XBL?
> Also, search the mailing list archives, there has been a fair amount
> of discussion of where to do rbl checking (MTA, MS or SA) with some
> fairly informed opinions :-).

My official party line is this:
If you want nice rejection messages sent to people (please do NOT 
attempt to notify senders of spam messages, they are always fake and you 
will just royally piss off the poor innocent guy who owns the faked 
sender address) then reject in MailScanner.
Otherwise reject in the MTA.

Do not use more than about 2 "Spam Lists" in MailScanner.conf. They are 
queried in series, so every extra one slows down your mail more.

Best bet: leave the job to SpamAssassin which uses loads of blacklists, 
knows exactly how reliable and trustworthy each blacklist is (as 
reflected in its score for each one, which is carefully calculated) and 
looks them all up in parallel, ie. really fast.

But if you just want to reject anything on a particular blacklist, do it 
in your MTA.

Personally: I use MailScanner and SpamAssassin to do the job. Though one 
day I may well remove the MailScanner tests and just do it in the MTA, 
but I have enough horsepower in my MXs to do it in MailScanner.


-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
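
The double-counting discussed in this thread, as an added example that is not part of the original messages or of MailScanner's code: it simulates listings instead of querying DNS and compares the per-list hit count with the number of independent data sources behind those hits. The dataset labels, the threshold of 2 and the test address are assumptions made for illustration.

```python
import ipaddress

# Upstream data behind each DNSBL zone, following the Spamhaus text quoted
# in the thread. The dataset labels are made up for this sketch.
ZONE_DATA = {
    "cbl.abuseat.org": {"cbl"},
    "xbl.spamhaus.org": {"cbl", "njabl-proxy"},
    "dnsbl.njabl.org": {"njabl-proxy", "njabl-other"},
}

def query_name(ip: str, zone: str) -> str:
    """Standard DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def score(ip_datasets: set, zones: list, threshold: int) -> dict:
    """Compare the naive per-zone hit count with the independent evidence.

    ip_datasets: upstream datasets the sending IP appears in (simulated
    here instead of doing live DNS lookups).
    threshold: number of list hits needed to call the message spam
    (assumed value, playing the role of 'spam lists to be spam').
    """
    hits = [z for z in zones if ZONE_DATA[z] & ip_datasets]
    evidence = set().union(*(ZONE_DATA[z] & ip_datasets for z in hits))
    return {
        "hits": hits,
        "naive_count": len(hits),
        "independent_count": len(evidence),
        "naive_is_spam": len(hits) >= threshold,
        "independent_is_spam": len(evidence) >= threshold,
    }

def overlapping_pairs(zones: list) -> list:
    """Configured zone pairs that share upstream data (a config lint)."""
    return [(a, b) for i, a in enumerate(zones) for b in zones[i + 1:]
            if ZONE_DATA[a] & ZONE_DATA[b]]

if __name__ == "__main__":
    zones = ["xbl.spamhaus.org", "cbl.abuseat.org"]  # the doubled setup
    print(query_name("192.0.2.10", zones[0]))        # constructed test IP
    print(score({"cbl"}, zones, threshold=2))        # IP listed in CBL only
    print(overlapping_pairs(zones))
```
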



