RBLs

Scott Silva ssilva at sgvwater.com
Thu Sep 13 23:25:50 IST 2007 

Julian Field spake the following on 9/13/2007 1:59 PM:
> 
> 
> Scott Silva wrote:
>> Mikael Syska spake the following on 9/13/2007 1:17 PM:
>>> Hi,
>>>
>>> Just wondering ... is this a busy system or private home server ? 
>>> What are the mail flow ?
>>>
>>> // ouT
>>>
>>> Scott Silva wrote:
>>>> Gareth spake the following on 9/12/2007 6:33 AM:
>>>>> Has anyone configured spamassassin to use additional RBLs other than
>>>>> what comes in the default configuration?
>>>>>
>>>>> I use Spamhaus and Spamcop in postfix but there are lots of 
>>>>> alternatives
>>>>> available and the best way to test them would be to configure them in
>>>>> spamassassin and use the mailwatch report to see the % of ham and spam
>>>>> it matches.
>>>>>
>>>> I have a few.
>>>>
>>>> ---snip----
>>>>
>>>>
>>>> header   RCVD_IN_PSBL          eval:check_rbl('psbl', 
>>>> 'psbl.surriel.com.')
>>>> describe RCVD_IN_PSBL          Received via a relay in PSBL
>>>> tflags   RCVD_IN_PSBL          net
>>>> score    RCVD_IN_PSBL          0 1.50 0 1.50
>>>>
>>>> header   RCVD_IN_UCE_PFSM_1          eval:check_rbl('UCE_PFSM_1', 
>>>> 'dnsbl-1.uceprotect.net')
>>>> describe RCVD_IN_UCE_PFSM_1          Received via a relay in UCE_PFSM_1
>>>> tflags   RCVD_IN_UCE_PFSM_1          net
>>>> score    RCVD_IN_UCE_PFSM_1          0 1.50 0 1.50
>>>>
>>>> header   RCVD_IN_UCE_PFSM_2          eval:check_rbl('UCE_PFSM_2', 
>>>> 'dnsbl-2.uceprotect.net')
>>>> describe RCVD_IN_UCE_PFSM_2          Received via a relay in UCE_PFSM_2
>>>> tflags   RCVD_IN_UCE_PFSM_2          net
>>>> score    RCVD_IN_UCE_PFSM_2          0 1.50 0 1.50
>>>>
>>>> header   RCVD_IN_UCE_PFSM_3          eval:check_rbl('UCE_PFSM_3', 
>>>> 'dnsbl-3.uceprotect.net')
>>>> describe RCVD_IN_UCE_PFSM_3          Received via a relay in UCE_PFSM_3
>>>> tflags   RCVD_IN_UCE_PFSM_3          net
>>>> score    RCVD_IN_UCE_PFSM_3          0 1.50 0 1.50
>>>>
>>>>
>>>> header   DNS_FROM_MPBULK_RHSBL    eval:check_rbl_from_host('mprhs', 
>>>> 'bulk.rhs.mailpolice.com.')
>>>> describe DNS_FROM_MPBULK_RHSBL    From: sender listed in 
>>>> bulk.rhs.mailpolice.com
>>>> tflags   DNS_FROM_MPBULK_RHSBL    net
>>>> score    DNS_FROM_MPBULK_RHSBL    2.0
>>>>
>>>>
>>>> urirhsbl  URIBL_BULK_MPRHS  bulk.rhs.mailpolice.com.   A
>>>> body      URIBL_BULK_MPRHS  eval:check_uridnsbl('URIBL_BULK_MPRHS')
>>>> describe  URIBL_BULK_MPRHS  Contains a URL listed in the MailPolice 
>>>> bulk senders list
>>>> tflags    URIBL_BULK_MPRHS  net
>>>> score     URIBL_BULK_MPRHS  2.0
>>>>
>>>>
>>>> urirhsbl  URIBL_PORN_MPRHS  porn.rhs.mailpolice.com.   A
>>>> body      URIBL_PORN_MPRHS  eval:check_uridnsbl('URIBL_PORN_MPRHS')
>>>> describe  URIBL_PORN_MPRHS  Contains a URL listed in the MailPolice 
>>>> porn domains list
>>>> tflags    URIBL_PORN_MPRHS  net
>>>> score     URIBL_PORN_MPRHS  2.0
>>>>
>>>>
>>>> urirhsbl  URIBL_FRAUD_MPRHS  fraud.rhs.mailpolice.com.   A
>>>> body      URIBL_FRAUD_MPRHS  eval:check_uridnsbl('URIBL_FRAUD_MPRHS')
>>>> describe  URIBL_FRAUD_MPRHS  Contains a URL listed in the MailPolice 
>>>> fraud domains list
>>>> tflags    URIBL_FRAUD_MPRHS  net
>>>> score     URIBL_FRAUD_MPRHS  2.0
>>>>
>>>> header   RCVD_IN_SPAMCANNIBAL          
>>>> eval:check_rbl('spamcannibal', 'bl.spamcannibal.org.')
>>>> describe RCVD_IN_SPAMCANNIBAL          Received via a relay in 
>>>> SpamCannibal
>>>> tflags   RCVD_IN_SPAMCANNIBAL          net
>>>> score    RCVD_IN_SPAMCANNIBAL          0 1.50 0 1.50
>>>>
>>>> header   RCVD_IN_MSRBL          eval:check_rbl('msrbl', 
>>>> 'combined.rbl.msrbl.net.')
>>>> describe RCVD_IN_MSRBL          Received via a relay in MSRBL
>>>> tflags   RCVD_IN_MSRBL          net
>>>> score    RCVD_IN_MSRBL          0 1.50 0 1.50
>>>>
>>>> ---snip---
>>>>
>>>>
>>>> Some are better than others, as I haven't had time to evaluate them 
>>>> for a while.
>>>>
>>>
>> Corporate mailservers serving about 100 users each in California, US.
>> We are a public utility serving about 80,000 plus consumers in parts 
>> of 6 cities.  Mail is usually around 10,000 to 15,000 per day before 
>> filtering. Usually 1000 or less legitimate mails, some are rather 
>> large word documents going back and forth with attorneys.
> To save space on your mail servers, have you considered trying out the 
> auto-zip functionality in MailScanner? It will squash Word documents a lot.
> 
> Jules
> 
I considered it a lot, but I'm sure the complaints from the users will just 
increase. Any change in how things work gives me nothing but grief. You should 
have heard the noise when I disabled mailing movie files! You would think I 
unplugged the coffee pot!
And when I blocked social pages like Myspace and Facebook at the proxy, people 
actually had the stones to ask why I did it. I asked them when they had time 
to do any real work if they were on myspace all day and hinted that HR might 
be looking at the proxy logs and they all shut up. BOFH!!!

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

More information about the MailScanner mailing list