Educause Security Discussion mailing list archives
Re: RBLs for email
From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Mon, 22 Mar 2004 10:14:25 -0800
Hi Theresa,

# Are you using Restricted Black Lists for stopping email spam,
# and if so, who is your RBL source?

I talked about this some in http://darkwing.uoregon.edu/~joe/jt-proxies/ ("The Open Proxy Problem: Should I Worry About Half A Million Trivially Exploitable Hosts?"), and continue to do work in this area (I'm now tracking in excess of 2.2 million listed open proxies/spam zombies). You may also be interested in http://darkwing.uoregon.edu/~joe/spamwar/

Based on that work, I'd recommend using a combination of lists:

-- http://www.mail-abuse.org/rbl+ (for dynamic hosts, open relays, some open proxies, etc.); the RBL+ isn't free, but it is quite cheap for higher education sites when used in zone transfer mode.

-- http://www.spamhaus.org/ has the SBL+XBL combination list that does a nice job of catching known spam sources plus spam zombies.

-- plus an open proxy list such as NJABL ( http://www.njabl.org/ ); I used to recommend Wirehub/Easynet, but they stopped doing open proxy listings.

Depending on how aggressive you are, you may want to augment that with additional private filtering rules; for example, here at UO we employ additional rules that return a 571 if we see direct-to-MX mail from cable modem/DSL/dialup/wireless space (we require that traffic go via the provider's officially designated SMTP server). Once the DNSBLs get the noise level down a couple of orders of magnitude, it's pretty easy to deal with what's left. :-)

Based on our experiences with this approach to date, I'd note:

1) You should try to provide a mechanism which allows users to opt out of your default filtering if at all possible; few will use it, but it provides an important safety mechanism. (We allow users to opt out by creating a special dot file in their account, either at the shell prompt or via a web page; we look for that file on an hourly basis and then adjust our filter rules to treat those accounts as exempt from filtering.) So far, out of 40K+ accounts, we've had fewer than 60 users use it (largely folks who prefer yet-more-aggressive SpamAssassin rules or folks who have relatives or other important correspondents who have "no option" except to use some spammer-infested ISP).

2) For a while, you will spend some time educating local ISPs about why their business customers who've parked .com's on DSL or cable modem connectivity are getting blocked by rules that key off of cable modem/DSL rDNS naming conventions. Once they get the hang of having PTRs/in-addrs that match their forward DNS, this problem goes away.

3) You will run into some mailing entities which employ a "human shield" model for their bulk mail operations, larding "real" mailing lists among unsolicited mailings. You'll need to use your own discretion when it comes to dealing with those folks, although if you allow users to opt out of your default filtering, you have at least one clean way of dealing with this issue.

4) I'd strongly encourage you to create an alias to which spam reports can be sent in the event spam still ends up getting through. Your users can be invaluable when it comes to acting as sentinels and providing warning about holes in your spam filters.

Please let me know if you have any questions,

Regards,

Joe St Sauver (joe () oregon uoregon edu)
University of Oregon Computing Center

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
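An added example (not code from the post or from UO's actual mail system) of the inbound policy Joe describes: check the connecting IP against a combination of DNSBLs, return 571 for direct-to-MX mail from cable/DSL/dialup/wireless rDNS space, and exempt recipients who have opted out. The DNSBL zone names and the rDNS naming patterns are assumptions, and DNS is injected as a callable so the code runs offline.

```python
"""Inbound-MTA policy check: DNSBL lookups + dynamic-rDNS rule + per-user opt-out."""
import ipaddress
import re
from typing import Callable, Tuple

# Assumed zone names for the lists recommended in the post (SBL+XBL, NJABL).
# The RBL+ is a paid zone-transfer feed and is left out of this example.
DNSBL_ZONES = ("sbl-xbl.spamhaus.org", "dnsbl.njabl.org")

# Constructed rDNS naming-convention patterns for cable/DSL/dialup/wireless
# space; a real deployment maintains these per local ISP.
DYNAMIC_RDNS = re.compile(
    r"(^|[.-])(a?dsl|cable|dialup|ppp|dyn(amic)?|wireless)([.-]|$)", re.I)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def looks_dynamic(rdns: str) -> bool:
    """True if the PTR name matches a dynamic/end-user naming convention."""
    return bool(rdns) and DYNAMIC_RDNS.search(rdns) is not None


def smtp_decision(ip: str, rdns: str, recipient: str,
                  is_listed: Callable[[str], bool],
                  opted_out: frozenset = frozenset()) -> Tuple[int, str]:
    """Return (SMTP reply code, reason) for one direct-to-MX delivery attempt.

    is_listed(name) reports whether a DNSBL query name resolves (IP is listed).
    Recipients in opted_out (lower-cased addresses, e.g. gathered from the
    hourly dot-file scan the post describes) are exempt from default filtering.
    """
    if recipient.lower() in opted_out:
        return 250, "accepted: recipient opted out of default filtering"
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return 451, "temporary failure: unparseable client address"
    for zone in DNSBL_ZONES:          # combination of lists, first hit rejects
        if is_listed(dnsbl_query_name(ip, zone)):
            return 550, f"rejected: {ip} listed in {zone}"
    if looks_dynamic(rdns):           # the local direct-to-MX rule from the post
        return 571, f"rejected: direct-to-MX mail from dynamic space ({rdns})"
    return 250, "accepted"


def make_resolver(listed_names: set) -> Callable[[str], bool]:
    """Offline stand-in for DNS: a name 'resolves' iff it is in the given set."""
    return lambda name: name in listed_names
```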
Current thread:
- RBLs for email Theresa M Rowe (Mar 22)
- <Possible follow-ups>
- Re: RBLs for email Jason Richardson (Mar 22)
- Re: RBLs for email Dave Koontz (Mar 22)
- Re: RBLs for email Jason Richardson (Mar 22)
- Re: RBLs for email Ken De Cruyenaere (Mar 22)
- Re: RBLs for email Joe St Sauver (Mar 22)