Educause Security Discussion mailing list archives

Re: RBLs for email


From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Mon, 22 Mar 2004 10:14:25 -0800

Hi Theresa,

#Are you using Restricted Black Lists for stopping email spam,
#and if so, who is your RBL source?

I talked about this some in http://darkwing.uoregon.edu/~joe/jt-proxies/
("The Open Proxy Problem: Should I Worry About Half A Million Trivially
Exploitable Hosts?"), and continue to do work in this area (I'm now
tracking in excess of 2.2 million listed open proxies/spam zombies).

You may also be interested in http://darkwing.uoregon.edu/~joe/spamwar/

Based on that work, I'd recommend using a combination of lists:

-- http://www.mail-abuse.org/rbl+  (for dynamic hosts, open relays, some
   open proxies, etc.); the RBL+ isn't free, but it is quite cheap for
   higher education sites when used in zone transfer mode.

-- http://www.spamhaus.org/ has the SBL+XBL combination list that does a
   nice job of catching known spam sources plus spam zombies

-- plus an open proxy list such as NJABL ( http://www.njabl.org/ ); I used
   to recommend Wirehub/Easynet, but they stopped doing open proxy listings

Depending on how aggressive you are, you may want to augment that with
additional private filtering rules; for example, here at UO we employ
   additional rules that return a 571 if we see direct-to-MX mail from cable
   modem/DSL/dialup/wireless space (we require that traffic go via
   the provider's officially designated SMTP server). Once the DNSBLs get
   the noise level down a couple of orders of magnitude, it's pretty easy to
   deal with what's left. :-)

Based on our experiences with this approach to date, I'd note:

1) You should try to provide a mechanism which allows users to opt out of your
   default filtering if at all possible; few will use it, but it provides an
   important safety mechanism. (we allow users to opt out by creating a
   special dot file in their account, either at the shell prompt or via a
   web page; we look for that file on an hourly basis and then adjust our
   filter rules to treat those accounts as exempt from filtering)

   So far, out of 40K+ accounts, we've had fewer than 60 users use it
   (largely folks who prefer yet-more-aggressive SpamAssassin rules or folks
   who have relatives or other important correspondents who have "no option"
   except to use some spammer-infested ISP).

2) For a while, you will spend some time educating local ISPs about why
   their business customers who've parked .com's on DSL or cable modem
   connectivity are getting blocked by rules that key off of
   cable modem/DSL rDNS naming conventions. Once they get the hang of
   having PTRs/in-addrs that match their forward DNS, this problem goes away.

3) You will run into some mailing entities which employ a "human shield"
   model for their bulk mail operations, larding "real" mailing lists
   among unsolicited mailings. You'll need to use your own discretion
   when it comes to dealing with those folks, although if you allow users
   to opt out of your default filtering, you have at least one clean way
   of dealing with this issue.

4) I'd strongly encourage you to create an alias to which spam reports can
   be sent in the event spam still ends up getting through. Your users can
   be invaluable when it comes to acting as sentinels and providing warning
   about holes in your spam filters.

Please let me know if you have any questions,

Regards,

Joe St Sauver (joe () oregon uoregon edu)
University of Oregon Computing Center

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
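The filtering stack the post describes (a combination of DNSBL zones, a local rule that answers 571 to direct-to-MX mail from dynamic-looking rDNS space, and a per-account opt-out dot file picked up on a schedule), as an added Python example that is not Joe St Sauver's code or the University of Oregon's configuration. Assumptions: the MAPS RBL+ zone name (the real zone is licensed), the opt-out file name `.nospamfilter`, the PTR vocabulary used to recognise cable/DSL/dialup/wireless space, and the use of 550 for DNSBL hits; the client addresses, PTRs and DNSBL answers are constructed so the block runs offline. It also shows a check the post does not mention: only answers in 127.0.0.0/24 count as listings, so that a Spamhaus 127.255.255.x error code (for example an exhausted query quota) does not turn into a reject-everything outage.

```python
"""Added example (not from the post): RCPT-time policy combining DNSBL lookups,
a dynamic-space rDNS rule answering 571, and a per-user opt-out dot file.
The RBL+ zone name, the dot-file name, the PTR heuristics and 550 for DNSBL
hits are assumptions; all sample addresses and DNSBL answers are constructed."""
import ipaddress
import os
import re
import socket
import tempfile
from typing import Callable, Iterable, Optional

DNSBL_ZONES = (
    "sbl-xbl.spamhaus.org",      # Spamhaus SBL+XBL combination list
    "dnsbl.njabl.org",           # NJABL open proxies / relays
    "rbl-plus.mail-abuse.org",   # MAPS RBL+; assumed name, real zone is licensed
)
OPT_OUT_FILE = ".nospamfilter"   # assumed name of the per-account opt-out file
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/24")
# Assumed PTR vocabulary for cable/DSL/dialup/wireless space; tune to what you see.
DYNAMIC_TOKENS = re.compile(
    r"(?<![a-z])(a?dsl|cable|cpe|dial(up)?|dyn(amic)?|ppp|pool|wireless|wifi|dhcp)(?![a-z])",
    re.IGNORECASE)
Resolver = Callable[[str], list[str]]


def reverse_ip(ip: str) -> str:
    """1.2.3.4 -> 4.3.2.1, the label order DNSBL zones expect."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def socket_resolver(name: str) -> list[str]:
    """Live resolver: A records for name, [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def is_listing(answer: str) -> bool:
    """Only 127.0.0.x means 'listed'.  Spamhaus signals errors such as an
    exhausted query quota with 127.255.255.x; counting those as listings
    would reject all mail as soon as the list stops answering properly."""
    return ipaddress.IPv4Address(answer) in LISTED_NET


def dnsbl_hits(ip: str, zones: Iterable[str] = DNSBL_ZONES,
               resolve: Resolver = socket_resolver) -> list[tuple[str, str]]:
    """Every (zone, return code) pair in which ip is listed."""
    rev = reverse_ip(ip)
    return [(z, a) for z in zones for a in resolve(f"{rev}.{z}") if is_listing(a)]


def looks_dynamic(ip: str, ptr: Optional[str]) -> bool:
    """rDNS naming-convention rule: provider tokens, or the client's own
    octets embedded in the PTR (c-192-0-2-44.hsd1..., 44.2.0.192.dyn...)."""
    if not ptr:
        return False          # missing rDNS is a separate policy question
    if DYNAMIC_TOKENS.search(ptr):
        return True
    octets = ip.split(".")
    for seq in (octets, octets[::-1]):
        pattern = r"(?<!\d)" + r"\D{1,3}".join(map(re.escape, seq)) + r"(?!\d)"
        if re.search(pattern, ptr):
            return True
    return False


def load_exemptions(home_root: str) -> frozenset[str]:
    """Accounts whose home directory holds OPT_OUT_FILE; run from cron."""
    return frozenset(u for u in os.listdir(home_root)
                     if os.path.isfile(os.path.join(home_root, u, OPT_OUT_FILE)))


def rcpt_policy(client_ip: str, ptr: Optional[str], recipient: str,
                exempt: frozenset[str], resolve: Resolver = socket_resolver,
                zones: Iterable[str] = DNSBL_ZONES) -> tuple[int, str]:
    """SMTP reply for one RCPT TO: opted-out users get everything, the cheap
    local rDNS rule runs before any DNS query, then the DNSBLs."""
    if recipient.split("@", 1)[0].lower() in exempt:
        return 250, "OK (recipient opted out of default filtering)"
    if looks_dynamic(client_ip, ptr):
        return 571, (f"Direct-to-MX mail from {ptr} not accepted; "
                     "relay through your provider's designated SMTP server")
    hits = dnsbl_hits(client_ip, zones, resolve)
    if hits:
        return 550, f"{client_ip} listed in {hits[0][0]} ({hits[0][1]})"
    return 250, "OK"


# Constructed DNSBL answers for an offline run: one zombie listing, one error code.
FAKE_ZONE_DATA = {
    "7.100.51.198.sbl-xbl.spamhaus.org": ["127.0.0.4"],
    "9.113.0.203.sbl-xbl.spamhaus.org": ["127.255.255.254"],
}


def fake_resolver(name: str) -> list[str]:
    return FAKE_ZONE_DATA.get(name, [])


def demo() -> dict[str, tuple[int, str]]:
    """Run the policy over constructed clients; user 'relative' has opted out."""
    with tempfile.TemporaryDirectory() as root:
        for user in ("alice", "relative"):
            os.makedirs(os.path.join(root, user))
        open(os.path.join(root, "relative", OPT_OUT_FILE), "w").close()
        exempt = load_exemptions(root)
    cases = {
        "zombie": ("198.51.100.7", "mail.example.org", "alice@example.edu"),
        "cable": ("192.0.2.44", "c-192-0-2-44.hsd1.example.net", "alice@example.edu"),
        "cable-optout": ("192.0.2.44", "c-192-0-2-44.hsd1.example.net", "relative@example.edu"),
        "bl-error": ("203.0.113.9", "mx.example.com", "alice@example.edu"),
        "clean": ("192.0.2.10", "mx.example.com", "alice@example.edu"),
    }
    return {k: rcpt_policy(ip, ptr, rcpt, exempt, resolve=fake_resolver)
            for k, (ip, ptr, rcpt) in cases.items()}
```

Calling `demo()` yields 550 for the zombie, 571 for the cable-modem client, 250 for the same client when the recipient has opted out, and 250 for both the clean host and the host whose only DNSBL answer was an error code. With `socket_resolver` in place of `fake_resolver` the same functions query the real zones; when you do that, resolve DNSBL names through your own recursive resolver rather than a public one, since the large lists refuse or rate-limit queries from shared resolvers.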
