Educause Security Discussion mailing list archives

Re: DNS blacklists


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 21 May 2009 12:20:19 -0500

Tupker, Mike wrote:
Hi,
I was just curious what other campuses are using in terms of DNS blacklists when it comes to email? They are very handy but recently a few of them have been the source of some complaints from our users. Currently we are using:
Rbl-xbl.Spamhaus
psbl.surriel.com
cbl.abuseat.org
bl.spamcop.net
dnsbl.njabl.org
Barracudacentral – by default in our barracuda device
I know we are probably using more lists than is necessary, but I’m sure you all know how cranky people can get if they find a single spam message in their inbox.

We use blacklists in a weighted fashion using the 'gross' greylisting server, which achieves the same benefit of blacklisting, and eliminates the downside of false positives. We can also use more aggressive blacklists without much detriment.

We use:
bl.spamcop.net
cbl.abuseat.org
dnsbl.sorbs.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
and the Sophos PureMessage IP blocker

The Sophos blocker has a weight of 3 and SpamCop has a weight of 2; all others have a weight of 1. If the cumulative weight of the connecting IP is >3 then we reject the message. If the cumulative weight is 1-3 then we greylist the message. The end result is that 45% of mail is rejected; 30% is greylisted. About 5% of the greylisted mail is resent back to us. We haven't had any complaints about false positives.

The spam that gets through, either undetected by all DNSBLs or not listed on any of them, is mopped up by our anti-spam content scanners. Greylisting adds a delay to some of the spam so it gives some time to our anti-spam vendor to react to new spam attacks and push out updates before the messages are retried.

Jesse

--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thompson () doit wisc edu
