Educause Security Discussion mailing list archives
Re: DNS blacklists
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 21 May 2009 12:20:19 -0500
Tupker, Mike wrote:
Hi,

I was just curious what other campuses are using in terms of DNS blacklists when it comes to email? They are very handy but recently a few of them have been the source of some complaints from our users. Currently we are using:

Rbl-xbl.Spamhaus
psbl.surriel.com
cbl.abuseat.org
bl.spamcop.net
dnsbl.njabl.org
Barracudacentral – by default in our barracuda device

I know we are probably using more lists than is necessary, but I’m sure you all know how cranky people can get if they find a single spam message in their inbox.
We use blacklists in a weighted fashion using the 'gross' greylisting server, which achieves the same benefit of blacklisting, and eliminates the downside of false positives. We can also use more aggressive blacklists without much detriment.
We use:

bl.spamcop.net
cbl.abuseat.org
dnsbl.sorbs.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
and the Sophos PureMessage IP blocker

The Sophos blocker has a weight of 3 and SpamCop has a weight of 2; all others have a weight of 1. If the cumulative weight of the connecting IP is >3 then we reject the message. If the cumulative weight is 1-3 then we greylist the message. The end result is that 45% of mail is rejected; 30% is greylisted. About 5% of the greylisted mail is resent back to us. We haven't had any complaints about false positives.
The spam that gets through, either undetected by all DNSBLs or not listed on any of them, is mopped up by our anti-spam content scanners. Greylisting adds a delay to some of the spam, so it gives our anti-spam vendor some time to react to new spam attacks and push out updates before the messages are retried.
Jesse

--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson () doit wisc edu