/dev/rob0 | 15 Feb 17:51 2011

My postscreen results

I went live with my postscreen blocking mail, after some time of 
non-blocking while watching logs. Here's a discussion of those 
results (both non-blocking and blocking.) I've singled out some of 
the items which interested me; perhaps they will interest you as 
well. (Possibly all old-hat to the ones who leapt in early.)

* Settings
  ========

postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    dnsbl.njabl.org*2
    bl.spameatingmonkey.net*2
    dnsbl.ahbl.org
    bl.spamcop.net
    dnsbl.sorbs.net
    spamtrap.trblspam.com
    swl.spamhaus.org*-5
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-4
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

* Gripe
  =====

The one thing I do not like about it is that the DNSBL given as the
reason for rejection is semi-random; specifically, it seems to be the 
first one to hit dnsblog(8) for that client.

My postscreen_dnsbl_sites are arranged in trust order. If a real 
person were to see one of these rejections, I would prefer that this 
person see Spamhaus or Barracuda or NJABL, not SORBS, Spamcop, or 
TRBL. I know my workaround is to use postscreen_dnsbl_reply_map,
shown here in pcre:
    !/^zen\.spamhaus\.org$/    multiple DNS-based blocklists
But, I'd prefer for logging to sort the dnsblog names by score, 
highest first, and use that DNSBL name as the reason.

(This workaround is in place and working fine.)

* Scoring and whitelists
  ======================

Thanks to Noel for getting me thinking about DNS whitelists. I am 
doubtful that they will matter much overall, but they do seem to be 
conservative so far. Mine have offset only a few negatively-scored 
hosts from my less-trusted (1 point) DNSBLs, mostly. There were 2 
DNSWL hits for spameatingmonkey hosts, and zero for AHBL, so I am 
considering switching their places (and scores) in the above list.

The largest part of my DNSWL hits are weighted toward lower-scored 
hosts. Out of 610 in the sample period I had 474 + 89 + 34 + 13 of 
127.0.x.Y where Y is 0, 1, 2, and 3 respectively. I'm not seeing a 
lot of hits in SWL so far, and the few I did see were also found in 
DNSWL. (No SWL host was listed in any of the DNSBLs.)

Overlap between dnswl.org and the DNSBLs listed was as follows:

  Also listed in:
  ---------------
  bl.spameatingmonkey.net   2
  bl.spamcop.net            4
  dnsbl.sorbs.net          24
  spamtrap.trblspam.com    52

Of these, only 5 were listed on more than one DNSBL. All 5 of these 
were listed on TRBL; 3 also on spam.dnsbl.sorbs.net (127.0.0.6), and 
the other 2 also on bl.spameatingmonkey.net (127.0.0.10). Not 
surprisingly, each of the DNSWL listings was a .0 (trust level 
"none".)

  DNSWL-SEM-TRBL
  --------------
  174.34.187.66   list.dnswl.org          127.0.15.0
  174.34.187.66   bl.spameatingmonkey.net 127.0.0.10
  174.34.187.66   spamtrap.trblspam.com   127.0.0.2

  174.34.187.67   list.dnswl.org          127.0.15.0
  174.34.187.67   bl.spameatingmonkey.net 127.0.0.10
  174.34.187.67   spamtrap.trblspam.com   127.0.0.2

Note, the DNSWL-SEM-TRBL triples are right next door to one another, 
which suggests that a netblock listing might have been done. These 
particular hosts are an ESP:
    http://www.yourmailinglistprovider.com/antispam_policy.html
I don't know how good (or bad) they are, but they do offer a free 
trial, so they're likely to attract spammers.

  DNSWL-SORBS-TRBL
  ----------------
  66.192.165.130  list.dnswl.org          127.0.15.0
  66.192.165.130  dnsbl.sorbs.net         127.0.0.6
  66.192.165.130  spamtrap.trblspam.com   127.0.0.2

  216.27.93.124   list.dnswl.org          127.0.15.0
  216.27.93.124   dnsbl.sorbs.net         127.0.0.6
  216.27.93.124   spamtrap.trblspam.com   127.0.0.2

  195.121.247.8   list.dnswl.org          127.0.5.0
  195.121.247.8   dnsbl.sorbs.net         127.0.0.6
  195.121.247.8   spamtrap.trblspam.com   127.0.0.2

The first two of those are the ESP iContact.com. The latter is KPN, 
an ISP in Europe.

The breakdown of dual listings by DNSWL trust level is what I would 
expect:

  dnswl.org returns: ##   ## per DNSBL
  ------------------ --   ------------
  127.0.x.3 (high)    3    2 TRBL
                           1 SORBS spam (127.0.0.6)
  127.0.x.2 (medium)  0
  127.0.x.1 (low)     0    9 SORBS spam (All of these: Facebook)
  127.0.x.0 (none)   70   50 TRBL
                          14 SORBS spam
                           4 Spamcop
                           2 Spameatingmonkey 

FWIW the three high-trust hosts are all well-known listservers: 
outgoing.securityfocus.com and webster.isc.org on TRBL; and 
vger.kernel.org on SORBS. No, I'd not want to lose mail from them.

The non-trust hosts are about evenly split between ESPs and ISPs. 
These, I did not bother to examine as carefully other than that. 
Seems like some more aggressive sites might want to score lower for 
dnswl.org's 127.0.[5;15].0 than for other values of the third quad.

Oh, and of course, thanks also to Mathias for running DNSWL. Looks 
like you're doing a good job. I signed up and got listed with a 
"medium" trust score (which is probably fair; if anything, to be 
honest, possibly a bit too high. I'm not full-time on this, and if
something went wrong and we were being used by a spammer, there 
could be a delay in our response to complaints.)

* Subjective & Plans, Conclusions
  ===============================

I have (had!) pretty good spam controls in place before this. I do 
not expect to see any substantial decrease in spam getting through, 
simply because most of what postscreen blocks was already being 
blocked by smtpd. I did see a couple in the last few days before 
starting postscreen_dnsbl_action=enforce which were not in Zen, yet 
scored above my postscreen_dnsbl_threshold.

Whilst I do not relish a return to the pain of greylisting, I am 
planning to activate the deep protocol tests after a bit. I'm 
thinking that the post-220 tests might nearly wipe out the spam I get 
other than snowshoe, and delays can indeed help with snowshoe in some 
cases (giving the DNSBLs more time to list them.)

I'm still not using any kind of content filtering here, but that 
remains a possibility for the future. URIBL checking should mop up 
the snowshoe spam and "leakage" from the otherwise legitimate mail 
hosts.

I am pleased with my list of DNSBL (and dnswl) sites and their 
scoring. I could add in a few more and still feel safe, except for 
having more DNSBLs to keep up with.

I'm confident in those lists insofar as they're adhering to 
their policies. I'm sure their spamtraps are being hit by the 
whitelisted hosts; but I'd not be comfortable using TRBL or SORBS as 
a reject_rbl_client lookup.

It's not a FUSSP, and it won't be, unless/until a new secure mail 
protocol is adopted and everyone switches to it. Spammers will be a 
moving target, always. But I definitely feel like we're ahead in the 
game for now. Thanks Wietse, and also thanks to those early adopters 
who provided the feedback on postscreen.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header