From: Curtis Maurand on 11 Jun 2010 08:30

Currently I have in my smtpd_client_restrictions: ...
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
permit

Is flat out rejecting clients on the RBL's considered too aggressive?
Should I just let spamassassin handle this and score accordingly?

Thanks in advance,
Curtis

From: Simon Waters on 11 Jun 2010 08:48

On Friday 11 June 2010 13:30:44 Curtis Maurand wrote:
> Currently I have in my smtpd_client_restrictions: ...
> reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
> permit
>
> Is flat out rejecting clients on the RBL's considered too aggressive?
> Should I just let spamassassin handle this and score accordingly?

It is a policy issue - there is no right answer - does it work for you?

I include flat reject on zen.spamhaus.org on some servers without unacceptable (for us) false positive rate (Spamhaus are good at listing mostly spammers).

Main issue I see with zen.spamhaus.org is some persistent spammers who presumably are clean in parts, or otherwise difficult for Spamhaus to list (suing them?).

I can't comment on bl.spamcop.net, but I'd expect it to have more false positives based on the description provided, so a weighted use of this is probably sensible.

I'd stick it in with warn_if_reject and measure the false positive rate, and benefit if any over existing lists I use. Block lists don't add nicely -- they may well include the same spam sources but tend to disagree over their mistakes, so you get addition of mistakes but overlap on the correct answers meaning the returns may diminish quickly.

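One way to run the warn_if_reject trial described in the post above, as an added example that is not part of the thread: it tallies Postfix `reject_warning` log lines for the list on trial and checks the warned clients against senders known to be legitimate. The log lines, the `KNOWN_GOOD` set and the function names are constructed for illustration.

```python
import re

# Assumed main.cf ordering for the trial (zen rejects first, spamcop only warns):
#   reject_rbl_client zen.spamhaus.org,
#   warn_if_reject reject_rbl_client bl.spamcop.net,
# Constructed smtpd log lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
Jun 11 09:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.com> to=<u@example.net> proto=ESMTP helo=<x>
Jun 11 09:00:09 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using zen.spamhaus.org; from=<b@example.com> to=<u@example.net> proto=ESMTP helo=<y>
Jun 11 09:01:14 mx postfix/smtpd[2103]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.5]: 554 5.7.1 Service unavailable; Client host [198.51.100.5] blocked using bl.spamcop.net; from=<c@example.com> to=<u@example.net> proto=ESMTP helo=<z>
Jun 11 09:02:30 mx postfix/smtpd[2104]: NOQUEUE: reject_warning: RCPT from mail.example.org[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using bl.spamcop.net; from=<d@example.org> to=<u@example.net> proto=ESMTP helo=<mail.example.org>
Jun 11 09:03:02 mx postfix/smtpd[2105]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.5]: 554 5.7.1 Service unavailable; Client host [198.51.100.5] blocked using bl.spamcop.net; from=<e@example.com> to=<u@example.net> proto=ESMTP helo=<z>
Jun 11 09:04:00 mx postfix/smtpd[2106]: connect from unknown[198.51.100.9]
"""
# Constructed: client IPs an admin has reviewed and confirmed as legitimate senders.
KNOWN_GOOD = {"203.0.113.7"}

LINE_RE = re.compile(
    r"NOQUEUE: (reject|reject_warning): RCPT from \S+\[([0-9.]+)\]: "
    r".*?blocked using ([A-Za-z0-9.-]+)")


def tally(log_text):
    """Map (zone, action) -> list of client IPs, one entry per logged attempt."""
    out = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            action, ip, zone = m.groups()
            out.setdefault((zone, action), []).append(ip)
    return out


def trial_report(log_text, zone, known_good):
    """Summarise what a warn_if_reject trial of `zone` would have rejected."""
    warned = tally(log_text).get((zone, "reject_warning"), [])
    clients = set(warned)
    false_pos = clients & set(known_good)
    return {
        "attempts": len(warned),
        "clients": len(clients),
        "false_positives": sorted(false_pos),
        "fp_rate": len(false_pos) / len(clients) if clients else 0.0,
    }


if __name__ == "__main__":
    print(trial_report(SAMPLE_LOG, "bl.spamcop.net", KNOWN_GOOD))
```

Because zen.spamhaus.org is evaluated first and rejects outright, the warnings counted here are only clients that zen did not list, which is the benefit over the existing list that the trial is meant to measure.
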
From: Kenneth Marshall on 11 Jun 2010 08:53

On Fri, Jun 11, 2010 at 01:48:53PM +0100, Simon Waters wrote:
> On Friday 11 June 2010 13:30:44 Curtis Maurand wrote:
> > Currently I have in my smtpd_client_restrictions: ...
> > reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
> > permit
> >
> > Is flat out rejecting clients on the RBL's considered too aggressive?
> > Should I just let spamassassin handle this and score accordingly?
>
> It is a policy issue - there is no right answer - does it work for you?
>
> I include flat reject on zen.spamhaus.org on some servers without unacceptable
> (for us) false positive rate (Spamhaus are good at listing mostly spammers).
>
> Main issue I see with zen.spamhaus.org is some persistent spammers who
> presumably are clean in parts, or otherwise difficult for Spamhaus to list
> (suing them?).
>
> I can't comment on bl.spamcop.net, but I'd expect it to have more false
> positives based on the description provided, so a weighted use of this is
> probably sensible.
>
> I'd stick it in with warn_if_reject and measure the false positive rate, and
> benefit if any over existing lists I use. Block lists don't add nicely --
> they may well include the same spam sources but tend to disagree over their
> mistakes, so you get addition of mistakes but overlap on the correct answers
> meaning the returns may diminish quickly.
>

We use the policyd_weight policy server to evaluate a number of RBLs and other message criteria before refusing a message. You can weight each RBL and decide how much effect its entries should have. This helps to minimize the mistakes from any one RBL.

Regards,
Ken

From: Bill Cole on 11 Jun 2010 10:40

Curtis Maurand wrote, On 6/11/10 8:30 AM:
> Currently I have in my smtpd_client_restrictions: ...
> reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
>
> Is flat out rejecting clients on the RBL's considered too aggressive?

No. Or, yes. Maybe.

A lot depends on who your users are and who their legitimate correspondents are. For "false positive" rejections, there is almost zero risk for almost all mail systems in using Zen for absolute rejection, provided you make sure you either exempt authenticated submission or don't have any need to do so. The Spamcop BL is intrinsically a little riskier, but it has become a lot safer over the past few years. Many systems use those two lists outside of scoring structures without trouble.

Beyond the FP risk, there is a more subtle issue of whether the benefit of rejecting spam cheaply is worth the potential cost of not having a steady stream of representative spam feeding the adaptive dynamic features of a scoring system like SpamAssassin.

> Should I just let spamassassin handle this and score accordingly?

A mailing list can't tell you who you are. That is especially true for one made up largely of sysadmins. :)

Questions you need to address for a clearer answer:

1. How much mail are you handling? Scale can make lightweight spam rejection important, but it can also reach a point where statistically you are virtually assured of having a constant stream of FP's from even 'safe' blacklists like Spamcop.

2. What sorts of users do you have? Business and personal mail systems are often more deeply knowable in this aspect than are ISP and educational systems, but anyone running a mail system has to be aware of who the users are, how diverse their legitimate mail is, how much spam they get, etc.

3. How much spare capacity do you have? If you have a bunch of free memory and idle CPU cycles, you may not be spending anything valuable to you by showing every message to SA.

4. What are your tolerances for complexity and malfunction? One of Postfix's best design features is that subtle and complex policy issues are left to optional external programs. Limiting yourself to what Postfix can do by itself means that you have a simpler configuration that is easier to get right and easier to troubleshoot when it does not do what you want. SpamAssassin is a great tool, but making it work well for your mail streams and your users can be a lot of work. Restricting yourself to the configurability of Postfix itself makes figuring out problems easier, but it also means that you might not be able to solve problems in an ideal way. Using the external filtering and policy tools that can be hooked into Postfix offers you the freedom to devise configuration as subtle and purpose-fit for your needs as possible, and using that freedom may chain you to an endless task of tweaking that configuration.

And you thought your question was simple...

From: Stan Hoeppner on 11 Jun 2010 11:31

Curtis Maurand put forth on 6/11/2010 7:30 AM:
> Currently I have in my smtpd_client_restrictions: ...
> reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
> permit
>
> Is flat out rejecting clients on the RBL's considered too aggressive?
> Should I just let spamassassin handle this and score accordingly?

This is purely dnsbl dependent. I've never seen an FP doing straight rejections with any Spamhaus lists. On the flip side, there's only maybe one SORBS list I'd outright block with--too many FPs. Use SORBS for scoring but not outright rejections.

There are some really aggressive dnsbls out there today. Generally, the more aggressive they are, the greater the FP rates. For many sites, it's probably best to score with the aggressive dnsbls and only do outright blocking with the conservative ones.

An exception to this rule is the ivmSIP dnsbl. It's really aggressive at catching snowshoe but the FP rate is statistically zero. It's one of the best performing dnsbls. It's a paid service though, although I hear the pricing is reasonable.

Here's a nice tool that lists most of the currently available dnsbls:
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a24.39.42.58

--
Stan
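
The weighted evaluation Kenneth Marshall describes and the "block with the conservative lists, score with the aggressive ones" split from Stan Hoeppner's post, as one added example that is not part of the thread and is not policyd-weight's code. The weights, threshold, the placeholder zone `aggressive.dnsbl.example`, the function names and the canned DNS answers are all constructed; lookups are injectable so the block runs offline.

```python
import socket

# Constructed policy: the two zones from the thread plus one placeholder zone.
HARD_REJECT = {"zen.spamhaus.org"}            # conservative list: a hit rejects
WEIGHTS = {"bl.spamcop.net": 3.0,             # scored lists: no single hit rejects
           "aggressive.dnsbl.example": 2.5}
THRESHOLD = 5.0


def dnsbl_name(ip, zone):
    """Build the query name: 192.0.2.10 in zone z -> 10.2.0.192.z (IPv4 only)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % (ip,))
    return ".".join(reversed(octets)) + "." + zone


def dns_lookup(name):
    """Return the A record for name, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listing(answer):
    """Listings come back in 127.0.0.0/8; Spamhaus uses 127.255.255.x to signal
    query errors (e.g. a blocked resolver), which must not count as a hit."""
    return bool(answer) and answer.startswith("127.") \
        and not answer.startswith("127.255.255.")


def evaluate(ip, lookup=dns_lookup):
    """Return (action, score, hits) for one client IP."""
    zones = sorted(HARD_REJECT) + sorted(WEIGHTS)
    hits = [z for z in zones if is_listing(lookup(dnsbl_name(ip, z)))]
    score = sum(WEIGHTS.get(z, 0.0) for z in hits)
    if HARD_REJECT.intersection(hits) or score >= THRESHOLD:
        return "reject", score, hits
    return "accept", score, hits


# Constructed DNS answers standing in for live lookups.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "20.2.0.192.bl.spamcop.net": "127.0.0.2",
    "30.2.0.192.bl.spamcop.net": "127.0.0.2",
    "30.2.0.192.aggressive.dnsbl.example": "127.0.0.2",
    "40.2.0.192.zen.spamhaus.org": "127.255.255.254",   # error code, not a listing
}


def fake_lookup(name):
    return FAKE_DNS.get(name)
```

A client listed only on a scored list is accepted with its score recorded, so a mistake by one list does not refuse mail on its own; two scored hits together cross the threshold.
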