Security Basics mailing list archives

RE: Help with SPAM blocking


From: "Kurt" <kurtbuff () spro net>
Date: Fri, 21 Jan 2005 11:02:08 -0800

Best practice is to not use standard RBLs as a direct method of blocking
spam.

There are far too many false positives, especially if you have any
discourse with non-US senders.

However, something like SpamAssassin can use RBLs as a factor in an
overall score for determining whether or not an email is spam, which is
a much safer way of evaluating email. Not only does SpamAssassin use
standard RBLs (I turn them off, myself), it can also use RBLs that
contain URI/URLs that are used in spam. This makes a huge amount of
sense, if you consider that spam must direct the viewer of the mail to a
particular spot in the world for them to make money or get their message
across in full. The only downside with URIBLs is that they must be
updated in fairly close to real time. This has been solved to my
satisfaction, and I'm very happy to say that it helps enormously to cut
down on spam in our environment.

In particular, if you are familiar with *nix, I can highly recommend
using SpamAssassin with ClamAV and Amavisd-new, with Postfix as your
MTA, as a gateway for your email infrastructure. I happen to run mine on
FreeBSD, because of the ease of installation and maintenance, but Linux
is more widespread, and more people are familiar with it.

Details of implementation will depend on your mail volume more than
anything else, in particular whether or not you cache results from, or
even rsync files from, the various RBLs, URI or otherwise.

Kurt

| Greetings list,
|
| I'm new to SPAM blocking and am trying to ramp up my knowledge of its
| mechanisms. I've done several days of research all over the net and
| there are still some points of confusion I can't seem to find
| explanations for. Anything you can help clarify for me is most
| appreciated. I also welcome reference to more focused mail lists I can
| query.
|
| First, I'm still looking for a good technical explanation of how
| Realtime Blackhole Lists (RBLs) work. Many references have specific
| implementation details (the syntax of the sendmail config lines, etc),
| but not the overview of RBL technology. The overviews I have found are
| too generic and mail-recipient/end-user oriented to be of much use.
|
| Do RBLs have a standard file format? What does it look like?
|
| What I can glean from FAQs and documentation implies there are two
| types: SMTP based and DNS based. Is this correct? Or is DNSRBL
| synonymous with RBL? Some lists (like njabl.org) imply they can be used
| by a DNS server, but I'm not clear how that functions. Why do so many
| references mention loopback addresses (see www.njabl.org/use.html, or
| the declude.com database)? What's the connection?
|
| Is it best practice to use one list integrated with your DNS server, or
| saved as a hosts file on your mail server, and another configured at
| your SMTP gateway?
|
| Also, is an RBL downloaded to your SMTP host, or is it used as a remote
| query? If it's remote, how can one create exceptions when needed? Is
| that where your SMTP gateway's white-list feature comes in?
|
| Again, thanks for any info you can provide.
|
| Dan Lynch, CISSP
| County of Placer
| Auburn, CA
|
| dlynch at placer dot ca dot gov


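The mechanics behind the two points raised above (how a DNS-based list answers a query with a loopback address, and how a scorer such as SpamAssassin treats list hits as one weighted factor rather than a hard block, with a local whitelist as the exception mechanism), as an added example that is not part of the original thread and is not SpamAssassin's own code. The DNS is replaced by a constructed lookup table, and the zone names `dnsbl.example` and `uribl.example`, the list weights and the threshold are all placeholders chosen for the illustration.

```python
import ipaddress
import re

# Constructed stand-in for the DNS. A real deployment sends these names to a
# resolver; here the table maps a query name to the A records a list would
# return. An absent key plays the role of NXDOMAIN ("not listed").
# Zone names are placeholders, not real lists.
FAKE_DNS = {
    "4.3.2.1.dnsbl.example": ["127.0.0.2"],         # sender 1.2.3.4 is listed
    "5.0.0.10.dnsbl.example": ["203.0.113.9"],      # broken/parked list: non-loopback answer
    "spammy.example.uribl.example": ["127.0.0.2"],  # a domain that appears in spam URLs
}


def stub_resolve(name):
    """Return the A records for `name` from the constructed table."""
    return FAKE_DNS.get(name, [])


LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the name an IP-based DNS list is queried with: octets reversed, under the zone.
    1.2.3.4 against dnsbl.example becomes 4.3.2.1.dnsbl.example."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(ip, zone, resolve=stub_resolve):
    """A listing is signalled by an A record in 127.0.0.0/8 (the loopback block the
    questioner asked about). Any other answer is not a verdict and is ignored, so a
    list that has been shut down and now wildcards to a real address does not
    suddenly flag every sender."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LOOPBACK for a in answers)


def uribl_listed(hostname, zone, resolve=stub_resolve):
    """URI lists are keyed by the domain name found in the message body, not by a
    reversed IP; the loopback convention for the answer is the same."""
    answers = resolve(hostname.lower() + "." + zone)
    return any(ipaddress.ip_address(a) in LOOPBACK for a in answers)


URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_hosts(body):
    """Hostnames of the URLs a message points its reader at (deduplicated, sorted)."""
    return sorted({m.lower() for m in URL_HOST.findall(body)})


# Per-list score contributions, in the style of SpamAssassin rule scores.
# The values and the threshold are constructed for this example.
IP_LISTS = {"dnsbl.example": 2.5}
URI_LISTS = {"uribl.example": 3.0}
THRESHOLD = 5.0


def score_message(sender_ip, body, whitelist=frozenset(), resolve=stub_resolve):
    """Return (score, hits). A list hit only adds weight; the verdict comes from the
    total. A whitelisted sender bypasses the lists entirely, which is the local
    exception mechanism a remote list cannot offer."""
    if sender_ip in whitelist:
        return 0.0, []
    score, hits = 0.0, []
    for zone, weight in IP_LISTS.items():
        if dnsbl_listed(sender_ip, zone, resolve):
            score += weight
            hits.append(f"{zone}:{sender_ip}")
    for host in extract_hosts(body):
        for zone, weight in URI_LISTS.items():
            if uribl_listed(host, zone, resolve):
                score += weight
                hits.append(f"{zone}:{host}")
    return score, hits


def is_spam(sender_ip, body, whitelist=frozenset(), resolve=stub_resolve):
    score, _ = score_message(sender_ip, body, whitelist, resolve)
    return score >= THRESHOLD


if __name__ == "__main__":
    body = "Buy now at http://spammy.example/deal"
    print(score_message("1.2.3.4", body))                       # (5.5, [...both hits...])
    print(score_message("1.2.3.4", "hello, no links"))          # (2.5, [...]) below threshold
    print(score_message("1.2.3.4", body, whitelist={"1.2.3.4"}))  # (0.0, [])
```

The listed sender alone scores 2.5 and stays under the threshold, which is the point of scoring over blocking: one list entry, possibly a false positive on a legitimate non-US host, is not enough by itself, while an IP hit combined with a URI hit is. Real lists each publish their own meaning for the specific 127.0.0.x value returned; the example only distinguishes listed from not listed.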