Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: mmccarn on February 16, 2012, 07:01:00 PM

Title: Spam Filter Settings
Post by: mmccarn on February 16, 2012, 07:01:00 PM
[edit]
Subject changed from RBLList Changes to Spam Filter Settings
[/edit]

I've recently been seeing an increase in SPAM passing through my SME server.

My current RBLList setting is:
    RBLList=zen.spamhaus.org:combined.njabl.org

Doing some research on one recently received SPAM, I found this online check tool:
http://multirbl.valli.org/lookup

Which clearly showed the spam source as being listed on several different RBL Lists, some of which I'd never heard of before:
   blackholes.five-ten-sg.com
   b.barracudacentral.org
   bb.barracudacentral.org
   l4.bbfh.ext.sorbs.net
   ip.v4bl.org
   problems.dnsbl.sorbs.net
   spam.dnsbl.sorbs.net
   old.spam.dnsbl.sorbs.net
   bl.tiopan.com
   dnsbl.webequipped.com
   list.quorum.to

I've added 'ip.v4bl.org' and 'spam.dnsbl.sorbs.net' to my RBLList; I'll report back any success or failure here.
Title: Re: RBLList Changes
Post by: CharlieBrady on February 16, 2012, 08:06:58 PM
Be cautious about adding RBLs - if those RBLs are poorly maintained, or over-zealous, you will spend more time chasing rejected mail than you will save by receiving less spam.
Title: Re: RBLList Changes
Post by: mmccarn on February 18, 2012, 04:01:47 PM
Quote: Be cautious about adding RBLs

Right you are -- I had to revert the two new RBLs less than 12 hrs later.

Before trying any more lists, I figured out a command to let me test them first.

The command below:
- scans /var/log/qpsmtpd/current for all email that was successfully delivered
- looks up the sending IP address using the blocklist specified (b.barracudacentral.org in the sample below)
- for each email that would be blocked by the test blocklist, outputs:
  - the spam score assigned by the system
  - the 'from' email address
  - the 'to' email address(es)
  - the dnsbl A result (127.0.0.x)
  - the dnsbl TXT result
Code:
TESTBL=b.barracudacentral.org
#
# Fields as split by awk: $7 client IP, $10 sender, $11 recipient(s), $15 spam score.
# Sender and recipient are chosen by the SMTP client, so they are passed to printf
# as data instead of being built into a command line that is piped to bash.
grep 'logging::logterse.*(queue)' /var/log/qpsmtpd/current \
| awk '{split($7,ip,"."); print ip[4] "." ip[3] "." ip[2] "." ip[1], $10, $11, $15}' \
| while read -r rev from to score; do
    printf '%s\tFrom: %s\tTo: %s\tA: %s\tTXT: %s\n' "$score" "${from//[<>]/}" "${to//[<>]/}" \
      "$(dig +short "$rev.$TESTBL")" "$(dig +short txt "$rev.$TESTBL")"
  done \
| grep '127\.0' | less -S


Digging a little more, I found that pyzor (http://sourceforge.net/apps/trac/pyzor/) wasn't working on my system (apparently it stopped working around the time of the 7.5 update), so I got that working again (Bug 5973 (http://bugs.contribs.org/show_bug.cgi?id=5973)).

I also tried enabling auto_whitelisting (http://wiki.apache.org/spamassassin/AutoWhitelist) using config setprop spamassassin UseAutoWhitelist 1, and ran into some issues with that.  My notes on how I got that working have been added to Bug 6130 (http://bugs.contribs.org/show_bug.cgi?id=6130).
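
Added example (not part of the original posts and not SME Server code): the same "test a blocklist against already-delivered mail" idea, extended to compare several candidate lists at once and to show which low-scoring senders each list would have rejected. The field positions are taken from the awk command in the post; the log lines, the zone names, the listings and the `ham_below` threshold are constructed assumptions, as is a numeric score in field 15.

```python
import socket

def rbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_a(name):
    """Live lookup: the A record, or None when the address is not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def delivered(lines):
    """Yield (ip, sender, score) for logterse lines written by the queue hook."""
    for line in lines:
        f = line.split()
        if len(f) < 15 or f[2] != "logging::logterse" or "(queue)" not in f[4]:
            continue
        try:
            score = float(f[14])
        except ValueError:
            score = None  # no usable score: count the hit, do not guess ham/spam
        yield f[6], f[9].strip("<>"), score

def evaluate(lines, zones, resolve=dns_a, ham_below=2.0):
    """Per zone: delivered mail it would have rejected, and which looked like ham."""
    report = {z: {"hits": 0, "likely_ham": []} for z in zones}
    cache = {}
    for ip, sender, score in delivered(lines):
        for z in zones:
            name = rbl_query_name(ip, z)
            if name not in cache:
                cache[name] = resolve(name)
            if (cache[name] or "").startswith("127."):
                report[z]["hits"] += 1
                if score is not None and score < ham_below:
                    report[z]["likely_ham"].append(sender)
    return report

# Constructed log lines and constructed listings (documentation addresses and zones).
SAMPLE = [
    "@400000004f3d0001 101 logging::logterse plugin (queue): ` 192.0.2.10 m.example.net m.example.net <news@example.net> <user@example.org> queue::smtp-forward 901 Queued! 0.3",
    "@400000004f3d0002 102 logging::logterse plugin (queue): ` 198.51.100.7 x.example.com x.example.com <offers@example.com> <user@example.org> queue::smtp-forward 901 Queued! 4.1",
    "@400000004f3d0003 103 logging::logterse plugin (dnsbl): ` 203.0.113.5 y.example.com y.example.com <a@example.com> <user@example.org> dnsbl 903 Blocked 0.0",
]
LISTED = {"10.2.0.192.strict.example": "127.0.0.2", "7.100.51.198.strict.example": "127.0.0.2",
          "7.100.51.198.careful.example": "127.0.0.2"}

if __name__ == "__main__":
    for zone, r in evaluate(SAMPLE, ["strict.example", "careful.example"], LISTED.get).items():
        print(zone, r["hits"], "would-be rejects; low-score senders:", r["likely_ham"])
```

To run it against real data, pass the lines of /var/log/qpsmtpd/current and leave `resolve` at its default; a list whose `likely_ham` column fills up with known correspondents is the over-zealous kind warned about earlier in the thread.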