postscreen_dnsbl_whitelist_threshold and SORBS and Google

mrobti
Right now and for at least the last 24hours+ gmail IPs are on SORBS.
Good, I don't mind. However, it's causing Gmail to hit after-220 deep
protocol tests in postscreen and this causes long delays because Gmail
rotates sending IPs.

I score dnsbl.sorbs.net 2 points. dnswl.org:

list.dnswl.org=127.0.[0..255].0*-1
list.dnswl.org=127.0.[0..255].1*-2
list.dnswl.org=127.0.[0..255].2*-3
list.dnswl.org=127.0.[0..255].3*-4

Also: postscreen_dnsbl_whitelist_threshold = -1

First idea, maybe raise the negative points for dnswl: -2, -3, -4, -5 so
to zero the total score and set postscreen_dnsbl_whitelist_threshold =
0. But it won't work? postscreen_dnsbl_whitelist_threshold only works if
it is negative? Is that the right way to read the docs?

If that's true I dunno to set dnswl to -3, -4, -5, -6 cuz that seems
like a little bit too much. Hmmmm maybe I will set SORBS for 1 point and
dnswl -2, -3, -4, -5?

What do other people do about this? Remove SORBS completely? Increase dnswl
scoring? Reduce SORBS scoring?
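
The scoring question in the post above, worked through as an added example (not part of the original post and not Postfix code). It assumes a constructed client that SORBS lists and dnswl.org returns 127.0.5.1 for, the default postscreen_dnsbl_threshold of 1, and the documented rule that postscreen_dnsbl_whitelist_threshold is only active when negative and is met by a combined score at or below it.

```python
import re

def parse_site(entry):
    """Split a postscreen_dnsbl_sites entry 'domain[=filter][*weight]'."""
    entry, _, weight = entry.partition("*")
    domain, _, pattern = entry.partition("=")
    return domain, pattern or None, int(weight or 1)

def octet_matches(field, value):
    """field is a plain number or a bracket list such as [0..255] or [5;9]."""
    if not field.startswith("["):
        return int(field) == value
    for part in field[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(pattern, addr):
    if pattern is None:                      # no filter: any reply counts
        return True
    fields = re.findall(r"\[[^\]]*\]|\d+", pattern)
    octets = [int(o) for o in addr.split(".")]
    return len(fields) == 4 and all(map(octet_matches, fields, octets))

def score(sites, replies):
    """Sum the weights of all entries whose DNS reply matches their filter."""
    total = 0
    for domain, pattern, weight in map(parse_site, sites):
        if any(reply_matches(pattern, a) for a in replies.get(domain, [])):
            total += weight
    return total

def verdict(total, whitelist_threshold, block_threshold=1):
    if total >= block_threshold:
        return "block"
    if whitelist_threshold < 0 and total <= whitelist_threshold:
        return "skip-deep-tests"
    return "run-all-tests"

def dnswl(weights):                          # one entry per dnswl trust level 0..3
    return [f"list.dnswl.org=127.0.[0..255].{i}*{w}" for i, w in enumerate(weights)]
# Constructed DNS answers for a client on both lists (not real lookups).
CLIENT = {"dnsbl.sorbs.net": ["127.0.0.6"], "list.dnswl.org": ["127.0.5.1"]}
CURRENT = ["dnsbl.sorbs.net*2"] + dnswl([-1, -2, -3, -4])
FIRST_IDEA = ["dnsbl.sorbs.net*2"] + dnswl([-2, -3, -4, -5])
SECOND_IDEA = ["dnsbl.sorbs.net*1"] + dnswl([-2, -3, -4, -5])
for name, sites, wl in [("current", CURRENT, -1), ("first idea", FIRST_IDEA, 0),
                        ("second idea", SECOND_IDEA, -1)]:
    print(name, score(sites, CLIENT), verdict(score(sites, CLIENT), wl))
```

Under these assumptions only the second idea (SORBS at 1 point, threshold kept at -1) lets the client skip the after-220 tests; a threshold of 0 leaves the feature switched off regardless of the score.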

Re: postscreen_dnsbl_whitelist_threshold and SORBS and Google

Wietse Venema
Don't use SORBS.

        Wietse

Re: postscreen_dnsbl_whitelist_threshold and SORBS and Google

Karol Augustin
In reply to this post by mrobti
On 01/03/18 04:47, MRob wrote:

> What do other people do about this? Remove SORBS completely? Increase dnswl
> scoring? Reduce SORBS scoring?

I am using postwhite to generate a CIDR list from SPF records of known
senders and have them whitelisted in Postfix. It saves a lot of delays
for postfix checks and ensures that gmail is whitelisted in case of
similar issues. Also a lot of my mail traffic comes from what I would
describe as "good" senders from postscreen perspective at least, so I
don't have to screen them as they will pass anyways.

Google it and change the list of hosts in the script/config to suit your
needs.

Also if an RBL is listing google servers they are doing it wrong. I just
disabled SORBS for that even though I have never hit this issue myself
as I have google CIDR records whitelisted.

k.




--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312

Re: postscreen_dnsbl_whitelist_threshold and SORBS and Google

Andreas Schamanek

I also use postwhite and similar whitelisting, but I also have

   postscreen_dnsbl_sites =
     ...
    list.dnswl.org=127.0.[5;9].0*-2

--
-- Andreas

     :-)


Re: postscreen_dnsbl_whitelist_threshold and SORBS and Google

mrobti
On 2018-03-01 17:51, Andreas Schamanek wrote:
> I also use postwhite and similar whitelisting, but I also have
>
>   postscreen_dnsbl_sites =
>     ...
>    list.dnswl.org=127.0.[5;9].0*-2

Good suggestions thank you everyone. Over the last 24hours I saw clients
SORBS listed:

** a few that were listed by other RBLs
** many that were senders I can't block or delay: facebook, google, etc
** one or two that looked like they could be spammy

SORBS on one hand seems a real pain to deal with, on the other hand
facebook and google do send spam, it's a known fact, doesn't someone have
to step up and push them a little bit especially cuz they don't even
accept abuse complaints?

Re: postscreen_dnsbl_whitelist_threshold and SORBS and Google

J Doe
Hi,

> On Mar 1, 2018, at 4:17 PM, MRob <[hidden email]> wrote:
> Good suggestions thank you everyone. Over the last 24hours I saw clients SORBS listed:
>
> ** a few that were listed by other RBLs
> ** many that were senders I can't block or delay: facebook, google, etc
> ** one or two that looked like they could be spammy
>
> SORBS on one hand seems a real pain to deal with, on the other hand facebook and google do send spam, it's a known fact, doesn't someone have to step up and push them a little bit especially cuz they don't even accept abuse complaints?

That’s disconcerting.  I *was* using SORBS . . .

I have temporarily removed SORBS from my postscreen DNS BL lists.  I know there are a number of lists of publicly available DNS BL’s but is there a list of BL’s that have a low false-positive history ?  I’m aware that false positives do happen, but blacklisting Gmail seems to be avoidable.

Thanks,

- J

Re: postscreen_dnsbl_whitelist_threshold and SORBS and Google

Dominic Raferd
On 1 March 2018 at 23:24, J Doe <[hidden email]> wrote:
>  I know there are a number of lists of publicly available DNS BL’s but is there a list of BL’s that have a low false-positive history ?  I’m aware that false positives do happen, but blacklisting Gmail seems to be avoidable.

For external rbls this is what I currently use (extract from
smtpd_recipient_restrictions list in main.cf, not postscreen), I have
not been made aware of any false positives in a long time. Suggestions
for improvement welcome:

    ...
    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
    permit_dnswl_client white.uribl.com
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client dyna.spamrats.com
    reject_rbl_client noptr.spamrats.com
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
    reject_rbl_client bad.psky.me=127.0.0.3
    reject_rbl_client truncate.gbudb.net
    reject_rhsbl_helo dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_reverse_client dbl.spamhaus.org
    reject_rhsbl_helo uribl.spameatingmonkey.net
    reject_rhsbl_sender uribl.spameatingmonkey.net
    reject_rhsbl_reverse_client uribl.spameatingmonkey.net
    reject_rhsbl_helo black.uribl.com
    reject_rhsbl_sender black.uribl.com
    reject_rhsbl_reverse_client black.uribl.com
    reject_rbl_client dnsbl.cobion.com
    reject_rbl_client b.barracudacentral.org
    # stop here for some recipients
    check_recipient_access hash:/etc/postfix/recipients_with_less_aggressive_rbl
    reject_rhsbl_helo multi.surbl.org
    reject_rhsbl_sender multi.surbl.org
    reject_rhsbl_reverse_client multi.surbl.org
    reject_rbl_client psbl.surriel.com
    ...

Re: postscreen_dnsbl_whitelist_threshold and SORBS and Google

mrobti
In reply to this post by J Doe
On 2018-03-01 23:24, J Doe wrote:

> Hi,
>
>> On Mar 1, 2018, at 4:17 PM, MRob <[hidden email]> wrote:
>> Good suggestions thank you everyone. Over the last 24hours I saw
>> clients SORBS listed:
>>
>> ** a few that were listed by other RBLs
>> ** many that were senders I can't block or delay: facebook, google,
>> etc
>> ** one or two that looked like they could be spammy
Being clear, on the last point I meant spammy looking client hostnames,
and no other RBLs listed them.

>>
>> SORBS on one hand seems a real pain to deal with, on the other hand
>> facebook and google do send spam, it's a known fact, doesn't someone
>> have to step up and push them a little bit especially cuz they don't
>> even accept abuse complaints?
>
> That’s disconcerting.  I *was* using SORBS . . .
>
> I have temporarily removed SORBS from my postscreen DNS BL lists.

Or you can score it low like 1 point and make sure dnswl points are -2
or more so only getting SORBS listing for a client carries no meaning

> I
> know there are a number of lists of publicly available DNS BL’s but is
> there a list of BL’s that have a low false-positive history ?

I don't think it's a false positive. It's just strict. Spammers get into
gmail all the time, and probably half the junk notifiers from facebook
can be termed spam. I think it's rather the ratio or the fact that so
many people use gmail that they are "too big to ban", if you want happy
users

Re: postscreen_dnsbl_whitelist_threshold and SORBS and Google

mrobti
In reply to this post by Dominic Raferd
On 2018-03-02 07:24, Dominic Raferd wrote:

> On 1 March 2018 at 23:24, J Doe <[hidden email]> wrote:
>>  I know there are a number of lists of publicly available DNS BL’s but
>> is there a list of BL’s that have a low false-positive history ?  I’m
>> aware that false positives do happen, but blacklisting Gmail seems to
>> be avoidable.
>
> For external rbls this is what I currently use (extract from
> smtpd_recipient_restrictions list in main.cf, not postscreen), I have
> not been made aware of any false positives in a long time. Suggestions
> for improvement welcome:
>
>     ...
>     permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
>     permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
>     permit_dnswl_client white.uribl.com
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client dyna.spamrats.com
>     reject_rbl_client noptr.spamrats.com
>     reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
>     reject_rbl_client bad.psky.me=127.0.0.3

https://www.spamhaus.org/organization/statement/015/fraudulent-dnsbl-uncovered-protected-sky-bad.psky.me

>     reject_rbl_client truncate.gbudb.net
>     reject_rhsbl_helo dbl.spamhaus.org

Doesn't zen contain everything you need from spamhaus?

>     reject_rhsbl_sender dbl.spamhaus.org
>     reject_rhsbl_reverse_client dbl.spamhaus.org
>     reject_rhsbl_helo uribl.spameatingmonkey.net
>     reject_rhsbl_sender uribl.spameatingmonkey.net
>     reject_rhsbl_reverse_client uribl.spameatingmonkey.net
>     reject_rhsbl_helo black.uribl.com
>     reject_rhsbl_sender black.uribl.com
>     reject_rhsbl_reverse_client black.uribl.com
>     reject_rbl_client dnsbl.cobion.com
>     reject_rbl_client b.barracudacentral.org
>     # stop here for some recipients
>     check_recipient_access hash:/etc/postfix/recipients_with_less_aggressive_rbl
>     reject_rhsbl_helo multi.surbl.org
>     reject_rhsbl_sender multi.surbl.org
>     reject_rhsbl_reverse_client multi.surbl.org
>     reject_rbl_client psbl.surriel.com
>     ...

Re: postscreen_dnsbl_whitelist_threshold and SORBS and Google

Dominic Raferd
On 2 March 2018 at 07:53, MRob <[hidden email]> wrote:

> On 2018-03-02 07:24, Dominic Raferd wrote:
>>
>> For external rbls this is what I currently use (extract from
>> smtpd_recipient_restrictions list in main.cf, not postscreen), I have
>> not been made aware of any false positives in a long time. Suggestions
>> for improvement welcome:
>>
>>     ...
>>     reject_rbl_client bad.psky.me=127.0.0.3
>
>
> https://www.spamhaus.org/organization/statement/015/fraudulent-dnsbl-uncovered-protected-sky-bad.psky.me

Thanks - I have now removed this from my configuration. Upon checking
I find that it didn't pick up anything in the last few months anyway,
which is perhaps unsurprising.

>
>>     reject_rhsbl_helo dbl.spamhaus.org
>
>
> Doesn't zen contain everything you need from spamhaus?
>

zen.spamhaus.org holds IP addresses, dbl.spamhaus.org holds domain
names, so they are different - hence dbl catches a few that zen
misses.

I no longer get blocks from noptr.spamrats.com, presumably because I
now use reject_unknown_reverse_client_hostname earlier in the
restriction list. So noptr.spamrats.com could come out.