Mailing List Archive

Is it weird to worry I'm getting too little spam? (success of RBLs)
Background: I run a small postfix/dovecot server on my site server. Just a
handful of careful users. My spam folder would only have about 10-30
messages a day marked as spam by spamassassin. Server's running denyhosts
to help block bad actors.

Recently checked my logs and noticed that the rbl checks in postfix or SA
were sometimes getting blocked. So I finally installed a caching DNS server.

Suddenly the spam that gets to my spam folder is down to five or so a day.
Seems postfix is dropping a lot of connections due to RBL checks before
they even get to SA.

Are the RBLs that good? Is it crazy to worry that not enough spam is
getting to my spam folder? :-)
Re: Is it weird to worry I'm getting too little spam? (success of RBLs)
On 26 Jan 2019, at 17:02, Ian Evans wrote:

> Recently checked my logs and noticed that the rbl checks in postfix or
> SA were sometimes getting blocked. So I finally installed a caching
> DNS server.
>
> Suddenly the spam that gets to my spam folder is down to five or so a
> day. Seems postfix is dropping a lot of connections due to RBL checks
> before they even get to SA.
>
> Are the RBLs that good?

They can be.

The various slices of Spamhaus Zen together kill ~40 times as many SMTP
sessions (in postscreen and at RCPT time) as SpamAssassin rejects
messages on my personal system (I tag but deliver only a handful of
borderline messages, none on most days.) On larger systems I've worked
with, the Zen/SA kill ratio has been both higher and lower, but
generally it is 1-2 orders of magnitude. The other public DNSBLs that I
use kill about as much spam as SA (since none of them even get a chance
at anything Zen kills) and my local DNSBL (built for strictly local
needs/quirks) takes about that much out as well.

In short: if you don't see a >90% reduction in spam reaching content
filtering by enabling a few good DNSBLs in your MTA, you're doing
something wrong OR your spam is very weird. (Everyone's Spam Is Unique!)

> Is it crazy to worry that not enough spam is
> getting to my spam folder? :-)

Maybe a little... It is unfortunate that those of us building mail
systems have trained regular users and ourselves to expect a place where
a sprinkling of borderline spam-ish mail (canned ham?) hides amidst a
sea of often dangerous but legitimate-looking spam. It's like we give
users a taste of the Hell they'd have without spam filtering. I have
never been happy with any sort of "spam folder" setup because it doesn't
really work well due to human factors. Depending on the setup and user
attitudes, it seems like it always becomes a second very noisy Inbox
that needs regular checking OR a dump they end up ignoring totally.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
Re: Is it weird to worry I'm getting too little spam? (success of RBLs)
In my experience, the right combination of DNSBLs is extremely
effective; typically well into the 90% range of delivery attempts can be
rejected before the DATA command (and therefore before SpamAssassin)
with a combination of DNSBLs, RFC validations (greet pause of 11
seconds, early talkers rejected), rDNS validation, EHLO validation
(rejecting localhost, your own hostname and domain names, etc.).

I tend to use a hair-trigger on each of these and trigger greylisting,
which allows fast-acting DNSBLs to have another 30 minutes to detect and
list new spammers.

But ultimately DNSBLs alone are very, very effective, a significant part
of pre-DATA filtering.


On Sat, Jan 26, 2019, at 14:02, Ian Evans wrote:
> Background: I run a small postfix/dovecot server on my site server.
> Just a handful of careful users. My spam folder would only have about
> 10-30 messages a day marked as spam by spamassassin. Server's running
> denyhosts to help block bad actors.
>
> Recently checked my logs and noticed that the rbl checks in postfix or
> SA were sometimes getting blocked. So I finally installed a caching
> DNS server.
>
> Suddenly the spam that gets to my spam folder is down to five or so a
> day. Seems postfix is dropping a lot of connections due to RBL checks
> before they even get to SA.
>
> Are the RBLs that good? Is it crazy to worry that not enough spam is
> getting to my spam folder? :-)
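
An added example, not written by any poster in this thread: a DNSBL lookup that tells a real listing apart from a lookup the list operator is refusing, which is the "getting blocked" situation in the original post. It assumes the zone is Spamhaus Zen (the list named in Bill Cole's reply) and uses the return codes Spamhaus documents for it; the `resolver` parameter, the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket

# Return codes documented by Spamhaus for Zen (not quoted in the thread).
ZEN_LISTS = {2: "SBL", 3: "CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "DROP", 10: "PBL", 11: "PBL"}
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL zone name",
    "127.255.255.254": "query came via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def dnsbl_qname(ip, zone="zen.spamhaus.org"):
    """Reversed octets (IPv4) or reversed nibbles (IPv6), then the zone."""
    addr = ipaddress.ip_address(ip)
    parts = str(addr).split(".") if addr.version == 4 else list(addr.exploded.replace(":", ""))
    return ".".join(reversed(parts)) + "." + zone

def classify(answers):
    """Turn the A records of one lookup into (verdict, details)."""
    if not answers:
        return ("not_listed", [])
    refused = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    if refused:                       # the DNSBL is refusing us, not listing the client
        return ("lookup_refused", refused)
    codes = [int(a.rsplit(".", 1)[1]) for a in answers if a.startswith("127.0.0.")]
    hits = sorted({ZEN_LISTS[c] for c in codes if c in ZEN_LISTS})
    # Anything outside the known codes (e.g. a resolver rewriting NXDOMAIN) is not a listing.
    return ("listed", hits) if hits else ("unexpected_answer", list(answers))

def resolve_a(qname):
    """System resolver. NXDOMAIN and resolver failures both come back empty (fail open)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(qname, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def check(ip, resolver=resolve_a, zone="zen.spamhaus.org"):
    return classify(resolver(dnsbl_qname(ip, zone)))

if __name__ == "__main__":
    # Constructed answers standing in for DNS so the demo runs offline.
    fake = {"99.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
            "1.2.0.192.zen.spamhaus.org": ["127.255.255.254"]}
    for ip in ("192.0.2.99", "192.0.2.1", "192.0.2.5"):
        print(ip, check(ip, resolver=lambda q: fake.get(q, [])))
```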