Re: [Dspam-user] RBL Configuration
From: Michael W. <ne...@so...> - 2009-07-31 18:17:34
On Fri, July 31, 2009 10:32, Steve wrote:

> That Geo-IP patch you are talking about can be easily avoided. Just use
> stock policyd-weight and DNSBL functionality to increase score for them.
> If you are from Europe then you could use lookups to *.countries.nerd.dk
> and all others could use lookups to *.countries.blackholes.us.

I used to use nerd.dk/blackholes.us; am not completely sure why I stopped - I didn't log the reason. I have a vague recollection that I was seeing problems with certain addresses/blocks not being accurately reported by nerd where geoip was more up to date at the time. While I am a bit of an efficiency geek, I doubt I implemented the patch for that reason, although doing one lookup rather than several is always appealing to me.

> So in your case I would use:
> # Give a better score to our Canadian mail servers
> 'ca.countries.nerd.dk', -1.00, 0.00, 'NERD-CA',
> # Set the bar higher for some high-rate spam countries
> 'vn.countries.nerd.dk', 0.00, 2.00, 'NERD-VN',

Indeed I have always done that regardless of the method of IP location identification -- very little spam hits me from CA sources; I give US servers a minor negative score just so they show up in the output.

> But it does not stop here. Wanting to set the bar high for certain ASN? No
> problem (just an example):
> 'AS5617.rbl.cluecentral.net', 2.500, 0.00, 'AS5617', # Telekomunikacja Polska S.A.
> 'AS4134.rbl.cluecentral.net', 1.606, 0.00, 'AS4134', #

Aha, now there is a new use I'd not "clued" into - weighting by ASN. Thanks! In addition to the usual offenders in CN, KR, VN, BR I have a particular hate on for TPNET in Poland.

/mw goes off to adjust policyd-weight.conf accordingly.

> But I have as well patched my policyd-weight. Added p0f integration,

(will I make it through that gauntlet? my firewall blocks such queries!)

> additional sender based reputation lookups,
> S25R rules, etc...

Ok, something new for me - I wasn't aware of that initiative.

/mw heads for a quick read of: http://www.gabacho-net.jp/en/anti-spam/paper.html

I too have extended the regex tests associated with the "seems like dialup" rejection / test of $revhost. I'll steal some ideas from the rule sets discussed in the paper.

> It's kind of hard to not patch since Robert has stopped developing it any further.

Agreed. It seems that policyd-weight will live on in various patches and permutations and that isn't altogether a bad thing. It works, is simple (a good thing) and is reliable, and for those reasons I don't feel like diving into the postfix "firewall" alternative.

Because it works I don't have to muck with policyd-weight very much, but as I don't do much work in Perl, each time I do open up the script I have been tempted to rewrite policyd-weight in Python. Of course I'd only do that if there was some longer term benefit in doing so. I can think of some integration I'd like to do with spam reporting / feeding / maintaining my firewall's blocked ip table, some country analysis for interest sake (and perhaps auto-adjusting the weighting rules) - just to name a few.

Cheers
Mike
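
Added example, not part of the original message and not policyd-weight code: a Python sketch of how country and ASN DNSBL rows like the ones quoted above turn into a per-client score. It assumes the column order zone, hit score, miss score, log name used by the stock policyd-weight.conf; the function names, the stub resolver and the sample listings are constructed for illustration.

```python
import ipaddress

# Rows as quoted in the message. Column order is an assumption:
# (zone, hit score, miss score, log name).
DNSBL_SCORE = [
    ("ca.countries.nerd.dk", -1.00, 0.00, "NERD-CA"),
    ("vn.countries.nerd.dk", 0.00, 2.00, "NERD-VN"),
    ("AS5617.rbl.cluecentral.net", 2.500, 0.00, "AS5617"),
]

def query_name(client_ip, zone):
    """DNSBL convention: reversed IPv4 octets prepended to the zone."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on bad input
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def score_client(client_ip, is_listed, rows=DNSBL_SCORE):
    """Return (total, [(log_name, contribution), ...]) for one client IP.

    is_listed(name) -> bool stands in for the DNS A-record lookup, so the
    scoring logic can be checked offline before touching a live config.
    """
    total, detail = 0.0, []
    for zone, hit, miss, log_name in rows:
        contribution = hit if is_listed(query_name(client_ip, zone)) else miss
        total += contribution
        detail.append((log_name, contribution))
    return round(total, 3), detail

# Constructed lookup results using documentation-range IPs (not real listings).
SAMPLE_LISTED = {
    "10.2.0.192.ca.countries.nerd.dk",
    "7.100.51.198.vn.countries.nerd.dk",
    "9.113.0.203.AS5617.rbl.cluecentral.net",
}

def sample_resolver(name):
    return name in SAMPLE_LISTED

if __name__ == "__main__":
    # Under the assumed column order, a row with its weight in the miss
    # column adds that weight to every client NOT listed in the zone.
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(ip, score_client(ip, sample_resolver))
```

Running candidate rows through a dry run like this shows which column a weight actually lands in before the rows go into policyd-weight.conf.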