Hi Adam,

Thank you for this comprehensive explanation. Just a few notes:

1) Your script only gathers info about the botnets from the spamcop site, but you also mentioned dnswl to whitelist the "promising" senders. How did you implement this? senderbase is meant to be more like a "scoring" system ranking the sender's IP from -10 (a spammer) to 10 (innocent guy) -> so I thought we could use it for whitelisting as well. I have almost persuaded my boss to engage greylisting to protect the whole company, but he is still sort of concerned about the possible delays it could cause (and I must admit, I understand that concern). So far, I am whitelisting all senders who pass the SPF check or are able to do the TLS encryption, but it would be nice to have some other judgement as well (SPF and TLS technologies are gaining popularity quite slowly).

2) Before I went to the CiscoExpo, I was sort of careful about dnsbls or dnswls. How could we trust them? If one starts to be too popular, spammers might try to DoS it (it is a single point of failure). You say, report the spam to make it better, but how is it protected from the spammers filling it with a number of innocent senders? Ok, now I think, Cisco & Ironport use it and so do all their customers so it is probably working. But still, I feel a bit uneasy about it.

3) I have installed your script to cron on our MTA (looks like it works fine) to give it a try. I am sure others would be interested as well. What about putting it into our wiki so it won't get lost?

Thanks,
Ondrej

Adam Katz wrote:
>
> Ondrej Valousek wrote:
> > I have just returned from CiscoExpo exhibition - I was quite
> > curious to see what technology they offer to fight spam. It turned
> > out that they acquired company Ironport which is looking after
> > senderbase, the most successful black/whitelist sender database (so
> > they say).
> >
> > Google says the usage of the senderbase portal should be free so
> > the question is:
> > - Is it possible to use www.senderbase.org to gather reputation of
> > the sender and set greylisting constants according to that
> > reputation? (i.e. the similar way we can do with dnswl or dnsbl)
> > - Is there anyone who managed to do it? How?
> > - Any other comments, suggestions?
>
> Short answer: The Spamcop DNSBL represents the data from Senderbase.
> However, it requires 100% accuracy, and we don't care so much for
> greylisting. I wrote a script to delay members of bad networks.
>
> Ironport owns and operates Spamcop (senderbase's big sister), which is
> one of the best of the DNSBLs. I correlated a significant boost to
> spam filtering to the fact that I started reporting spam to them.
> Some spam botnet/relays stay below the radar by limiting who they
> spam, so it is your duty to report them; DNSBLs can only go so far
> with their honeynets. Take a look at http://stats.dnsbl.com/ for
> DNSBL stats and reviews.
>
> My greylisting time is increased for hits in DNSBLs and whitelisted
> for DNSWLs. I bumped up the SpamAssassin score on trusted DNSBLs
> rather than rejecting mail outright due to not fully trusting DNSBLs.
>
> Spamcop/Senderbase is GREAT. I regularly scrape their top offending
> /24 blocks to add to milter-greylist for extra delays in hopes that it
> delays spam long enough to get reported (this helps fight growing
> botnets and the like).
>
> I've attached my update/install script, which should be very portable,
> though it might require GNU sed, and systems with non-fully
> POSIX-compliant /bin/sh should run it with /bin/bash (it works with
> ash/dash but possibly not with jsh (Solaris /bin/sh)). It's extremely
> user-friendly and well documented, even if my code is a bit dense.
>
> I have a similar non-updating rule defined in SpamAssassin, which
> seems to verify that this helps a lot.

Message
Re: [milter-greylist] How to use www.senderbase.org ??
2008-04-17 by Ondrej Valousek
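
The policy described in the thread above (a longer greylist delay on a DNSBL hit, whitelisting on a DNSWL hit), as an added example that is not part of the original messages and is not Adam's attached script. The delay values, the whitelist-first ordering, the fail-open handling of an unreachable list and the sample resolver data are assumptions; bl.spamcop.net and list.dnswl.org are the public SpamCop and dnswl.org zones.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSxL "listed" answers live here

# Constructed sample answers for offline use (not real listings).
SAMPLE_ANSWERS = {
    "7.2.0.192.bl.spamcop.net": "127.0.0.2",     # 192.0.2.7 is on the blacklist
    "9.100.51.198.list.dnswl.org": "127.0.5.1",  # 198.51.100.9 is on the whitelist
    "1.2.0.192.bl.spamcop.net": "203.0.113.1",   # wildcarded/hijacked answer
}

def sample_resolve(name):
    """Offline stand-in for a resolver; lookups for 203.0.113.5 time out."""
    if name.startswith("5.113.0.203."):
        raise OSError("constructed resolver timeout")
    return SAMPLE_ANSWERS.get(name)

def system_resolve(name):
    """Live lookup through the system resolver; None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def query_name(ip, zone):
    """DNSxL query name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # IPv4 only; raises ValueError otherwise
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip, zone, resolve):
    """True only for a 127.0.0.0/8 answer; errors and odd answers count as unlisted."""
    try:
        answer = resolve(query_name(ip, zone))
    except OSError:
        return False  # list unreachable: fail open instead of adding delay
    return answer is not None and ipaddress.ip_address(answer) in LISTED_NET

def greylist_policy(ip, resolve, whitelists=("list.dnswl.org",),
                    blacklists=("bl.spamcop.net",), base_delay=300, listed_delay=3600):
    """Return (action, delay_seconds) for a connecting client IP."""
    if any(is_listed(ip, zone, resolve) for zone in whitelists):
        return ("whitelist", 0)
    if any(is_listed(ip, zone, resolve) for zone in blacklists):
        return ("greylist", listed_delay)
    return ("greylist", base_delay)
```

Pass `system_resolve` instead of `sample_resolve` to query the live lists; the fail-open branch means an outage of a list costs only the extra delay or the whitelist shortcut, never delivery.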