spamassassin-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Multiple RBLs and dynamic IPs
Date Mon, 30 May 2016 20:30:13 GMT


On 30.05.2016 at 21:49, Alex wrote:
>>> Yeah, that's it exactly. Particularly overseas where it doesn't appear
>>> NAT and/or submission are used as readily as they are here.
>>
>>
>> with carrier-grade NAT and "DS-Lite" aka "public IPv6 but NAT IPv4" becoming
>> more and more common, the problem is growing and will keep growing fast
>>
>>> So even though that IP is on virtually every blacklist, you wouldn't
>>> add any points? And there's nothing further the user could do to fix
>>> the problem, given the dynamic nature of the IP?
>>
>> no, see above
>>
>> with enough blacklists in the scoring for last-external you get the
>> offending mailservers with hacked user accounts blacklisted fast enough, and
>> in many cases faster, because the submission IPs of a hacked account
>> change fast
>>
>> saw that the very few times it happened for customers of ours where the
>> submission clients came from all over the world: because of rate-limiting
>> and good monitoring of the mail queue (how many mails are queued to the
>> outside world) it was each time a short enough timeframe to shut down the
>> affected account and avoid blacklisting (some abuse reports answered
>> promptly)
>>
>> so at the end of the day it's enough to check the last-external for good
>> results and not affect innocent clients who got a dynamic address abused 30
>> minutes before by a different end user or by a user sitting behind the same
>> ISP NAT
>
> So I created the RCVD_IN_XBL_ALL "deep header" rule and have since
> reduced its score. However, there's still RCVD_IN_BL_SPAMCOP_NET as
> part of the default ruleset, which I could of course change, but it's
> scored 1.3 by default for that same "deep header" IP address.
>
> Does that rule deserve some attention to determine whether it should
> also be reduced by default for the same reason as the SBL/XBL rule?

DUNNO - we disabled all internal RBLs (except mailspike) from the start 
because we feed postscreen and spamassassin from the same web interface 
with different scores for both but the same lists (and some of them are 
mirrored on the local rbldnsd with different names in our own domain)
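An added illustration of the point argued in this thread, not code from the thread or from SpamAssassin itself: a small Python model of how a "deep header" RBL rule (every untrusted Received: hop is queried) differs from a -lastexternal rule (only the relay that connected to your MX is queried). The Received: headers, the trusted network 192.0.2.0/24, the set of listed addresses and the 1.3-point score are all constructed for the example; the trust walk is a simplified version of what SpamAssassin does with trusted_networks.

```python
import ipaddress
import re

# Constructed Received: headers (newest hop first, as in a real message),
# using documentation address ranges. They are not from the original thread.
#
# Scenario 1: a customer on a carrier-grade-NAT address submits through
# their provider's relay, which then hands the mail to our MX. The CGNAT
# address is XBL-listed because another user behind the same NAT was
# infected earlier; the provider's relay is clean.
RECEIVED_CGNAT_CUSTOMER = [
    "from mx.example.org ([192.0.2.10]) by store.example.org with ESMTP; Mon, 30 May 2016 20:30:13 +0000",
    "from mail.example.net ([198.51.100.25]) by mx.example.org with ESMTPS; Mon, 30 May 2016 20:30:12 +0000",
    "from [203.0.113.77] (helo=laptop) by mail.example.net with ESMTPSA; Mon, 30 May 2016 20:29:50 +0000",
]

# Scenario 2: a relay with a hacked account is sending spam to us directly
# and is itself listed.
RECEIVED_HACKED_RELAY = [
    "from mx.example.org ([192.0.2.10]) by store.example.org with ESMTP; Mon, 30 May 2016 20:31:03 +0000",
    "from mail.example.com ([198.51.100.99]) by mx.example.org with ESMTPS; Mon, 30 May 2016 20:31:02 +0000",
]

# Our own hosts, as trusted_networks would list them (assumed value).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Stand-in for the DNS lookups a real rule performs: the set of addresses
# an XBL/SpamCop-style list currently returns a hit for (constructed).
LISTED = {"203.0.113.77", "198.51.100.99"}

# Relay address as it appears in a Received: line, e.g. "([198.51.100.25])"
# or "from [203.0.113.77]". Lines without a bracketed IPv4 address are skipped.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received):
    """Relay IP of each Received: header, newest hop first."""
    ips = []
    for line in received:
        match = IP_RE.search(line)
        if match:
            ips.append(match.group(1))
    return ips


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def untrusted_relays(received):
    """Simplified trust walk: start at the newest hop (inside our own
    network) and move toward the origin; the first hop not covered by
    trusted_networks and everything beyond it is untrusted."""
    ips = relay_ips(received)
    first_untrusted = 0
    while first_untrusted < len(ips) and is_trusted(ips[first_untrusted]):
        first_untrusted += 1
    return ips[first_untrusted:]


def last_external(received):
    """The relay that actually connected to our MX: the only address a
    -lastexternal rule set queries."""
    hops = untrusted_relays(received)
    return hops[0] if hops else None


def rbl_score(received, deep, points):
    """Return (score, listed_ips). A deep-header rule queries every untrusted
    hop; a -lastexternal rule queries only the connecting relay."""
    if deep:
        candidates = untrusted_relays(received)
    else:
        last = last_external(received)
        candidates = [last] if last else []
    hits = [ip for ip in candidates if ip in LISTED]
    return (points if hits else 0.0), hits


if __name__ == "__main__":
    for name, received in (("CGNAT customer", RECEIVED_CGNAT_CUSTOMER),
                           ("hacked relay", RECEIVED_HACKED_RELAY)):
        print(name)
        print("  deep header  :", rbl_score(received, deep=True, points=1.3))
        print("  last external:", rbl_score(received, deep=False, points=1.3))
```

The first scenario is the case the thread is about: the deep rule adds 1.3 for an address that belonged to whoever was behind the NAT earlier, while the last-external rule scores nothing because the provider's relay is clean. In the second scenario both variants fire, which is the argument above that checking last-external is enough to catch a relay with hacked accounts. In SpamAssassin itself the choice is made through the rule set name given to check_rbl: a set name ending in -lastexternal queries only the last external relay, while a plain set name queries all untrusted relays.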


