Qmail Support Forum
Qmail Email Server Support Forums

Questions on RBL usage practices

 
admin (Site Admin)
Posted: Sat Aug 19, 2006 5:42 pm    Post subject: Questions on RBL usage practices

I have been reading all I can find about using RBLs to block
spam with qmail and other DJB software. I think I pretty much
understand the big picture, and will get down to details and
experimentation soon. Here are a couple of questions I have:

1. Do most people use a whitelist, implemented with the "-a"
option to rblsmtpd? Or do you just use blacklists?

2. Do most people have a local blacklist, hosted with rbldns, or
something else? From what I hear, you won't block a large
percentage of spam with just publicly available RBLs.

3. From what I read, it looks like I'll need two instances of
rbldns if I want a local blacklist and whitelist. Is this true?
How does one do that? On two different machines, or on two IP
addresses of one machine? Or something else?

I would appreciate any assistance you can provide.
admin (Site Admin)
Posted: Sat Aug 19, 2006 5:42 pm

> 1. Do most people use a whitelist, implemented with the "-a" option to
> rblsmtpd? Or do you just use blacklists?

More people whitelist by simply using tcpserver's rules database to set
RBLSMTPD to "", I would think. Much easier than setting up a server to serve
a handful of addresses/netblocks as a whitelist.

> 2. Do most people have a local blacklist, hosted with rbldns, or something
> else? From what I hear, you won't block a large percentage of spam with just
> publicly available RBLs.

I have a local blacklist, but it isn't served via DNS. It's just stored in
the filesystem; a small program checks for the existence of a file and sets
RBLSMTPD appropriately if found.
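The reply above describes two local mechanisms: whitelisting by setting RBLSMTPD to "" and a filesystem blacklist checked by a small program. The following sketch of such a program is an added example, not the poster's code; the name fsbl, the DIR/allow and DIR/deny layout and the default message are assumptions.

```shell
#!/bin/sh
# fsbl: hypothetical tcpserver chain program (added example, not from the thread).
# Usage: tcpserver ... fsbl DIR rblsmtpd -r ZONE qmail-smtpd
# Assumed layout: DIR/allow/IP and DIR/deny/IP, one file per IPv4 address.

# Print the verdict for an address: "allow", "deny" or "lookup".
fsbl_verdict() {
    dir=$1 ip=$2
    # The address becomes a file name, so accept dotted-quad text only.
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) echo lookup; return 0 ;;
    esac
    if [ -e "$dir/allow/$ip" ]; then echo allow
    elif [ -e "$dir/deny/$ip" ]; then echo deny
    else echo lookup
    fi
}

# Print the rejection text: first line of the deny file, or a default.
fsbl_message() {
    msg=
    if [ -s "$1/deny/$2" ]; then IFS= read -r msg < "$1/deny/$2" || :; fi
    # A leading "-" makes rblsmtpd answer 553 (permanent) instead of 451.
    printf '%s\n' "-${msg:-Blocked by local policy}"
}

fsbl_main() {
    dir=$1; shift
    # A value already set by the tcpserver rules database wins.
    if [ -z "${RBLSMTPD+set}" ]; then
        case $(fsbl_verdict "$dir" "${TCPREMOTEIP:-}") in
            allow) RBLSMTPD=; export RBLSMTPD ;;   # empty: rblsmtpd skips lookups
            deny)  RBLSMTPD=$(fsbl_message "$dir" "$TCPREMOTEIP")
                   export RBLSMTPD ;;               # non-empty: rblsmtpd blocks
        esac                                         # lookup: stay unset
    fi
    exec "$@"
}

# Run only when invoked with DIR and a program to chain to.
if [ "$#" -gt 1 ]; then fsbl_main "$@"; fi
```

Leaving RBLSMTPD unset for unknown addresses lets rblsmtpd fall through to its configured DNSBL sources, so the local files only override the public lists.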
admin (Site Admin)
Posted: Sat Aug 19, 2006 5:44 pm

>More people whitelist by simply using tcpserver's rules database to
>set RBLSMTPD to "", I would think. Much easier than setting up a
>server to serve a handful of addresses/netblocks as a whitelist.

It depends how many servers you have. If it's only a few, I agree that
it's a lot easier to scp or rsync out the rules file. If it's a hundred,
a DNSWL would be easier to administer.

>I have a local blacklist, but it isn't served via DNS. It's just
>stored in the filesystem; a small program checks for the existence of
>a file and sets RBLSMTPD appropriately if found.

My blacklist is contained in the rules database. This is equivalent to
a DNSBL entry:

1.2.3.4:allow,RBLSMTPD="Go away"

I do publish a couple of DNSBLs that are used elsewhere, the best
known of which is korea.services.net.




Others have answered your more specific questions, I just thought I
could add something on the topic.

I believe a quite common way of using RBLs is to not use rbldns, but
rather a qmail-queue program running spamassassin or similar. This makes
it possible to weight together both several RBL results and other
factors before deciding whether a mail is accepted or not.

The thing is, unless you absolutely share the views of the RBL list
maintainer, using it as a definitive blacklist might cause surprises.
You always run a risk that a list "turns bad" (like spamcop who recently
started listing any mail server generating bounce messages).

At least as I see it, "spamassassin's solution" seems to be more
reliable; a host listed in an RBL elevates the "spamscore" of emails.
Being listed by a couple of RBLs basically elevates the spamscore so far
that the email has no chance of getting through. And if needed, you can
tweak the default scoring.

Per default spamassassin also applies content filters to emails, but if
you *really* only want RBL checks you can configure it to only do that.

Of course, there are some tradeoffs too:
1) Your server and bandwidth have to do some extra work; instead of
outright blocking smtp connections, emails are now transferred
before they can be analyzed and potentially rejected.

2) You expose yourself to possible security problems in spamassassin.
Since it does rather complex text-parsing, it is not unlikely that
it has yet undiscovered such problems.

//Rickard
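The trade-off described in the post above, blocking on any single listing versus weighting several lists together, is shown in this added example (not part of the original thread and not SpamAssassin's code). The zone names, weights and threshold are constructed, and the set of lists that returned a hit is passed in rather than looked up.

```shell
#!/bin/sh
# Added example: weighted DNSBL scoring compared with one-listing-blocks.
# Zones, weights and threshold are constructed; no DNS queries are sent.

# Query name a DNSBL client resolves: octets reversed, zone appended.
dnsbl_qname() {
    ip=$1 zone=$2
    case $ip in ''|*[!0-9.]*|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Sum the weights of the zones that listed the host.
# stdin: "zone weight" lines; $1: space-separated zones that returned a hit.
dnsbl_score() {
    hits=" $1 " total=0
    while read -r zone weight; do
        case $hits in *" $zone "*) total=$((total + weight)) ;; esac
    done
    echo "$total"
}

# Weights in tenths of a point, since sh arithmetic is integer-only.
POLICY='bl-a.example 30
bl-b.example 25
bl-c.example 10'
THRESHOLD=50

# Weighted policy: reject only when the combined score reaches THRESHOLD.
dnsbl_weighted() {
    score=$(printf '%s\n' "$POLICY" | dnsbl_score "$1")
    if [ "$score" -ge "$THRESHOLD" ]; then echo reject; else echo accept; fi
}

# Hard-block policy: any single listing rejects, as with rblsmtpd -r.
dnsbl_hard() {
    if [ -n "$1" ]; then echo reject; else echo accept; fi
}
```

With these constructed weights a host listed only on bl-a.example is accepted by the weighted policy but rejected by the hard-block policy, which is the "list turns bad" case the post warns about.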