I want to protect my mail server with DNS blacklists to fight spam.
There are so many blacklists out there.
Currently I use:
ix.dnsbl.manitu.net
cbl.abuseat.org
bl.spamcop.net
safe.dnsbl.sorbs.net
dnsbl.njabl.org
Should I add/remove some entries? Which are the best blacklists? Which blacklists shouldn't be used (like Spamhaus)?
Here is my list and why I use them:
zen.spamhaus.org - Comprehensive RBL, catches a ton of spam sources, updated regularly. They have a long history and decent reputation in the spam filtering community. I have heard some negative things about them from time to time, but those are generally without real merit. Downside is that if your volume of traffic is high enough they will block access to the free list and you'll need to set up a paid account. Personal or small business mail servers usually do not have this problem.
b.barracudacentral.org - Another very good list from another major industry player. I've heard a lot of negative things about the Barracuda devices themselves, but their RBL is top-notch. Downside is that you have to register with them in order to use it. We've never had a false positive reported that was caused by this list, and it blocks a lot of traffic for us. See http://www.barracudacentral.org/rbl for details.
We've found that using these two lists alone, we see a significant reduction in spam intake on the server. The other lists that we've tried did not even come close to being as productive as either of these lists and essentially just wasted network resources and time while processing the incoming messages.
Here are some that I do not use and why (your experience may vary):
bl.spamcop.net - Too many false positives for our taste. They rely almost entirely on user submissions to power the list, and the people submitting are usually trigger happy and submit even legitimate messages as spam to their service, causing popular providers to get blocked when they probably shouldn't be. I have heard that this has been improved recently but we got burned too many times to go back and try again just yet.
dnsbl.sorbs.net - They run a comprehensive list, but there are too many options for my taste. They have a lot of coverage, and block a lot of traffic, but finding the right mix of lists that they supply requires a lot of trial and error. The removal process for their spam list requires a verifiable minimum donation to one of their approved charities. If one of my clients ends up on their list (whatever the cause) and we block their traffic, I don't want to have to tell them that they have to donate to a charity to appease a blacklist that we use. They are, of course, free to run their list however they like, but that is not the kind of news I want to deliver to my clients if they end up on the SORBS list and are unable to send me e-mail.
'zen.spamhaus.org' is pretty good. I recommend it.
You shouldn't be using DNSBLs directly. They cause too many false positives. The goal isn't necessarily to block spam, but to let all the good mail through. If you use a blacklist as an authority on what is spam, you'll have your bosses upset and nobody wants that.
Instead, use a composite approach. Tools like SpamAssassin or the various anti-spam appliances use multiple sources and techniques. No one test determines if an email is spam.
The goal of using a DNS blacklist should not be to stop all spam -- it should be to block a good percentage of the spam, say 1/2 to maybe 2/3 of it. You're mainly doing this to reduce load on your servers.
The next step, the truly effective spam removal step, is a Bayesian filtering engine. See Paul Graham's original article. The main benefit of Bayesian filtering is that it provides an individual score for each email, based on the recipient's past email history, interests and language.
If you follow the above approach it becomes important to avoid false positives in the first line of defense. You don't really care to maximize the effectiveness of the first filter, as you'll probably catch the remaining spam with the second filter. But you don't want false positives, as they cannot be undone later.
For this reason I like the University of Alberta traplist as my first filter. It contains only entries which have a very big probability of being spammers, and entries are removed if they have not been seen spamming within the last 24 hours.
The list can be downloaded from here. It is created by first greylisting (delaying first-time mail senders) and then greytrapping (if a mail server is already greylisted & it attempts delivery to a non-publicized email address, then greytrap it).
After 24 hours a host is automatically removed from the list, and is free to send emails again. Thus if the spamming has ended (say, a trojan was found and removed), then the host is free to send emails again. And if he's still spamming, then he will most likely just end up in the greytrap again shortly.
As said, I like the University of Alberta traplist a lot, but for completeness I should also mention Spamhaus DROP. It has a more minimalistic approach than most other RBLs, and would also make a good first filter in the above setup.
Perhaps the unpopular answer, but I do not recommend any blacklist. As a technique, the false positive rate is far too high and you're putting your trust in systems that are black boxes. This article explains a number of the downsides. http://www.paulgraham.com/falsepositives.html
Whichever one you use, you should not trust it.
Trusting a third party to give you more than a small amount (perhaps 10%) of your spam scores is asking for trouble. In practice these blacklists contain LOTS of false positives. It is very easy to get on to a blacklist and very hard to get off one; most people who get on accidentally never get removed (or stay on for a long time).
You should DEFINITELY NOT refuse deliveries from senders who are on a third party blacklist; you should probably not even trust your own in-house reputation system for this. Spammers' IP addresses do occasionally get taken over by non-spammers, and your users will be annoyed if they cannot receive clean mail from them.
A third party blacklist could be used to give a small amount of spam score. It could also be used to prioritise mail that is coming from "cleaner" sources - but it should definitely not be used as a completely authoritative way of determining that a particular message is spam.
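The composite approach described in this answer and in the earlier SpamAssassin answer, as an added example that is not part of any post in this thread: each DNSBL contributes only a small weight, and a message is rejected only on the combined DNSBL plus content (Bayes) score. The zone names come from the thread; the weights, threshold, stub resolver and 192.0.2.x sample addresses are constructed assumptions.

```python
import ipaddress
import socket

# Zones named in the thread with assumed weights. Their sum (4.0) stays below the
# assumed threshold, so DNSBL evidence alone can never reject a message.
DNSBL_ZONES = {"zen.spamhaus.org": 1.5, "b.barracudacentral.org": 1.5, "bl.spamcop.net": 1.0}
SPAM_THRESHOLD = 5.0  # assumed; SpamAssassin's default required_score is also 5.0

def dnsbl_query_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, under the list's zone."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone

def default_resolver(name):
    """Stdlib lookup; NXDOMAIN (not listed) and SERVFAIL/timeouts both come back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listing(answer):
    """A listing is an answer inside 127.0.0.0/8. Anything else is treated as no evidence:
    a dead zone answering with a public address, or the 127.255.255.x codes Spamhaus
    returns when the querying resolver is over quota or blocked (the first answer
    mentions that quota)."""
    if answer is None:
        return False
    a = ipaddress.IPv4Address(answer)
    return a in ipaddress.IPv4Network("127.0.0.0/8") and a not in ipaddress.IPv4Network("127.255.255.0/24")

def dnsbl_score(ip, zones=DNSBL_ZONES, resolver=default_resolver):
    """Weighted sum over the zones that list ip, plus the names of those zones."""
    score, hits = 0.0, []
    for zone, weight in zones.items():
        if is_listing(resolver(dnsbl_query_name(ip, zone))):
            score += weight
            hits.append(zone)
    return score, hits

def verdict(ip, content_score=0.0, zones=DNSBL_ZONES, resolver=default_resolver):
    """Reject only on the combined score; a Bayes/content filter supplies content_score."""
    score, hits = dnsbl_score(ip, zones, resolver)
    total = score + content_score
    return ("spam" if total >= SPAM_THRESHOLD else "ham", total, hits)

def stub_resolver(name):
    """Constructed answers for offline use; 192.0.2.x are documentation addresses."""
    table = {"2.2.0.192.zen.spamhaus.org": "127.0.0.2", "2.2.0.192.b.barracudacentral.org": "127.0.0.2",
             "2.2.0.192.bl.spamcop.net": "127.0.0.2", "9.2.0.192.zen.spamhaus.org": "127.255.255.255"}
    return table.get(name)
```

With the stub, 192.0.2.2 is listed by all three zones yet still scores only 4.0, so it is rejected only once the content filter adds at least 1.0; 192.0.2.9 gets a quota error from Spamhaus and scores nothing.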
How much of your own time and effort do you want to waste on spammers? I used to do my own spam fighting, but in the end I outsourced it to a hosted service, and once I did, I wished I had done it years earlier. My mail server doesn't even have to handle spammer connections, and I have freed up my time for more useful system administration and business tasks.
MessageLabs, MessageOne, Postini, F-Prot AVES and many others offer such services. As with any hosted service YMMV, but once you factor in your time and other staff time spent deleting spam (and asking you about spam) these services do make economic sense.
Spamhaus and SpamCop are the only two that I would recommend. Yes, there is always the chance of getting a false positive with an RBL. But Spamhaus and SpamCop are pretty reputable RBLs, so your chances are pretty low.
I would personally recommend using an appliance or some sort of hosted service. Postini is nice, but can be fairly expensive. MailFoundry is the solution that I would recommend to most people. Besides having some low cost appliances, they also have a hosted service. Depending on the size of your domain, I think it is free for the first 5 or 10 accounts.
opm.blitzed.org
The OPM project ended in May 2006. Please stop querying the opm.blitzed.org zone. As of May 2007 in order to reduce query load on our servers opm.blitzed.org is pointing at a blackholed nameserver -- queries will take a long time and result in a SERVFAIL.
Might want to avoid this one.
I'm using most of the blacklists you used, and I've been fairly happy with them. You might also want to think about country IP blacklists from say ipdeny.com - blocking China and Korea cut down on spam by a lot, and Brazil is likely to go on there next.
This of course depends on your business - if you absolutely can't miss a client's email, consider using DNS blacklist and country IPs not as blacklists but as a big bump to score in SpamAssassin or a similar spam filtering program.
Gary, you couldn't be more wrong if you tried. I've been using about 5 "major" RBLs for 7 years with about 5 false positives in all those years. So 100 employees and 7 years with only 5 false positives, which I think were all from AOL accounts!