Which RBL's do you use?

Discussion in 'General Discussion' started by hostseeker, Jan 21, 2005.

  1. hostseeker

    hostseeker Well-Known Member

    Since I stopped using MailScanner and went solely to using the RBL's to block spam I have been very happy! A lot less server load, plus the spam is blocked just as efficiently or maybe more than MailScanner.

    I was wondering what RBL's everyone uses?

    Currently I use:

    sbl-xbl.spamhaus.org
    bl.spamcop.net
    dnsbl.njabl.org
    dnsbl.sorbs.net
     
  2. HostMerit

    HostMerit Well-Known Member

    I wouldn't suggest:

    dnsbl.sorbs.net

    As it will block many legit users of your sites. I reside on Comcast PRO cable, and adding that immediately caused a test email to be blocked because I was on a dynamic (Comcast cable) IP. So unless your customers send mail from static IPs, which is less than 25% probably less than 15%, the rest will be blocked. :eek:
     
  3. haze

    haze Well-Known Member

    We use the following with great success:

    sbl-xbl.spamhaus.org
    bl.spamcop.net
    relays.ordb.org
    list.dsbl.org

    We've trialed and trialed and trialed them all.. the above have proven the most successful and least negative in regards to lost legitimate email out of any of the ones we've tried.

    I've heard rumors that sbl-xbl.spamhaus.org incorporates bl.spamcop.net ( would be great and would help reduce lookups on our servers ) though I've not been able to confirm this myself.
     
  4. hostseeker

    hostseeker Well-Known Member

    Thanks, good to know, I will stop using dnsbl.sorbs.net


     
  5. hostseeker

    hostseeker Well-Known Member

    Okay I am going to try your exact list!

    I don't think bl.spamcop.net is currently incorporated within sbl-xbl.spamhaus.org because viewing the logs I still see bl.spamcop.net listed AFTER the IP had been looked up at sbl-xbl.spamhaus.org and was not found there.

     
  6. K_aneda

    K_aneda Well-Known Member

    Stopped using RBLs here, purely out of reason as some of the network blocks are never reinvestigated - banned all of Telstra (Australia)'s business ISDN customers and cut out some of our people. Quite nasty. We've reinvested back into clamav and spamassassin as first line of defence.
     
  7. haze

    haze Well-Known Member

    That happens, it pays to research and investigate what sort of criteria is required beforehand for the list. We've been through the same ordeal however the above listed ones I mentioned have been absolutely great with that respect.
     
  8. K_aneda

    K_aneda Well-Known Member

    Too time intensive going through the RBL lists to find out they blocked your customers - they'll only report it when they feel like it, otherwise they get fed up and flee :)
     
  9. K_aneda

    K_aneda Well-Known Member

    Oops what I meant to say is that they're not sane enough for my liking :)
     
  10. hostseeker

    hostseeker Well-Known Member

    Anyone use cbl.abuseat.org or have any comments about it?
     
  11. easyhoster1

    easyhoster1 Well-Known Member

    Yes, we do and it works great and never had anyone complain about them.
     
  12. haze

    haze Well-Known Member

    If you're using sbl-xbl.spamhaus.org then that above list is already in use as it's combined into either sbl or xbl.. can't remember.
     
  13. hostseeker

    hostseeker Well-Known Member

    You may be right, however I have received spam and looked the IP up in the sbl-xbl.spamhaus.org list and it wasn't there. However the offending IP was listed in cbl.abuseat.org, so that's why I am asking if there have been any problems or complaints with it.
     
  14. projectandrew

    projectandrew Well-Known Member

    From http://www.spamhaus.org/xbl/index.lasso:

    "We recommend you use xbl.spamhaus.org together with sbl.spamhaus.org, as the SBL and XBL block different spam sources. To save you having to query two separate DNSBL zones there is a special combined "SBL+XBL" zone, sbl-xbl.spamhaus.org, which contains the complete SBL and XBL data (we recommend you use this combined zone), to use it, simply set your mail server's DNSBL check to query sbl-xbl.spamhaus.org only."
     
  15. hostseeker

    hostseeker Well-Known Member

    I also found the below quote on this page:
    http://www.spamhaus.org/xbl/

    "The XBL wholly incorporates data from two highly-trusted DNSBLs, the CBL (Composite Block List) from cbl.abuseat.org, and the Blitzed Open Proxy Monitor from opm.blitzed.org, therefore mail servers already using cbl.abuseat.org and opm.blitzed.org should NOT also use xbl.spamhaus.org or you will be making 'double' queries to basically the same data source and only one DNSBL will appear to work, the other(s) will appear to not catch anything. For additional FAQs and information on the CBL see http://cbl.abuseat.org/. For information on OPM see http://opm.blitzed.org/info"

    However no matter what the above says I still have found spammer IP's in the cbl.abuseat.org that were not in either XBL or SBL at spamhaus.org.

    The way I found them was a small amount of spam got through my RBL's so I looked them up to see if they were in any lists. The only list I found them on was cbl.abuseat.org.
     
    #15 hostseeker, Jan 26, 2005
    Last edited: Jan 26, 2005
  16. anup123

    anup123 Well-Known Member

    SpamAssassin 3.x does that now (a live sample):

    2.8 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
    1.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
    [cf: 100]
    0.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    1.4 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    [Blocked - see <http://www.spamcop.net/bl.shtml?4.61.246.30>]
    2.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
    [<http://dsbl.org/listing?4.61.246.30>]
    2.5 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    [4.61.246.30 listed in sbl-xbl.spamhaus.org]
    0.1 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
    [4.61.246.30 listed in dnsbl.sorbs.net]
    1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
    [4.61.246.30 listed in combined.njabl.org]
    0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
    [URIs: 2005downloadclub.com]
    0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    [URIs: 2005downloadclub.com]
    2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
    [URIs: 2005downloadclub.com]
    2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
    [URIs: 2005downloadclub.com]
    3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
    [URIs: 2005downloadclub.com]
    0.2 DIGEST_MULTIPLE Message hits more than one network digest check

    Could just decide what score would be best score level to block off completely. No thumb rule as such but needs a close monitoring and interaction with your clients if you decide to do a server wide blocking on basis of score.

    Anup
     
  17. DavidR

    DavidR Well-Known Member

    Are these all applied from "20_dnsbl_tests.cf"?

    David
     
  18. aeroweb

    aeroweb Well-Known Member

    Anyone know how to incorporate the dnsbl.sorbs.net RBL into Exim properly?

    We currently use spamcop and it works correctly but we would like to also add dnsbl.sorbs.net. Unfortunately, as per a previous listing on this thread, dnsbl.sorbs.net blocks dynamic IP’s, which prevents our local legitimate domain users from connecting to the mail server from their home ISP.

    My question is, is there another way to configure this RBL (dnsbl.sorbs.net) so that if a legit user connects to mail server and authenticates, the dnsbl.sorbs.net would be bypassed and the user could send mail as usual?

    The authentication would have to take place before the RBL is executed.

    If this is not possible, this RBL seems pointless since most mail users connect to a mail server from a remote location and usually have a dynamic IP.

    Ironically, the reason we want to use this RBL is because it blocks dynamic IP’s. We would like to block the spammers that use their local ISP as a spam mail server. However, we do not want to block the legitimate dynamic IP ISP users who authenticate on the server.

    Anyone have any thoughts or ideas?

    Here is our current RBL configuration:

    #**#
    #**# RBL List Begin
    #**#
    #
    # Always accept mail to postmaster & abuse for any local domain
    #
    accept domains = +local_domains
    local_parts = postmaster:abuse
    #
    # Check sending hosts against DNS black lists.
    # Reject message if address listed in blacklist.
    deny message = Message rejected because $sender_fullhost \
    is blacklisted at $dnslist_domain see $dnslist_text
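    # Only bl.spamcop.net is active; no trailing ": \" here, because Exim skips
    # comment lines inside a continuation and would join the next setting on.
    dnslists = bl.spamcop.net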
    #dnsbl.njabl.org : \
    #blackholes.easynet.nl : \
    #dynablock.easynet.nl : \
    #proxies.blackholes.easynet.nl : \
    #list.dsbl.org : \
    #cbl.abuseat.org : \
    #relays.ordb.org : \
    #sbl.spamhaus.org : \
    #sbl-xbl.spamhaus.org
    #dnsbl.sorbs.net
    # RBL Bypass Local Domain List
    !domains = +rbl_bypass
    # RBL Whitelist incoming hosts
    !hosts = +rbl_whitelist
    #**#
    #**# RBL List End
    #**#
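
An added example, not part of aeroweb's post or of the cPanel configuration: one way to order the RCPT ACL so that clients who have completed SMTP AUTH are accepted before the DNSBL check runs. It assumes the fragment sits in the ACL named by acl_smtp_rcpt and that the rbl_bypass and rbl_whitelist named lists from the post are defined elsewhere in the configuration.

```exim
# Fragment of the RCPT ACL (the ACL that acl_smtp_rcpt points to).
# Statements run top to bottom; the first accept or deny whose
# conditions all match ends the check for this recipient.

  # Always accept mail to postmaster & abuse for any local domain
  accept  domains       = +local_domains
          local_parts   = postmaster : abuse

  # AUTH happens before MAIL/RCPT, so by the time this ACL runs Exim
  # already knows whether the client authenticated. Authenticated
  # clients are accepted here and never reach the DNSBL statement,
  # whatever dynamic address their ISP handed them.
  accept  authenticated = *

  # Everything still being evaluated is unauthenticated.
  # Conditions are tested in the order written, so the two cheap
  # exemptions come first and the DNS lookups only happen for hosts
  # and recipient domains that are not exempt.
  deny    message       = Message rejected because $sender_fullhost \
                          is blacklisted at $dnslist_domain see $dnslist_text
          !domains      = +rbl_bypass
          !hosts        = +rbl_whitelist
          dnslists      = bl.spamcop.net : dnsbl.sorbs.net
```

Because the first matching accept ends the ACL, authenticated clients also skip every statement placed after that line, so any check that should still apply to them belongs above it.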
     
  19. jsnape

    jsnape Well-Known Member

    Why would you want to use someone as criminal as the spammers? I would suggest not using sorbs for anything - ever, unless you like perpetuating his criminal enterprise of fining webhosts before removing them from his blacklist.
     
  20. nyjimbo

    nyjimbo Well-Known Member

    I just included RBL/DNSBL directly into EXIM following this guy's instructions:

    http://www.webhostgear.com/175.html

    For the dnslists I am currently only using:

    "dnslists = sbl.spamhaus.org : xbl.spamhaus.org : relays.ordb.org :"

    I didn't put in the part he mentions:

    ---------

    NOTICE: The following below didn't work for my configuration of RHE and WHM 9.4
    so I had to remove it. I recommend you try it first to see if it works, if not then come back and remove this.

    Scroll down the center window of the ACL section, directly below the line:
    accept domains = +local_domains

    Enter these lines:

    #**#
    #**# Reject Email to Invalid Recipient
    #**#
    endpass
    message = unknown user
    verify = recipient
    #**#
    ---------

    Then did the routers part as he notes.

    Saved it, restarted exim and it went NUTS killing bad guys. I got terrified when I started seeing HUNDREDS AND HUNDREDS of blocks in the log so I started copying down lots of IPs from the reject_log in "/var/log/exim/" (this is FreeBSD) and ran a check on
    http://www.spamhaus.org/sbl/index.lasso and they ALL were in a block list.

    Now ALL of my machines have RBL/DNSBL (cpanel, non-cpanel unix and windows 2003).

    Nobody has complained yet and spam is down tremendously.

    I am sure there is more I can do but this really made my week.

    :)
     
