
RBL against Spam – Still working?

Blogged by Max1 as bla... — Max1 Tue 11 Mar 2008 14:19

As you may have read over the last few days on several internet news services such as TecChannel, Realtime Blackhole Lists (RBLs) like Spamhaus seem to be becoming less effective against spam.

What I read is that spammers have started to change their IPs very fast, which results in spam mails being more likely to falsely pass RBL Filters.

So what to do about it? There are several possibilities. One is to use a tool like SpamAssassin that can check the mail body (and the links in it) against databases on the internet and/or its internal (learning) filter.

But I’m not quite convinced yet to use such a system. It’s not just the configuration that might be a little more complicated than e.g. RBLs. What also scares me off a little is the maintenance effort. A system like that is very likely to have at least a few false positives that have to be marked as such, so that the system can ‘learn’ from them. I don’t know yet whether I like that kind of solution.

But what else is there?

Is Greylisting an answer?
Basically, the server at first refuses any email that someone tries to send to it, with an error like a server misconfiguration error. The sender’s IP is then stored, and after a little while (say, something like 5 minutes), when (and if) the sending server tries to resend the message, it is accepted and the sender is added to a whitelist.

The hope is that spammers either won’t try to send the email again, or that those extra 5 minutes are enough for the spammers to be detected by services such as Spamhaus.
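The greylisting logic described above, with an RBL check at retry time, as an added Python example that is not part of the original post. Keying on the sender IP follows the post; the `451`/`554` reply texts, the `EXPIRY` value, the `is_rbl_listed` hook and the sample addresses are assumptions made for illustration.

```python
DELAY = 5 * 60        # wait the post suggests before a retry is accepted
EXPIRY = 4 * 60 * 60  # assumed: forget senders that never came back

DEFER = "451 4.7.1 Greylisted, please try again later"  # temporary failure

class Greylist:
    def __init__(self, is_rbl_listed=lambda ip: False):
        self.is_rbl_listed = is_rbl_listed  # hypothetical RBL lookup hook
        self.pending = {}                   # ip -> time of first attempt
        self.whitelist = set()

    def check(self, ip, now):
        """Return the SMTP reply for a delivery attempt from ip at time now (s)."""
        if ip in self.whitelist:
            return "250 OK"
        first = self.pending.get(ip)
        if first is None or now - first > EXPIRY:
            self.pending[ip] = now          # first contact: remember and defer
            return DEFER
        if now - first < DELAY:
            return DEFER                    # retried too early, keep deferring
        del self.pending[ip]
        # The delay has passed, so an RBL has had time to list the sender.
        if self.is_rbl_listed(ip):
            return "554 5.7.1 Rejected, sender is listed"
        self.whitelist.add(ip)
        return "250 OK"

# Constructed sample traffic: (seconds since start, sender IP).
SAMPLE = [
    (0,   "192.0.2.10"),    # real mail server, first attempt
    (0,   "198.51.100.7"),  # sender that never retries
    (10,  "203.0.113.5"),   # bot that does retry
    (20,  "203.0.113.5"),   # ... too early
    (300, "192.0.2.10"),    # real server retries after 5 minutes
    (400, "203.0.113.5"),   # bot retries after the delay
    (900, "192.0.2.10"),    # later mail from the whitelisted server
]

def simulate(events, listed=()):
    """Replay events and return the SMTP status code given to each attempt."""
    gl = Greylist(lambda ip: ip in listed)
    return [gl.check(ip, t).split()[0] for t, ip in events]

if __name__ == "__main__":
    print(simulate(SAMPLE))                          # no RBL listing
    print(simulate(SAMPLE, listed={"203.0.113.5"}))  # bot listed during delay
```

Without an RBL listing, the retrying bot gets through after the delay; greylisting only stops it when the blacklist has caught up in the meantime.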

The idea is good, and I think I will implement greylisting on my server and try it – also to see how many ‘real’ mail servers and (free) mail services there are that also do not try to resend an email after a failure (that would be a false positive then).

Attention: WEIRD!! To attract some spammers for testing purposes, I’m just publishing another email address:

stest@klappspaten.info

4 Comments »

  1. Comment by adlerweb — 11 March 2008 at 18:38

    About Greylisting: A few months ago there was an article in the computer magazine “c’t” – they said that most spambots are able to resend these mails. (AFAIK most of the botnets added this in mid-2007.) Additionally, this stuff causes a double load for the affected mail servers, causes delays and, on some systems, delivery notices to the sender.

  2. Comment by Max1 — 11 March 2008 at 18:49

    hmm… That’s a problem all right!

    But should a properly configured mailserver really send a notification because of a 4-5 min delay?

    About the load: tools such as spamassassin and clamav cause a lot more load I think!

    What do you think about the thesis that the delay might be long enough to have the spammers listed on rbls?

    The spam I receive at least doubled over the past few days! Really annoying ;)

  3. Comment by adlerweb — 11 March 2008 at 21:29

    “should a properly configured mailserver really send a notification” No – but not every vendor likes usability ;)

    “tools such as spamassassin and clamav cause a lot more load” only on your server – greylisting also causes load on the sender’s server, the ISPs, etc.

    “delay might be long enough to have the spammers listed on rbls” no idea… I just don’t like it when my uber-urgent mails take longer than a second to appear in my inbox ;)

  4. Comment by Max1 — 12 March 2008 at 11:24

    Hmmm the delay really sucks… I’ll have to see if the number of spam mails I get will increase any further.. and then decide :P

    Perhaps I’m also gonna look into spamd or something.
