Choosing blocklists



nobaloney
01-09-2011, 04:10 PM
You may have wondered how I choose blocklists.

The first thing I do is research who others are using, and why specific lists are or are not being used.

Then after choosing the lists I think I'll use, I pick an arbitrary order, and install them on the server hosting mail for my domains.

Then I watch them for at least a week to make refinements in the order in which I use them. The lists that have restrictive usage policies generally (but not always) go on the bottom.

Finally I find an order which seems effective, and I publish the list.

So now that the new SpamBlocker-powered exim.conf file Version 4 has been out for a while, I've decided to revisit the blocklist issue again. So I did some checking again.

This time I checked on the block rate of all the used DNS-based lists over the last month (ending 4am this morning) and again on the server on which I host my own domain names.

I found some interesting results:


# of emails  blocklist

      14827  cbl.abuseat.org
       1065  dnsbl.njabl.org
       3247  bl.spamcop.net
         46  dnsbl.ahbl.org
          0  combined.rbl.msrbl.net
      36235  b.barracudacentral.org
       5409  zen.spamhaus.org
       4109  hostkarma.junkemailfilter.com=127.0.0.2
         28  rhsbl.ahbl.org

Based on this list, I'm going to check all our other servers, and if the results are similar I know I'll be making some changes to the master; some of these lists just aren't worth checking for the small results we get; it doesn't seem realistic to check a half million emails against a blocklist for a total of between 0 and 46 catches.

However I'll probably leave all of them in the published file; your spam profile may be considerably different from mine.

Jeff

interfasys
03-04-2011, 10:47 PM
I suggest you put b.barracudacentral.org first and you'll see a dramatic decrease in the number of emails being blocked by lists placed below it.

In my case, zen blocks 10% of what barracuda blocks when placed after it and the others are almost insignificant (at the level of what SURBL and special signatures block).

SeLLeRoNe
03-05-2011, 04:01 AM
So following those lines, you suggest putting the higher results first and the others lower down?

something like this in exim.conf?


#EDIT#41:
  deny message = Email blocked by $dnslist_domain
       hosts = !+relay_hosts
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       !authenticated = *
       dnslists = \
                  b.barracudacentral.org : \
                  cbl.abuseat.org : \
                  zen.spamhaus.org : \
                  hostkarma.junkemailfilter.com=127.0.0.2 : \
                  bl.spamcop.net
#                 dnsbl.njabl.org : \
#                 dnsbl.ahbl.org : \
#                 combined.rbl.msrbl.net

Regards

interfasys
03-05-2011, 08:45 AM
Yes, just remove cbl.abuseat.org, it's already included in zen.

The idea is that you'll make way fewer DNS requests than if you had barracuda at the bottom.

SeLLeRoNe
03-05-2011, 08:51 AM
But if barracuda defines an email as spam, then the rest shouldn't get involved, right?

interfasys
03-05-2011, 08:52 AM
That's correct.
From Exim's doc:

As soon as Exim finds an existing DNS record, processing of the list stops. Thus, multiple entries on the list provide an “or” conjunction
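
The posts above say that processing stops at the first list with a record, so ordering changes both the number of DNS requests and which list gets credit for a block. The following is an added example, not part of the original thread and not Exim's own code: a simplified offline model of that first-match behaviour, including the `=127.0.0.2` return-code filter. The listings, sender IPs and function names are constructed for illustration.

```python
import ipaddress

# Constructed listings: zone -> {sender IP: A record returned}. The IPs are
# documentation-range placeholders, not real blocklist data.
LISTINGS = {
    "b.barracudacentral.org": {"192.0.2.1": "127.0.0.2", "192.0.2.2": "127.0.0.2",
                               "192.0.2.3": "127.0.0.2"},
    "zen.spamhaus.org": {"192.0.2.2": "127.0.0.4", "192.0.2.4": "127.0.0.2"},
    "hostkarma.junkemailfilter.com": {"192.0.2.3": "127.0.0.2",
                                      "192.0.2.5": "127.0.0.1"},
}

def query_name(ip, zone):
    """DNSBL lookup name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

# Stub resolver table so the example runs offline (no real DNS traffic).
DNS = {query_name(ip, zone): a for zone, ips in LISTINGS.items() for ip, a in ips.items()}

def check(ip, dnslists):
    """First-match check over an ordered list; returns (entry or None, queries)."""
    queries = 0
    for entry in dnslists:
        zone, _, wanted = entry.partition("=")    # optional "=127.0.0.2" filter
        queries += 1
        answer = DNS.get(query_name(ip, zone))
        if answer and (not wanted or answer == wanted):
            return entry, queries                 # record found: stop here
    return None, queries

def run(ips, dnslists):
    """Blocks attributed to each entry and total DNS queries for one ordering."""
    hits, total = {entry: 0 for entry in dnslists}, 0
    for ip in ips:
        entry, queries = check(ip, dnslists)
        total += queries
        if entry:
            hits[entry] += 1
    return hits, total

SENDERS = ["192.0.2.%d" % n for n in range(1, 7)]   # .6 is listed nowhere
BARRACUDA_FIRST = ["b.barracudacentral.org", "zen.spamhaus.org",
                   "hostkarma.junkemailfilter.com=127.0.0.2"]
BARRACUDA_LAST = list(reversed(BARRACUDA_FIRST))

if __name__ == "__main__":
    for order in (BARRACUDA_FIRST, BARRACUDA_LAST):
        print(run(SENDERS, order))
```

Both orderings reject the same four senders in this constructed data, but the per-list counts and the total number of lookups differ.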

SeLLeRoNe
03-05-2011, 10:06 AM
so no matter remove the others, should find (difficult) something that other doesn't, no?

interfasys
03-05-2011, 10:16 AM
If I understand you correctly (I can't see your hands ;)), then yes, you should keep the other list, so that they can catch special cases.

SeLLeRoNe
03-05-2011, 11:09 AM
You got what I mean :) Sorry, my English isn't so good ^^ not my main tongue

interfasys
03-05-2011, 11:11 AM
I know, it's the same for me :)

bcoker
03-05-2011, 11:23 AM
I've signed up at Barracudacentral. I've added the following to exim.conf


  deny message = Email blocked by $dnslist_domain
       hosts = !+relay_hosts
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       !authenticated = *
       dnslists = b.barracudacentral.org

I then restarted exim.


Is this all the config that is necessary? If not and within the scope of a brief response could someone enlighten me.

Also, if this is all that's needed what is the best way to test its performance?

Thank you very much.

interfasys
03-05-2011, 11:28 AM
You should add a couple more, just because barracuda doesn't block everything, but bear in mind that this is subject to personal preferences.
This is quite safe:

  deny message = Email blocked by $dnslist_domain($dnslist_text)
       hosts = !+relay_hosts
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       !authenticated = *
       dnslists = \
                  b.barracudacentral.org : \
                  zen.spamhaus.org : \
                  bl.spamcop.net : \
                  hostkarma.junkemailfilter.com=127.0.0.2

bcoker
03-05-2011, 01:28 PM
Thanks interfasys,

OK I will add a couple more. It's hard to judge with such low traffic. Also, just to confirm, once I make the addition, save exim.conf and restart that should be all that's needed?

interfasys
03-05-2011, 01:42 PM
If you're looking for spam, there are quite a few ways to set up honey traps ;), but you should only add more lists if you find out that your mail server suddenly lets through thousands of spams a day.

nobaloney
03-06-2011, 01:25 PM
@interfasys:

Currently SpamBlocker exim.conf file for DirectAdmin Version 4 uses these lists, in this order:

       dnslists = \
                  cbl.abuseat.org : \
                  dnsbl.njabl.org : \
                  bl.spamcop.net : \
                  dnsbl.ahbl.org : \
                  combined.rbl.msrbl.net : \
                  b.barracudacentral.org : \
                  zen.spamhaus.org : \
                  hostkarma.junkemailfilter.com=127.0.0.2

With the caveat, of course, that certain blocklists may not be usable without registration and possibly should be removed.

What order does your testing suggest we should use?

Thanks.

Jeff

interfasys
03-17-2011, 02:10 PM
Hello Jeff,

I would suggest this:

       dnslists = \
                  b.barracudacentral.org : \
                  zen.spamhaus.org : \
                  bl.spamcop.net : \
                  dnsbl.ahbl.org : \
                  combined.rbl.msrbl.net : \
                  hostkarma.junkemailfilter.com=127.0.0.2

The first one only requires a free registration in order to be able to use it and will catch most spam.
Zen will still have some work to do and the other ones will rarely catch anything (surbl and helo rules catch more spam than the other lists).

Olivier

nobaloney
03-20-2011, 12:03 PM
So you're recommending we remove two lists? Have you tried putting them at the bottom to see if they catch anything?

What happens if you remove zen which some people may not be able to use?

What happens if you remove hostkarma which some people may not be able to use?

Jeff

interfasys
03-20-2011, 12:40 PM
The 2 lists that I removed are already part of zen (it's been discussed numerous times.)

So, yes, if someone removes zen, then those 2 should be added back.

Nothing different than what happens now will happen if you remove hostkarma. You'll get a bit more spam.

The important thing is to put barracuda first.

nobaloney
03-20-2011, 01:59 PM
Thanks for your help. I'll be working on this soon. I'm discussing other changes with John as well.

Jeff

interfasys
03-20-2011, 02:17 PM
A good way to find out if a list/antispam feature gets used is to use eximstats.
It obviously won't give you any info regarding any pre and post filters, but I find it useful to diagnose what Exim blocks.

nobaloney
03-21-2011, 12:32 PM
I already know how to find which lists work best on my servers; I like to see what others experience :).

Jeff

flamewalker
06-30-2011, 12:03 PM
I know this is an older thread, however... how would one get such statistics to see what blocklist has blocked how many emails?

nobaloney
07-01-2011, 08:44 AM
You can grep the blocklist name out of your exim rejectlog.

However the numbers are not very useful. Once a blocklist blocks an email, it's not run through any other blocklist, so the perceived efficiency of a blocklist very much depends on its position in the list.

How do we choose our positioning of blocklists? Somewhat arbitrarily, but we do run last those blocklists that argue that if you use them for a large amount of emails you should pay them. Note that which blocklists you choose to use, and in what order, is your responsibility.

For people who don't want such a responsibility we're considering running our own consolidated list, but if we ever do it, there would be a monthly charge.

Jeff
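
One way to pull per-blocklist counts out of a rejectlog, as asked above. This is an added example, not part of the original thread: it assumes the reject text is the thread's "Email blocked by $dnslist_domain" message (with or without the `($dnslist_text)` suffix), and the sample log lines, addresses and function name are constructed. As the post above notes, the counts reflect first-match attribution, so they depend on list order.

```python
import re
from collections import Counter

# Constructed sample lines in the style of an Exim rejectlog; hosts and
# addresses are placeholders, not real traffic.
SAMPLE_LOG = """\
2011-07-01 08:00:01 H=(mail.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <u1@example.org>: Email blocked by b.barracudacentral.org
2011-07-01 08:00:01 H=(mail.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <u2@example.org>: Email blocked by b.barracudacentral.org
2011-07-01 08:00:05 H=[192.0.2.11] F=<b@example.net> rejected RCPT <u1@example.org>: Email blocked by zen.spamhaus.org(constructed list text)
2011-07-01 08:00:09 H=(x.example.com) [192.0.2.12] F=<c@example.net> rejected RCPT <nobody@example.org>: Unrouteable address
2011-07-01 08:00:12 H=([192.0.2.99]) [192.0.2.13] F=<d@example.net> rejected RCPT <u1@example.org>: Email blocked by b.barracudacentral.org
"""

# The sending IP is the bracketed address preceded by a space or "=", which
# skips a bracketed HELO literal such as H=([192.0.2.99]).
LINE_RE = re.compile(
    r"[ =]\[(?P<ip>[0-9a-fA-F.:]+)\].*? rejected .*?: "
    r"Email blocked by (?P<zone>[A-Za-z0-9.-]+)"
)

def blocklist_stats(lines):
    """Return {blocklist: (rejections, distinct sending IPs)}, busiest first."""
    rejects, ips = Counter(), {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # other reject reasons, header dumps
        zone = m.group("zone").rstrip(".").lower()
        rejects[zone] += 1
        ips.setdefault(zone, set()).add(m.group("ip"))
    return {zone: (n, len(ips[zone])) for zone, n in rejects.most_common()}

if __name__ == "__main__":
    for zone, (n, senders) in blocklist_stats(SAMPLE_LOG.splitlines()).items():
        print(f"{n:6d} rejections  {senders:5d} IPs  {zone}")
```

Counting distinct sending IPs alongside raw rejections keeps one host that retries many recipients from inflating a list's apparent catch rate.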