Posted to users@spamassassin.apache.org by Fletcher Mattox <in...@cs.utexas.edu> on 2007/08/13 22:55:52 UTC

disable spamhaus rbl?

Spamhaus has determined that my query rate is too high to continue
using their servers for free.  So they have, apparently, blocked my
queries at their router, which incurs a 5 second timeout.  How do I
tell SpamAssassin to stop using all spamhaus servers, including zen?
I tried this in local.cf:

score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0

But it seems not to work.  I still see lots of outgoing queries with
tcpdump, and I still get these debug messages:

[30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
[30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
[30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds

Thanks,
Fletcher

Re: disable spamhaus rbl?

Posted by Theo Van Dinter <fe...@apache.org>.
On Tue, Aug 14, 2007 at 02:07:20AM +0000, Duane Hill wrote:
> Wouldn't these changes get overwritten by the next sa-update performed? 
> I'm just asking to solidify my thoughts.

Nope.  You set the score in your site config dir
(/etc/mail/spamassassin/local.cf), which doesn't change via sa-update.

-- 
Randomly Selected Tagline:
You're growing out of some of your problems, but there are others that
 you're growing into.

Re: disable spamhaus rbl?

Posted by Duane Hill <d....@yournetplus.com>.
Never mind. I understand. Set the scores to zero within local.cf. Forgive 
the noise.

On Tue, 14 Aug 2007 at 02:07 -0000, d.hill@yournetplus.com confabulated:

> On Mon, 13 Aug 2007 at 17:02 -0400, felicity@apache.org confabulated:
>
>> You need to find the source rules and set them to zero, ala:
>> 
>> $ grep spamhaus.org /var/lib/spamassassin/3.001008/updates_spamassassin_org/*.cf | awk '/check_rbl/ { print $2 }'
>> __RCVD_IN_ZEN
>> RCVD_IN_XBL
>> RCVD_IN_PBL
>> 
>> Set those scores to 0.
>
> Wouldn't these changes get overwritten by the next sa-update performed? I'm 
> just asking to solidify my thoughts.

-------
   _|_
  (_| |

Re: disable spamhaus rbl?

Posted by Duane Hill <d....@yournetplus.com>.
On Mon, 13 Aug 2007 at 17:02 -0400, felicity@apache.org confabulated:

> You need to find the source rules and set them to zero, ala:
>
> $ grep spamhaus.org /var/lib/spamassassin/3.001008/updates_spamassassin_org/*.cf | awk '/check_rbl/ { print $2 }'
> __RCVD_IN_ZEN
> RCVD_IN_XBL
> RCVD_IN_PBL
>
> Set those scores to 0.

Wouldn't these changes get overwritten by the next sa-update performed? 
I'm just asking to solidify my thoughts.

-------
   _|_
  (_| |

Re: disable spamhaus rbl?

Posted by Andrzej Adam Filip <an...@xl.wp.pl>.
Theo Van Dinter wrote:
> On Mon, Aug 13, 2007 at 03:55:52PM -0500, Fletcher Mattox wrote:
>> But it seems not to work.  I still see lots of outgoing queries with
>> tcpdump, and I still get these debug messages:
>>
>> [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
>> [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
>> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds
> 
> You need to find the source rules and set them to zero, ala:
> 
> $ grep spamhaus.org /var/lib/spamassassin/3.001008/updates_spamassassin_org/*.cf | awk '/check_rbl/ { print $2 }'
> __RCVD_IN_ZEN
> RCVD_IN_XBL
> RCVD_IN_PBL
> 
> Set those scores to 0.

Consider also using CBL.abuseat.org - it is included in XBL.spamhaus.org
and gives most hits of XBL. CBL.abuseat.org zone files can be downloaded
via rsync.

> Alternately, add a "spamhaus.org" zone to your name server w/ no entries so
> that queries return "instantly".

-- 
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Home site: http://anfi.homeunix.net/

Re: disable spamhaus rbl?

Posted by Fletcher Mattox <in...@cs.utexas.edu>.
Theo Van Dinter writes:
> Alternately, add a "spamhaus.org" zone to your name server w/ no entries so
> that queries return "instantly".

Perfect!  Thanks, Theo.
Fyi, even with

	score __RCVD_IN_ZEN 0
	score RCVD_IN_SBL 0
	score RCVD_IN_XBL 0
	score RCVD_IN_PBL 0

I still see lots of queries to sbl.spamhaus.org.
(But I no longer care, since the name server hack works).

Fletcher


Re: disable spamhaus rbl?

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Aug 13, 2007 at 03:55:52PM -0500, Fletcher Mattox wrote:
> But it seems not to work.  I still see lots of outgoing queries with
> tcpdump, and I still get these debug messages:
> 
> [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
> [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds

You need to find the source rules and set them to zero, ala:

$ grep spamhaus.org /var/lib/spamassassin/3.001008/updates_spamassassin_org/*.cf | awk '/check_rbl/ { print $2 }'
__RCVD_IN_ZEN
RCVD_IN_XBL
RCVD_IN_PBL

Set those scores to 0.

Alternately, add a "spamhaus.org" zone to your name server w/ no entries so
that queries return "instantly".

-- 
Randomly Selected Tagline:
Windows: Where do you want to go today?
 MacOS  : Where do you want to be tomorrow?
 Linux  : Are you coming or what?
         - June 2000 issue of Linux Journal
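
Added example, not part of the original posts or of SpamAssassin itself: the grep/awk one-liner above prints only lines that match check_rbl, so the script below generalizes it to also catch rules defined with the URIDNSBL plugin's uridnsbl, urirhsbl and urirhssub directives. The function names and the sample rule lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every rule that queries a given DNSBL zone and emit
# "score NAME 0" lines for local.cf. Function names are hypothetical.

# Constructed sample rule lines (not copied from a real rule update).
sample_rules() {
    cat <<'EOF'
header   __RCVD_IN_ZEN     eval:check_rbl('zen', 'zen.spamhaus.org.')
header   RCVD_IN_SBL       eval:check_rbl_sub('zen', '127.0.0.2')
uridnsbl URIBL_SBL         sbl.spamhaus.org.   TXT
header   __RCVD_IN_SORBS   eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
# uridnsbl OLD_RULE        sbl.spamhaus.org.   TXT
EOF
}

# dnsbl_rules ZONE FILE...  -> names of rules whose definition names ZONE
dnsbl_rules() {
    zone=$1; shift
    awk -v zone="$zone" '
        /^[ \t]*#/            { next }          # skip commented-out rules
        index($0, zone) == 0  { next }          # line does not name the zone
        $1 == "header" && $3 ~ /^eval:check_rbl/ { print $2; next }
        $1 ~ /^uri(dnsbl|rhsbl|rhssub)$/         { print $2 }
    ' "$@" | LC_ALL=C sort -u
}

# zero_scores ZONE FILE...  -> lines ready to paste into local.cf
zero_scores() {
    dnsbl_rules "$@" | sed 's/.*/score & 0/'
}

# Demo on the constructed sample; pass your real *.cf files instead.
tmp=$(mktemp)
sample_rules > "$tmp"
zero_scores spamhaus.org "$tmp"
rm -f "$tmp"
```

Pass it the *.cf files from your rule directories and put the output in local.cf, which, as noted in the thread, sa-update does not change.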

Re: disable spamhaus rbl?

Posted by John Rudd <jr...@ucsc.edu>.
Fletcher Mattox wrote:
> John Rudd wrote:
>> Fletcher Mattox wrote:
>>> Spamhaus has determined that my query rate is too high to continue
>>> using their servers for free.  So they have, apparently, blocked my
>>> queries at their router, which incurs a 5 second timeout.  How do I
>>> tell SpamAssassin to stop using all spamhaus servers, including zen?
>>> I tried this in local.cf:
>>>
>>> score RCVD_IN_SBL 0
>>> score RCVD_IN_XBL 0
>>> score RCVD_IN_PBL 0
>>>
>>> But it seems not to work.  I still see lots of outgoing queries with
>>> tcpdump, and I still get these debug messages:
>>>
>>> [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
>>> [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
>>> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds
>>
>> a) If you're hitting them that hard, why not pay for their service?
> 
> Thanks, John, for your friendly advice.  However, please keep in mind that
> I was *not* complaining about their policy--which is quite reasonable.
> In fact, since you ask, we *are* going to pay for their service, but
> that contract has not been finalized, and I need help now.  Ok?
> 
> Just in case someone else thinks I am trying to freeload.  :)
> I love spamhaus's service, and I am happy to pay for it.


When we were in that same situation, we asked them for an extension and 
they gave it to us.


> 
>> b) Are you using anything to help lighten your load on their servers, 
>> like a local caching name server so that you don't have to do repeated 
>> lookups of the same addresses?
> 
> Of course we use a caching name server.  We just happen to be a high
> volume user.
> 
> Fletcher
> 


Re: disable spamhaus rbl?

Posted by Fletcher Mattox <in...@cs.utexas.edu>.
John Rudd wrote:
> Fletcher Mattox wrote:
> > Spamhaus has determined that my query rate is too high to continue
> > using their servers for free.  So they have, apparently, blocked my
> > queries at their router, which incurs a 5 second timeout.  How do I
> > tell SpamAssassin to stop using all spamhaus servers, including zen?
> > I tried this in local.cf:
> > 
> > score RCVD_IN_SBL 0
> > score RCVD_IN_XBL 0
> > score RCVD_IN_PBL 0
> > 
> > But it seems not to work.  I still see lots of outgoing queries with
> > tcpdump, and I still get these debug messages:
> > 
> > [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
> > [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
> > [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds
> 
> 
> a) If you're hitting them that hard, why not pay for their service?

Thanks, John, for your friendly advice.  However, please keep in mind that
I was *not* complaining about their policy--which is quite reasonable.
In fact, since you ask, we *are* going to pay for their service, but
that contract has not been finalized, and I need help now.  Ok?

Just in case someone else thinks I am trying to freeload.  :)
I love spamhaus's service, and I am happy to pay for it.

> b) Are you using anything to help lighten your load on their servers, 
> like a local caching name server so that you don't have to do repeated 
> lookups of the same addresses?

Of course we use a caching name server.  We just happen to be a high
volume user.

Fletcher


Re: disable spamhaus rbl?

Posted by John Rudd <jr...@ucsc.edu>.
Fletcher Mattox wrote:
> Spamhaus has determined that my query rate is too high to continue
> using their servers for free.  So they have, apparently, blocked my
> queries at their router, which incurs a 5 second timeout.  How do I
> tell SpamAssassin to stop using all spamhaus servers, including zen?
> I tried this in local.cf:
> 
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
> 
> But it seems not to work.  I still see lots of outgoing queries with
> tcpdump, and I still get these debug messages:
> 
> [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
> [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds


a) If you're hitting them that hard, why not pay for their service?

b) Are you using anything to help lighten your load on their servers, 
like a local caching name server so that you don't have to do repeated 
lookups of the same addresses?


Re: disable spamhaus rbl?

Posted by Diego Pomatta <in...@abelsonsa.com.ar>.
Kai Schaetzl wrote:
> Diego Pomatta wrote on Tue, 14 Aug 2007 10:37:27 -0300:
>
>   
>> I always considered it to be more efficient this way, would this be correct?
>>     
>
> It's a matter of trust. If you trust the RBL to produce an insignificant 
> amount of false positives for you then rejecting at MTA level is the best 
> thing you can do. I do it the same way. But there are people/companies who 
> think they cannot even afford a single FP, so they cannot do this. Some also 
> use RBLs as a source of greylisting which is a very good compromise.
> BTW: you should use zen and not xbl+sbl anymore; visit the spamhaus.org site.
>
> Kai
>
>   
Will do, thanks.

Re: disable spamhaus rbl?

Posted by Kai Schaetzl <ma...@conactive.com>.
Diego Pomatta wrote on Tue, 14 Aug 2007 10:37:27 -0300:

> I always considered it to be more efficient this way, would this be correct?

It's a matter of trust. If you trust the RBL to produce an insignificant 
amount of false positives for you then rejecting at MTA level is the best 
thing you can do. I do it the same way. But there are people/companies who 
think they cannot even afford a single FP, so they cannot do this. Some also 
use RBLs as a source of greylisting which is a very good compromise.
BTW: you should use zen and not xbl+sbl anymore; visit the spamhaus.org site.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




RE: disable spamhaus rbl?

Posted by Skip Brott <sb...@dmp.com>.
> After reading all the replies I was left wondering...
> These kinds of rules are not used when spamd is started with the -L
> (--local) switch, right?
> I use *rblsmtpd* (http://cr.yp.to/ucspi-tcp/rblsmtpd.html) to 
> query spamhaus at smtp time. (qmail - tcpserver) 
> /usr/local/bin/rblsmtpd -b -C -r 'sbl-xbl.spamhaus.org'
> I always considered it to be more efficient this way, would 
> this be correct?

If I am not mistaken, this methodology will simply dump any hits on spamhaus
rather than score a hit in combination with other scores.  Someone can
correct me if I am wrong.

- Skip


Re: disable spamhaus rbl?

Posted by Matthias Leisi <ma...@leisi.net>.
Diego Pomatta wrote:

> After reading all the replies I was left wondering...
> These kinds of rules are not used when spamd is started with the -L
> (--local) switch, right?
> I use *rblsmtpd* (http://cr.yp.to/ucspi-tcp/rblsmtpd.html) to query
> spamhaus at smtp time. (qmail - tcpserver)
> /usr/local/bin/rblsmtpd -b -C -r 'sbl-xbl.spamhaus.org'
> I always considered it to be more efficient this way, would this be
> correct?

Almost correct -- SA will not only consider the "connecting" IP address,
but also look at the "most likely source" IP address, as determined by
the trusted_network & Co. algorithm.

Ie., having RBLs *both* on the MTA and in SA gives you a double benefit:
reduce the load on SA by rejecting certain messages early (modulo false
positive issues mentioned in this thread), and possibly hitting more
RBLed sources by going beyond what is possible in the MTA alone.

While there are additional DNS queries for the additional candidate IP
addresses (if present), the result for the connecting IP address will
already be cached (if previously queried by the MTA) and hence cause no
additional DNS traffic.

Personally, I prefer checking (some) RBLs both in the MTA and in SA for
the added benefit, but YMMV.

-- Matthias


Re: disable spamhaus rbl?

Posted by Diego Pomatta <in...@abelsonsa.com.ar>.
Fletcher Mattox wrote:
> Spamhaus has determined that my query rate is too high to continue
> using their servers for free.  So they have, apparently, blocked my
> queries at their router, which incurs a 5 second timeout.  How do I
> tell SpamAssassin to stop using all spamhaus servers, including zen?
> I tried this in local.cf:
>
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
>
> But it seems not to work.  I still see lots of outgoing queries with
> tcpdump, and I still get these debug messages:
>
>   

After reading all the replies I was left wondering...
These kinds of rules are not used when spamd is started with the -L 
(--local) switch, right?
I use *rblsmtpd* (http://cr.yp.to/ucspi-tcp/rblsmtpd.html) to query 
spamhaus at smtp time. (qmail - tcpserver)
/usr/local/bin/rblsmtpd -b -C -r 'sbl-xbl.spamhaus.org'
I always considered it to be more efficient this way, would this be correct?

/Regards

Re: disable spamhaus rbl?

Posted by Richard Frovarp <Ri...@sendit.nodak.edu>.
Fletcher Mattox wrote:
> Spamhaus has determined that my query rate is too high to continue
> using their servers for free.  So they have, apparently, blocked my
> queries at their router, which incurs a 5 second timeout.  How do I
> tell SpamAssassin to stop using all spamhaus servers, including zen?
> I tried this in local.cf:
>
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
>
> But it seems not to work.  I still see lots of outgoing queries with
> tcpdump, and I still get these debug messages:
>
> [30474] dbg: dns: checking RBL zen.spamhaus.org., set zen
> [30474] dbg: dns: launching DNS A query for 229.51.225.220.zen.spamhaus.org. in background
> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, DNSBL-A, dns:A:229.51.225.220.zen.spamhaus.org. after 5 seconds
>
> Thanks,
> Fletcher
>
>   

score __RCVD_IN_ZEN 0



Re: disable spamhaus rbl?

Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 13 Aug 2007, Fletcher Mattox wrote:

> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
 
> [30474] dbg: dns: timeout for zen, __RCVD_IN_ZEN, 
-------------------------------------^^^^^^^^^^^^^


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 [Small arms] are fundamentally dangerous and their removal from the
 equation either by control, neutralisation or removal is essential.
 The first step is to gain information on their numbers and
 whereabouts.         -- the UN, who "doesn't want to confiscate guns"
-----------------------------------------------------------------------
 2 days until The 62nd anniversary of the end of World War II