best blacklist list

rodolfor
Senior user
Posts: 282
Joined: 2005-06-30 09:05
Location: Gubbio - Italy

best blacklist list

Post by rodolfor » 2005-12-04 13:17

Hi all.
I use a list of blacklist servers like this:
- sbl-xbl.spamhaus.org
- relays.ordb.org
- bl.spamcop.net
- bl.csma.biz
- sbl.csma.biz
- psbl.surriel.com
- dnsbl.sorbs.net
- blackholes.five-ten-sg.com

Does anyone know if better servers exist?

thanks

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2005-12-04 15:30

I was hunting around today for a list of blacklists (thanks).

Question for Martin: does hMailServer's blacklist work like this?

An email comes in, hMailServer checks it against the first BL in the DNS blacklist, and if nothing is found it moves on to the next server in the DNS blacklist; if nothing is found, this is repeated until the last DNS blacklist server in the list?

Or

Does an email come in, hMailServer checks it against the first BL in the DNS blacklist, and if the IP address IS found it STOPS looking at any further servers in the DNS blacklist and just deletes the email?

Thanks
Michael
Missing Hmailserver ... Now running Debian servers

Gustav
Normal user
Posts: 224
Joined: 2005-11-01 16:25
Location: CPH

Post by Gustav » 2005-12-04 17:18

Here's some inspiration:
http://article.gmane.org/gmane.ietf.asrg:10671

Based on our own experience and that article, we use these:

bl.spamcop.net
combined.njabl.org
sbl-xbl.spamhaus.org
cbl.abuseat.org
dsbl.dnsbl.net.au
list.dsbl.org

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2005-12-04 17:23

Howdi Gustav

Question: I tried combined.njabl.org and used 127.0.0.* as the expected result and it didn't seem to work. What are you using in the "expected result" section?

Thanks
Michael
Missing Hmailserver ... Now running Debian servers

Gustav
Normal user
Posts: 224
Joined: 2005-11-01 16:25
Location: CPH

Post by Gustav » 2005-12-04 18:05

We are using a separate spam filter proxy: Pinjo.
I cannot tell what it reads from the blacklists, but as far as I know 127.0.0.* should do.

Sune
Normal user
Posts: 59
Joined: 2005-09-21 20:11
Location: Denmark

Post by Sune » 2005-12-04 20:40

Be careful not to use too many and to choose the right blacklists. I once used a blacklist (RelayWatcher.com) who forgot to renew their domain, resulting in someone else buying the domain and telling the thousands of mail servers checking with it that everything was spam, which caused a lot of mails to be lost.

- Such a scenario isn't very good, and as far as I can see there's nothing to stop it from happening again if someone forgets to renew a domain or in another way loses it.
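
A check for the failure Sune describes, as an added example that is not part of the original thread: it probes each zone with the two test addresses RFC 5782 defines (127.0.0.2 must be listed, 127.0.0.1 must not be). The zones `good.example`, `parked.example` and `wild.example` and their answers are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A records for name via the system resolver; [] if none."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def zone_health(zone, resolve=system_resolver):
    """Classify a DNSBL zone from its RFC 5782 test entries."""
    must_list = resolve(dnsbl_name("127.0.0.2", zone))
    must_not_list = resolve(dnsbl_name("127.0.0.1", zone))
    if any(not a.startswith("127.") for a in must_list + must_not_list):
        return "hijacked"          # routable address: parked or re-registered domain
    if must_not_list:
        return "lists-everything"  # wildcard answer: every sender would be rejected
    if not must_list:
        return "dead"              # no test entry: zone shut down or unreachable
    return "ok"

def check_all(zones, resolve=system_resolver):
    """Map each zone to its health so unhealthy ones can be disabled."""
    return {zone: zone_health(zone, resolve) for zone in zones}

# Constructed sample answers for hypothetical zones (no network needed).
SAMPLE = {
    "2.0.0.127.good.example": ["127.0.0.2"],
    "2.0.0.127.parked.example": ["203.0.113.10"],
    "1.0.0.127.parked.example": ["203.0.113.10"],
    "2.0.0.127.wild.example": ["127.0.0.2"],
    "1.0.0.127.wild.example": ["127.0.0.2"],
}

def sample_resolver(name):
    return SAMPLE.get(name, [])

if __name__ == "__main__":
    zones = ["good.example", "parked.example", "wild.example", "gone.example"]
    for zone, state in check_all(zones, sample_resolver).items():
        print(zone, state)
```

Run on a schedule against the zones actually configured, any state other than `ok` is a reason to disable that list before it rejects legitimate mail.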

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2005-12-05 05:01

Still not having any luck with combined.njabl.org using 127.0.0.*

Anyone else using the BL and having luck with it ??

Thanks
Michael
Missing Hmailserver ... Now running Debian servers

GlenC
Senior user
Posts: 680
Joined: 2004-08-17 23:31
Location: Santiago, Chile

Post by GlenC » 2005-12-05 15:36

Does it work if you use the individual returns? Like 127.0.0.3?

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2005-12-06 02:18

GlenC wrote:
Does it work if you use the individual returns? Like 127.0.0.3?

That’s a hard one to answer. I have tried doing that, but I have since worked out that hMailServer does its lookups down the hierarchy as per the way you enter them in (so if the first one you use [sbl-xbl.spamhaus.org] always comes back with a match, then it never tries the next one). So I have disabled all except combined.njabl.org and will try again.

Let you know.
Michael
Missing Hmailserver ... Now running Debian servers

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2005-12-06 06:06

Just a follow up

combined.njabl.org BL using 127.0.0.* in hMailServer is working 8)

Thanks everyone
Missing Hmailserver ... Now running Debian servers

Gustav
Normal user
Posts: 224
Joined: 2005-11-01 16:25
Location: CPH

Post by Gustav » 2005-12-06 13:08

I tried combined.njabl.org and used 127.0.0.* as the expected result and it didn't seem to work.
So what has changed as you now have success?

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2005-12-06 14:38

Gustav wrote:
I tried combined.njabl.org and used 127.0.0.* as the expected result and it didn't seem to work.
So what has changed as you now have success?

Nothing, I believe. I think what was happening was this: if the first or second DNSBL had an IP match, hMailServer would delete the email. But since I had combined.njabl.org last on the list, when it did get to query combined.njabl.org the IP address was not listed in its database and hence did not give a result.

Once I disabled all the DNS BLs in front of combined.njabl.org it worked. So I don't think I ever had a problem; it just seems that combined.njabl.org's IP list is not as complete / up to date as some of the others IN FRONT of combined.njabl.org in the DNS BL in hMailServer.

Regards
Michael
Missing Hmailserver ... Now running Debian servers
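
The ordering effect Slug describes, as an added example (not hMailServer's own code): the same lists evaluated once with stop-on-first-hit and once with every list queried and scored. The matcher for the `127.0.0.*` and `127.0.0.2-11` notations used in this thread, the scores and the DNS answers are assumptions constructed for illustration.

```python
import fnmatch

def matches_expected(answer, expected):
    """True if a DNSBL answer matches an expected-result pattern.

    Handles a wildcard ("127.0.0.*") and a last-octet range
    ("127.0.0.2-11"); both forms are assumptions for this example.
    """
    prefix, _, last = expected.rpartition(".")
    if "-" in last:
        low, high = (int(x) for x in last.split("-"))
        a_prefix, _, a_last = answer.rpartition(".")
        return a_prefix == prefix and a_last.isdigit() and low <= int(a_last) <= high
    return fnmatch.fnmatchcase(answer, expected)

def evaluate(ip, lists, resolve, stop_on_first_hit):
    """Query lists in order; return (hits, queried zones, total score)."""
    reversed_ip = ".".join(reversed(ip.split(".")))
    hits, queried, score = [], [], 0
    for zone, expected, points in lists:
        queried.append(zone)
        answers = resolve(reversed_ip + "." + zone)
        if any(matches_expected(a, expected) for a in answers):
            hits.append(zone)
            score += points
            if stop_on_first_hit:
                break  # later lists are never asked, so they look "broken"
    return hits, queried, score

# Zone order as in the thread; expected results and scores are constructed.
LISTS = [
    ("sbl-xbl.spamhaus.org", "127.0.0.*", 3),
    ("bl.spamcop.net", "127.0.0.2", 3),
    ("combined.njabl.org", "127.0.0.*", 3),
]

# Constructed answers for the documentation address 192.0.2.25.
SAMPLE_ANSWERS = {
    "25.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.4"],
    "25.2.0.192.combined.njabl.org": ["127.0.0.3"],
}

def sample_lookup(name):
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    print(evaluate("192.0.2.25", LISTS, sample_lookup, stop_on_first_hit=True))
    print(evaluate("192.0.2.25", LISTS, sample_lookup, stop_on_first_hit=False))
```

With stop-on-first-hit, a list placed last can only be judged after the lists in front of it are disabled, which is the test Slug ended up doing.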

Gustav
Normal user
Posts: 224
Joined: 2005-11-01 16:25
Location: CPH

Post by Gustav » 2005-12-06 14:40

OK. That explains.

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2005-12-14 17:18

Just another update

I am finding that dnsbl.sorbs.net is giving me a lot of false positives (stopping legitimate email).

Anyone else finding this ??

Michael
Missing Hmailserver ... Now running Debian servers

Gustav
Normal user
Posts: 224
Joined: 2005-11-01 16:25
Location: CPH

Post by Gustav » 2005-12-14 19:35

So we've heard as well. Thus we've decided not to use this list.
It sure blocks everything from many dynamic pools and as that includes many ADSL pools with some fixed address, it is too rigorous.
But as always: whether it matters for your situation depends ...

rodolfor
Senior user
Posts: 282
Joined: 2005-06-30 09:05
Location: Gubbio - Italy

Post by rodolfor » 2005-12-17 10:55

I found this interesting page with a list of blacklists:
http://www.email-policy.com/Spam-black-lists.htm

cuneytoral
New user
Posts: 15
Joined: 2010-04-22 18:22
Location: Turkey

Re: best blacklist list

Post by cuneytoral » 2017-09-10 19:06

The below list is very successful for me, but can anyone improve the below list?

I use the below list:
DNS blacklist
- zen.spamhaus.org
- bl.spamcop.net
- psbl.surriel.com
- b.barracudacentral.org
- dnsbl.sorbs.net
- cbl.abuseat.org
- sbl-xbl.spamhaus.org
- dsbl.dnsbl.net.au
- relays.ordb.org
- blackholes.five-ten-sg.com
SURBL servers
- multi.surbl.org
- ru.countries.nerd.dk
I tried the below list, but their response time is too bad so I don't use them:
- dnsbl.njabl.org
- combined.njabl.org
- list.dsbl.org
- bl.csma.biz
- sbl.csma.biz

mattg
Moderator
Posts: 20782
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: best blacklist list

Post by mattg » 2017-09-11 00:54

I also use

DNS Blacklists
aspews.ext.sorbs.net (different to dnsbl.sorbs.net)
ubl.unsubscore.com
zz.countries.nerd.dk
hostkarma.junkemailfilter.com
all.bl.blocklist.de
all.spamrats.com (still testing this one)

I also split sbl.spamhaus.org into different DNSBL to get a different score for each type of result - eg I reject outright all mail that fits the snowshoe profile (thanks to SorenR for the hint)

You have a couple there that I haven't tested, so I'll check them out.


Additional SURBL servers I have are
dbl.spamhaus.org
uribl.spameatingmonkey.net
uribl.swinog.ch
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3562
Joined: 2006-08-21 15:38
Location: Denmark

Re: best blacklist list

Post by SorenR » 2017-09-11 01:52

Wow... I only have SpamAssassin and ...

DNS:
zen.spamhaus.org (127.0.0.2-11)
b.barracudacentral.org (127.0.0.2)
bl.spamcop.net (127.0.0.2)

SURBL:
multi.surbl.org
dbl.spamhaus.org

VBscript code to check for;

- SnowShoe SPAM (Deny access)
- Invalid HELO/EHLO string syntax (Deny access + AutoBan)
- Invalid HELO/EHLO IP Address syntax (Deny access + AutoBan)
- Multiple concurrent connection attempts (IDS/Flooding) (Deny access + AutoBan)
- Dynamic Greylist-Whitelist of selected domains. All other connects are greylisted
- SMTP listen on port 25 World-Wide
- SMTP AUTH on port 465 and 587 for Denmark ONLY! - The Danish Realm. (Deny access + AutoBan)
- IMAP on port 143 and 993 for Denmark ONLY! - The Danish Realm. (Deny access + AutoBan)
- Various small RegEx BlackLists/WordLists to call function "SPAMList" which in turn will train SpamAssassin. SpamLists/SpamWords get cleaned every quarter, manually.

SPAM falsepositives and falsefalse < 10/month on 1.300 emails/month in average. Appx. 350 SPAM emails/month in average. At the moment I get more falsepositives than falsefalse due to massive iPhone campaigns - Yes, I tag everything with "iPhone #" in body or subject as SPAM ... :evil:
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

mattg
Moderator
Posts: 20782
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: best blacklist list

Post by mattg » 2017-09-11 04:58

Ok So everything...(in order)

SMTP Auth not allowed port 25 (set in ini and AUTH simply not offered to port 25 connections)

OnClientConnect - Port 25 Access from computers that use specific EHLO host names, including my public IP, my FQDN or 'ylmf-pc' or 'user' are autobanned immediately and dropped after some seconds
OnClientConnect - NonSMTP ports (eg 110, 143 993 & 995), if not from Australia or USA, are autobanned immediately and dropped after some seconds

DNSBL
bl.spamcop.net
zen.spamhaus.org
b.barracudacentral.org
cbl.abuseat.org
aspews.ext.sorbs.net
dnsbl.sorbs.net
ubl.unsubscore.com
sbl.spamhaus.org - snowshoe - this score will get above reject spam level
sbl.spamhaus.org - non snowshoe
zz.countries.nerd.dk (scores if not from Australia or USA)
hostkarma.junkemailfilter.com
all.bl.blocklist.de
all.spamrats.com

hMailserver Spam Tests
HELO
MX record exists
SPF

SURBL
multi.surbl.org
dbl.spamhaus.org
uribl.spameatingmonkey.net

hMailserver Spam Tests
Verify DKIM

Heavily customised SpamAssassin, With ClamAV addin and SaneSecurity and LinuxMalwareDetect definitions - with these scoring identified mail as SPAM
I use SpamAssassin Score in hMailserver, with all mail scoring above negative 500 being marked as spam (effectively ALL mail is marked as SPAM by SpamAssassin)

OnAcceptMessage - ensures that if a client authenticates that the account used for auth is the FROM, and that all mail from local domains must be Authenticated
OnAcceptMessage - test Authenticated mail for number of sent messages in last day using database query, and if high then rejects message
OnAcceptMessage - Access from computers that use specific EHLO host names, including my public IP, my FQDN or 'ylmf-pc' or 'user' are autobanned immediately and dropped after some seconds
OnAcceptMessage - SorenR's Ransomware detection and check for a Valid EHLO/HELO
OnAcceptMessage - rejects mail with a high spam score - with a long wait


OnDeliveryStart (not used for Spam testing)

Anti-virus scans
ClamAV scan
Avast custom line scanner

Global Rules including sending spam to a specific address

OnMessageDeliver (not used for Spam testing)

Account level rules including for spam address moving all mail to Public IMAP folder

(and that doesn't include the logging, and the semi-automated log analysis that leads to further Auto-ban ranges being created)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3562
Joined: 2006-08-21 15:38
Location: Denmark

Re: best blacklist list

Post by SorenR » 2017-09-11 13:18

This all goes to show that there is no "standard setup" when it comes to fighting SPAM.. We all deal with it the best way we can by digging into the common toolbox and using whatever we can.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

RvdH
Senior user
Posts: 1040
Joined: 2008-06-27 14:42
Location: Netherlands

Re: best blacklist list

Post by RvdH » 2017-09-17 22:49

@SorenR

I have enabled your IDS Detection script on my own "home" server....maybe I have misread something, but doesn't this basically interfere with HMS greylisting?
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

SorenR
Senior user
Posts: 3562
Joined: 2006-08-21 15:38
Location: Denmark

Re: best blacklist list

Post by SorenR » 2017-09-18 15:09

RvdH wrote:
@SorenR

I have enabled your IDS Detection script on my own "home" server....maybe I have misread something, but doesn't this basically interfere with HMS greylisting?

No... Well, it should not and I have even cut down the timing on GL from what the GUI suggests..

EDIT: ... Ehrm... I use a Backup-MX and any server not conforming to the "SENT: 451 4.7.1 Service unavailable - try again later." simply delivers to the next MX in line thus bypassing the IDS code - which is fine by me :mrgreen:

It may require some tweaking on these params in order not to interfere with GreyListing ...
- Private Const idsHits = 3
- Private Const idsMinutes = 30

My Greylisting settings are: (yes, I modified my GUI to do this ;-) )

- Minutes to defer delivery attempts: 4
- Hours to remove unused records: 12
- Days before removing unused records: 32

Table: hm_settings:
"greylistinginitialdelay" "4"
"greylistinginitialdelete" "12"
"greylistingfinaldelete" "768"
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

eliassal
Normal user
Posts: 221
Joined: 2010-08-15 18:05

Re: best blacklist list

Post by eliassal » 2020-02-01 18:18

Hi, can somebody share the return codes for the list mentioned above

bl.spamcop.net
psbl.surriel.com
b.barracudacentral.org
dnsbl.sorbs.net
cbl.abuseat.org
sbl-xbl.spamhaus.org
dsbl.dnsbl.net.au
relays.ordb.org
blackholes.five-ten-sg.com

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: best blacklist list

Post by palinka » 2020-02-01 19:01

eliassal wrote:
2020-02-01 18:18
Hi, can somebody share the return codes for the list mentioned above

bl.spamcop.net
psbl.surriel.com
b.barracudacentral.org
dnsbl.sorbs.net
cbl.abuseat.org
sbl-xbl.spamhaus.org
dsbl.dnsbl.net.au
relays.ordb.org
blackholes.five-ten-sg.com

Go to http://multirbl.valli.org/ and look at the listings. Link seems to be down at the moment... :roll:

eliassal
Normal user
Posts: 221
Joined: 2010-08-15 18:05

Re: best blacklist list

Post by eliassal » 2020-02-01 20:20

Ok thanks. As I am new to this, can you please let me know what I should look for? When I enter a URL I get a huge list of different things, but I am not sure what to pick.

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: best blacklist list

Post by palinka » 2020-02-01 20:52

You made a list. You can find them on the list at valli.org which has links to the maintainers' sites. There you will find instructions / return codes.
