Spamhaus XBL with DCC (Was: Experience with DKIM...)

Gary Mills mills@cc.umanitoba.ca
Sun Mar 30 13:35:31 UTC 2008


On Sat, Mar 29, 2008 at 06:42:57PM +0000, Vernon Schryver wrote:
> > From: Gary Mills <mills@cc.umanitoba.ca>
> 
> > We are using Spamhaus' XBL, and are happy to pay for it.  
> 
> Since you are already using the XBL, I think you should switch to
> Spamhaus' ZEN unless you are checking the XBL via dccm, dccproc, or
> dccifd.  Even if you are using `dccm -B`, you should enable ZEN checks
> on SMTP clients and on MX servers for SMTP envelope domains with something 
> like this in /var/dcc/dcc_conf
> DNSBL_ARGS="'-Bset:rej-msg=5.7.1 550 %ID %BT http://www.spamhaus.org/query/bl?ip=%BIP' -Bsbl-xbl.spamhaus.org -Bset:no-NS -Bzen.spamhaus.org"
> 
> That is because ZEN/PBL includes IP addresses of legitimate DNS servers
> and so should not be used for the default dccm, dccproc, or dccifd DNSBL
> checks on NS records.

Yes, I'm using XBL through DCC because I want users to be able to
whitelist messages rejected by XBL in the same manner that they can
for messages rejected for bulkiness.  I'm using this setting:

    DNSBL_ARGS="'-Bset:rej-msg=5.7.1 550 id %s from %s rejected. See http://www.spamhaus.org/xbl/' -Bset:no-body -Bset:no-MX -Bset:no-NS -Bxbl.dnsbl,any"

I don't want to use PBL, included in ZEN I believe, because it includes
the IP networks of many of our SMTP mail submission clients.  I don't
want to reject those.  Now that most ISPs are blocking the SMTP port,
it may be possible to revisit that decision.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
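Added example, not part of the original message and not DCC code: a minimal sketch of acting on XBL listings while ignoring PBL-only hits when a combined zone such as ZEN is queried, which is the distinction discussed above. The return-code table is an assumption taken from Spamhaus' published documentation rather than from this thread, and `fake_resolve`, `SAMPLE_DNS` and the 192.0.2.x addresses are constructed stand-ins for a real DNS lookup.

```python
import ipaddress

# Return codes as published by Spamhaus for zen.spamhaus.org (assumption:
# taken from Spamhaus documentation, not from this thread).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def zen_query_name(client_ip, zone="zen.spamhaus.org"):
    """Build the DNSBL name for an IPv4 client: reversed octets + zone."""
    addr = ipaddress.IPv4Address(client_ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answers):
    """Map A-record answers to the set of component lists that matched."""
    lists = set()
    for a in answers:
        if a.startswith("127.255.255."):
            # Error codes (query refused, bad resolver); never a listing.
            raise RuntimeError("DNSBL returned error code " + a)
        if a in ZEN_CODES:
            lists.add(ZEN_CODES[a])
    return lists

def should_reject(client_ip, resolve, reject_on=("XBL",)):
    """Reject only when a list in reject_on matched; PBL-only hits pass."""
    hits = classify(resolve(zen_query_name(client_ip)))
    return bool(hits & set(reject_on)), hits

# Constructed sample answers (documentation address range, not real listings).
SAMPLE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.10"],               # PBL only
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # XBL + PBL
}

def fake_resolve(name):
    # Stand-in for a real A-record lookup; NXDOMAIN is modelled as no answers.
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, should_reject(ip, fake_resolve))
```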


