[Rspamd-Users] Subscribing to blocklist services for use with Rspamd

G.W. Haywood rspamd at jubileegroup.co.uk
Thu Aug 25 23:12:41 UTC 2022


Hi there,

On Thu, 25 Aug 2022, Jason White via Users wrote:

> I've recently been working to improve my mail server configuration, and I 
> noticed the availability of subscription-based blocklist services from, at 
> least, Abusix and Spamhaus. Of course, there may be others.

There are many others.  Here's a lookup that I did earlier today:

https://multirbl.valli.org/dnsbl-lookup/52.53.248.254.html

> I suspect my query rate would be sufficiently low to qualify for free access 
> under their licensing policies, if I'm reading correctly. I would welcome any 
> comments on such services, including their effectiveness in reducing spam 
> delivery, Rspamd integration, and whatever else I should consider.

In my experience they can be very effective.  The setup here uses more
than a dozen of them with a homebrew scoring system which alone caught
more than 70% of today's spam for example.  The scores feed into other
decision-making, much of it based on Yara rules, and this improves the
effectiveness of the other defences.  I can't comment on integration
with rspamd as I've never used it that way, although I imagine it will
be very straightforward for most purposes.  There's one more or less
standard way of making the queries, for example if I wanted to look up
68.183.60.66 at all.spamrats.com the query could be something like this:

8<----------------------------------------------------------------------
$ dig +short 66.60.183.68.all.spamrats.com
127.0.0.50
127.0.0.38
127.0.0.37
8<----------------------------------------------------------------------

That IP happened along a few minutes ago and was listed on eight lists
for an aggregate score of 14, so it has no chance whatever of getting
any mail to any of our users. :)

> Which of the available services, if any, should I subscribe to, for
> a small Postfix/Rspamd/Dovecot configuration?

I can recommend Spamhaus, but read the documentation because they have
a range of lists for various purposes.  I've never used Abusix.  There
are a few that I wouldn't touch with a bargepole.  Perhaps Wikipedia
will help, it's probably worth skimming through some of the references:

https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists

Some of the opinions about these lists and their use are, shall we
say, strongly held.  There are some charlatans Out There, and there
should be no need for you to pay anything for modest use of these
services.  We try to put something back into the pot by making reports
about the spam received, typically 3,000 to 5,000 reports per month go
to a dozen recipients.  We take great care that the reporting is not
in itself abusive.

-- 

73,
Ged.
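
Added example, not part of the original message and not the poster's scoring system: the reversed-octet query shown with dig above, generalised to IPv6 and to an aggregate score over several lists. The weights and every zone except all.spamrats.com are constructed placeholders, and the resolver is a stub so the block runs offline.

```python
import ipaddress
import socket

LISTED = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus documents 127.255.255.x as error answers (e.g. queries refused), not listings.
ERRORS = ipaddress.ip_network("127.255.255.0/24")

def dnsbl_name(ip, zone):
    """Reversed IPv4 octets (or IPv6 nibbles) prepended to the list's zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # '66.60.183.68.in-addr.arpa'
    return reverse.rsplit(".", 2)[0] + "." + zone

def system_lookup(name):
    """A records for name via the system resolver; [] when the lookup fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def score_ip(ip, weights, lookup=system_lookup):
    """Return (aggregate score, {zone: answers}) over every list that lists ip."""
    total, hits = 0, {}
    for zone, weight in weights.items():
        answers = []
        for a in map(ipaddress.ip_address, lookup(dnsbl_name(ip, zone))):
            if a in LISTED and a not in ERRORS:
                answers.append(str(a))
        if answers:  # answers outside 127.0.0.0/8 (wildcards, parked zones) never count
            hits[zone] = answers
            total += weight
    return total, hits

# Constructed resolver data: only the all.spamrats.com answers come from the message.
SAMPLE = {
    "66.60.183.68.all.spamrats.com": ["127.0.0.50", "127.0.0.38", "127.0.0.37"],
    "66.60.183.68.dnsbl.example.org": ["127.0.0.2"],
    "66.60.183.68.refused.example.net": ["127.255.255.254"],
    "66.60.183.68.parked.example.com": ["203.0.113.7"],
}
# Constructed weights; a real deployment tunes these per list.
WEIGHTS = {"all.spamrats.com": 3, "dnsbl.example.org": 2,
           "refused.example.net": 5, "parked.example.com": 5, "clean.example.org": 4}

if __name__ == "__main__":
    print(score_ip("68.183.60.66", WEIGHTS, lambda n: SAMPLE.get(n, [])))
```

Filtering on the answer range matters because a list that has shut down or is refusing queries can otherwise appear to list every address.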

