It's funny, I repeatedly bump into this thread when I am Googling for anything related to qmail and spam. Glad to see lots of people are using it. Anyway, it's been almost a year since my last post here. Thought I'd give an update.
I stopped using Sorbs because of Hotmail and Yahoo mail being blocked. I hate to alter my behaviour because of these corporate behemoths, but I have little choice. I do recognize they are in a difficult spot on this. I am now only using Spamhaus ... temporarily. Sorbs seems too aggressive and Spamhaus is not aggressive enough. I will eventually start using Sorbs again, but I need to tone it down a bit first. More on that later.
A new problem I am bumping into now is hammering of Spamhaus due to delivery attempts from virus-infected machines at dynamic ip addresses. A typical scenario would be maybe 100 connections per minute from the same dynamic ip address, each resulting in a query to Spamhaus from my server for the same ip address. 100 identical queries in a minute just seems a waste of resources (mine and Spamhaus'). When I was using Sorbs I didn't mind because I ran a local rsync copy of Sorbs. However, last time I checked, rsync service was not available for free from Spamhaus. When I notice this happening I have been manually putting the ip address on my own local blacklist that gets checked prior to Spamhaus. This works, but it's very manual and not a very good solution.
I have a plan that will eventually solve these problems and allow me to start using Sorbs again. I have searched a bit, but have so far been unable to find any existing software and/or qmail patches, etc that exactly accomplish what I want. I think the coding is pretty simple and I will eventually do this myself. Here is my 2-step plan:
1. Capture ip addresses from positive Spamhaus queries and automatically place them on a local blacklist that gets checked prior to Spamhaus. Then run a cron job that clears or deletes this blacklist at regular intervals (every hour, 2 hours, 12 hours, whatever). This would prevent my server from needlessly querying Spamhaus when there has recently been a positive Spamhaus hit on an ip address. So, in the virus-infected scenario I described above, only the very first hit by the virus-spammer would query Spamhaus, then all remaining hits would be blocked by my local blacklist. Cycling of that blacklist would ensure that ip addresses that appear on Spamhaus and then get removed, would not be blocked by my local blacklist for long.
2. Use Sorbs for "greylisting" rather than blacklisting. I need to study up a bit more on this, but as I understand it, greylisting sends a temporary failure (temporary SMTP error 451) on the first attempt, then accepts subsequent delivery attempts. What does this accomplish? Apparently, many spamming methods will often give up after one attempt, whereas email originating at legitimate email servers will follow the standard schedule to re-deliver undelivered mail at regular intervals. So, mail from blacklisted Hotmail servers, for example, would be rejected on the first attempt, but then accepted 5 minutes later or whatever delay interval is used for the 2nd attempt.
A bit of research tells me Thomas Mangin's greylist solution may be a good place to start:
I plan to implement #1 and #2 in that order in my qmail run file. Essentially, this solution is a less aggressive blacklist (Spamhaus) followed by a very aggressive greylist (Sorbs). This should allow me to take advantage of the aggressiveness of Sorbs without as many false positives. So why even bother with the blacklist? I dunno, I just like the idea of the blacklist -- if you're listed, you're out. I also suspect a greylist alone will let more spam through than my 2-step blacklist/greylist solution.
I still need to work out the details, but I will post them when I have implemented this (weeks or months maybe).
As always, comments are appreciated.
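The two-step plan above (a local cache of positive DNSBL hits that a cron job clears, in front of the real blacklist query, followed by greylisting driven by a second, more aggressive list) is simulated in the following added example. It is not the poster's code and does not touch qmail or rblsmtpd; the DNSBL lookups are replaced by set membership, the IP addresses and list contents are constructed test data, and the clock is faked so the 100-connections-in-a-minute scenario runs instantly. The point it makes visible is the query count: the burst from the infected host costs one upstream query, the webmail relay that only the aggressive list flags is delayed once and then accepted, and a clean host is never delayed.

```python
"""Simulation of the two-step plan: a local cache of positive DNSBL hits
(cleared on a schedule) in front of the blacklist, then greylisting keyed on a
second, more aggressive DNSBL.  Example code, not part of the original post;
the IPs and DNSBL contents below are constructed test data."""


class FakeClock:
    """Controllable clock so the scenario runs instantly and deterministically."""
    def __init__(self, start=0.0):
        self.t = start

    def time(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class CachedDnsbl:
    """Step 1: remember positive answers locally for `ttl` seconds so a host
    hammering the server triggers one upstream query instead of hundreds.
    Only positives are cached; negatives still go upstream every time, which
    matches the post (the local list is a blacklist, not a general cache)."""
    def __init__(self, lookup, ttl, clock):
        self.lookup = lookup        # callable(ip) -> bool, stands in for the DNS query
        self.ttl = ttl
        self.clock = clock
        self.local = {}             # ip -> expiry timestamp
        self.upstream_queries = 0

    def is_listed(self, ip):
        now = self.clock.time()
        expiry = self.local.get(ip)
        if expiry is not None and now < expiry:
            return True             # served from the local blacklist, no upstream query
        self.upstream_queries += 1
        if self.lookup(ip):
            self.local[ip] = now + self.ttl
            return True
        return False

    def purge_expired(self):
        """The cron job from the post: drop entries whose TTL has elapsed."""
        now = self.clock.time()
        self.local = {ip: exp for ip, exp in self.local.items() if now < exp}


class Greylist:
    """Step 2: 451 on the first contact from an IP, accept once `delay`
    seconds have passed since that first contact."""
    def __init__(self, delay, clock):
        self.delay = delay
        self.clock = clock
        self.first_seen = {}        # ip -> timestamp of first contact

    def check(self, ip):
        now = self.clock.time()
        first = self.first_seen.setdefault(ip, now)
        return now - first >= self.delay


def decide(ip, blacklist, greylist, greylist_trigger):
    """SMTP reply code for a connection: blacklist first (550), then greylist
    (451) only for IPs the second, aggressive DNSBL flags, otherwise 250."""
    if blacklist.is_listed(ip):
        return 550
    if greylist_trigger(ip) and not greylist.check(ip):
        return 451
    return 250


def run_scenario():
    """Drive the scenario from the post and return the observable results."""
    clock = FakeClock()
    spamhaus = {"198.51.100.7"}                # constructed: infected dynamic host
    sorbs = {"198.51.100.7", "203.0.113.5"}    # constructed: also lists a webmail relay
    blacklist = CachedDnsbl(lambda ip: ip in spamhaus, ttl=3600, clock=clock)
    greylist = Greylist(delay=300, clock=clock)
    trigger = lambda ip: ip in sorbs

    # 100 connections in one minute from the infected host: one upstream query
    infected = []
    for _ in range(100):
        infected.append(decide("198.51.100.7", blacklist, greylist, trigger))
        clock.advance(0.6)
    queries_after_burst = blacklist.upstream_queries

    # relay listed only by the aggressive DNSBL: delayed once, accepted on retry
    relay_first = decide("203.0.113.5", blacklist, greylist, trigger)
    clock.advance(300)
    relay_retry = decide("203.0.113.5", blacklist, greylist, trigger)

    # clean host is never delayed
    clean = decide("192.0.2.10", blacklist, greylist, trigger)

    # after the TTL the cron purge empties the cache; the next hit re-queries
    clock.advance(3600)
    blacklist.purge_expired()
    purged = "198.51.100.7" not in blacklist.local
    after_purge = decide("198.51.100.7", blacklist, greylist, trigger)

    return {
        "infected_codes": set(infected),
        "queries_after_burst": queries_after_burst,
        "relay_first": relay_first,
        "relay_retry": relay_retry,
        "clean": clean,
        "purged": purged,
        "after_purge": after_purge,
        "queries_total": blacklist.upstream_queries,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The TTL on cached positives is what keeps step 1 from turning a transient listing into a permanent local block; shortening it trades more upstream queries for faster recovery once an address is delisted.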