I finally gave in last night and switched my spam proxy to using the SORBS DUL DNSRBL (also their web and http RBLs). This means that you can't send mail to me from a dynamic IP, or an open web proxy.
Why? Most of my spam comes from hosts listed in those RBLs, and none of my legitimate mail. And I'm doing SMTP-time rejects based on spamassassin scores, and spamassassin chews CPU time like there's no tomorrow. I'd already added a DNS whitelist (white.dnsl.dis.org.nz) which listed the people I[*] usually got mail from, and I hacked qpsmtpd's spamassassin plugin to ignore mail that had been whitelisted. But spam still chews CPU, and it seems to come in waves.
So far, no one has complained (but it has only been 12 hours or so). But the spam proxy's load average seems to be hitting 10 much less often, which can only be a good thing.
Oh. And qpsmtpd is wonderful. It's a perl SMTP proxy designed to sit in front of your ordinary MTA. It's amazingly easy to write plugins for. You should all use it.
[*] Well, mail to me, or to tepidmail users, or to lists.dis.org.nz.
update: or to *.interface.org.nz. Which seems to have unhappified some people whose TCL cable modems are listed in the SORBS DUL despite their IPs being static. But that's what the whitelist is for.
Comments:
I COMPLAIN!
SORBS includes 203.97.212.0/22 - a perfectly good, statically assigned TelstraClear cable range which I happen to be on. Their delisting form makes it clear that they will only listen to TC asking for it to be removed, not me (unless I get my PTR record changed, in which case they might make an exception for my particular host). I don't want to live on the phone to TC for the next day or three, so I'd rather not try myself to get them to jump through the appropriate hoops.
lorne: I don't check SPF at all.
Chris: sorted. But grumble.
Do you check SPF before or after SORBS?