
On Sun, 1 Jun 2025, John R. Levine via NANOG wrote:

> On Sun, 1 Jun 2025, John Curran wrote:
>> Out of curiosity, is there a reasonably clear document somewhere that describes how such network-level block lists should be operated from the view of network operators; i.e., a “best practice” statement ...
>
> Sort of. See RFC 6471, Overview of Best Email DNS-Based List (DNSBL) Operational Practices.
>
> Running a useful blocklist is very hard. Everyone who's listed insists that it's a mistake.

It doesn't have to be "very hard". It all depends on what the DNSBL's listing criteria are. With clear cut criteria that can be detected via code and automation, I demonstrated it can be done by one person in their spare time. Are there still cartoony threats of legal action or physical violence? Sure. Fortunately, none followed through with me. I did get some of what I'd call "indirect help"...people offering bits of code to help with the automation, software [rbldnsd] that coincidentally became available just when I needed it because bind was not scaling well, but nobody else had the access and familiarity with the systems to directly help run the thing.

BTW...I don't know if it was a one-off or a new tactic, but on the topic of "the really big mailers" apparently not caring about their outbound spam problem[1], about a week ago, I saw a spam campaign being sent by setting up a Yahoo account to forward to an address hosted by Microsoft which acted as "the mailing list". The spammer would send a message to the Yahoo address, which would forward to Microsoft, and then Microsoft would explode it to all the recipients.

Curious, I tried testing re-use of their system, and found that by the time I did that, the address (not the domain) hosted at Microsoft had been deleted. I don't know if this was done by the spammer as soon as they had sent their spam (that's my hunch), or by MSFT abuse. The Yahoo account was still there, and the forwarding to the account at MSFT was still in place.

[1] I'd like to assume the big mailers (i.e. Yahoo, Microsoft, Google, etc.) are actively fighting their systems being abused by spammers, but these efforts are underfunded, understaffed, and whatever % we see leaking gives us the false impression they're not even trying.

----------------------------------------------------------------------
 Jon Lewis, MCP :)              |  I route
 Blue Stream Fiber, Sr. Neteng  |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________