On Feb 4, 2007, at 2:49 PM, Jon Lewis wrote:
On Mon, 5 Feb 2007, Simon Lyall wrote:
On Thu, 1 Feb 2007, Jay Hennigan wrote:
Set up a nameserver there. Configure it to return 127.0.0.2 (or whatever the old MAPS reply for "spam" was) to all queries. Let it run for a week. See if anything changes in terms of it getting hammered.
Well I've seen some RBLs do this with about 2 days notice. Perhaps a special value could be defined ( 127.255.255.255 ? ) to tell users that the DNSBL is no longer in operation and shouldn't be used, standard software can then raise an error or whatever.
That doesn't help get the old/unwatched installations to stop sending queries. It's been established that regardless of what you return, those installations will continue querying the dead BL.
Sure, but if we could all agree that 127.255.255.255 (or something) means that the BL has been shutdown then in the future this sort of issue could be mitigated. If software were written so that receiving this would drop the BL from the list, then you would only get one query each time the software starts up -- even better would be that this response removes (or comments out) the blacklist from the config file so that it doesn't come back after a restart.... Yes, this doesn't fix Paul's problem (or anyone who setup a blacklist before this is standardized) and there is no way to enforce this, but it is bunch better than not doing anything...
That's why I think your best/only option is to attempt to misdirect them by pointing NS at . or unreachable space...effectively giving them someplace harmless to send their queries or to fail them without even having to send them.
Killing the parent domain is an option too, but that only pushes the problem onto someone else's plate (the TLD servers).
---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
W -- With Feudalism, it's your Count that votes.