On Sun, 9 Mar 2003, Jack Bates wrote:
> made. Instead of contacting 3-5 DNSBLs, one must contact every ISP that happened to do a scan during the outage period. Centralizing scanning for security issues is a good thing in every way. It is the responsible thing to do.
This, IMO, is where the real headache lies. If every provider (or just every large provider) has their own private DNSBL, and worse, doesn't do much to document how it works... i.e. how to check if IPs are in it, how to get IPs out of it, then it becomes a major PITA to deal with these providers when one of your servers gets into their list. I've personally dealt with this several times over the past couple of years with Earthlink and more recently with AOL. In each case, there was no way (other than 5xx errors or even connections refused) to tell an IP was listed. In each case, there was no documented procedure for getting delisted. In AOL's case, they couldn't even tell us why our mail was being rejected or our connections to their MXs blocked, and I had to wait a week for their postmaster dept. to get to my ticket and return my call to fill me in on what was going on.
> networks are issuing their own relay and proxy checks. At this rate, in a few years, we'll see more damage done to server resources by scanners than we do from spam and those who would exploit such vulnerabilities.
I doubt that's possible. If an average-sized ISP mail server receives messages from, say, a few thousand unique IPs/day, and if that ISP wanted to test every one of those IPs (with some sane frequency limiting of no more than once per X days/weeks/months), then it doesn't take long at all to get through the list. Suppose every one of those servers decided to test you back. Now you're looking at a few thousand tests/day (really a fraction of that if they do any frequency limiting). I've got servers that each reject several hundred thousand (sometimes >1 million) messages/day using a single DNSBL.

Also, I suspect consensus on a central authority and testing methods is highly unlikely. People can't agree on "what is spam?" or how to deal with providers who turn a blind eye to spammer customers (SPEWS). How will a single central DNSBL bring all these people with opposing views together? Two obvious reasons for the existence of dozens of DNSBLs are:

1) not agreeing with the policies of existing ones... thus you start your own
2) not trusting existing ones (not being willing to give up control over what you block to some 3rd party), so you start your own

I suspect AOL and Earthlink run their own DNSBLs primarily for the second reason. How would you convince them to trust and give up control to a central authority? Even if IANA were to create or bless some existing DNSBL and decree that all IP address holders will submit to testing or have their space revoked (yeah, that'll happen), there would still be those who weren't happy with the central DNSBL, thus creating demand for additional ones.
> network. These arguments would be diminished if an authoritative body handled it in a proper manner. At what point do we as a community decide that something needs to be done? Would it not be better to have a single test suite run against a server once every six months than the constant bombardment we see now?
Parts of the community have already decided and have helped to create central quasi-authoritative DNSBLs. If nobody uses a DNSBL, who cares what's in it? If a sufficient number of systems use a DNSBL, that creates authority.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
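The complaint above is that a private DNSBL gives you no documented way to check whether one of your IPs is listed. For a DNSBL that does follow the published convention (RFC 5782: octets reversed, appended to the zone, listed addresses answered with A records in 127.0.0.0/8, NXDOMAIN otherwise), the check is a plain DNS lookup. The following is an added example, not code from this thread or from any of the providers named in it; it builds the query name, classifies the answer, and runs the RFC 5782 zone sanity check (127.0.0.2 must be listed, 127.0.0.1 must not) before the zone's answers are trusted. The zone name `dnsbl.example.invalid` and the answer table are constructed placeholders so the demo runs offline; swap in the system resolver and a real zone whose policy you have read to check your own address space.

```python
import socket
from ipaddress import IPv4Address

# Placeholder zone for illustration; a real DNSBL publishes its own zone name
# and a document explaining what each 127.0.0.x return code means.
EXAMPLE_ZONE = "dnsbl.example.invalid"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name for a DNSBL lookup: octets reversed, zone appended.

    e.g. 192.0.2.10 in dnsbl.example.invalid -> 10.2.0.192.dnsbl.example.invalid
    """
    octets = str(IPv4Address(ip)).split(".")  # IPv4Address rejects malformed input
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> list:
    """Resolve A records with the system resolver; [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_listing(ip: str, zone: str, resolver=system_resolver) -> dict:
    """Look up one IP in one DNSBL and return a structured verdict.

    A listed address comes back as one or more A records in 127.0.0.0/8 (the low
    octets encode the reason); an unlisted address yields NXDOMAIN (empty list).
    Any answer outside 127/8 points at a broken, hijacked or parked zone and is
    reported separately rather than counted as a listing.
    """
    qname = dnsbl_query_name(ip, zone)
    answers = resolver(qname)
    codes = [a for a in answers if a.startswith("127.")]
    bogus = [a for a in answers if not a.startswith("127.")]
    return {
        "ip": ip,
        "zone": zone,
        "query": qname,
        "listed": bool(codes),
        "codes": sorted(codes),
        "bogus_answers": sorted(bogus),
    }


def zone_health(zone: str, resolver=system_resolver) -> dict:
    """Sanity-check a DNSBL zone before trusting its answers.

    RFC 5782 asks every DNSBL to list 127.0.0.2 as a permanent test entry and
    never to list 127.0.0.1. A zone failing either check is dead, wildcarded,
    or switched off by its operator, and belongs out of the mail server's
    configuration rather than left to reject (or pass) everything.
    """
    test_listed = check_listing("127.0.0.2", zone, resolver)["listed"]
    loopback_listed = check_listing("127.0.0.1", zone, resolver)["listed"]
    return {
        "zone": zone,
        "test_entry_present": test_listed,
        "loopback_clean": not loopback_listed,
        "usable": test_listed and not loopback_listed,
    }


# Constructed answer table standing in for a live DNSBL so the demo runs offline.
FAKE_ZONE_DATA = {
    "2.0.0.127." + EXAMPLE_ZONE: ["127.0.0.2"],                # RFC 5782 test entry
    "10.2.0.192." + EXAMPLE_ZONE: ["127.0.0.2", "127.0.0.4"],  # listed for two reasons
}


def fake_resolver(name: str) -> list:
    """Offline stand-in for system_resolver backed by FAKE_ZONE_DATA."""
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    print(zone_health(EXAMPLE_ZONE, fake_resolver))
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(check_listing(ip, EXAMPLE_ZONE, fake_resolver))
```

Running `zone_health` first matters in practice: a zone whose operator has shut it down by wildcarding every name to 127.0.0.2 would otherwise make the server reject all mail, which is exactly the silent-failure mode the thread complains about, only self-inflicted.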