I'm gonna post this back publicly because it will be of interest to all (I hope)... Jasper van Beusekom wrote:
Mat:
No one is exempt from listing in SORBS, but proven whitehats don't get blocked.
Do you have many such contacts?
I have a few (less than 50)
Would it be something to create a DNSBL list for known whitehats and sites with functioning abuse teams? Such a whitelist could be a partial implementation of a 'trusted network' principle.
I am *currently* creating an extension to SORBS which will allow ISPs to register as whitehats along with their mailservers and netblocks, and a fast response email address. The idea being if a mailserver is about to be listed they will get 24 hours warning to avert the listing. If addresses within their netblocks get listed they will get notification mails, and the host is listed immediately.
A similar project runs under the DNSBL domain: nlwhitelist.dnsbl.bit.nl
Usenet reference unfortunately in Dutch: 3f81483c$1@inaja.bit.nl
Basically, respectable ISPs with active abuse desks can request to get listed, and will be removed when complaints start coming in.
Whitelists wouldn't attract the same kind of DDoS activities either.
I think I'll still be a DDoS target though ;-/ Yours Mat
While on the subject of dnsbls, I would like to bounce an idea off the list. I would like to find out if there is anything in existence like this and if there would be interest in an implementation. I must admit that I have not checked every single dnsbl, but as far as I could tell, there doesn't seem to be any that work the way I am going to describe. If there are, I would like to find out.

Consider a dnsbl that provides delegation-only information as to the nameservers which contain the zones of IP addresses of non-mail-sending hosts. Basically like a dialup or dynamic IP dnsbl, but it would hopefully be more accurate and complete since the management of the zone would be delegated to the ISP. ISPs would register their networks and authenticate via ARIN/RIR contact email. The nameserver could be mapped to the same as the in-addr.arpa or maybe allow the addresses to be specified.

What would the drawbacks be? Well, you wouldn't be able to do a zone transfer of the actual data. Of course, the DNS servers would probably be the same ones you are checking for the PTR records and other info, so if there is a problem with them you may reject/defer the mail anyway. I would be interested to hear if anyone can think of any drawbacks or security implications.

I should also mention that it would be possible (assuming the proper coordination) to just define a zone 'in-dnsbl.arpa' for argument's sake, and delegate the networks to the existing 'in-addr.arpa' servers (maybe via some fancy zone name mapping option in the DNS server). This would mean there is no central authority to attack (other than the 'in-addr.arpa' servers). The drawback would be lots of unwanted traffic to nameservers that never configured the zones. That is why I prefer the registration method.

+--------------------------------------------------------------------------+
| Michael Moscovitch                                  CiteNet Telecom Inc. |
| michaelm@citenet.net                                Tel: (514) 861-5050  |
+--------------------------------------------------------------------------+
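To make the delegation-only dnsbl idea above concrete, here is a small added sketch (not code from either poster) of how a client would form its query name and which nameservers it would be sent to under the registration model. The netblocks, nameserver names and the 'in-dnsbl.arpa' zone are constructed placeholders; the "unregistered range answers centrally with no listing" behaviour is my assumption about how the registration variant would avoid the unwanted-traffic drawback.

```python
import ipaddress

# Constructed example data: ISPs that registered netblocks (authenticated via
# RIR contact mail, per the post) and the nameservers delegation points at.
REGISTERED_NETBLOCKS = {
    ipaddress.ip_network("192.0.2.0/24"): ["ns1.example-isp.invalid"],
    ipaddress.ip_network("198.51.100.0/22"): ["ns.example-rir-verified.invalid"],
    # A more specific registration inside the /22, to show longest-prefix wins.
    ipaddress.ip_network("198.51.100.0/24"): ["ns-sub.example-isp.invalid"],
}
DNSBL_ZONE = "in-dnsbl.arpa"  # hypothetical zone name from the post


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets exactly as in-addr.arpa does: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def delegation_for(ip, table=REGISTERED_NETBLOCKS):
    """Longest-prefix match over registered netblocks; None if no ISP registered the range."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return best, table[best]


def in_addr_delegation_name(ip):
    """The alternative in the post: point the /24 at the existing in-addr.arpa servers."""
    o = str(ipaddress.ip_address(ip)).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def lookup_plan(ip):
    """Where a dnsbl client's query ends up under the registration model."""
    qname = dnsbl_query_name(ip)
    deleg = delegation_for(ip)
    if deleg is None:
        # Assumption: unregistered ranges are answered by the central zone as
        # "not listed", so nameservers that never configured the zone get no traffic.
        return {"qname": qname, "ask": [], "answer": "NXDOMAIN (central zone)"}
    net, nameservers = deleg
    return {"qname": qname, "ask": nameservers, "delegated_zone": str(net)}
```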