I have been asked to find out what DNSBLs are in use so my employer can see what the incidence of its being blacklisted is and how much impact this is likely to have had on their business.

What DNSBLs are being used by the various agencies represented on NANOG and how much weighting do you give them? Are there any DNSBLs you would completely ignore due to data quality issues?

Thanks

Paul
Does this mean that your employer is a spam operator?

T

----- Original Message -----
From: "Paul S. Brown" <pol@geekstuff.co.uk>
To: <nanog@merit.edu>
Sent: Thursday, November 20, 2003 7:16 AM
Subject: RBLs in use

I have been asked to find out what DNSBLs are in use so my employer can see what the incidence of its being blacklisted is and how much impact this is likely to have had on their business.
What DNSBLs are being used by the various agencies represented on NANOG and how much weighting do you give them? Are there any DNSBLs you would completely ignore due to data quality issues?
Thanks
Paul
Nope,

Just an ISP with normal ISP type operational spam problems. I'm trying to quantify how often we actually appear on RBL, but I want to get some idea of how much credence to give to appearing on any given list.

For example something like the old Dorkslayers lists should be ignored because they would blacklist you if you sneezed at the wrong time, however MAPS is probably a good list.

P.

On Thursday 20 November 2003 3:33 pm, todd glassey wrote:
Does this mean that your employer is a spam operator?
T

----- Original Message -----
From: "Paul S. Brown" <pol@geekstuff.co.uk>
To: <nanog@merit.edu>
Sent: Thursday, November 20, 2003 7:16 AM
Subject: RBLs in use

I have been asked to find out what DNSBLs are in use so my employer can see what the incidence of its being blacklisted is and how much impact this is likely to have had on their business.
What DNSBLs are being used by the various agencies represented on NANOG and how much weighting do you give them? Are there any DNSBLs you would completely ignore due to data quality issues?
Thanks
Paul
Paul S. Brown writes on 11/20/2003 10:51 AM:
For example something like the old Dorkslayers lists should be ignored because they would blacklist you if you sneezed at the wrong time, however MAPS is probably a good list.
You need a fairly wide coverage of BLs.

# Open proxies - http://opm.blitzed.org and http://proxies.blackholes.easynet.nl
# Open relays - http://www.ordb.org
# Dialup and DSL/cable dynamic IPs - http://dynablock.easynet.nl
# Current spam sources - http://cbl.abuseat.org [strongly recommended]
# Direct spam sources - SBL (http://www.spamhaus.org) and possibly spews.org as well, though spews tends to produce a lot of collateral damage by design. SBL is a lot more surgical.

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Suresh Ramasubramanian wrote:
You need a fairly wide coverage of BLs.
# Open proxies - http://opm.blitzed.org and http://proxies.blackholes.easynet.nl
I would add the SORBS http and SORBS socks lists to this.
# Open relays - http://www.ordb.org
I'd add VISI to that too.
# Dialup and DSL/cable dynamic IPs - http://dynablock.easynet.nl
# Current spam sources - http://cbl.abuseat.org [strongly recommended]
CBL tends to list only open proxies and spam trojans, but there's a few "classic viri emitters" (ie: Yaha) and a _very_ small number of "grossly misconfigured mail servers" in it too. All of which you want to know about anyway.

What you can do is do zone downloads of the open relay/proxy/CBL lists above and correlate them to your own netblocks. _Very_ helpful in finding compromised systems.

With dynablock, you may want to audit it for accuracy against your IP allocations. They're responsive to update requests.

SBL/SPEWS identifies your spammers. But as Suresh says, be careful to interpret the SPEWS listings correctly, so you nail the spammer, not the collateral damage.

There are a lot more DNSBLs, but the above ones are the most respected, important and useful for your purposes. XBL & Spambag, for example, are too rabid to worry about. Anybody who uses them gets what they deserve.
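The correlation described in the message above (zone downloads matched against your own netblocks), as an added example that is not part of the original thread. It assumes a plain one-entry-per-line dump (IP or CIDR, optional trailing text, `#` comments), since real list download formats vary; the list names, netblocks and entries are constructed and use documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation ranges and hypothetical list names.
OWN_NETBLOCKS = ["192.0.2.0/24", "198.51.100.0/25"]
ZONE_DUMPS = {
    "proxy-list": "# constructed sample\n192.0.2.17\n203.0.113.5\n198.51.100.200\n",
    "relay-list": "192.0.2.17  relay test 2003-11-18\n198.51.100.64/30\nnot-an-address\n",
}

def parse_zone(text):
    """Yield networks from a one-entry-per-line dump (assumed format)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # First token is the IP or CIDR; trailing text is ignored.
            yield ipaddress.ip_network(line.split()[0], strict=False)
        except ValueError:
            continue  # skip malformed entries rather than abort the run

def correlate(own_blocks, zone_dumps):
    """Map each listed entry that touches our space to the lists naming it."""
    own = [ipaddress.ip_network(b) for b in own_blocks]
    hits = defaultdict(set)
    for list_name, text in zone_dumps.items():
        for entry in parse_zone(text):
            # overlaps() also catches a wide listing that covers a whole block.
            if any(entry.version == b.version and entry.overlaps(b) for b in own):
                hits[str(entry)].add(list_name)
    return {entry: sorted(names) for entry, names in hits.items()}

def triage(hits):
    """Entries on the most lists first: likeliest compromised hosts."""
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    for entry, names in triage(correlate(OWN_NETBLOCKS, ZONE_DUMPS)):
        print(f"{entry:20} {', '.join(names)}")
```

An address that appears on both a proxy list and a relay list sorts to the top, which is where a check for a compromised host would start.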
and then there's the granddaddy of them all, MAPS. see www.mail-abuse.org.
--
Paul Vixie
On 11/20/2003 at 10:51 AM, "Paul S. Brown" <pol@geekstuff.co.uk> wrote:
Nope,
Just an ISP with normal ISP type operational spam problems. I'm trying to quantify how often we actually appear on RBL, but I want to get some idea of how much credence to give to appearing on any given list.
For example something like the old Dorkslayers lists should be ignored because they would blacklist you if you sneezed at the wrong time, however MAPS is probably a good list.
P.
Based on what you said in http://groups.google.com/groups?selm=bneav9%2410frig%241%40ID-169718.news.uni-berlin.de&oe=UTF-8&output=gplain you appear to be working for BT (British Telecom).

BT have (quite rightly) been repeatedly blocked by DNSBLs and private lists as a result of their poor record in handling abuse incidents (whether that's by intent or negligence by way of a colossal management failure is another debate entirely).

Are you looking to apply leverage internally to arrange for that situation to change, or are you (perhaps) attempting to gather information which your employer can use to harass or pursue DNSBL maintainers or other spam foes in some way?"

I have several individuals privately voicing this suspicion to me, along with other wild suspicions, like: has BT hired Mark E. "Felonstein" Felstein to provide legal advice based on his impeccable experience gained in the E-Marketers of America vs. SPEWS et.al. case? (http://www.spamhaus.org/legal/index.html)

bye,Kai
I run the Abusive Hosts Blocking List (http://www.ahbl.org). We list everything from spam sources, to spam supporters, open proxies, open relays, drones, etc.

It's in use on all of the mail servers I help administrate (which includes several Fortune 500 companies, half a dozen regional ISPs, and several .edu sites), plus SpamHaus, SpamCop BL, SORBS, EasyNet, and several others, which help balance out protection.

A good list of all known ones is up at: http://www.declude.com/junkmail/support/ip4r.htm

The only DNSbl which you really should avoid like the plague is the XBL (which I believe is gone at this point).

In the various places where I've gotten a look at their spam protection, SpamHaus is very popular, as is SpamCop's BL.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The AHBL - http://www.ahbl.org

----- Original Message -----
From: "Paul S. Brown" <pol@geekstuff.co.uk>
To: <nanog@merit.edu>
Sent: Thursday, November 20, 2003 10:16 AM
Subject: RBLs in use

I have been asked to find out what DNSBLs are in use so my employer can see what the incidence of its being blacklisted is and how much impact this is likely to have had on their business.
What DNSBLs are being used by the various agencies represented on NANOG and how much weighting do you give them? Are there any DNSBLs you would completely ignore due to data quality issues?
Thanks
Paul
Brian Bruns wrote:
I run the Abusive Hosts Blocking List (http://www.ahbl.org). We list everything from spam sources, to spam supporters, open proxies, open relays, drones, etc.
It's in use on all of the mail servers I help administrate (which includes several Fortune 500 companies, half a dozen regional ISPs, and several .edu sites), plus SpamHaus, SpamCop BL, SORBS, EasyNet, and several others, which help balance out protection.
Like what .edu's and Fortune 500 companies?

-davidu

----------------------------------------------------
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------
participants (8)
- Brian Bruns
- Chris Lewis
- David A. Ulevitch
- Kai Schlichting
- Paul S. Brown
- Paul Vixie
- Suresh Ramasubramanian
- todd glassey