Choosing a Good DNSBL
stry_cat submitted a story about selecting a good DNSBL. It talks about some of the problems with DNS blacklists and the sorts of things that you should be looking for. Things like Speed, Selection Criteria, and Goals make the list. And of course not requiring payment to be removed from the blacklist.
Al Iverson is your FRIEND. (Score:5, Informative)
Or, for commentary:
http://www.dnsbl.com/ [dnsbl.com]
Absolutely the best resource on the topic.
These work well for me (Score:3, Informative)
Greylisting kills a lot of stuff too.
Re: (Score:2)
Re: (Score:2)
Just pay for a smarthost instead.
Re: (Score:2)
I use IMAPS too so that I can easily wander around
Re: (Score:2)
Re: (Score:2)
Keep in mind that recipients are under no obligation to accept your email. If I can't distinguish between your email and stuff sent by zombies at the SMTP envelope, you fall into the same category. The only trustworthy factor in that decision is the IP address of the SMTP client.
If you aren't willing to pay for the privilege of communicating with my mailfarm, feel free to send mail by registered post.
Spamhaus and Spamcop (Score:2)
DNSBL for comment spammers? (Score:5, Interesting)
This seems like as good a place to ask as any. Can mostly email-based DNSBLs be used to try and block comment spammers? I'd love to reduce the load I get from comment spammers trying to spam my website.
I've been contemplating using an existing DNSBL, but all the well-known ones are focused on email spam. I expect that comment spambots and email spambots mostly overlap, but I'm not sure how effective such a measure would be.
Re: (Score:2)
I have yet to have anybody add code to their spam engine to incorporate a javascript interpreter. They just move on to the next target. Even clicking a checkbox with javascript has been enough.
Re: (Score:2)
I've added code that is essentially my own version of the "lameness filter." This has been enough to stop almost all the spammers. It may annoy some legitimate posters, but it works, and legit posters can still post (unless they want to post about Levitra, Cialis, or Viagra). It doesn't require JavaScript, which is a plus, since as a NoScript user I would be kind of annoyed if it did. (And, yes, I'm pretty sure I never whitelisted my own domain.)
But I'd still like to block spammers before I get to the poi
Re: (Score:2)
Re: (Score:2)
And yeah, the javascript trick works well. I call it the 'browser turing test'. It's like a captcha for your browser to fill in, metaphorically speaking.
But I've even seen that damn thing work well.
Of course Akismet is the web spam filter that always works the best for me.
Re:DNSBL for comment spammers? (Score:5, Informative)
Project Honey Pot's Http:BL (Score:2)
What Is http:BL [bl]?
Http:BL is a system that allows website administrators to take advantage of the data generated by Project Honey Pot in order to keep suspicious and malicious web robots off their sites. Project Honey Pot tracks harvesters, comment spammers, and other suspicious visitors to websites. Http:BL makes this data available to any member of Project Honey Pot in an easy and efficient way.
There are plugins for WordPress, phpBB, and many others. Use http://www.projecthoneypot.org?rf=32167 [projecthoneypot.org] if you want to give me some credit when you register. Or not, whatever.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Requiring payment for delisting (Score:5, Informative)
Doing a Google search for information about this lot brought up so many horror stories that I can't fathom how so many people ended up using their "service". It got to the stage where if we had a customer having trouble with SORBS blocking their mail, the only advice we could give was to contact their recipient via other means and ask them to stop using these thugs to filter mail.
Re: (Score:3, Interesting)
Just say NO to SORBS!
Re: (Score:2, Interesting)
Re: (Score:2)
We noticed. We were using their dynamic ip range list so we started noticing it pretty quickly.
As for the extortion fee for getting off their list, we never had to pay it. We would explain the problem, note that we took steps to correct the issue, and they'd remove us with no fee. On one occasion where it really was our fault for fat fingering something and they really wanted to charge us the extortion fee, we just whimpered and cried and bowed and scraped a little bit and they took us off anyway wit
Re: (Score:3, Insightful)
Which stinks to high heaven. I wish Matthew Sullivan wouldn't do that.
There are many reasons someone who is not an actual wrongdoer could become listed as a spam source. I have little doubt the parent's organization was such a spam source and did not properly address the issue. They deserved it.
It's not what problems you ha
Re: (Score:3, Interesting)
And what are you basing this belief on?
As long as a site addresses the spam problem and gets results, reads their abuse mail and acts like a good net neighbor I have no problems with them. They should be delisted as soon as possible.
Right. I work for a big webhost, which is blacklisted by SORBS from time to time. The problem is that they do not send abuse reports. (I handle abuse
Re: (Score:2)
That is wrong, then. They should send abuse reports.
Are you sure there are no abuse reports?
It's unlikely they would be *From: SORBS*.
They might be anonymous, like the ones SPEWS rep
Re: (Score:1)
Re: (Score:3, Insightful)
ISPs have customers, customers who want their mail to go through. Customers like you. If an ISP has lax abuse policies (or no abuse policies, or is a willing spam host) and you are a legitimate customer of that ISP, your mail may be blocked with the other legitimate customers of the ISP.
You are not being listed, your ISP is.
The DNSBL hopes you will call your ISP, and as a valuable customer demand they cure their spam problem
Re: (Score:2)
It makes perfect sense, doesn't it?
The problem I have
Re: (Score:2)
I never said *100%* of the people that might find themselves blacklisted deserved to be there, but different blacklists have different goals. Some, like CBL are purely for
Re: (Score:2)
A girl who works for a company that I support has never engaged in spamming in any way. Their corporate network is secure. Their mail is hosted by some company. They don't know the details, but their email usually "just works"
She tries to send an email to a prospective client, and it gets bounced due to SORBS
She calls her boss
Her boss calls me, the company consultant.
Cha
Re: (Score:2)
Especially when the ISP is also the colo provider. Which is usually the case. Nobody is going to move their servers to a new data center without a lot of motivation. Like a meteor headed towards the old data center.
I'm amazed that we're still talking about black lists at this late date. On top of all the nonsense with punishing innocent folks, screwing up legitimate email, increasing user costs, and accusations of extortion, there's one little detail everyo
Re: (Score:2)
Webhost: "How big did you say this meteor is?... Oh, that big. Hmmm. I see... Is it going to take out the whole datacenter, or just part of it?... Ah. Ok... What kind of downtime are we talking about here?...
Re: (Score:2)
Nowhere in my post did I say anything about not knowing the owner of the address block. I knew who it was in the first 5 minutes. Of course, since SORBS runs the blacklist, they were my first point of contact. At the time, I didn't know how unreasonable their policies were. From there, I assume you are actually suggesting that I call up Qwest
Re: (Score:2)
So why the cock-and-bull story about how it took so long to track down the netblock owner responsible? You were just racking up billable hours, weren't you?
If your customer was listed on one of the actual spam blacklists, the problem should have been lower in the hierarchy. I'm guessing your customer got on the DUHL. Well, guess what, that could have been prevented. I have two words for you: due diligence. It's not as if Qwest has a spotless reputation when it comes to spam.
Now, it may not have been you t
Re: (Score:2)
It sounds like your real problem here is that you don't feel my services are worth the money my boss charges for them. I, by the way, don't make anywhere near $
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It's pretty much counterproductive, listing people who are innocent, out of spite.
You just get false positives that way. The way a DNSBL becomes "influential" is by getting people to use it. If no one uses a DNSBL because it interferes with legitimate
Re: (Score:2)
I bet he incurs even more liability by having an apparent financial interest. By the way, has anyone ever told you that overuse of boldface is really annoying?
Re: (Score:2)
You may choose one more to your liking, as described here [sorbs.net]
I believe the best is to pick "safe" things like open relays, ADSL IPs and only the recently added hosts.
Yeah, I'm aware of all the horror histories on SORBS, but you know what? We maintain a public university mail server, the e-mail addresses are readily available everywhere (also, the users don't help either) AND we have a severe lack of techni
Re: (Score:2)
and since we refused to hand over extortion money to these gangsters, there was no way for us to deal with them
Extortion is a good word for it, but I'd say protection racketeering [wikipedia.org] is a better one.
-1, Bullshit (Score:2)
I see the spammers are out in force today, to see this modded up to +5.
SORBS does not ask for donations for a mere delisting. All you have to do is submit a request to their automated request system, and you will be delisted. I have actually done this for a customer of ours who got a false positive listing. 48 hours later, listing gone, and most of that was propagation delay.
Mart
Re: (Score:2)
Local Whitelisting! (Score:5, Informative)
Unrelated to the above, I would also recommend looking at ironport systems if this is a commercial project with a decent sized budget. (I am not affiliated, just a happy customer).
Re: (Score:2)
:wes
There is no such thing as a good DNSBL (Score:4, Insightful)
Re: (Score:3, Interesting)
The fact is, without DNSBLs, the headaches would be worse. LOTS worse. Centralized blocking gives you some kind of theoretical hope of getting unblocked once you've fixed the problem. Decentralized blocking leaves you no chance at all. Furthermore, without tools like DNSBLs, administrators would be far too busy to even get to the point where they could have these headaches.
I'd rather live in a world with a number of rea
Re: (Score:2)
Re: (Score:2)
No, that's not right.
It's at least three or four orders of magnitude more efficient.
DNSBLs to feed other tools (Score:3, Informative)
Re: (Score:2)
Bollocks. I used to run email for a university with around 50,000 students (and around 500,000 deliverable email addresses - don't ask). We had one issue during 2 years which was a local college had got itself listed in one of the spamcop zones, because it had turned into a spam relay. So the DNSBL was working as desired. We whitelisted them as they had fixed the problem, but the listing expired around the same time anyway.
During that period we were dumping about 50% of inbound mail thanks to DNSBLs, with
Re: (Score:2)
We work with lots of customers who absolutely rely on e-mail for business correspondence: occasionally they are unwittingly listed in some RBL and removing them is a pain in the ass. Who made Joe of JOESCRAPPYDNSBL God, telling our customers' customers not to receive e-mail from them?
Unfortunately there are a lot of very bad examples of DNSBLs, and there are a lot of very bad examples of e-mail admins out there - putting the two together just causes
NEVER use a DNSBL as an absolute block (Score:3, Insightful)
Spammers can get around blacklists anyways. They're about as effective as locking a door made of tissue paper. The number of false positives is high. The amount of spam blocked is negligible. My suggestion is to abandon the idea altogether.
Re:NEVER use a DNSBL as an absolute block (Score:5, Insightful)
20,000,000 blocked e-mails
480,000 tagged e-mails
90,000 viruses found
135,000 quarantined messages (user choice to quarantine or not)
610,000 delivered/approved mail
To nobody's surprise, some spam is still getting through. This is in less than two weeks, and there are two servers to handle the load, the other one is more or less as bad.
So what were you saying about not using blacklists?
Re: (Score:3, Insightful)
I would so much agree that using a DNSBL as an absolute block is a bad idea. I have experienced being caught up in them, and that is annoying. Even if the mailserver is removed some days later. Later is not soon enough, I want my email to arrive now.
I would much rather suggest running some sort of SpamAssassin while the SMTP connection is still open, and if it looks like spam I would reject it. This can be parallelized if needed.
I
Re: (Score:2)
If not you could recognize the vCards by extracting the attachment and run some tool to recognize a vCard. And then allow it all through.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I have tried to send legit email to someone I had sent to before. But just because the local ISP that I sent through was in a DNSBL then I could not get my email through and I had to wait days before I could continue the emailing. That was annoying. Other times one of my customers called and complained because one of their customers ISP was in a DNSBL.
I didn't particularly set up the usage of DNSBL, I just used default postfix configuration
Re: (Score:2)
We run a 2 layer system with a cluster of St Bernard Eprism 2000 appliances and a software filter on the mailbox servers.
Right now we reject 10 million a week on RBL
Another 4.5 million in spam filters
We pass about 400,000 as legitimate mail..
Our virus rate is only 400 but the firewall is also doing AV filtering so I don't see what it's catching.
The false positive rate is very low with the Borderware RBL list the Eprism devices use..
I have more false
Re: (Score:2)
Every new Block list you add adds another DNS lookup for each message you receive.
You can configure a Linux box running RBLDNSD to sync multiple block lists and perform a single lookup against all those lists on a single query.
The down side to that is you won't know what list did the blocking but it's great for taking some load off the DNS server.
NEVER use a DNSBL as an absolute block... (Score:2, Informative)
There is a lot of truth to the OP's statements. However, unless you have the budget for a commercial spam filtering application, there are not a lot of good solutions.
Spamassassin is great for what it does, but in high volume environments, you will be throwing so much hardware, bandwidth and electricity at the problem that you'll either give up on filtering at all or break down and buy a commercial solution.
DNSBL's give you a bit of breathing room between the two extremes. Our environm
Re: (Score:2)
Rather than subjecting ourselves to
Re: (Score:2)
I prefer to
Greylist to save CPU before using DNSBLs, SpamAss (Score:2)
Re: (Score:1)
I use several DNSBLs at SMTP level, however instead of blocking any blacklisted IP they get greylisted. The majority of zombie machines never bother trying to resend the mail, so it cuts out a large amount of spam. Any blacklisted IP address which does successfully resend gets added to the whitelist so they don't have to bother with the greylist.
For our users it works perfectly. Users from non-blacklisted IPs get their mail sent immediately, those who are blacklisted get a s
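The policy described in the comment above, as an added example that is not the poster's configuration or any mail server's own code: clients listed on a DNSBL are deferred instead of rejected, and a listed client that retries after a delay is whitelisted. The zone name `dnsbl.example`, the 300-second delay, the class name `ListedGreylist` and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_lookup(name):
    """True when the name has an A record, i.e. the IP is listed.
    Any resolver failure counts as 'not listed', so a DNS outage fails open."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


class ListedGreylist:
    """Hypothetical policy object: greylist only DNSBL-listed clients."""

    def __init__(self, zones, lookup=system_lookup, min_delay=300):
        self.zones = zones          # DNSBL zones to consult (assumed names)
        self.lookup = lookup        # injectable so the policy can be tested offline
        self.min_delay = min_delay  # seconds a listed client must wait before retrying
        self.first_seen = {}        # (ip, sender, rcpt) -> time of first attempt
        self.whitelist = set()      # listed IPs that proved they retry

    def listed_in(self, ip):
        """Return the zones that list this IP."""
        return [z for z in self.zones if self.lookup(dnsbl_query_name(ip, z))]

    def decide(self, ip, sender, rcpt, now):
        """Return 'accept' or 'defer' (a 4xx temporary failure) for one RCPT."""
        if ip in self.whitelist or not self.listed_in(ip):
            return "accept"         # unlisted clients are never delayed
        key = (ip, sender, rcpt)
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.min_delay:
            # A real MTA retried after the delay: remember it and let it in.
            self.whitelist.add(ip)
            del self.first_seen[key]
            return "accept"
        return "defer"              # too early, or first attempt


if __name__ == "__main__":
    listed = {"10.2.0.192.dnsbl.example"}  # constructed sample listing
    policy = ListedGreylist(["dnsbl.example"], lookup=listed.__contains__)
    for t in (0, 60, 400):
        print(t, policy.decide("192.0.2.10", "a@example.org", "b@example.net", t))
```

In production the whitelist and first-seen table need expiry, otherwise a once-listed IP that retried stays trusted indefinitely.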
Re: (Score:2)
Thank you for your suggestion. It will be duly ignored, laughed at, or similarly ridiculed by those of us who actually run our own mail systems, or are responsible for such at work.
In my case, I'm self-hosted. Authoritative DNS for my domains, mail, web, Usenet, the w
Wrong: A good RBL is worth its weight in gold. (Score:2)
I'm responsible for a mid-sized mail system that receives an average of 10,000,000 connection requests per day. A good RBL is worth a lot to my employer.
We use Spamhaus xbl-sbl, and Trend Micro's Network Reputation Service - which is a combination of the more static RBL+ (of MAPS fame) and the highly dynamic QIL list.
Together, they drop approximately 92% of inbound connections to the SMTP server farm. This is a lot cheaper,
Re: (Score:2)
Unnecessary acronym (Score:2)
But BL for Blacklist? Nah.
This has a score of two?! (Score:5, Funny)
Allow me to introduce myself. I'm a representative of the Consortium of Common Sense. I've noticed you recently posted to an Internet-based conversation, complaining about the reduction of a nine-letter word to two letters via acronym. Your post referenced such things as numbers of syllables.
Please look at your desk now, and slam your head down as hard as you can on it. Do you feel those weird little indentations in your forehead?
THEY'RE CALLED KEYS - DID YOU NOT REALIZE THAT THINGS ARE TYPED, NOT SPOKEN, ON THE INTERNET?
Thank you. Please let us know if you have any other ridiculous complaints.
- Consortium for Common Sense
Speed, Selection Criteria and Goals make the list? (Score:2, Insightful)
It's how quickly the maintainers of this particular DNSBL respond to your request to remove your ass from the list when they choose to blacklist you.
We've multiple MTAs for a single mail domain, because when an attacker found some way to relay or bounce-back one of our MTAs and cause it to be blacklisted by major DNSBL on earth, we still have other MTAs take up the job.
Then we could spend the rest of the week to ask for removing that MTA from their DNSBL, by email, or worse, by forum.
Trust me, i
Use as many as you can get your hands on. (Score:2)
Whole countries (Score:1)
Dynamic IPs / Zombies (Score:1)
Re: (Score:3, Informative)
missing rDNS? (Score:1)
no one has (yet) mentioned using the missing rDNS sendmail hack. [niu.edu] i block about 100,000 messages and servers per week using a combination of send_pause, blacklists, spamcop, iptables and the rDNS hack. rDNS routinely accounts for more than 50% of the spam that never makes it to my server.
any mail server that doesn't have an rDNS lookup, in this day and age, is imho not worth accepting messages from.
Ouch. (Score:2)
For a site with low, static email traffic, this is a great method. Otherwise, I wouldn't wish the resulting pain on anyone.
Now... if I co
Re: (Score:1)
i guess i should clarify - any rejected email is not simply sent to /dev/null, but is returned with an explanation that's unique to the tool used to reject it. the rDNS hack has 3 standard return error statements. wouldn't any reputable sysadmin *want* to know that his/her mail server does not have a properly configured zone file?
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Oh, I agree wholeheartedly. So do AOL. So do a whole lot of other places.
The problem is, I work for a University. I can't do it. There are too many stupid admins out there, and they're ALL working for sites that are considered important "offshore partners". Hell, I have enough trouble dealing with offshore agents whose outbound mailservers are in dynamic dial-up ranges - I kid you not. I'd d
Spamhaus and abuseat.org (Score:2)
-Aaron
Re: (Score:2)
I don't block, but I still use DNSBL (Score:1)
DNSBLs as Greylist, TMDA Parameters (Score:2)
Re: (Score:2)
I'm a huge fan of TMDA, but I've dropped it a few months ago, because greylisting, DNSBLs and very stringent checks at SMTP level managed to drop the amount of spam to less than 0.5% of all legit mail, while keeping the amount of false positives to a bare minimum. Almost all mails that TMDA autoresponded to were legitimate anyway after all the previous combing. Basically, there was no need to use TMDA anymore.
Actually, I was lucky, because shortly after I've stopped TMDA, my domain was hit by a huge tidal
Fake MX Records any good? (Score:2)
I find the idea sort of intriguing, but I have doubts that it'll work for long in the ever-escalating arms race of spam...
I like a multi-layer approach myself (Score:2)
Spam blocking by site:
zen.spamhaus.org: 314
dnsbl.sorbs.net: 28
bl.spamcop.net: 40
psbl.surriel.com: 24
Not bad for a single-user domain.
Re: (Score:2)
Yeah, and those 28 will never be removed
Use the right type (Score:1)
The problem with several DNSBLs is that they are the second type masquerading as the first type. Sinc
The list I currently use (Score:2)
FEATURE(`dnsbl', `list.dsbl.org', `"550 Rejected: Your IP address has been used to send spam. " $&{client_addr} " listed at list.dsbl.org"')
FEATURE(`dnsbl', `cn.ascc.dnsbl.bit.nl', `"550 Rejected: Due to a high volume of spam we do not accept mail from China. " $&{client_addr} " listed at cn.ascc.dnsbl.bit.nl"')
FEATURE(`dnsbl'
Re: (Score:2)
sbl-xbl.spamhaus.org
with:
zen.spamhaus.org
No Blocking (Score:3, Interesting)
Re: (Score:3, Interesting)
I am curious though, if you (or your boss) are happy with the loss of profits involved due to increased bandwidth and server resource costs that go with that choice (Or, if you've raised your prices to offset that, if your customers are happy with that).
To truly make blacklists useful... (Score:3, Informative)
Happily, these tests are already present in SpamAssassin; they're just not scored highly enough. Here's a nice easy way to fix that. Edit your
# High score for URL's whose IP addresses are in rbl
score URIBL_AB_SURBL 10
score URIBL_JP_SURBL 10
score URIBL_OB_SURBL 10
score URIBL_PH_SURBL 10
score URIBL_SBL 10
score URIBL_SC_SURBL 10
score URIBL_WS_SURBL 10
Restart spamd, and you will immediately see a large drop in spam.
RBL == censorship (Score:2)
Do not use one.
Re: (Score:1)
Re: (Score:2)