Mailing List SIMS@mail.stalker.com Message #13240
From: Bill Cole <listbill@scconsult.com>
Subject: Re: SPEWS and relays.osirusoft.com
Date: Fri, 25 Jul 2003 19:55:21 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 8:37 AM -0700 7/25/03, Warren Michelsen imposed structure on a stream of electrons, yielding:
> I read recently, on another list, that relays.osirusoft.com is a
> composite list that includes SPEWS.
>
> I recall reading elsewhere that SPEWS is too aggressive and (I
> think) I recall too that someone else said that relays.osirusoft.com
> does not include SPEWS.
>
> What's the truth of the matter?


relays.osirusoft.com is a composite list. The FAQ says:

[ BEGIN QUOTE ]

What are all these zones?

* Relays.OsiruSoft.com contains all zones, except for outputs and blocktest. Effectively, it's the master list containing the minimum casualties subzones.
* Inputs.relays.OsiruSoft.com contains only insecure mail servers.
* Dialups.relays.OsiruSoft.com contains only sources of direct-to-mx spam which are obviously in dynamic IP pools.
* Spamsites.relays.OsiruSoft.com contains only sites from spamsites.org.
* Spamhaus.relays.OsiruSoft.com contains only sites from spamhaus.org.
* Spews.relays.OsiruSoft.com contains only sites from spews.org.
* Blocktest.relays.osirusoft.com is a stand-alone zone. It's meant to block testers from testing a site or netblock for many different reasons and has no practical value. It's not to be interpreted any other way than to prevent test software from testing other sites.
* Outputs.relays.osirusoft.com will also be a stand-alone zone, and even though it will be created, it should only be used to warn the servers listed.

[ END QUOTE ]

There is also a poorly-documented spamsources.relays.osirusoft.com zone, included in the composite, that returns 127.0.0.4 like the SPEWS listings but is locally maintained at Osirusoft.

In my opinion, given the fact that the SPEWS list is escalatory and often includes large chunks of network space around single addresses whose connection to spam is frequently secondary (e.g. a nameserver which is a primary for a domain of a URL advertised in spam can result in a listing for the entire ARIN-allocated block that it lives in), the use of SPEWS in a simple way (i.e. in SIMS, as opposed to some more subtle system like SpamAssassin) is a bad idea for anyone who cares about false positives (rejections of non-spam as if it were spam).

In case anyone is interested in a little deeper discussion of DNSBLs, I have one up at http://www.scconsult.com/bill/dnsblhelp.html which is really aimed at people listed on them (particularly SPEWS) but might be useful for reading by mail admins as well.


--
Bill Cole                                  bill@scconsult.com
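
The following is an added example, not part of the original message or of SIMS: a Python sketch of querying the subzones named in the FAQ separately instead of the composite, so that a SPEWS hit only tags a message while other hits reject it. The reject/tag split, the helper names, the sample addresses and the 127.0.0.3 answer are assumptions made for illustration; only 127.0.0.4 comes from the message.

```python
import ipaddress
import socket

# Subzone names are from the FAQ quoted above; the split into "reject" and
# "tag only" is an assumption made for this example.
REJECT_ZONES = ["inputs.relays.osirusoft.com", "dialups.relays.osirusoft.com"]
TAG_ZONES = ["spews.relays.osirusoft.com"]


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolve(name):
    """Return the A record for name, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(ip, resolve=system_resolve):
    """Query each subzone separately and return (verdict, hits).

    Only answers in 127.0.0.0/8 count as listings; any other answer
    (for example a parked domain's wildcard A record) is ignored.
    """
    hits = {}
    for zone in REJECT_ZONES + TAG_ZONES:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            hits[zone] = answer
    if any(zone in hits for zone in REJECT_ZONES):
        return "reject", hits
    return ("tag", hits) if hits else ("accept", hits)


# Constructed answers for RFC 5737 documentation addresses; not real listings.
SAMPLE_ANSWERS = {
    "10.2.0.192.spews.relays.osirusoft.com": "127.0.0.4",      # code from the message
    "7.100.51.198.dialups.relays.osirusoft.com": "127.0.0.3",  # constructed code
    "7.100.51.198.spews.relays.osirusoft.com": "127.0.0.4",
}


def sample_resolve(name):
    """Offline stand-in for DNS, backed by the constructed answers above."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(addr, classify(addr, sample_resolve))
```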
