Mailing List SIMS@mail.stalker.com Message #13343
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Suggestions to improve this RBL list?
Date: Fri, 15 Aug 2003 20:22:25 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 11:42 PM -0400 8/14/03, Aron Spencer imposed structure on a stream of electrons, yielding:
Here is my current RBL list:

rbl.maps.vix.com

Retired in early 2001, 2 years after the initial transition to the blackholes.mail-abuse.org zone.

relays.mail-abuse.org "/maps-rss.html"
blackholes.mail-abuse.org "/maps-rbl.html"
dialups.mail-abuse.org "/maps-dul.html"

All closed to the general public 2 years ago. See the MAPS site for instructions on how to get a license to use these.


sbl.spamhaus.org

Excellent.

;bl.spamcop.net

Keep that semicolon unless you don't mind intermittently blocking mail sources that literally never send spam. Because it relies on a user base that is somewhat skewed away from clues, and runs a system that is open to intentional malicious attack by bad input data, this BL is very risky.


cn-kr.blackholes.us
singapore.blackholes.us
malaysia.blackholes.us
nigeria.blackholes.us
brazil.blackholes.us

Seems reasonable.


;wanadoo-fr.blackholes.us

Are you sure you want the semicolon?


korea.services.net

Good. Not redundant, since it covers some KR space that is allocated through ARIN still, while the blackholes.us zone misses most if not all of the KR space not allocated through APNIC/KRNIC.


opm.blitzed.org

Very useful

relays.osirusoft.com

Very dangerous now. This includes both SPEWS (high collateral damage) and the Osirusoft 'spamsources' zone which is extremely light on public documentation and intermittently high on what seem to be spite listings.

If that's not enough, Osirusoft has recently been under a relentless DDoS attack which has apparently rendered its ability to properly handle the SPEWS data or its own open relay testing and removal process correctly, resulting in very stale relay listings that can't be reversed and SPEWS listings via the DNSBL that are not in the actual SPEWS data. Even if you like the Osirusoft aggregate list when it is working properly, right now it definitely is not working properly and probably should not be used.


blackholes.wirehub.net

Moved to blackholes.easynet.nl with Wirehub's purchase by Easynet. Still a fine and useful list.


relays.ordb.org


If it works for you, great, but I find that open relay lists in general are largely a waste of time these days.


I would appreciate suggestions as to how to make it more effective. Thank you.

A newer list that I really like a lot in its performance is the CBL, described (to some extent) at http://cbl.abuseat.org. It is a list of machines that have been witnessed acting in ways that are specific to open proxies sending spam or virus/worm-ridden machines. If you watch a heavily-spammed address for a while and look at the proxy spam and wormware mail you can pretty easily identify such behavior patterns, but whoever runs the CBL doesn't define them explicitly because doing so would probably lead to those patterns changing. I have tested the CBL against a rather large mail stream, and while I have as yet failed to get it accepted by the people who make decisions there, the test showed it tagging about 25% of the inbound mail without a single case of possibly legit mail being tagged. To put this in perspective: no other DNSBL I've ever tested has caught more than 15% of any mail stream and none that has beat 10% has done so without at least 0.1% false positives.

There are issues with the CBL. One is that it is not clear who exactly is running it: The domain is registered to Steve Atkins of Sam Spade fame (also someone whose home I've attended a party in and whose wife Laura I've worked closely with) (Laura is also now ED of the SpamCon foundation). The mail for it is handled by Al Iverson's machine, and Al is also a friend and fellow co-worker who has built and run just about the only ethically-conscious open relay DNSBLs. I have no qualms trusting whoever Steve and Al have decided to sit in front of, and I have no worry about the accountability of the CBL given that it is fronted by those 2 and has a very simple removal procedure (self-service) and is not built on unauthorized testing of any sort. People who are not me and do not have my very individual bases for trust may be leery of the CBL, although anyone using SPEWS (i.e. including the aggregate relays.osirusoft.com zone) probably isn't too concerned about using a list with vague listing criteria and an anonymous maintainer.


--
Bill Cole                                  bill@scconsult.com
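
Added example, not part of the message above and not SIMS code: several zones in the reviewed list turned out to be retired, closed or moved, so this sketch classifies each active zone with the RFC 5782 test entries (127.0.0.2 should be listed, 127.0.0.1 should not). The zone names, the fake resolver table and the reading of a leading `;` as "disabled" are assumptions.

```python
import socket

def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: octets reversed, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """A record for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listed(ip, zone, resolve=system_resolver):
    """A listing is an A record in 127.0.0.0/8; any other answer is not one."""
    answer = resolve(dnsbl_name(ip, zone))
    return answer is not None and answer.startswith("127.")

def zone_status(zone, resolve=system_resolver):
    """Classify a zone by the two RFC 5782 test points."""
    if is_listed("127.0.0.1", zone, resolve):
        return "lists-everything"  # wildcarded zone: every sender would match
    if not is_listed("127.0.0.2", zone, resolve):
        return "dead"              # retired, moved, or closed to public queries
    return "ok"

def audit(config_lines, resolve=system_resolver):
    """Status of every active zone; ';' lines are treated as disabled (assumption)."""
    report = {}
    for line in config_lines:
        line = line.strip()
        if line and not line.startswith(";"):
            zone = line.split()[0]  # ignore a trailing field such as "/maps-rbl.html"
            report[zone] = zone_status(zone, resolve)
    return report

# Constructed sample: hypothetical zones and a fake resolver, so this runs offline.
FAKE_DNS = {"2.0.0.127.good.dnsbl.example": "127.0.0.2",
            "2.0.0.127.wild.dnsbl.example": "127.0.0.2",
            "1.0.0.127.wild.dnsbl.example": "127.0.0.2",
            "2.0.0.127.parked.dnsbl.example": "192.0.2.10"}
SAMPLE = ["good.dnsbl.example", ";skipped.dnsbl.example", "wild.dnsbl.example",
          'parked.dnsbl.example "/info.html"', "retired.dnsbl.example"]

if __name__ == "__main__":
    print(audit(SAMPLE, FAKE_DNS.get))
```

Calling `audit(lines)` without a resolver uses live DNS; a zone reported as "dead" or "lists-everything" should be removed or commented out before the list goes back into the mail server.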
