Mailing List SIMS@mail.stalker.com Message #14151
From: Global Homes Webmaster <webmaster@globalhomes.com>
Subject: Re: BlackListing
Date: Thu, 8 Jan 2004 10:29:51 -0800
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Mailsmith 2.1 (Blindsider)
On 1/8/04 at 08:30, Timothy Binder wrote:

> On Jan 8, 2004, at 10:32 AM, Tod Fitch wrote:
>
> > Yep. You can enter host addresses or ranges of host addresses as lines
> > in the blacklist section under the SMTP area. If I get a problem with
> > one IP address I typically blacklist everything in the class C address
> > range that covers it. For example if I detect address harvesting or
> > spam from 12.34.56.78 then I will enter the following line into the
> > blacklist area:
> >
> > 12.34.56.0-12.34.56.255  ; 12.34.56.78 8Jan04 - Addr Harvest
> >
> > The stuff after the semicolon is a comment to remind me why I entered
> > the line.

I keep a commented version of my local blacklist in a text file. I wrote an
AppleScript that I use with BBEdit that strips the comments and white space
and then copies the naked list to the clipboard so that it can be pasted
into SIMS. Stripping out the unnecessary cruft allows me to stuff the
maximum useful data into the blacklist before it hits SIMS' size limit.

> I'm doing something similar, although I haven't automated it yet. Also,
> rather than automatically listing the surrounding /24 range, I check
> arin (and subsequently apnic or ripe, usually :-) and block the
> surrounding net block. Sometimes it's a smaller range, sometimes it's a
> /17! I'll also usually check reverse DNS in several IPs within the
> range, starting with the lowest & the highest, to get a feel for the
> block. If it appears to be a DSL or dial up range, for example, I'll
> immediately block the full range, rather than a subset.

That's pretty close to what I do. In my case I don't automatically
blacklist everything, though. While I don't have any problem with
blacklisting large blocks in, say, Asia or Eastern Europe, I usually don't
like to blacklist large blocks closer to home (North America) for fear of
false positives. My users are generally more tolerant of a small amount of
excess spam than they are of not getting important messages from customers
and then having to deal with the customer. The decision whether or not to
blacklist a block is a case by case judgement call for me, so I would
hesitate to completely automate that particular part of the process.

> Also, I'm using many of the standard blacklist servers discussed on
> this list. I started small, but kept adding more as spam slipped
> through. At this point, the only major one I'm not using is spamcop &
> it's getting awfully tempting to start using it, despite the warnings I
> recall from this list. Can I get some current opinions on this list?

I've recently reduced the number of DNSbl's that I'm using. A few days ago,
some of my users (including myself) started complaining about having
trouble sending mail through my server. They were getting time outs and
'server not responding' type errors. When I looked at the server with
Communigator, I saw that pretty much all of SIMS' configured 25 incoming
TCP channels were in use and most of them were waiting for DNSbl look-ups
to complete. Basically, my users were having to wait their turn to get in
through the cracks between all the spammers that were using up all the
available channels, with the delay of DNSbl look-ups exacerbating the
problem. I immediately increased the incoming channels to 50, realizing
that it was only a temporary fix -- the spammers would keep coming until
they filled up the extra channels and I'd be back where I started. So then
I took a serious look at my DNSbl list. This was about the time that there
was a thread here about using sbl-xbl.spamhaus.org to consolidate
sbl.spamhaus.org and cbl.abuseat.org to a single look-up, so I did that,
reducing the number of DNS queries by one for each incoming connection. I
also removed four entries from the bottom of the list that were only
catching a rather small amount of spam (the malaysia, singapore and
wanadoo-fr lists from blackholes.us, and relays.ordb.org). I suspect that
the SBL-XBL list will catch a large majority of spam that the deleted lists
might have. The net change is up to five fewer DNS look-ups that SIMS has
to do for each incoming SMTP connection. The result is that my users and I
are no longer experiencing problems sending mail. Looking at the server
this morning, I can see that it's back to its former pattern of only a
handful (usually less than five) of active SMTP connections at any one
time. And, since pruning the DNSbl servers, I have not seen any noticeable
increase in spam getting through for delivery (at least not to the accounts
that I check, which tend to be spam magnets -- webmaster, postmaster,
etc.). FWIW, my DNSbl list is now down to:

sbl-xbl.spamhaus.org
opm.blitzed.org
dul.dnsbl.sorbs.net
cn-kr.blackholes.us
hongkong.blackholes.us
taiwan.blackholes.us
argentina.blackholes.us
brazil.blackholes.us
--
                   Christopher Bort | cbort@globalhomes.com
            Webmaster, Global Homes | webmaster@globalhomes.com
                      <http://www.globalhomes.com/>
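As an added illustration of the comment-stripping step and the range format quoted in this thread (not the author's AppleScript, and not part of SIMS), the following Python reads a commented blacklist in the `start-end ; comment` form, emits the naked entries, checks an address against them, and flags ranges wider than a /24 for the case-by-case review described above. The sample list and the `max_hosts` threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample in the format quoted in the thread: "start-end ; comment".
# Blank lines and whole-line comments are allowed, as in a hand-kept text file.
SAMPLE = """\
; local SMTP blacklist, maintained by hand
12.34.56.0-12.34.56.255  ; 12.34.56.78 8Jan04 - Addr Harvest

10.20.30.40              ; single host, constructed example
"""


def strip_blacklist(text):
    """Return the 'naked' entries: drop ';' comments, surrounding whitespace, blank lines."""
    naked = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            naked.append(entry)
    return naked


def parse_entry(entry):
    """Convert 'a.b.c.d' or 'a.b.c.d-e.f.g.h' into an inclusive (start, end) integer range."""
    lo, _, hi = entry.partition("-")
    lo_ip = ipaddress.IPv4Address(lo.strip())
    hi_ip = ipaddress.IPv4Address(hi.strip()) if hi else lo_ip
    if hi_ip < lo_ip:
        raise ValueError(f"range end precedes start: {entry}")
    return int(lo_ip), int(hi_ip)


def is_blacklisted(ip, entries):
    """True if the address falls inside any listed host or range."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in map(parse_entry, entries))


def wide_ranges(entries, max_hosts=256):
    """Entries covering more than max_hosts addresses (wider than a /24 by default),
    so the false-positive risk of a large block can be weighed before it is pasted in."""
    flagged = []
    for entry in entries:
        lo, hi = parse_entry(entry)
        if hi - lo + 1 > max_hosts:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    print("\n".join(strip_blacklist(SAMPLE)))
```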