Mailing List SIMS@mail.stalker.com Message #14345
From: Bill Cole <listbill@scconsult.com>
Subject: Re: cbl.abuseat.org false positive
Date: Wed, 17 Mar 2004 20:48:44 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 6:36 AM -0600 3/17/04, Larry Stone imposed structure on a stream of electrons, yielding:
I know this is somewhat off-topic for SIMS but since most of what I know
about blacklists I learned here, I'll post it here.

Yesterday, for several hours, the IP address used by my SIMS server was
listed by cbl.abuseat.org (and of course, by xbl.spamhaus.org). The address
is actually a wireless NAT router with 3 Macs, 2 PCs, and 2 TiVos behind it.
The wireless gateway is using 128-bit encryption but until this morning, was
broadcasting the SSID.

The real question is the key strategy for that wireless gateway. 128-bit WEP isn't a 10-second crack if you have MAC filtering (that's MAC not Mac) and aren't using 'open' authentication, and may be quite tough on a low-traffic network, but if your network is essentially open to anyone or even to anyone who can fake a MAC address, there's a reasonably strong chance that someone hopped on your insecure network and used your connection to spam through.

I immediately attempted to update the virus definitions on the PCs (Norton)
but they were up-to-date. Took the machines offline and ran full scans which
turned up nothing. If there's a virus here, Norton can't find it. Both PCs
are back on-line.

Also, run over them with Spybot AND AdAware. The AV companies don't like to call anything which has a known publisher a virus. There also is at least one spammer (Atriks) who is supposedly running a con whereby they get users to download their spamming agent to run in the background and supposedly make the idiot user some fraction of a cent per mail sent. There is a lot of suspicion that this scheme is only a cover (and a very slimy sort of cover...) for a company that is really just abusing open proxies and other compromised machines. CBL tends to catch Atriks sender machines, but it is not clear what basis they use.

So how then, did I get listed? Unfortunately, cbl.abuseat.org provides no
supporting evidence.

Up until now, I've been impressed by cbl.abuseat.org as I've never seen any
inbound mail falsely rejected. Fortunately, other than for a small mailing
list I host, there was no outbound e-mail lost.

You really should try mailing cbl@cbl.abuseat.org and asking for more info. The CBL is NOT run by the same class of people as SPEWS or BLARS or even SORBS. They respond to problems and have demonstrated a commitment to keeping the false positives extremely low. I don't know if they will provide the details of why a particular address got listed, but I suspect that they can.

If you can't get a response in a reasonable time from that address, let me know and I'll try poking in places likely to trigger attention.

--
Bill Cole
bill@scconsult.com
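The thread turns on whether a mail server's address is currently listed by cbl.abuseat.org or xbl.spamhaus.org. The script below is an added example, not code from this list or from either blocklist operator; it performs the standard DNSBL lookup (the IPv4 octets reversed and appended to the list's zone, with any A record in 127.0.0.0/8 meaning "listed" and NXDOMAIN meaning "not listed"). The address 192.0.2.1 is a constructed TEST-NET placeholder, and the `make_fake_resolver` helper exists only so the logic can be exercised without network access.

```python
import socket
from typing import Callable, Dict, Optional

# The two DNS blocklists named in the thread (XBL carries CBL data).
DNSBL_ZONES = ("cbl.abuseat.org", "xbl.spamhaus.org")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, under the list's zone.

    192.0.2.1 in cbl.abuseat.org becomes 1.2.0.192.cbl.abuseat.org.
    """
    octets = ip.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def is_listed_answer(answer: Optional[str]) -> bool:
    """DNSBLs signal 'listed' with an A record in 127.0.0.0/8; no answer means not listed."""
    return answer is not None and answer.startswith("127.")


def check_listing(ip: str, zone: str,
                  resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the A record answer if `ip` is listed in `zone`, else None.

    `resolve` is injectable so the lookup can be simulated offline; by default
    it is a real DNS query through socket.gethostbyname.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        return resolve(name)
    except socket.gaierror:  # NXDOMAIN (or resolver failure): treated as not listed
        return None


def check_all(ip: str,
              resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Query every zone in DNSBL_ZONES and map zone -> answer (None when not listed)."""
    return {zone: check_listing(ip, zone, resolve) for zone in DNSBL_ZONES}


def make_fake_resolver(listed: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for DNS: answer names found in `listed`, NXDOMAIN for the rest.

    Constructed for testing only; it mimics the shape of socket.gethostbyname.
    """
    def resolve(name: str) -> str:
        if name in listed:
            return listed[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    import sys
    # Placeholder address (RFC 5737 TEST-NET-1); pass your server's address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    for zone, answer in check_all(target).items():
        status = f"LISTED (answer {answer})" if is_listed_answer(answer) else "not listed"
        print(f"{target} in {zone}: {status}")
```

Run it with the outbound address of the SIMS host as the argument; a 127.x answer from either zone confirms the listing, and the lookup can be repeated after a delisting request to see when the entry clears. Note that a resolver that rewrites NXDOMAIN into some other address would break the "no answer means not listed" assumption, which is why only 127.0.0.0/8 answers count as a listing.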
