[SLL] collaborate on a dnsbl?
Glenn Stone
technoshaman at liawol.org
Thu May 12 11:00:48 PDT 2005

On Thu, May 12, 2005 at 10:18:38AM -0700, Jeremy C. Reed wrote:
> I continue to get virus and spams sent to my systems that aren't listed on
> the RBLs that I use. I also sometimes check a set of other RBLs and not
> listed.
>
> What do you all use for easily submitting IPs to blacklists?
>
> (I am scared to automate because I don't want to submit IPs from good mail
> servers that relay spam to me, such as my NetBSD, FreeBSD, SeaBUG admin
> and other accounts.)
>
> Or would anyone be interested in starting another DNS-based realtime
> black list?
>
> Today I want to block these new IPs:

I'd be interested in collaborating on such an animal. It would be
interesting to come up with some heuristics to alert the administrator that
there are x number of addresses within y big subnet, so one could engage in
CIDR blocking if desired (I'm currently using CIDR blocking in Postfix 2.1
to block a certain ISP out of Texas that's been nothing but trouble, as well
as Snotty Richter's (now defunct! *happydance*) operation)... also, a tool
to take the offending addresses and do WHOIS lookups on them would be
interesting. (That latter tool might be a good excuse for me to finally
learn Python....)

Hmm. We might could do something statistics-based...

I'm also thinking that the tools we'd use would be to advise us as to what
to add to the blacklist, maybe with a web interface similar to Mailman that
we could simply go to the web control page, read the reports, and tick off
which IPs or ranges to add. That way a human is always in the loop, but
her involvement is at a minimum. Also, the package could keep a history
which would not only help us decide whether CIDR-based blocking was
justified, but whether a given IP or range had asked for removal before...

I'd also want this to be a zero-loss list. I would only want to engage in
CIDR blocking if ONLY spam comes from a given range. I'm more than willing
to let a few false negatives splat themselves against my Bayesian filters,
in order not to miss a false positive. (This is why I don't use the
dynamic-address blocklists; I know that a lot of folks run legitimate Linux
boxen on dynamic IPs, and I'd rather not miss a man's email just because
Comcast is all he can get, Mat. :)

-- Glenn
Spam buster and general BOFH at extra-large (but I'm working on that :)
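The two heuristics proposed in the post (flag a subnet once x offending hosts appear in it, but only propose a CIDR block when no legitimate mail has ever come from that range) as a small advisory tool in Python. This is an added example, not code from the thread or from any existing DNSBL; the observations are constructed sample data, the spam/ham verdicts are assumed to come from the local filter, and dnsbl.example.net is a placeholder zone name.

```python
import ipaddress
from collections import defaultdict

# Constructed sample observations (not real mail-log data):
# (source IP, verdict) where verdict is "spam" or "ham" (legitimate mail).
OBSERVATIONS = [
    ("198.51.100.12", "spam"), ("198.51.100.57", "spam"),
    ("198.51.100.201", "spam"), ("198.51.100.12", "spam"),   # repeat host
    ("203.0.113.9", "spam"), ("203.0.113.44", "spam"), ("203.0.113.77", "ham"),
    ("192.0.2.5", "spam"),
]

def summarize(observations, prefixlen=24):
    """Bucket distinct source IPs by /prefixlen; returns {network: (spam_set, ham_set)}."""
    buckets = defaultdict(lambda: (set(), set()))
    for ip, verdict in observations:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        buckets[net][0 if verdict == "spam" else 1].add(ipaddress.ip_address(ip))
    return buckets

def cidr_candidates(observations, prefixlen=24, threshold=3):
    """Zero-loss rule: a range is a CIDR-block candidate only if it holds at least
    `threshold` distinct spam sources AND no legitimate sender was ever seen in it."""
    return sorted(net for net, (spam, ham) in summarize(observations, prefixlen).items()
                  if len(spam) >= threshold and not ham)

def mixed_ranges(observations, prefixlen=24):
    """Ranges with both spam and ham: never CIDR-block these, hand them to the human reviewer."""
    return sorted(net for net, (spam, ham) in summarize(observations, prefixlen).items()
                  if spam and ham)

def dnsbl_records(addresses, networks=(), zone="dnsbl.example.net"):
    """Render DNSBL zone lines: octets reversed under the zone, A 127.0.0.2 means listed.
    A /24 is covered by one wildcard record instead of 256 host records."""
    lines = []
    for ip in addresses:
        rev = ".".join(reversed(str(ip).split(".")))
        lines.append(f"{rev}.{zone}. IN A 127.0.0.2")
    for net in networks:
        if net.prefixlen != 24:
            raise ValueError("wildcard shortcut implemented for /24 only")
        rev = ".".join(reversed(str(net.network_address).split(".")[:3]))
        lines.append(f"*.{rev}.{zone}. IN A 127.0.0.2")
    return lines

if __name__ == "__main__":
    cands = cidr_candidates(OBSERVATIONS)
    print(cands, mixed_ranges(OBSERVATIONS), dnsbl_records(["192.0.2.5"], cands), sep="\n")
```

With the sample data, 198.51.100.0/24 (three distinct spam hosts, no ham) becomes a candidate, 203.0.113.0/24 is held back for review because one legitimate sender lives there, and 192.0.2.5 is listed only as a single host.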