[SLL] collaborate on a dnsbl?
Bill Campbell
bill at celestial.com
Thu May 12 14:07:11 PDT 2005
On Thu, May 12, 2005, Jeremy C. Reed wrote:
> I continue to get virus and spams sent to my systems that aren't listed on
> the RBLs that I use. I also sometimes check a set of other RBLs and not
> listed.
The problem with much of the spam and ``virus'' traffic is that most of it
now comes from zombified Windows machines on broadband networks (can you
spell Comcast). There are some DNSBLs that purportedly identify zombies,
but they're very fast moving targets.
I've found that a combination of postfix, amavisd, spamassassin, and clamav
does a pretty good job of catching ``virus'' and spam, in particular clamav
identifies a metric tonne of phishing attempts.
The three major things we reject on are:
1. Postfix ``reject_unknown_client'' rejects if the connecting IP address
has no reverse DNS (AOL is now doing this so it's easy to argue it's
OK). This also rejects where the rDNS returns a host name, and that
host name's DNS lookup returns an IP address different from the
connecting IP (including no IP address).
2. The ``HELO'' hostname is the hostname of the machine receiving the
message, our domain, or an IP address in our domain, since I know that
none of our machines are misconfigured to do that.
3. Postfix ``reject_unknown_sender_domain'' which rejects if the domain
part of the ``MAIL FROM'' SMTP address has neither an MX record nor
an ``A'' record.
The numbers of rejections on these three is generally far greater than
those rejected using xbl.spamhaus.org, sbl.spamhaus.org, or any of our
local DNSRBLs with no rDNS generally being at least double any other test.
> What do you all use for easily submitting IPs to blacklists?
We maintain a couple of dynamic DNSBLs here listing sites that have made
cracking attempts at our and our customers' sites, and for the IP
addresses of sites sending mail to spam trap addresses here. The cracking
DNSRBL is updated by e-mail messages to a user here, and a perl deliver
script that automatically updates a djbdns, rbldns data file. Normally the
entry will be inserted within a minute of the first probe.
It's critical to maintain a similar DNSRBL ``whitehat'' list of good
addresses that will not be added to the DENY lists.
> (I am scared to automate because I don't want to submit IPs from good mail
> servers that relay spam to me, such as my NetBSD, FreeBSD, SeaBUG admin
> and other accounts.)
A good whitelist of such sites works pretty well to avoid that.
> Or would anyone be interested in starting another DNS-based realtime
> black list?
>
Bill
--
INTERNET: bill at Celestial.COM Bill Campbell; Celestial Software LLC
UUCP: camco!bill PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/
``... because most politicians and bureaucrats are technological idiots,
it's going to be crucial for the rank and file members of the IT community
to find its collective voice soon.'' --Michael Vizard, InfoWorld Editor in
Chief.
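The three rejection rules described in the post (forward-confirmed rDNS on the connecting client, a HELO that impersonates the receiving site, and a sender domain with neither MX nor A), as an added example that is not part of the original message or of Postfix itself. The DNS answers, the local hostname `mx.celestial.example`, the domain and the network range are all constructed so the code runs offline; a real implementation would query the system resolver instead of the `FAKE_DNS` table.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for DNS: (record type, name) -> list of answers.
# Keeps the example offline; a real check would use the system resolver.
FAKE_DNS = {
    ("PTR", "192.0.2.10"): ["mail.example.net"],
    ("A", "mail.example.net"): ["192.0.2.10"],       # forward-confirmed rDNS
    ("PTR", "192.0.2.11"): ["host.example.org"],
    ("A", "host.example.org"): ["203.0.113.5"],      # rDNS points elsewhere
    ("PTR", "192.0.2.12"): ["dangling.example.org"], # PTR name with no A record
    ("MX", "example.net"): ["mail.example.net"],
    ("A", "nullmx.example.com"): ["198.51.100.7"],   # A but no MX: still acceptable
}


def lookup(rtype, name):
    """Return DNS answers for (rtype, name); an empty list means NXDOMAIN/no data."""
    return FAKE_DNS.get((rtype, name), [])


@dataclass
class LocalSite:
    hostname: str
    domain: str
    networks: list


# Assumed identity of the receiving mail server (constructed values).
OUR_SITE = LocalSite(
    hostname="mx.celestial.example",
    domain="celestial.example",
    networks=[ipaddress.ip_network("198.51.100.0/24")],
)


def check_client(ip):
    """Rule 1 (reject_unknown_client): the client needs rDNS, and the rDNS
    name must resolve back to the connecting address."""
    names = lookup("PTR", ip)
    if not names:
        return "reject: no rDNS for %s" % ip
    addrs = lookup("A", names[0])
    if ip not in addrs:  # covers both a mismatch and a name with no A record
        return "reject: rDNS %s does not resolve back to %s" % (names[0], ip)
    return "ok"


def check_helo(helo):
    """Rule 2: a remote client must not HELO as our host, our domain, or
    an address inside our own network."""
    h = helo.strip("[]").lower()
    if h == OUR_SITE.hostname or h == OUR_SITE.domain or h.endswith("." + OUR_SITE.domain):
        return "reject: HELO %s claims our host or domain" % helo
    try:
        addr = ipaddress.ip_address(h)
    except ValueError:
        return "ok"  # some other hostname; rule 2 does not care
    if any(addr in net for net in OUR_SITE.networks):
        return "reject: HELO %s is an address in our network" % helo
    return "ok"


def check_sender(mail_from):
    """Rule 3 (reject_unknown_sender_domain): the MAIL FROM domain needs
    an MX or an A record. The null sender used for bounces is exempt."""
    if mail_from == "":
        return "ok"
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if lookup("MX", domain) or lookup("A", domain):
        return "ok"
    return "reject: sender domain %s has neither MX nor A" % domain


def evaluate(ip, helo, mail_from):
    """Apply the three rules in order; return the first rejection or 'accept'."""
    for result in (check_client(ip), check_helo(helo), check_sender(mail_from)):
        if result != "ok":
            return result
    return "accept"


if __name__ == "__main__":
    for session in (("192.0.2.10", "mail.example.net", "user@example.net"),
                    ("192.0.2.11", "mail.example.net", "user@example.net"),
                    ("192.0.2.10", "[198.51.100.9]", "user@example.net"),
                    ("192.0.2.10", "mail.example.net", "user@nonexistent.invalid")):
        print(session, "->", evaluate(*session))
```

The order matters in practice: the rDNS test fires before any mailbox-level data is seen, which is why the post reports it doing most of the work. Note that the null sender is let through by rule 3 so bounces to our own users are not lost.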
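The automatic DNSBL update the post describes (a script that adds the probing address to an rbldns data file), together with the ``whitehat'' list that keeps good relays such as the ones Jeremy worries about from ever being listed. This is an added example in Python, not the perl deliver script the author mentions. The data layout follows djbdns rbldns conventions as I understand them (a `:A:TXT` header line, then one address or prefix per line, where `1.2.3` stands for `1.2.3.0/24`); the whitelist ranges and the sample file contents are constructed.

```python
import ipaddress

# Constructed "whitehat" list: addresses that must never reach the DENY list,
# e.g. our own machines and friendly relays that sometimes forward spam to us.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/27", "198.51.100.44/32")]

# Header line an rbldns data file starts with: A record returned for listed
# clients and the TXT reason. Constructed text.
DEFAULT_HEADER = ":127.0.0.2:Listed by the constructed example DNSBL"

# Constructed sample data file, including a /24 in rbldns shorthand.
SAMPLE_DATA = """:127.0.0.2:Listed by the constructed example DNSBL
203.0.113.7
203.0.113.64/26
198.51.100
"""


def prefix_to_network(entry):
    """Translate one rbldns data line to a network object.
    '1.2.3.4' is a single host, '1.2.3' is 1.2.3.0/24, '1.2.3.4/30' is CIDR."""
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    octets = entry.split(".")
    bits = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(octets), bits), strict=False)


def parse_rbldns(text):
    """Return (header line or None, list of listed entries) from file contents."""
    header, listed = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):
            header = line
        else:
            listed.append(line)
    return header, listed


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def add_listing(data_text, ip):
    """Return (new file text, status). status is one of
    'whitelisted' (refused), 'already listed' (covered by an existing entry)
    or 'added'. The whitelist is consulted before anything else so that an
    address inside an already-listed range is still reported as whitelisted."""
    if is_whitelisted(ip):
        return data_text, "whitelisted"
    header, listed = parse_rbldns(data_text)
    addr = ipaddress.ip_address(ip)
    if any(addr in prefix_to_network(entry) for entry in listed):
        return data_text, "already listed"
    lines = [header or DEFAULT_HEADER] + listed + [ip]
    return "\n".join(lines) + "\n", "added"


if __name__ == "__main__":
    text = SAMPLE_DATA
    for probe in ("192.0.2.5", "203.0.113.70", "198.51.100.44", "203.0.113.9"):
        text, status = add_listing(text, probe)
        print(probe, "->", status)
    print(text)
```

After writing the file the deliver script would run `rbldns-data` so the zone picks up the change; that step is left out here because it needs the djbdns binaries. Keeping the whitelist check ahead of the duplicate check makes a whitelisted address visible in the logs even when a wider range containing it is already listed, which is a useful hint that the range may be too broad.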