[SLL] collaborate on a dnsbl?
Russell Evans
russell-evans at qwest.net
Fri May 13 09:49:23 PDT 2005
> On Fri, 13 May 2005 01:08:20 -0400
> "Russell Evans" <russell-evans at qwest.net> wrote:
>
>
> > If there are 14 million domains, say with an average of 4 mail
> > servers per domain specified via spf, then we have 56 million target
> > hosts.
> >
> > It looks like ordb has 255,000 hosts in its rbl, depressingly it
> > looks very steady.
> > http://ordb.org/statistics/relaycount/
> >
> > Interesting, by SMTP server
> > http://ordb.org/statistics/daemons/
> >
> > 350 million hosts on the internet
> > http://www.isc.org/index.pl?/ops/ds/
> >
> > 14 million domains
> > http://www.nw.com/zone/WWW/dist-bynum.html
> >
> > 255,000 rbl hosts / 350 million hosts x 56 million targets = 40800
> > statically infected mail servers in a spf world
> >
> > 350 million hosts / 14 million domains = 25 hosts per domain
> > ( at 25 hosts per domain, I think my assumption of 4 mail servers
> > per domain is high. It probably only averages 2 per domain - 20400
> > statically infected mail servers)
> >
> > Because spf is domain based, spam could be blocked by domain rbls
> > 40800 infected servers / 25 hosts per domain = 1632 domains needing
> > to be blocked.
>
>
> I goofed: my assumption was 4 mail servers per domain and I should
> have used that number to determine how many domains would need
> blocking.
>
> 40800 infected servers / 4 servers per domain = 10200 domains needing
> to be blocked.

So 10200 domains got me thinking --- everybody duck

Subjectively, ( I can't find any rbl that lists the number of domains in
its db ) I know that there are more infected hosts on certain domains.
Using the numbers I could find, the math had to assume the hosts are
dispersed across all domains. The average hosts per domain also assumes
a bell-shaped curve when we know that the curve has multiple peaks. The
curve has to have at least two or three peaks because of hosting
companies ( a lot of one host domains ), consumer networks ( millions of
home hosts on dsl and cable ), and business / government networks (
probably a small peak ).

So we know there are going to be more infected hosts on the larger
networks than the smaller, and that means the number of domains in a
spf rbl is going to be much smaller than 10200 ( assuming the orbl is
the best source for infected hosts ).

Also interesting is that because spf would allow for domain blocking
instead of host blocking, it doesn't matter how many smtp servers a
network has, if the average network had fifty smtp servers per domain or
only one, the spf rbl wouldn't grow or shrink.

If spf, a spf rbl, and dcc were used I don't think there would be a
spam issue today. You would need dcc,
http://www.rhyolite.com/anti-spam/dcc/ because professional spammers
would just buy more domains as their old domains were put on the spf
rbl. You would need to catch these domains as fast as possible.
Having the dcc servers mark a domain for the spf rbl seems like it
would be the quickest, fairest solution. Domains would still need in
house spam blocking in the case that they were the unlucky first ones to
be hit by a new spam domain. It seems like the spammers would get such
diminishing returns that it would slowly fade away. Yeah right.

Thank you
Russell