Time to make multi.uribl.org optional rather than default?

[Andy Dills <an...@xecu.net>]

It appears (from email recently sent to the admins of a few small 
mailservers I help admin) that the people in charge of uribl.com have 
decided to set a pretty low threshold for blacklisting DNS servers from 
querying, demanding that people who hit that threshold pay them a rather 
exorbitant rate for a data feed.

I have judged this threshold to be low based on the size of some of the 
mail/dns servers whose admins have gotten this email, along with the fact 
that this is the only blacklist to have taken this obnoxious stance.

I have no problem disabling their tests in my local.cf. I'm wondering if 
it's time to recognize that they are very similar to MAPS and to treat 
them similarly, because right now the default inclusion of tests against 
multi.surbl.com is in reality just a "trial service" and an opportunity 
for this for-profit organization to create revenue streams.

I really don't care much either way, for me it's a done deal, I'm 
disabling the tests on my mail servers and advising others to do the same.
I'm just wondering if the community at large is aware of this and has an 
opinion.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

Re: Time to make multi.uribl.org optional rather than default?

[Matt Kettler <mk...@verizon.net>]

Dallas Engelken wrote:
>
> Superb.  Thats all you had to do in the first place without raising a 
> stink.
Aww, but it's so much more fun to post an inflammatory rant at the start 
of a message. :-)

<insert comment about any sports team sucking here... preferably a 
baseball team.>
>
> If SA wants to completely remove uribl.com tests because we dont allow 
> the heavy hitters to query the public mirrors,  thats their choice.
>
> Although, the usage policy for Spamhaus 
> (http://www.spamhaus.org/organization/dnsblusage.html) doesnt prevent 
> inclusion of RCVD_IN_SBL in SA.
Personally, I've got no kind of problem with this kind of volume 
limiting, as long as the thresholds are reasonable enough that all but 
the most businesses can use them.

However, I do think URIBL should try to come up with a solid policy 
about what the volume limits are, what the zone transfer fees are, etc, 
and document it somewhere on your website.

In general I'm somewhat averse to systems with undocumented or vague 
policies in SA. Case in point, razor used to be disabled by default due 
to a rather vague policy about "high volume" use, that didn't really 
define what that volume was.

Re: Time to make multi.uribl.org optional rather than default?

[SM <sm...@resistor.net>]

At 15:33 19-02-2008, Andy Dills wrote:
>load on your servers. All of the other RBLs that I'm aware of (could be
>wrong) are happy to provide data feeds free of charge. To be perfectly

Some RBLs do charge if your organization is doing more than X queries daily.

Regards,
-sm 

Re: Time to make multi.uribl.org optional rather than default?

[Andy Dills <an...@xecu.net>]

On Wed, 20 Feb 2008, Jason Haar wrote:

> Andy Dills wrote:
> > For instance, if we ran a cacheing nameserver on each of our mailservers,
> > would you have ever noticed us?   
> Err - are you saying you are generating >500K requests/day against that ONE
> RBL domain - and you are *not* running a caching server?!?!?
> 
> [Hell, I even run a caching server to protect my vanity domain with 4 email
> accounts! ;-) ]

Of course I'm running a caching server...my thought was to run a single 
cacheing server for all of our mailservers to maximize the value of the 
cache.

What I'm saying is if I ran a caching server on each of our individual 
filter boxes, our volume would appear to be much less unless they 
aggregated usage by netblock. I suspect many of the "heavy hitters" do 
this.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

Re: Time to make multi.uribl.org optional rather than default?

[Jason Haar <Ja...@trimble.co.nz>]

Andy Dills wrote:
> For instance, if we ran a cacheing nameserver on each of our mailservers, 
> would you have ever noticed us? 
>   
Err - are you saying you are generating >500K requests/day against that 
ONE RBL domain - and you are *not* running a caching server?!?!?

[Hell, I even run a caching server to protect my vanity domain with 4 
email accounts! ;-) ]

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: Time to make multi.uribl.org optional rather than default?

[Andy Dills <an...@xecu.net>]

On Tue, 19 Feb 2008, Dallas Engelken wrote:

> Filtering the top 0.45% IPs results in 20% fewer queries/second to the
> mirrors.  I dont see trying to limit excessive bandwidth usage on donated
> mirrors as an "obnoxious stance".

The "obnoxious stance" comment is in demanding payment for reducing the 
load on your servers. All of the other RBLs that I'm aware of (could be 
wrong) are happy to provide data feeds free of charge. To be perfectly 
honest with you, prior to the email, I wasn't even aware of uribl, just 
surbl. It was merely included when we upgraded SA. We have our own local 
DCC server and local copies of several of the RBLs; it's a win-win, we 
reduce latency, you reduce bandwidth consumption.

It's certainly your right to charge, I'm not denying that. I just don't 
think spamassassin should be promoting the use of services that ultimately 
desire to be compensated for what is in reality a very medium volume of 
queries, and which (I assume) is populated with data that is generated 
compensation-free by your users. If you gave free data feeds like 
everybody else, I would applaud you, apologize for being unaware of our 
abuse of your servers, setup the feed, and thank you for your 
contribution.

When I got your email, I immediately went to your website to setup a data 
feed and found myself disgusted that you wanted payment, just as I was 
disgusted with MAPS so many years ago. 

> We asked you to shut off your queries on 2007-12-27 19:15:09.  Nearly 3 months
> later and we still saw the same high volume queries from your systems.

My apologies, I actually never saw the initial request. I'm not sure what 
was different about this mailing, or if the first somehow got caught up in 
the holiday vacation situation.

When our spamassassin rules recompile tonight, you'll no longer see the 
bulk of those requests. 

> > I really don't care much either way, for me it's a done deal, I'm disabling
> > the tests on my mail servers and advising others to do the same.
> > I'm just wondering if the community at large is aware of this and has an
> > opinion.
> >   
> 
> Superb.  Thats all you had to do in the first place without raising a stink.
> 
> If SA wants to completely remove uribl.com tests because we dont allow the
> heavy hitters to query the public mirrors,  thats their choice.

If you think 500k queries a day is a heavy hitter, you're off your rocker. 
I suspect most of the heavy hitters have their load distributed among many 
source IPs...do you aggregate query volume data by cidr block?

For instance, if we ran a cacheing nameserver on each of our mailservers, 
would you have ever noticed us? 

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

Re: Time to make multi.uribl.org optional rather than default?

[Dallas Engelken <da...@uribl.com>]

Andy Dills wrote:
> It appears (from email recently sent to the admins of a few small 
> mailservers I help admin) that the people in charge of uribl.com have 
> decided to set a pretty low threshold for blacklisting DNS servers from 
> querying, demanding that people who hit that threshold pay them a rather 
> exorbitant rate for a data feed.
>   

Demanding?  I believe the first thing that excessive query volume email 
tells you is to simply shut it off and be done.   The data feed option 
is just that, an option.   If you see no value in it, then you wont be 
missing anything by us not answering your queries.

> I have judged this threshold to be low based on the size of some of the 
> mail/dns servers whose admins have gotten this email, along with the fact 
> that this is the only blacklist to have taken this obnoxious stance.
>
>   

What is your definition of low volume?  db2.xecu.net + 	dns02.xecu.net 
accounts for nearly 500k queries/day (~3GB of data/mo).

There are over 40k unique IP that query URIBL public dns.  As any mirror
operator can see, we have around 180 IPs in the ACL.   So thats ~0.45%. 
  And those 180 blocked IPs consist of far fewer organizations/companies 
as many have more than 1 IP on that list.

Filtering the top 0.45% IPs results in 20% fewer queries/second to the 
mirrors.  I dont see trying to limit excessive bandwidth usage on 
donated mirrors as an "obnoxious stance".


> because right now the default inclusion of tests against 
> multi.surbl.com is in reality just a "trial service" and an opportunity 
> for this for-profit organization to create revenue streams.
>
>   

If you remove it from SA by default, you're doing so at the expense of 
the other 99.55%.

We asked you to shut off your queries on 2007-12-27 19:15:09.  Nearly 3 
months later and we still saw the same high volume queries from your 
systems.


> I really don't care much either way, for me it's a done deal, I'm 
> disabling the tests on my mail servers and advising others to do the same.
> I'm just wondering if the community at large is aware of this and has an 
> opinion.
>   

Superb.  Thats all you had to do in the first place without raising a stink.

If SA wants to completely remove uribl.com tests because we dont allow 
the heavy hitters to query the public mirrors,  thats their choice.

Although, the usage policy for Spamhaus 
(http://www.spamhaus.org/organization/dnsblusage.html) doesnt prevent 
inclusion of RCVD_IN_SBL in SA.

Thanks,

-- 
Dallas Engelken
dallase@uribl.com
http://uribl.com

Re: Time to make multi.uribl.org optional rather than default?

[Andy Dills <an...@xecu.net>]

On Tue, 19 Feb 2008, Rob McEwen wrote:

> Andy Dills wrote:
> > ...the people in charge of uribl.com have decided to set a pretty low
> > threshold for blacklisting DNS servers from querying, demanding that people
> > who hit that threshold pay them a rather exorbitant rate for a data feed.
> >   
> 
> Andy,
> 
> Does the fee you describe pay for (a) being allowed to do a high volume of
> direct DNS queries, ..OR.. (b) does it pay for an RSYNC feed to
> rbldnsd-formatted files?

It's for some sort of rynsc-like feed (I don't believe it uses rsync). I 
don't believe they offer (a).

> If that is for high-volume direct queries, then why not check and see what an
> RSYNC-feed of an rbldnsd-formatted file might do for you, and the costs of the
> RSYNC feed?

Yeah, it's just a bottom line reality that the cheapest fee they will 
accept ($1450/year) in no way corresponds to any sort of bottom-line ROI. 
The cost is out of line with the value of their service.

> (Also, at one point, you mentioned SURBL... but that was a typo and you are
> talking about URIBL, correct?)

Yes, sorry...I meant URIBL. The SURBL people have always been very cool.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

Re: Time to make multi.uribl.org optional rather than default?

[Rob McEwen <ro...@invaluement.com>]

Andy Dills wrote:
> ...the people in charge of uribl.com have decided to set a pretty 
> low threshold for blacklisting DNS servers from querying, demanding 
> that people who hit that threshold pay them a rather exorbitant rate 
> for a data feed.
>   

Andy,

Does the fee you describe pay for (a) being allowed to do a high volume 
of direct DNS queries, ..OR.. (b) does it pay for an RSYNC feed to 
rbldnsd-formatted files?

If that is for high-volume direct queries, then why not check and see 
what an RSYNC-feed of an rbldnsd-formatted file might do for you, and 
the costs of the RSYNC feed?

(Also, at one point, you mentioned SURBL... but that was a typo and you 
are talking about URIBL, correct?)

Rob McEwen

Re: Time to make multi.uribl.org optional rather than default?

[Duane Hill <d....@yournetplus.com>]

On Tue, 19 Feb 2008 09:25:41 -0500 (EST)
Andy Dills <an...@xecu.net> wrote:

> 
> It appears (from email recently sent to the admins of a few small 
> mailservers I help admin) that the people in charge of uribl.com have 
> decided to set a pretty low threshold for blacklisting DNS servers
> from querying, demanding that people who hit that threshold pay them
> a rather exorbitant rate for a data feed.
> 
> I have judged this threshold to be low based on the size of some of
> the mail/dns servers whose admins have gotten this email, along with
> the fact that this is the only blacklist to have taken this obnoxious
> stance.
> 
> I have no problem disabling their tests in my local.cf. I'm wondering
> if it's time to recognize that they are very similar to MAPS and to
> treat them similarly, because right now the default inclusion of
> tests against multi.surbl.com is in reality just a "trial service"
> and an opportunity for this for-profit organization to create revenue
> streams.
> 
> I really don't care much either way, for me it's a done deal, I'm 
> disabling the tests on my mail servers and advising others to do the
> same. I'm just wondering if the community at large is aware of this
> and has an opinion.

Back on October 16th, 2007 they did make an announcement on their site:

  ...
  URIBL has begun to block IPs hitting our public DNS mirrors with high
  volume. If you are sending anything close to 500k queries/day to our
  public dns, you queries may be refused already, or in the near future.
  If you would like to become a part of the public dns infastructure and
  give some queries back to the world, please contact dnsadmin@uribl.com

This is the same thing SpamHaus started doing a year or so ago (I can't
recall for sure when, it could have been less than a year). As we are
using SpamHaus at the MTA level (not at the SA level), we have purchased
the data feed. At the MTA level, our two filter servers are doing an
average well over three(3) million queries per day.

-------
  _|_
 (_| |