You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Andy Dills <an...@xecu.net> on 2008/02/19 15:25:41 UTC
Time to make multi.uribl.org optional rather than default?
It appears (from email recently sent to the admins of a few small
mailservers I help admin) that the people in charge of uribl.com have
decided to set a pretty low threshold for blacklisting DNS servers from
querying, demanding that people who hit that threshold pay them a rather
exorbitant rate for a data feed.
I have judged this threshold to be low based on the size of some of the
mail/dns servers whose admins have gotten this email, along with the fact
that this is the only blacklist to have taken this obnoxious stance.
I have no problem disabling their tests in my local.cf. I'm wondering if
it's time to recognize that they are very similar to MAPS and to treat
them similarly, because right now the default inclusion of tests against
multi.surbl.com is in reality just a "trial service" and an opportunity
for this for-profit organization to create revenue streams.
I really don't care much either way, for me it's a done deal, I'm
disabling the tests on my mail servers and advising others to do the same.
I'm just wondering if the community at large is aware of this and has an
opinion.
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Time to make multi.uribl.org optional rather than default?
Posted by Matt Kettler <mk...@verizon.net>.
Dallas Engelken wrote:
>
> Superb. Thats all you had to do in the first place without raising a
> stink.
Aww, but it's so much more fun to post an inflammatory rant at the start
of a message. :-)
<insert comment about any sports team sucking here... preferably a
baseball team.>
>
> If SA wants to completely remove uribl.com tests because we dont allow
> the heavy hitters to query the public mirrors, thats their choice.
>
> Although, the usage policy for Spamhaus
> (http://www.spamhaus.org/organization/dnsblusage.html) doesnt prevent
> inclusion of RCVD_IN_SBL in SA.
Personally, I've got no kind of problem with this kind of volume
limiting, as long as the thresholds are reasonable enough that all but
the most businesses can use them.
However, I do think URIBL should try to come up with a solid policy
about what the volume limits are, what the zone transfer fees are, etc,
and document it somewhere on your website.
In general I'm somewhat averse to systems with undocumented or vague
policies in SA. Case in point, razor used to be disabled by default due
to a rather vague policy about "high volume" use, that didn't really
define what that volume was.
Re: Time to make multi.uribl.org optional rather than default?
Posted by SM <sm...@resistor.net>.
At 15:33 19-02-2008, Andy Dills wrote:
>load on your servers. All of the other RBLs that I'm aware of (could be
>wrong) are happy to provide data feeds free of charge. To be perfectly
Some RBLs do charge if your organization is doing more than X queries daily.
Regards,
-sm
Re: Time to make multi.uribl.org optional rather than default?
Posted by Andy Dills <an...@xecu.net>.
On Wed, 20 Feb 2008, Jason Haar wrote:
> Andy Dills wrote:
> > For instance, if we ran a cacheing nameserver on each of our mailservers,
> > would you have ever noticed us?
> Err - are you saying you are generating >500K requests/day against that ONE
> RBL domain - and you are *not* running a caching server?!?!?
>
> [Hell, I even run a caching server to protect my vanity domain with 4 email
> accounts! ;-) ]
Of course I'm running a caching server...my thought was to run a single
cacheing server for all of our mailservers to maximize the value of the
cache.
What I'm saying is if I ran a caching server on each of our individual
filter boxes, our volume would appear to be much less unless they
aggregated usage by netblock. I suspect many of the "heavy hitters" do
this.
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Time to make multi.uribl.org optional rather than default?
Posted by Jason Haar <Ja...@trimble.co.nz>.
Andy Dills wrote:
> For instance, if we ran a cacheing nameserver on each of our mailservers,
> would you have ever noticed us?
>
Err - are you saying you are generating >500K requests/day against that
ONE RBL domain - and you are *not* running a caching server?!?!?
[Hell, I even run a caching server to protect my vanity domain with 4
email accounts! ;-) ]
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Time to make multi.uribl.org optional rather than default?
Posted by Andy Dills <an...@xecu.net>.
On Tue, 19 Feb 2008, Dallas Engelken wrote:
> Filtering the top 0.45% IPs results in 20% fewer queries/second to the
> mirrors. I dont see trying to limit excessive bandwidth usage on donated
> mirrors as an "obnoxious stance".
The "obnoxious stance" comment is in demanding payment for reducing the
load on your servers. All of the other RBLs that I'm aware of (could be
wrong) are happy to provide data feeds free of charge. To be perfectly
honest with you, prior to the email, I wasn't even aware of uribl, just
surbl. It was merely included when we upgraded SA. We have our own local
DCC server and local copies of several of the RBLs; it's a win-win, we
reduce latency, you reduce bandwidth consumption.
It's certainly your right to charge, I'm not denying that. I just don't
think spamassassin should be promoting the use of services that ultimately
desire to be compensated for what is in reality a very medium volume of
queries, and which (I assume) is populated with data that is generated
compensation-free by your users. If you gave free data feeds like
everybody else, I would applaud you, apologize for being unaware of our
abuse of your servers, setup the feed, and thank you for your
contribution.
When I got your email, I immediately went to your website to setup a data
feed and found myself disgusted that you wanted payment, just as I was
disgusted with MAPS so many years ago.
> We asked you to shut off your queries on 2007-12-27 19:15:09. Nearly 3 months
> later and we still saw the same high volume queries from your systems.
My apologies, I actually never saw the initial request. I'm not sure what
was different about this mailing, or if the first somehow got caught up in
the holiday vacation situation.
When our spamassassin rules recompile tonight, you'll no longer see the
bulk of those requests.
> > I really don't care much either way, for me it's a done deal, I'm disabling
> > the tests on my mail servers and advising others to do the same.
> > I'm just wondering if the community at large is aware of this and has an
> > opinion.
> >
>
> Superb. Thats all you had to do in the first place without raising a stink.
>
> If SA wants to completely remove uribl.com tests because we dont allow the
> heavy hitters to query the public mirrors, thats their choice.
If you think 500k queries a day is a heavy hitter, you're off your rocker.
I suspect most of the heavy hitters have their load distributed among many
source IPs...do you aggregate query volume data by cidr block?
For instance, if we ran a cacheing nameserver on each of our mailservers,
would you have ever noticed us?
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Time to make multi.uribl.org optional rather than default?
Posted by Dallas Engelken <da...@uribl.com>.
Andy Dills wrote:
> It appears (from email recently sent to the admins of a few small
> mailservers I help admin) that the people in charge of uribl.com have
> decided to set a pretty low threshold for blacklisting DNS servers from
> querying, demanding that people who hit that threshold pay them a rather
> exorbitant rate for a data feed.
>
Demanding? I believe the first thing that excessive query volume email
tells you is to simply shut it off and be done. The data feed option
is just that, an option. If you see no value in it, then you wont be
missing anything by us not answering your queries.
> I have judged this threshold to be low based on the size of some of the
> mail/dns servers whose admins have gotten this email, along with the fact
> that this is the only blacklist to have taken this obnoxious stance.
>
>
What is your definition of low volume? db2.xecu.net + dns02.xecu.net
accounts for nearly 500k queries/day (~3GB of data/mo).
There are over 40k unique IP that query URIBL public dns. As any mirror
operator can see, we have around 180 IPs in the ACL. So thats ~0.45%.
And those 180 blocked IPs consist of far fewer organizations/companies
as many have more than 1 IP on that list.
Filtering the top 0.45% IPs results in 20% fewer queries/second to the
mirrors. I dont see trying to limit excessive bandwidth usage on
donated mirrors as an "obnoxious stance".
> because right now the default inclusion of tests against
> multi.surbl.com is in reality just a "trial service" and an opportunity
> for this for-profit organization to create revenue streams.
>
>
If you remove it from SA by default, you're doing so at the expense of
the other 99.55%.
We asked you to shut off your queries on 2007-12-27 19:15:09. Nearly 3
months later and we still saw the same high volume queries from your
systems.
> I really don't care much either way, for me it's a done deal, I'm
> disabling the tests on my mail servers and advising others to do the same.
> I'm just wondering if the community at large is aware of this and has an
> opinion.
>
Superb. Thats all you had to do in the first place without raising a stink.
If SA wants to completely remove uribl.com tests because we dont allow
the heavy hitters to query the public mirrors, thats their choice.
Although, the usage policy for Spamhaus
(http://www.spamhaus.org/organization/dnsblusage.html) doesnt prevent
inclusion of RCVD_IN_SBL in SA.
Thanks,
--
Dallas Engelken
dallase@uribl.com
http://uribl.com
Re: Time to make multi.uribl.org optional rather than default?
Posted by Andy Dills <an...@xecu.net>.
On Tue, 19 Feb 2008, Rob McEwen wrote:
> Andy Dills wrote:
> > ...the people in charge of uribl.com have decided to set a pretty low
> > threshold for blacklisting DNS servers from querying, demanding that people
> > who hit that threshold pay them a rather exorbitant rate for a data feed.
> >
>
> Andy,
>
> Does the fee you describe pay for (a) being allowed to do a high volume of
> direct DNS queries, ..OR.. (b) does it pay for an RSYNC feed to
> rbldnsd-formatted files?
It's for some sort of rynsc-like feed (I don't believe it uses rsync). I
don't believe they offer (a).
> If that is for high-volume direct queries, then why not check and see what an
> RSYNC-feed of an rbldnsd-formatted file might do for you, and the costs of the
> RSYNC feed?
Yeah, it's just a bottom line reality that the cheapest fee they will
accept ($1450/year) in no way corresponds to any sort of bottom-line ROI.
The cost is out of line with the value of their service.
> (Also, at one point, you mentioned SURBL... but that was a typo and you are
> talking about URIBL, correct?)
Yes, sorry...I meant URIBL. The SURBL people have always been very cool.
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Time to make multi.uribl.org optional rather than default?
Posted by Rob McEwen <ro...@invaluement.com>.
Andy Dills wrote:
> ...the people in charge of uribl.com have decided to set a pretty
> low threshold for blacklisting DNS servers from querying, demanding
> that people who hit that threshold pay them a rather exorbitant rate
> for a data feed.
>
Andy,
Does the fee you describe pay for (a) being allowed to do a high volume
of direct DNS queries, ..OR.. (b) does it pay for an RSYNC feed to
rbldnsd-formatted files?
If that is for high-volume direct queries, then why not check and see
what an RSYNC-feed of an rbldnsd-formatted file might do for you, and
the costs of the RSYNC feed?
(Also, at one point, you mentioned SURBL... but that was a typo and you
are talking about URIBL, correct?)
Rob McEwen
Re: Time to make multi.uribl.org optional rather than default?
Posted by Duane Hill <d....@yournetplus.com>.
On Tue, 19 Feb 2008 09:25:41 -0500 (EST)
Andy Dills <an...@xecu.net> wrote:
>
> It appears (from email recently sent to the admins of a few small
> mailservers I help admin) that the people in charge of uribl.com have
> decided to set a pretty low threshold for blacklisting DNS servers
> from querying, demanding that people who hit that threshold pay them
> a rather exorbitant rate for a data feed.
>
> I have judged this threshold to be low based on the size of some of
> the mail/dns servers whose admins have gotten this email, along with
> the fact that this is the only blacklist to have taken this obnoxious
> stance.
>
> I have no problem disabling their tests in my local.cf. I'm wondering
> if it's time to recognize that they are very similar to MAPS and to
> treat them similarly, because right now the default inclusion of
> tests against multi.surbl.com is in reality just a "trial service"
> and an opportunity for this for-profit organization to create revenue
> streams.
>
> I really don't care much either way, for me it's a done deal, I'm
> disabling the tests on my mail servers and advising others to do the
> same. I'm just wondering if the community at large is aware of this
> and has an opinion.
Back on October 16th, 2007 they did make an announcement on their site:
...
URIBL has begun to block IPs hitting our public DNS mirrors with high
volume. If you are sending anything close to 500k queries/day to our
public dns, you queries may be refused already, or in the near future.
If you would like to become a part of the public dns infastructure and
give some queries back to the world, please contact dnsadmin@uribl.com
This is the same thing SpamHaus started doing a year or so ago (I can't
recall for sure when, it could have been less than a year). As we are
using SpamHaus at the MTA level (not at the SA level), we have purchased
the data feed. At the MTA level, our two filter servers are doing an
average well over three(3) million queries per day.
-------
_|_
(_| |