Posted to users@spamassassin.apache.org by jdow <jd...@earthlink.net> on 2009/12/20 09:28:07 UTC

The other side of whitelists - arbitrary blacklists

http://isc.sans.org/diary.html?storyid=7780

It can be quite frustrating to run an ISP and comply with the often
arbitrary, strange, and I suspect contradictory demands of the likes
of SORBS and Trend Micro. An ISP Abuse handler vents in this article.

{^_^}

Re: The other side of whitelists - arbitrary blacklists

Posted by Res <re...@ausics.net>.
On Sun, 20 Dec 2009, Per Jessen wrote:

>> SORBS would only put you in their DUL listing for anything resembling
>> hosts that are dynamic,
>
> AFAIK, also ranges that were "declared" to be dynamic, e.g. in whois
> info. I once had a range allocated which had previously been declared
> to be dynamic, and it was listed at SORBS.

Last I heard they had a script that checked 'probable ranges'; anything 
with static or an actual boxname, so to speak, was not included in the 
DUL collection. They ran it over my previous employer's ranges, who did 
DSL/Dial etc.; they entered all but the ones they said wouldn't be, so it 
worked, at least back then anyway (we did NOT object to our normal users' 
IPs being included, our only concern was our business clients who were 
static-*.state.dsl.domain). If it included a normal boxname in a range 
used by dynamics, then I'd say their script broke, and I'm sure they would 
have found and fixed it pretty fast.

--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Re: The other side of whitelists - arbitrary blacklists

Posted by Per Jessen <pe...@computer.org>.
Res wrote:

> On Sun, 20 Dec 2009, jdow wrote:
> 
>> http://isc.sans.org/diary.html?storyid=7780
>>
>> It can be quite frustrating to run an ISP and comply with the often
>> arbitrary, strange, and I suspect contradictory demands of the likes
>> of SORBS and Trend Micro. An ISP Abuse handler vents in this article.
>>
> 
> SORBS would only put you in their DUL listing for anything resembling
> hosts that are dynamic, 

AFAIK, also ranges that were "declared" to be dynamic, e.g. in whois
info. I once had a range allocated which had previously been declared
to be dynamic, and it was listed at SORBS. 


/Per Jessen, Zürich


Re: The other side of whitelists - arbitrary blacklists

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Sun, 20 Dec 2009, jdow wrote:
>> http://isc.sans.org/diary.html?storyid=7780
>>
>> It can be quite frustrating to run an ISP and comply with the often
>> arbitrary, strange, and I suspect contradictory demands of the likes
>> of SORBS and Trend Micro. An ISP Abuse handler vents in this article.

On 20.12.09 21:04, Res wrote:
> SORBS would only put you in their DUL listing for anything resembling  
> hosts that are dynamic, those who block based on spam only would never  
> see this as an issue (had many a dealing with SORBS, for the most part 
> they were understanding and co-operative - I say "were" because we have 
> been lucky enough not to have had any need to interact with them in a 
> good few years now, but Matthew knows I have a zero spam tolerance and 
> effective policies)
>
> Can't comment on trend micro, never used them, don't intend to, but to 
> demand you must use mail/smtp is laughable. Who the hell do they think 
> they are to dictate that? The only losers there are trend micro users, 
> and unless they change their policy, ultimately, it will be trend micro 
> who lose.

They don't say you must use SMTP/mail. They just gather all possible
information to have evidence of dynamically assigned addresses. SpamHaus
PBL does it (afaik) too. And some ISPs' admins are too lazy, stupid or
incompetent to give ordinary users generic or dynamic-looking addresses,
which often causes this problem.

I have already met a case where it was not the blacklist but the smtp-level
filters that considered the DNS name to be dynamic-looking, or too
generic. So I'd be careful when saying who makes the mistake here.

TrendMicro now owns the only official RBL - the oldest DNS based
blacklist, which includes DUL aka dial-up list. And I think I could trust
them.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...

Re: The other side of whitelists - arbitrary blacklists

Posted by Res <re...@ausics.net>.
On Sun, 20 Dec 2009, jdow wrote:

> http://isc.sans.org/diary.html?storyid=7780
>
> It can be quite frustrating to run an ISP and comply with the often
> arbitrary, strange, and I suspect contradictory demands of the likes
> of SORBS and Trend Micro. An ISP Abuse handler vents in this article.
>

SORBS would only put you in their DUL listing for anything resembling 
hosts that are dynamic, those who block based on spam only would never 
see this as an issue (had many a dealing with SORBS, for the most part they 
were understanding and co-operative - I say "were" because we have been 
lucky enough not to have had any need to interact with them in a good few 
years now, but Matthew knows I have a zero spam tolerance and effective 
policies)

Can't comment on trend micro, never used them, don't intend to, but 
to demand you must use mail/smtp is laughable. Who the hell do they think 
they are to dictate that? The only losers there are trend micro users, 
and unless they change their policy, ultimately, it will be trend micro 
who lose.


--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!

Re: The other side of whitelists - arbitrary blacklists

Posted by Michael Scheidell <sc...@secnap.net>.

On 12/22/09 2:49 PM, jdow wrote:
>
>
> I agree he could have included more information than he did without
> giving away names involved. One piece of wording suggests he is an
> admin at a box or rack rental place such as rackspace rather than a
> wire rental place; and, its customers are meeting with the problems
> he's expected to clear up.
>
maybe it's the TYPES of things that arbitrary blacklists do.

we had a vendor talk a marketing person into letting him plug his 
(infected) laptop into the conference room ethernet jack.
yes, the IDS went crazy, and it took all of 60 seconds for the SOC 
manager to turn the switchport off.

yes, in 60 seconds, godaddy had blacklisted our WHOLE CLASS C. (I 
would not care if they blacklisted that ip, and we gave the marketing 
person a week vacation to think about what they did, and we disabled the 
networking jack in the conference room and took away all the cables)

godaddy refused to unblacklist our whole class c until we put an rdns on 
the ip address that we would not normally use for anything.

oh, and it took them 72 hours to update their blacklist.  less than 60 
seconds to get on, more than 72 hours to get off.

typical? I don't know.  I also know that back in the cabal days (tinc) 
if you publicly insulted certain blacklist operators they would put you 
on their list.

would trend force someone to change their dns to 'smtp'?  don't know, 
but we send to people with trend all the time and our dns isn't smtp*.

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


Re: The other side of whitelists - arbitrary blacklists

Posted by mouss <mo...@ml.netoyen.net>.
jdow wrote:
> At least one well respected ninja sort from this list is also a
> volunteer SANS Internet Storm Cellar operator. These folks do not seem
> to be in the least "inexperienced" in the ways of malware and malware
> delivery. That is why I take that diary entry at face value.
> 

maybe I'm wrong, but I don't think writing on sans pages requires much
more than "getting the article accepted", and those guys are good at
internet security, not necessarily at internet collaboration policies.


> I agree he could have included more information than he did without
> giving away names involved. One piece of wording suggests he is an
> admin at a box or rack rental place such as rackspace rather than a
> wire rental place; and, its customers are meeting with the problems
> he's expected to clear up.
> 

the problem is that he only says "he is right and they are wrong",
without giving us a chance to judge by ourselves. as one of my
favourite math teachers used to say "toute proposition non justifiée est
sans valeur" (translation attempt: unproven propositions have no value).

I personally dislike Trend and if asked, I could spend many paragraphs
insulting their stupidity. but the article seems to suggest that they
require "smtp/mail/..." in hostnames. This is simply not realistic. they
do accept mail from a lot of hosts which are not named "smtp/mail/...".
so the author lies (by omission or whatever, but that's it).

and regarding sorbs, we've seen a lot of attacks...

the fact that the article is published at SANS says nothing to me. I
personally have no idea of SANS publishing policy and process. I've seen
many "less than perfect" SANS articles (and I'm polite not to say
"stupid", ...).

Re: The other side of whitelists - arbitrary blacklists

Posted by jdow <jd...@earthlink.net>.
From: "mouss" <mo...@ml.netoyen.net>
Sent: Monday, 2009/December/21 15:47


> jdow wrote:
>> http://isc.sans.org/diary.html?storyid=7780
>>
>> It can be quite frustrating to run an ISP and comply with the often
>> arbitrary, strange, and I suspect contradictory demands of the likes
>> of SORBS and Trend Micro. An ISP Abuse handler vents in this article.
>>
>
> from the text, there is no way to see whether the guy is right or wrong.
> there is no evidence.
>
> I doubt Trend Micro _require_ "smtp/mail/...". they may recommend it.
> but they certainly accept mail from a lot of servers whose name has no
> smtp/mail/... in it.
>
> as for sorbs, my experience is that they will easily unlist any host
> that was listed by error. (I am talking about duhl).
>
> so in my opinion, this is just blah blah blah blah.
>
> and yes, it is reasonable to block ad\d+\.$domain, because "ad"
> generally means "active directory", which has no business sending mail.
> sure, one should be free to name his mail server, but we are free to
> block what looks like a ratnet. this includes things like
> 2.3.4.5.static.example.com, however static it is. if you want to send mail
> in these spam days, the least we ask you is to "name" your server.

At least one well respected ninja sort from this list is also a
volunteer SANS Internet Storm Cellar operator. These folks do not seem
to be in the least "inexperienced" in the ways of malware and malware
delivery. That is why I take that diary entry at face value.

I agree he could have included more information than he did without
giving away names involved. One piece of wording suggests he is an
admin at a box or rack rental place such as rackspace rather than a
wire rental place; and, its customers are meeting with the problems
he's expected to clear up.

{^_^} 


Re: The other side of whitelists - arbitrary blacklists

Posted by mouss <mo...@ml.netoyen.net>.
jdow wrote:
> http://isc.sans.org/diary.html?storyid=7780
> 
> It can be quite frustrating to run an ISP and comply with the often
> arbitrary, strange, and I suspect contradictory demands of the likes
> of SORBS and Trend Micro. An ISP Abuse handler vents in this article.
> 

from the text, there is no way to see whether the guy is right or wrong.
there is no evidence.

I doubt Trend Micro _require_ "smtp/mail/...". they may recommend it.
but they certainly accept mail from a lot of servers whose name has no
smtp/mail/... in it.

as for sorbs, my experience is that they will easily unlist any host
that was listed by error. (I am talking about duhl).

so in my opinion, this is just blah blah blah blah.

and yes, it is reasonable to block ad\d+\.$domain, because "ad"
generally means "active directory", which has no business sending mail.
sure, one should be free to name his mail server, but we are free to
block what looks like a ratnet. this includes things like
2.3.4.5.static.example.com, however static it is. if you want to send mail
in these spam days, the least we ask you is to "name" your server.
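Two technical threads run through the posts above: Matus's point that SMTP-level filters (not only the blacklists) reject connecting hosts whose reverse DNS looks "generic or dynamic", and mouss's concrete policy of refusing `ad\d+\.$domain` and names with the client's IP octets baked in, such as `2.3.4.5.static.example.com`. The script below is an added example, not code from any list member, SpamAssassin, SORBS or Trend Micro. It implements those heuristics as a small rDNS classifier and shows the DNSBL/DUL query shape (octets reversed, list zone appended), answered from a constructed in-memory table instead of live DNS so it runs offline. The zone name `dul.example.invalid`, the return code `127.0.0.10`, the `DYNAMIC_PREFIXES` list and every sample address are constructed for the example.

```python
"""Reverse-DNS sanity checks of the kind debated in the thread.

Added example. Policy encoded here:
  * ad<N>.example.com is treated as an Active Directory host, not a mail server
  * a PTR name carrying the client's own IP octets is "unnamed", however
    "static" its other labels claim to be
  * a host label starting with a dynamic-pool word (dsl, dyn, pool, ...) is generic
  * anything else counts as a deliberately named host (so static-9.state.dsl...
    passes, matching Res's account of business clients being left out of a DUL)
"""
import ipaddress
import re

# Host-label prefixes treated as dynamic-pool naming. Constructed, short list.
DYNAMIC_PREFIXES = ("dsl", "adsl", "dial", "dialup", "dyn", "dynamic",
                    "pool", "ppp", "cable", "dhcp")


def _octets_in_name(octets, name):
    """True if the four octets appear consecutively (forward or reversed)
    as dot- or dash-separated tokens of the PTR name."""
    toks = re.split(r"[.-]", name)
    rev = octets[::-1]
    return any(toks[i:i + 4] in (octets, rev) for i in range(len(toks) - 3))


def classify_rdns(ip, hostname):
    """Return (generic, reason). generic=True means the PTR name looks like an
    unnamed or dynamically assigned host rather than a named mail server."""
    if not hostname:
        return True, "no reverse DNS"
    name = hostname.rstrip(".").lower()
    host_label = name.split(".")[0]
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    # mouss's ad\d+\.$domain rule
    if re.fullmatch(r"ad\d+", host_label):
        return True, "ad<N> host"
    # 2.3.4.5.static.example.com or 198-51-100-23.dyn.example.net
    if _octets_in_name(octets, name):
        return True, "ip address in hostname"
    # dsl-pool-77.example.net, dyn123.example.net, ...
    if any(re.match(rf"^{p}(?:\d|[-.]|$)", host_label) for p in DYNAMIC_PREFIXES):
        return True, f"dynamic-pool prefix '{host_label}'"
    return False, "named host"


def dnsbl_query_name(ip, zone):
    """Query name for ip in a DNSBL zone: octets reversed, zone appended,
    e.g. 2.3.4.5 in dul.example.invalid -> 5.4.3.2.dul.example.invalid."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for a DUL zone's answers (query name -> A record).
# Real lists return a 127.0.0.x code whose meaning is specific to that list.
CONSTRUCTED_DUL = {
    "5.4.3.2.dul.example.invalid": "127.0.0.10",
    "23.100.51.198.dul.example.invalid": "127.0.0.10",
}


def dul_listed(ip, zone="dul.example.invalid", answers=CONSTRUCTED_DUL):
    """Return the DUL answer code for ip, or None when it is not listed."""
    return answers.get(dnsbl_query_name(ip, zone))


# Constructed connecting-client samples: (client IP, its PTR name or None).
SAMPLES = [
    ("2.3.4.5", "2.3.4.5.static.example.com"),
    ("198.51.100.23", "198-51-100-23.dyn.example.net"),
    ("198.51.100.7", "ad3.example.com"),
    ("198.51.100.8", "mx1.example.com"),
    ("203.0.113.9", "static-9.state.dsl.example.net"),
    ("203.0.113.10", "dsl-pool-77.example.net"),
    ("203.0.113.11", None),
]


def triage(samples=SAMPLES):
    """Run both checks per client; returns {ip: (generic, reason, dul_code)}."""
    return {ip: (*classify_rdns(ip, ptr), dul_listed(ip)) for ip, ptr in samples}


if __name__ == "__main__":
    for ip, (generic, reason, dul) in triage().items():
        verdict = "suspect" if generic or dul else "ok"
        print(f"{ip:16} {verdict:8} {reason:34} DUL={dul}")
```

The two checks are deliberately independent: a DUL answers "is this address in a range someone declared dynamic", while the rDNS classifier answers "does the name look like nobody named this box". The thread's disagreement is exactly about the second one, and the `static-9.state.dsl.example.net` sample shows why: under these rules it passes as a named host, which is how Res describes SORBS treating his business clients, while mouss would still refuse a name that carries the IP itself.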