Posted to users@spamassassin.apache.org by Richard Ozer <ro...@ois-online.com> on 2005/12/01 19:29:50 UTC

Re: compu.net dnsbl's

That's a pretty nasty way to deal with that problem. You'll mostly affect 
bystanders.

Why don't you just filter the requests and forget about them?

----- Original Message ----- 
From: "Bill Larson" <bl...@compu.net>
To: <us...@spamassassin.apache.org>
Cc: <SP...@PEACH.EASE.LSOFT.COM>
Sent: Friday, December 02, 2005 10:15 AM
Subject: compu.net dnsbl's


Over 2 years ago I shut down blackhole.compu.net and pm0-no-more.compu.net 
then announced the shutdown on the news.admin.net-abuse.email and several 
other mail and abuse related lists. As of today I am still logging several 
hundred requests per minute to it two years later. In one week I am going to 
start answering positive on every lookup to that domain. I don't want to do 
this; however, I am not going to continue to bear the load for something that 
ceased to exist over two years ago. So basically check your mail servers and 
if you are using the blackhole.compu.net or pm0-no-more.compu.net dnsbls 
remove it asap! Thanks.

Bill Larson
Network Administrator
Compu-Net Enterprises
(931) 920-0043 


Re: compu.net dnsbl's

Posted by Dan Hollis <go...@anime.net>.
On Thu, 1 Dec 2005, Richard Ozer wrote:
> That's a pretty nasty way to deal with that problem. You'll mostly affect 
> bystanders.
> Why don't you just filter the requests and forget about them?

Because he'll still get bombarded with the wasted traffic of useless dns 
requests.

-Dan

Re: compu.net dnsbl's

Posted by mouss <us...@free.fr>.
Matt Kettler wrote:
> 
> Really, that reduces the problem of network load on compu.net's servers, but it
> does nothing to make the misconfigured admins aware of the problem.
> 

true...

> I tend to strongly dislike the positive response method if done rapidly after
> shutdown.
> 
> However, in this case there's 2 years of the RBL being down without the
> misconfigured admins noticing they aren't hitting anything? I mean, come on,
> don't you audit your RBLs more often than that?

depends on whom you are talking about. many nets are managed by people 
who copy/paste and forget. you may say these nets only get what they 
deserve and you may be right. now, if you take the view point of a 
sender who is blocked for no reason, or that of a recipient who doesn't 
know he's missing mail....

> 
> And I'm not talking SA rules here. There's never been a compu.net RBL query
> built into SA, so these are sites that hand-added compu.net to their MTA's.
> 
> How often do you audit your MTA layer blocks, even if only by checking
> hitcounts? I do mine weekly with a small shell script, while that might be above
> average, I'd expect someone to notice that a RBL is not hitting at all in a 2
> year span...


there are unfortunately many "howtos" using unsafe dnsbls as examples 
(or other unsafe tests). These get used. you, I and a lot of people here 
know this is silly, but we are a minority. one of the "funny" things I 
heard of was an asian network where anti-asian rules were installed, 
because the admin just copied howtos (now, this has nothing to do with 
asian people of course. it's just an example showing that "bad" things 
really happen).

> 
> Not to mention the net effect being really no better than just publishing a
> positive reply.
> 
> A Positive reply will cut off all their inbound mail. They'll notice that pretty
> fast.

Yes, but I still want to get the list of those who use obsolete lists...


> A new DNSBL will cut off their ability to send mail to a few domains, which
> they'll eventually notice. In the meantime it increases load on compu.net even
> further, and has the recursive problem you mentioned.
> 

I think something is needed in the dnsbl "api". something like "if list 
is dead, all results are 255.255.255.255". this way, dnsbl lookup 
tools/libs/... can issue warnings to tell people to stop (or could 
recompile the kernel and install a new one:).

but as you say, maybe a "positive response" is the right way...

Re: compu.net dnsbl's

Posted by Matt Kettler <mk...@evi-inc.com>.
mouss wrote:
> Bill Larson wrote:
> 
>> It's still load on the server or router. I am giving plenty of time and
>> announcing it where spam conscious system admin should see it and have
>> plenty of time to take action.
> 
> 
> I understand, but the "positive response" way is somewhat harsh.
> 
> can't you just make the ns record point to a silly entry?

Really, that reduces the problem of network load on compu.net's servers, but it
does nothing to make the misconfigured admins aware of the problem.

I tend to strongly dislike the positive response method if done rapidly after
shutdown.

However, in this case there's 2 years of the RBL being down without the
misconfigured admins noticing they aren't hitting anything? I mean, come on,
don't you audit your RBLs more often than that?

And I'm not talking SA rules here. There's never been a compu.net RBL query
built into SA, so these are sites that hand-added compu.net to their MTA's.

How often do you audit your MTA layer blocks, even if only by checking
hitcounts? I do mine weekly with a small shell script, while that might be above
average, I'd expect someone to notice that a RBL is not hitting at all in a 2
year span...

> if you wanna go the "positive reply" way, why not start by publishing a new dnsbl comprised of those who access your original dnsbl. this way, we can block them (so they know quickly that they're doing something bad). of course, this game may become recursive, so it's not a good idea. but I find it fun:) 

Not to mention the net effect being really no better than just publishing a
positive reply.

A Positive reply will cut off all their inbound mail. They'll notice that pretty
fast.

A new DNSBL will cut off their ability to send mail to a few domains, which
they'll eventually notice. In the meantime it increases load on compu.net even
further, and has the recursive problem you mentioned.
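
The kind of hit-count audit described in this message, as an added example that is not part of the thread or any poster's script: it counts rejects per configured DNSBL zone in MTA logs and flags zones that never hit (a dead list) or that reject nearly every connection (a list answering positive on every lookup). The zone names, the log lines and the 90% threshold are constructed assumptions; the "blocked using <zone>;" wording follows Postfix's RBL reject log lines.

```sh
#!/bin/sh
# Added example: DNSBL hit-count audit over MTA reject logs.
# Zone names and log lines are constructed; adapt the patterns to your MTA.

sample_log() {
cat <<'EOF'
Dec  1 10:00:01 mx postfix/smtpd[101]: connect from unknown[192.0.2.10]
Dec  1 10:00:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using bl.example.org; from=<a@example.com> to=<u@example.net> proto=SMTP
Dec  1 10:00:02 mx postfix/smtpd[101]: disconnect from unknown[192.0.2.10]
Dec  1 10:01:10 mx postfix/smtpd[102]: connect from mail.example.com[198.51.100.7]
Dec  1 10:01:12 mx postfix/smtpd[102]: disconnect from mail.example.com[198.51.100.7]
Dec  1 10:02:30 mx postfix/smtpd[103]: connect from unknown[203.0.113.5]
Dec  1 10:02:31 mx postfix/smtpd[103]: disconnect from unknown[203.0.113.5]
Dec  1 10:03:00 mx postfix/smtpd[104]: connect from mx.example.net[198.51.100.9]
Dec  1 10:03:01 mx postfix/smtpd[104]: disconnect from mx.example.net[198.51.100.9]
EOF
}

# audit_dnsbls MAX_PCT ZONE...  (log on stdin)
# Prints "<zone> <hits> <status>" for every configured zone, in argument order.
audit_dnsbls() {
    max_pct=$1; shift
    awk -v zones="$*" -v max_pct="$max_pct" '
        BEGIN { n = split(zones, z, " ") }
        / connect from / { connects++ }          # does not match "disconnect from"
        / blocked using / {
            for (i = 1; i <= n; i++)              # literal match, dots are not wildcards
                if (index($0, " blocked using " z[i] ";")) hits[z[i]]++
        }
        END {
            for (i = 1; i <= n; i++) {
                h = hits[z[i]] + 0
                if (h == 0) status = "SILENT"     # configured but never hits: dead list?
                else if (connects > 0 && h * 100 >= max_pct * connects)
                    status = "SUSPECT"            # rejects almost everything: wildcard answer?
                else status = "ok"
                printf "%s %d %s\n", z[i], h, status
            }
        }'
}

# Stand-alone run: audit two configured zones against the sample log.
sample_log | audit_dnsbls 90 bl.example.org dead.example.net
```

Run from cron against the real mail log, a SILENT line is the cue to check whether the list still exists before it starts listing everything.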

Re: compu.net dnsbl's

Posted by mouss <us...@free.fr>.
Bill Larson wrote:
> It's still load on the server or router. I am giving plenty of time and 
> announcing it where spam conscious system admin should see it and have 
> plenty of time to take action.

I understand, but the "positive response" way is somewhat harsh.

can't you just make the ns record point to a silly entry?

if you wanna go the "positive reply" way, why not start by publishing a 
new dnsbl comprised of those who access your original dnsbl. this way, 
we can block them (so they know quickly that they're doing something 
bad). of course, this game may become recursive, so it's not a good 
idea. but I find it fun:)


good luck...

Re: compu.net dnsbl's

Posted by Bill Larson <bl...@compu.net>.
It's still load on the server or router. I am giving plenty of time and 
announcing it where spam conscious system admin should see it and have plenty 
of time to take action.

Bill Larson
Network Administrator
Compu-Net Enterprises

----- Original Message ----- 
From: "Richard Ozer" <ro...@ois-online.com>
To: "Bill Larson" <bl...@compu.net>; <us...@spamassassin.apache.org>
Sent: Thursday, December 01, 2005 12:29 PM
Subject: Re: compu.net dnsbl's


> That's a pretty nasty way to deal with that problem. You'll mostly affect 
> bystanders.
>
> Why don't you just filter the requests and forget about them?
>
> ----- Original Message ----- 
> From: "Bill Larson" <bl...@compu.net>
> To: <us...@spamassassin.apache.org>
> Cc: <SP...@PEACH.EASE.LSOFT.COM>
> Sent: Friday, December 02, 2005 10:15 AM
> Subject: compu.net dnsbl's
>
>
> Over 2 years ago I shut down blackhole.compu.net and pm0-no-more.compu.net 
> then announced the shutdown on the news.admin.net-abuse.email and several 
> other mail and abuse related lists. As of today I am still logging several 
> hundred requests per minute to it two years later. In one week I am going 
> to start answering positive on every lookup to that domain. I don't want 
> to do this; however, I am not going to continue to bear the load for 
> something that ceased to exist over two years ago. So basically check your 
> mail servers and if you are using the blackhole.compu.net or 
> pm0-no-more.compu.net dnsbls remove it asap! Thanks.
>
> Bill Larson
> Network Administrator
> Compu-Net Enterprises
> (931) 920-0043