Choosing a Good DNSBL
stry_cat submitted a story about selecting a good DNSBL. It talks about some of the problems with DNS blacklists and the sorts of things that you should be looking for. Things like Speed, Selection Criteria, and Goals make the list. And of course not requiring payment to be removed from the blacklist.
http://stats.dnsbl.com/
Or, for commentary:
http://www.dnsbl.com/
Absolutely the best resource on the topic.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Greylisting kills a lot of stuff too.
Those are the only two that work for me (located in North America).
Excuse me, but please get off my Pennisetum Clandestinum, eh!
This seems like as good a place to ask as any. Can mostly email-based DNSBLs be used to try and block comment spammers? I'd love to reduce the load I get from comment spammers trying to spam my website.
I've been contemplating using an existing DNSBL, but all the well-known ones are focused on email spam. I expect that comment spambots and email spambots mostly overlap, but I'm not sure how effective such a measure would be.
You are in a maze of twisty little relative jumps, all alike.
I used to work in the abuse department of an ISP which had been blacklisted by SORBS. SORBS require a "donation" to get your IP range off their list, and since we refused to hand over extortion money to these gangsters, there was no way for us to deal with them. Despite our best efforts, we also found that there was no way to get in contact with them, and as such no way to help our customers.
Doing a Google search for information about this lot brought up so many horror stories that I can't fathom how so many people ended up using their "service". It got to the stage where if we had a customer having trouble with SORBS blocking their mail, the only advice we could give was to contact their recipient via other means and ask them to stop using these thugs to filter mail.
Choosing a good DNSBL (or three!) is definitely important, but IMHO, you should NEVER run DNSBL's without building a local override into the system. We run our own DNSWL (dns whitelist) which is consulted before hitting on BLs... if a customer has had problems with one of their contacts being blacklisted, we can selectively add their IP to the list.
Unrelated to the above, I would also recommend looking at ironport systems if this is a commercial project with a decent sized budget. (I am not affiliated, just a happy customer).
A couple of 30-somethings embark on the ultimate roadtrip
They all have issues; all of them create headaches for administrators of legitimate e-mail servers at one time or another.
DNSBLs are subject to the whims of some of the most unreliable and whiny schmucks on the face of the planet. NEVER under any circumstances use a single DNSBL as an absolute block. Use it to increment a score along the lines of Spam Assassin that will eventually hit a threshold, preferably with a minimal content-based component. Don't even think about using multiple hits on multiple lists as a gauge of spam-worthiness. The amount of inbreeding and sharing among lists is disgustingly high. Not even the Spamhaus aggregate is trustworthy these days.
Spammers can get around blacklists anyways. They're about as effective as locking a door made of tissue paper. The number of false positives is high. The amount of spam blocked is negligible. My suggestion is to abandon the idea altogether.
DNS BL? DNS blacklist. Same number of syllables. DNS makes sense since it is only three syllables instead of "do-main name ser-vice (or Sys-tem)" which is 5 syllables.
But BL for Blacklist? Nah.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
No...
It's how quickly the maintainers of this particular DNSBL respond to your request to remove your ass from the list when they choose to blacklist you.
We've multiple MTAs for a single mail domain, because when an attacker found some way to relay or bounce back off one of our MTAs and cause it to be blacklisted by the major DNSBLs on earth, we still have other MTAs to take up the job.
Then we could spend the rest of the week asking to have that MTA removed from their DNSBL, by email, or worse, by forum.
Trust me, it's painful.
Greetings, sir,
Allow me to introduce myself. I'm a representative of the Consortium of Common Sense. I've noticed you recently posted to an Internet-based conversation, complaining about the reduction of a nine-letter word to two letters via acronym. Your post referenced such things as numbers of syllables.
Please look at your desk now, and slam your head down as hard as you can on it. Do you feel those weird little indentations in your forehead?
THEY'RE CALLED KEYS - DID YOU NOT REALIZE THAT THINGS ARE TYPED, NOT SPOKEN, ON THE INTERNET?
Thank you. Please let us know if you have any other ridiculous complaints.
- Consortium for Common Sense
I seldom trust the results of a single RBL. The best technique, and what SpamAssassin does, is to check against a ton of them. I myself have gotten my own server listed on a handful of blacklists, but not from sending out email. I just happened to be in the same Class C block as another server that had been a relay over a year ago. This became a problem with mail servers that would block your mail off of a single BL hit. I gave up trying to negotiate with the BL and my SP (Rackspace) and just changed the default outgoing IP on my load balancer -- probably not an option many people stumble across.
Just make sure that despite using them, you don't trust them as absolute.
But back on topic, I've always been a big fan of SpamCop.
I don't bother with blacklists. It's easier to just eliminate all traffic from whole countries. I get a spam from China. I look up the ISP. I block all traffic to/from that entire ISP's block. Done. Same thing for former Soviet states, and other such places. It works amazingly well. Of course, this doesn't help with zombified PC's, but neither does a DNS black list.
I don't respond to AC's.
...unless you have to.
There is a lot of truth to the OP's statements. However, unless you have the budget for a commercial spam filtering application, there are not a lot of good solutions.
Spamassassin is great for what it does, but in high volume environments, you will be throwing so much hardware, bandwidth and electricity at the problem that you'll either give up on filtering at all or break down and buy a commercial solution.
DNSBL's give you a bit of breathing room between the two extremes. Our environment has about a 98% spam catch rate currently with commercial solutions. We have about 150 connections per second AVERAGE.
Our infrastructure could just barely keep up with this load when we were using DNSBL's only. Had we tried to use a spamassassin style tool, we'd have needed quite a bit more infrastructure to handle all of the increased filtering. DNS lookups are pretty cheap compared to the amount of CPU required for context / content filtering.
DNSBL's definitely generate too many false positives, but when the alternative is buying 10x the hardware or having mail take 1-2 hours to be delivered during peak times, I'll take the false positives.
A couple of 30-somethings embark on the ultimate roadtrip
Actually, using a blacklist that is purely dynamic IP's works quite well for zombies. I won't recommend one in particular, but there are several lists with just this purpose.
A couple of 30-somethings embark on the ultimate roadtrip
no one has (yet) mentioned using the missing rDNS sendmail hack. i block about 100,000 messages and servers per week using a combination of send_pause, blacklists, spamcop, iptables and the rDNS hack. rDNS routinely accounts for more than 50% of the spam that never makes it to my server.
any mail server that doesn't have an rDNS lookup, in this day and age, is imho not worth accepting messages from.
When you recognize love in another and realize how precious it is, everything else seems so insignificant.
For a site with low, static email traffic, this is a great method. Otherwise, I wouldn't wish the resulting pain on anyone.
Now... if I could selectively gray-list such hosts, then that may help a lot.
Method of processing duck feet
I have had very good luck using Spamhaus and cbl.abuseat.org. I use it to outright block spam and have never had a problem with legitimate email. I go one step further, however, and block several countries. I don't know anybody in those countries, like China, Russia and Nigeria, so I just block them entirely. That has also made a huge difference.
-Aaron
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
I use the list to score how long e-mail is greylisted and for scoring in SpamAssassin. DNSBLs are notorious for being political and having false positives. So a scoring system works better. Low scores for the worst offenders and higher spam scores for the better DNSBL.
Anyone have any experience with fake MX records?
I find the idea sort of intriguing, but I have doubts that it'll work for long in the ever-escalating arms race of spam...
My English teacher once told me that two positives don't make a negative. Two words for her: Yeah, right.
Actually, I don't think APEWS really know what they are. The proponents seem to be unable to decide whether it's punitive or simply a blocking list, but remember, most of the children on NANAE have nothing to do with it. The official statement is just that it's a list to use as you wish.
Checking the logs from my domain last night...
Spam blocking by site:
zen.spamhaus.org: 314
dnsbl.sorbs.net: 28
bl.spamcop.net: 40
psbl.surriel.com: 24
Not bad for a single-user domain.
Interested in open source engine management for your Subaru?
Http:BL is a system that allows website administrators to take advantage of the data generated by Project Honey Pot in order to keep suspicious and malicious web robots off their sites. Project Honey Pot tracks harvesters, comment spammers, and other suspicious visitors to websites. Http:BL makes this data available to any member of Project Honey Pot in an easy and efficient way.
There are plugins for WordPress, phpBB, and many others. Use http://www.projecthoneypot.org?rf=32167 if you want to give me some credit when you register. Or not, whatever.
Another class of anti-spam tool that can benefit from greylist info is things like TMDA, those annoying autoresponders that say "I don't know who you are, so click this link/captcha/etc. to prove you're not a spammer". Humans don't like the things, but if you occasionally get mail from spam-heavy places like China, it gives them a way to get through to you that's better than just blocking, and it can be pretty low-CPU, unlike running SpamAssassin.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
There are two reasons for a blacklist. Reason 1 is simply to identify probable spam sources. Reason 2 is political. It's a boycott of certain organisations whose policies the maintainer decides are reprehensible. Make sure you use the right sort. If you agree with the political motivations of the maintainer, use the second type by all means but make sure you know the reason things are being blocked.
The problem with several DNSBLs is that they are the second type masquerading as the first type. Since most probable spam sources correspond well to those organisations with reprehensible policies, they tend to be difficult to distinguish. You will often find that some otherwise legitimate emails are blocked because the ISP is also hosting a phishing website, or hosting a company involved in some sort of mail fraud. This is all well and good unless you're under the impression that the BL will block spam.
FEATURE(`dnsbl', `sbl-xbl.spamhaus.org', `"550 Rejected: Your IP address has been used to send spam. " $&{client_addr} " listed at sbl-xbl.spamhaus.org"')
FEATURE(`dnsbl', `list.dsbl.org', `"550 Rejected: Your IP address has been used to send spam. " $&{client_addr} " listed at list.dsbl.org"')
FEATURE(`dnsbl', `cn.ascc.dnsbl.bit.nl', `"550 Rejected: Due to a high volume of spam we do not accept mail from China. " $&{client_addr} " listed at cn.ascc.dnsbl.bit.nl"')
FEATURE(`dnsbl', `korea.services.net', `"550 Rejected: Due to a high volume of spam we do not accept mail from Korea. " $&{client_addr} " listed at korea.services.net"')
FEATURE(`dnsbl', `web.dnsbl.sorbs.net', `"550 Rejected: Your IP address is known to host a web site containing security holes which can be used to send spam. " $&{client_addr} " listed at web.dnsbl.sorbs.net"')
FEATURE(`dnsbl', `spam.dnsrbl.net', `"550 Rejected: Your IP address has been used to send spam. "$&{client_addr} " listed at spam.dnsrbl.net"')
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I misconfigured my catchall on one of my domains and received about 500 bounces in a matter of 5 or 6 minutes. All from fake names in my domain. I'm pissed enough when one of my real names gets forged, so these fake names steamed me. I checked all of my domains after that.
I have found that my customers don't want me to block spam. I would get complaints from customers not getting their mail from hosts that are being blocked. So I use Spamassassin to tag the spam and filters on my clients to delete it. Yep, I have to process all that spam and yep the customers have to download all that spam, but I don't get any phone calls anymore.
The above is not worth reading.
TMDA Autoresponders - One of the most annoying and effective anti-spam tools is autoresponders that say "I don't recognize your address - respond to this mail and prove you're a human". You could integrate this with a DNSBL - if the mail's not whitelisted, and it's on some DNSBLs, then maybe it gets a TMDA test instead of bit-bucket. It's lower CPU than SpamAssassin.
I originally thought of this back when Open Relays were the popular spam threat - if you get a DNS MX request from an open relay, tell them that the IP address for spambait.yourdomain.com is some other open relay's address. That would let them spend their time sending mail to each other. But spammers moved on to open proxies and then zombies, so that opportunity went away.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
There are also people combining greylists with DNSBLs - senders from blacklisted addresses get told to wait much longer than non-blacklisted addresses, or they get told to wait and non-blacklisted addresses don't.
Even if you're going to also reject on DNSBLs, this'll let you be less aggressive about it, e.g. use SpamHaus's list of known big spammers, then greylist, and use the other DNSBLs only as SpamAssassin weight, or greylist first, then use Spamhaus on the people who called back; you could also do some analysis to see how many of the greylist rejects are covered by people from which RBLs.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
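The combination several comments above describe (a local whitelist consulted first, DNSBL hits counted as a weighted score rather than an outright block, and a greylist delay that grows with that score), as an added example that is not code from any poster. The weights, thresholds, the `dnswl.example.net` zone and the injected `resolve` function are assumptions, and the sample records are constructed.

```python
import ipaddress

# Hypothetical policy values for this example; tune them against your own logs.
# No single list reaches REJECT_SCORE on its own.
ZONE_WEIGHTS = {
    "zen.spamhaus.org": 3.0,
    "bl.spamcop.net": 2.0,
    "psbl.surriel.com": 1.5,
}
LOCAL_WHITELIST = "dnswl.example.net"  # hypothetical locally run DNSWL zone
REJECT_SCORE = 5.0
BASE_DELAY_S = 300        # greylist delay for senders on no list
DELAY_PER_POINT_S = 900   # extra greylist delay per point of DNSBL score


def query_name(ip, zone):
    """Name a DNSBL lookup asks for: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone, resolve):
    """True if the zone returns a listing code for ip.

    resolve(name) is an injected function returning a list of A-record
    strings and raising LookupError on NXDOMAIN or timeout (fail open).
    """
    try:
        answers = resolve(query_name(ip, zone))
    except LookupError:
        return False
    for answer in answers:
        # 127.255.255.x is used by some lists (Spamhaus among them) to signal
        # a refused or broken query, not a listing; never count it as a hit.
        if answer.startswith("127.255.255."):
            continue
        if answer.startswith("127."):
            return True
    return False


def decide(ip, resolve):
    """Return (action, score, greylist_delay_seconds, zones_hit)."""
    # The local override wins before any third-party list is consulted.
    if is_listed(ip, LOCAL_WHITELIST, resolve):
        return ("accept", 0.0, 0, [])
    hits = [zone for zone in ZONE_WEIGHTS if is_listed(ip, zone, resolve)]
    score = sum(ZONE_WEIGHTS[zone] for zone in hits)
    if score >= REJECT_SCORE:
        return ("reject", score, 0, hits)
    # Listed senders wait longer than unlisted ones instead of being dropped.
    return ("greylist", score, BASE_DELAY_S + int(score * DELAY_PER_POINT_S), hits)


def make_resolver(records):
    """Offline stand-in for a DNS resolver, backed by a dict of A records."""
    def resolve(name):
        if name not in records:
            raise LookupError(name)  # behaves like NXDOMAIN
        return records[name]
    return resolve


# Constructed sample data; client addresses are RFC 5737 documentation IPs.
SAMPLE_RECORDS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.2"],
    "20.2.0.192.dnswl.example.net": ["127.0.0.1"],
    "30.2.0.192.psbl.surriel.com": ["127.0.0.2"],
    "40.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
}

if __name__ == "__main__":
    resolver = make_resolver(SAMPLE_RECORDS)
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(client, decide(client, resolver))
```
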
To truly make blacklists useful, you've got to filter not only mail coming from IP addresses listed within them, but also mail containing URL's that resolve to IP addresses listed within them. Once you implement this, you will see a *dramatic* drop in spam. Spammers can move their delivery systems from place to place, but at some point they've got to advertise a web site. Yes, the stock spam will still get through, as well as some others, but over the years I've spent administering (and developing) email systems, this was the single most effective thing I've ever seen.
Happily, these tests are already present in SpamAssassin; they're just not scored highly enough. Here's a nice easy way to fix that. Edit your /etc/mail/spamassassin/local.cf and add these lines:
# High score for URL's whose IP addresses are in rbl
score URIBL_AB_SURBL 10
score URIBL_JP_SURBL 10
score URIBL_OB_SURBL 10
score URIBL_PH_SURBL 10
score URIBL_SBL 10
score URIBL_SC_SURBL 10
score URIBL_WS_SURBL 10
Restart spamd, and you will immediately see a large drop in spam.
Tired of FB/Google censorship? Visit UNCENSORED!
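The check the comment above describes (flagging a message when a URL in its body resolves to a listed IP), as an added example that is not from the poster and is not how SpamAssassin implements its URIBL rules. The `sbl.spamhaus.org` default, the injected `resolve` function and the sample message and records are assumptions, with all sample data constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def url_hosts(body):
    """Distinct hostnames of the http(s) URLs in a message body, in order."""
    hosts = []
    for match in URL_RE.finditer(body):
        try:
            host = urlsplit(match.group(0)).hostname
        except ValueError:      # malformed URL, e.g. a broken IPv6 literal
            continue
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def host_ips(host, resolve):
    """IPv4 addresses for a URL host; an IP literal is returned as-is."""
    try:
        ipaddress.IPv4Address(host)
        return [host]
    except ValueError:
        pass
    try:
        return resolve(host)
    except LookupError:         # host does not resolve: nothing to check
        return []


def listed_url_hosts(body, resolve, zone="sbl.spamhaus.org"):
    """Map each URL host in body to the IPs of that host listed in zone.

    resolve(name) is an injected function returning A-record strings and
    raising LookupError on NXDOMAIN or timeout.
    """
    flagged = {}
    for host in url_hosts(body):
        for ip in host_ips(host, resolve):
            name = ".".join(reversed(ip.split("."))) + "." + zone
            try:
                answers = resolve(name)
            except LookupError:
                continue
            # 127.255.255.x signals a query error on some lists, not a hit.
            if any(a.startswith("127.") and not a.startswith("127.255.255.")
                   for a in answers):
                flagged.setdefault(host, []).append(ip)
    return flagged


def make_resolver(records):
    """Offline stand-in for a DNS resolver, backed by a dict of A records."""
    def resolve(name):
        if name not in records:
            raise LookupError(name)
        return records[name]
    return resolve


# Constructed message body and DNS data (documentation names and addresses).
SAMPLE_BODY = (
    "Cheap meds at http://pills.example/buy?id=1 and mirror http://192.0.2.77/x.\n"
    "Unsubscribe: https://news.example.org/u/42\n"
)
SAMPLE_DNS = {
    "pills.example": ["198.51.100.5", "198.51.100.6"],
    "news.example.org": ["203.0.113.9"],
    "5.100.51.198.sbl.spamhaus.org": ["127.0.0.2"],
    "77.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],
}

if __name__ == "__main__":
    print(listed_url_hosts(SAMPLE_BODY, make_resolver(SAMPLE_DNS)))
```
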
My company has been getting some bounceback emails from certain clients who rely too heavily on this blacklist. I go to their site and find out that not only are they listing my company's network, but a large portion of MCI's commercial data circuits as well. It appears they simply gather these entries from other sources and then increase the scope of the listing to include a stupidly large number of IPs (mainly the entire upstream provider). As SANS noted, they were blocking just about the entire AT&T network. They don't identify who they are, they have no method of being contacted, and they are incredibly careless. Anyone who relies on an APEWS or SPEWS blocklist for anything will be very sorry they did. They are beyond useless. There are some reputable blocklists that, when used correctly and with a combination of other filtering methods, can provide positive results. These idiots are not among that group.
here's the bl's that i am using with sendmail that would go into your siteconfig.mc file -- that through trial and error -- i have found have zero false positive hit rate... n.b. that the XXX.r.mail-abuse.com (RBL) & XXX.q.mail-abuse.com (QIL) bl's require you to have a subscription to Trend Micro Advanced Email Reputation Services at http://us.trendmicro.com/us/products/enterprise/network-reputation-services/index.html -- you can get a free trial at https://nssg.trendmicro.com/download/trial/trial-services.php?id=66 --
make sure you select "Email Reputation Services, Advanced". you would then replace the "XXX" in the below with the activation code they would send you:
FEATURE(dnsbl, `XXX.r.mail-abuse.com.', `"550 Mail from " $&{client_addr} " BLOCKED/RBL; see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
FEATURE(dnsbl, `zen.spamhaus.org.', `"550 Mail from " $&{client_addr} " BLOCKED/ZEN; see http://www.spamhaus.org/query/bl?ip=" $&{client_addr}')
FEATURE(dnsbl, `bhnc.njabl.org.', `"550 Mail from " $&{client_addr} " BLOCKED/BHNC; see http://www.njabl.org/lookup?" $&{client_addr}')
FEATURE(dnsbl, `bl.spamcop.net.', `"550 Mail from " $&{client_addr} " BLOCKED/COP; see http://www.spamcop.net/w3m?action=checkblock&ip=" $&{client_addr}')
FEATURE(dnsbl, `list.dsbl.org.', `"550 Mail from " $&{client_addr} " BLOCKED/DSBL; see http://www.dsbl.org/listing?" $&{client_addr}')
FEATURE(rhsbl, `dsn.rfc-ignorant.org.',`"550 Mail from domain " $`'&{RHS} " BLOCKED/DSN; MX of domain dose not accept bounces in violation of RFC 821/2505/2821, see http://www.rfc-ignorant.org/tools/lookup.php?domain=" $`'&{RHS}')
FEATURE(rhsbl, `bogusmx.rfc-ignorant.org.',`"550 Mail from domain " $`'&{RHS} " BLOCKED/BMX; MX of domain contains bogus address information in violation of RFC 1035/3330, see http://www.rfc-ignorant.org/tools/lookup.php?domain=" $`'&{RHS}')
FEATURE(dnsbl, `XXX.q.mail-abuse.com.', `"450 Mail from " $&{client_addr} " BLOCKED/QIL; see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
FEATURE(dnsbl, `safe.dnsbl.sorbs.net.', `"450 Mail from " $&{client_addr} " BLOCKED/SAFE; see http://www.dnsbl.sorbs.net/lookup.shtml?" $&{client_addr}')
i also use the http://hcpnet.free.fr/milter-greylist greylisting package as well as spamassassin with some custom score tweaks available at http://iconia.com/user_prefs. all this keeps my mailbox as well as other users at a college radio station and a commercial asp with lots of public email addresses on their respective websites relatively spam free.
respectfully submitted,
geoff goodfellow
You're not being blocked. MCI's being blocked.
APEWS does not block spam, or even spammers. APEWS blocks ISPs that allow spammers, and MCI is (was?) one of those.
And APEWS doesn't collect data from anywhere. They run spamtraps. Mail gets sent to them to a spamtrap, they start blocking. As mail continues to come in, they continue blocking and add more and more IPs, until they encompass entire companies, and then companies that provide those companies connectivity, and then companies that provide those companies connectivity, until the spammer, or the company hosting them, or someone in the chain, is removed from the internet. (An interesting open question is where this stops, upstream. No one knows if it would cross the huge peering agreements among the big boys, but luckily it's not gotten to that point.)
And there's absolutely no reason for them to want contact from you. You are not the problem, you cannot solve the problem, you are unrelated to the problem. MCI is (was?) the problem, for continuing to host someone. They are the only ones who can solve it, so it's recommended you contact them.
If corporations are people, aren't stockholders guilty of slavery?
I'd always thought that it was an IP based rbl - blocking the ip address, and not the domain name. As such, it's identifying servers ( or bots, whatever ) that are behaving badly. Which sounds good to me.
I'm assuming you are part of APEWS since you pretty much recited verbatim what's in their rather useless FAQ? While they may run spamtraps, it has already been proven by SANS that they DO COLLECT DATA from other sources and use that to construct their blocklists. I would go read the SANS diary post. You can not defend them by claiming they use only spam traps when it has been proven they do not. If (and that's a big if) someone on an MCI data circuit (or any host for that matter) was the problem, there is nothing stopping APEWS from listing only the IP block registered to the offender, as that info is readily available from ARIN. To list the entire MCI block, comprised of thousands of companies, is beyond stupid. As SANS pointed out, they are also listing the entire AT&T network. They took the /32 listings SANS had at http://isc.incidents.org/ipsascii.html and rolled them up to /17s. You think blocking 32,000 hosts in response to a single IP address being listed somewhere else is helping anything?
MCI is not the problem, as you say. APEWS and people who rely on it are the problem. The list is not the least bit accurate and whoever runs it doesn't seem to want to take responsibility for their bad practices. It's garbage, period.
I see the spammers are out in force today, to see this modded up to +5.
SORBS does not ask for donations for a mere delisting. All you have to do is submit a request to their automated request system, and you will be delisted. I have actually done this for a customer of ours who got a false positive listing. 48 hours later, listing gone, and most of that was propagation delay.
Mart"I know I will be modded down for this": where's the option '-1, Asking for it'?
I would suggest that you are uninformed, and do not run a high volume mail system.
I'm responsible for a mid-sized mail system that receives an average of 10,000,000 connection requests per day. A good RBL is worth a lot to my employer.
We use Spamhaus xbl-sbl, and Trend Micro's Network Reputation Service - which is a combination of the more static RBL+ (of MAPS fame) and the highly dynamic QIL list.
Together, they drop approximately 92% of inbound connections to the SMTP server farm. This is a lot cheaper, computationally and financially, than using the lists later on in a content filtering stage. Without these RBLs, we would require ten times the CPU power to move and filter the messages that the dropped connections would undoubtedly attempt to deliver.
The RBLs allow us to provide customers with good to excellent filtering, at a tenth of the infrastructure cost that would be required without them, subscription cost to the two lists included. When we use a standard server build that runs approximately $15k/system, plus another $10k/system to rack, power, and cool it over its lifetime (~3yrs) that's almost $450k saved over 3 years! And I'm not counting the bandwidth saved here, which is a substantial savings when buying international transit in Australia.
But the best part about the whole thing is the recorded number of complaints. I'm up to 10 in the past year. Even if the reported to unreported ratio is 100:1, that's pretty excellent given the size of our customer base, and its makeup - a lot of businesses that will complain if mail is blocked. Most problems were due to the QIL being a bit trigger-happy with listing other major Australian ISPs. No worries - it can be configured to whitelist by country, ISP, and arbitrary IP ranges. Fantastic.
Only a couple of complaints from people running mail servers behind DSL, in a residential (marked as dynamic) range. To these people I have one message: pay up to get a static (aka. business) grade service, co-locate your mail server, or get a real provider to be your mail host. Most spam comes from zombies sitting behind dynamic IP blocks - this is why they get dropped.
The final nicety from subscribing to these lists is while their support is good if you're a non-customer trying to be delisted (6-12hrs, tested prior to subscribing), their support is excellent when you're a customer. Quick to get spam evidence, quick to fix problematic listings of our systems _if the work has been done to clear the source_!
In summary:
1. spam still gets through the system. Now seeing 3-4% of connection attempts resulting in a delivery to a customer mailbox. Without the two RBLs on the front end, much more spam is seen because content filters are far from perfect.
2. Contrary to your assertion, list sharing is quite low: about 50% of the addresses are common between the two lists. In other words, we get about 60% connections dropped per list, for an aggregate of that 92% figure. If you assume that some spam sources are prolific, it indicates quite a bit of novel collection on the part of each.
3. A well run list isn't run by a schmuck. It's run by a company, with customers who pay it to do a good job and err towards reducing false positives. If you want schmuck, use SORBS.
Why is MCI not the problem? If MCI continues to provide Internet connectivity to known spammers, then yes, MCI *is* part of the problem. The object of a list like APEWS (and before them, SPEWS) is to remove the spammers from the Internet, not just to play whack-a-mole with individual IP blocks. I'll even take it one step further - if you knowingly and intentionally continue to pay an ISP that knowingly and intentionally provides spammers Internet connectivity, then you too are part of the problem, and I would be quite happy to refuse mail from you.
If you don't like how a particular DNSBL works, then don't use it, no one is forcing you to. Others that do like how it works may choose to use it, and don't have to listen to your arguments about it. The *senders* of mail don't get to choose what lists apply to them, the *recipient* does. (and by recipient, I mean the owner of the server that receives the email, or whatever admin they might delegate that authority to, not necessarily any individual mailbox user - however that would be a matter of the contract between the individual mailbox users and the owner of the server and would be of no concern to some random sender of email)
Other lists do work the way you describe (only listing the actual spammer IP's), although since ISP's move spammers around (and once an ISP is known to be 'friendly' to spammers more spammers sign up with them), they aren't terribly effective.
You mean I should look at the diary post...the one in the article...that doesn't mention APEWS at all? Why would I do that?
As for the SANS diary that you did not provide any link to, but I nevertheless managed to find, that claims that APEWS is taking data from SANS...there is no 'proof' there whatsoever, just an assertion. (And it would be damn easy to prove it, by putting, for example, some invalid IPs on the list and see if they get listed by APEWS.) There's absolutely no evidence at all.
The fact that APEWS apparently listed an incident report from SANS as a reason for blocking is due to the fact that APEWS does not expose its spamtraps, so all incident reports are taken from other people. No, you can't claim copyright on posting someone else's spam, and SANS is an ass for even attempting it, because the whole damn point of publicly posting spam is for other people to cite it as evidence of spamming behavior. But there are, yet again, absolutely no links or evidence provided that even what I just said actually happened, much less that something unethical happened. (Nor can you, to cover all bases, claim copyright on factual lists of IP addresses.)
I've decided to sum the discussion so far:
You: APEWS blocks too much, including addresses that aren't spamming that are hooked to the same ISP as spammers.
Me: APEWS doesn't say it blocks addresses that are spamming, it says it blocks ISPs that allow spammers.
You: Ha, you're obviously working for APEWS because that's in the FAQ and everyone knows that! Plus, I'm going to continue to whine they don't behave the way that I want them to behave instead of the way they clearly state they behave.
My response:
The list is near 100% accurate for a list of spam-allowing ISPs. It is an incredibly bad idea to actually block on such a list. When I used their predecessor, SPEWS, I used it as part of a scoring system, like any responsible person would, to assign a specific negative weight to email from spam-allowing ISPs, which, combined with other indicators, allowed me to detect spam. And I resent your idea that merely because morons use APEWS incorrectly that APEWS is being 'irresponsible'.
You'll notice that APEWS doesn't recommend blocking based on it or provide any directions whatsoever to do so.
You know, there are DNSBLs out there that list all IPs in a country, one for each country. Is that 'irresponsible', or is it, as I call it, 'useful information that allows me to build an anti-spam system', despite the whining of people who tried to email other fools that decided to block all of Mexico?
If corporations are people, aren't stockholders guilty of slavery?
Using an RBL lets an untrustworthy third party censor email being sent to your users.
/Mike
Do not use one.
-- "So, what's the deal with Auntie Gerschwitz et all?"
good for them
you obviously don't realize spammers don't spam through their own isp's
{unless total morons[who aren't the source of the problem]}
they use their internet connections to remotely operate their bot-nets and have them send the spam/harvest the addresses etc
so yes by not disconnecting the criminal they ARE enabling the crime
same as by not cancelling spamvertised websites / e-mail addresses / domains used in spam/phishes/419 fraud etc they also are enabling the spammer to profit from illegal activity
This is a timely article for me. I have been infrequently researching DNSBLs for a few years now, and I am almost finished documenting my findings here: http://www.asspsmtp.org/wiki/DNSBL It's a wiki page for an anti-spam filter that I help develop and maintain this web site for - but the article is completely neutral POV and devoid of any product references. It's my assessment of the DNSBLs that I use and recommend. I would appreciate any thoughtful feedback on the article or recommendations for anything I may have missed. My username on the site is "ME2". Thanks!