Re:Nothing's unpickable - how big a mess do you wa
on Steel Bolt Hacking, Score: 5, Interesting
For that matter, most structures surrounding locks aren't indestructible either. When you get down to it, someone can break into a lot of places by driving a sledgehammer or truck through the door.
However, that makes lots of noise. It's hard to protect an office building from a bulldozer attack, but then again, it's pretty hard to sneak around with a bulldozer.
Really, an attack involving strong acids isn't much more practical. Not many thieves want to walk around with a bottle of highly concentrated HCl hidden in their pocket. (think spillage while trying to run from the police)
Your best bet in any physical security is to try and make the thief do one or more of the following:
1) make a lot of noise (defeating stealth)
2) leave a lot of good evidence about the intrusion (defeating anonymity)
3) use specialized or expensive tools (defeating any financial gain)
4) use a tool too unwieldy or impractical to transport inconspicuously (defeating stealth)
Of course, scale the measures to fit the value of what you're hiding.
I couldn't have said it better myself.
There are some long-term implications that allow SPF to help in the fight against spam and viruses, but those aren't easily realized until most sites have SPF records.
The best short-term gains from SPF and the like are in joe-job control, and detecting phish emails.
For phishing, provided the site that's being spoofed has an SPF record, it will be easy to recognize that the email from "security@paypal.com" didn't come from ebay.
This still doesn't help with the web links contained in phish emails, but at least they will have to avoid forging the From: address, which makes them less effective.
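As an added illustration (example code, not from the original comment) of how a receiving MX uses a domain's published SPF record to decide that a message whose envelope sender (MAIL FROM) claims that domain did not come from its mail servers. The records, domains and addresses are constructed; real SPF (RFC 7208) also needs DNS lookups for include:, a:, mx: and redirect=, which this offline evaluator reports as temperror rather than resolving.

```python
import ipaddress

# Constructed SPF records, standing in for the DNS TXT record a receiving MX
# would look up for the domain in the envelope sender. These are not the real
# records of any site.
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.test": "v=spf1 ip4:198.51.100.10 ~all",
    "no-policy.test": None,  # domain publishes no SPF record at all
}

# SPF qualifiers (RFC 7208 section 4.6.2); a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms whose evaluation needs DNS; this offline evaluator does not
# resolve them and reports temperror instead of guessing.
NEEDS_DNS = {"include", "a", "mx", "ptr", "exists"}


def check_spf(record, client_ip):
    """Evaluate client_ip against an SPF record string.

    Returns one of: pass, fail, softfail, neutral, none, permerror, temperror.
    Only the network-free mechanisms ip4, ip6 and all are evaluated here.
    """
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/", 1)[0].lower()  # drop dual-CIDR suffix on a:/mx:
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record: unusable, per RFC 7208
            # An IPv6 client never matches an ip4: term and vice versa.
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if name in NEEDS_DNS or name.startswith("redirect="):
            return "temperror"  # would need a DNS lookup; not resolved here
        if name.startswith("exp="):
            continue  # explanation modifier, no effect on the result
        return "permerror"  # unknown mechanism (RFC 7208 section 4.6.4)
    # Ran off the end without a match and without an "all" term.
    return "neutral"


def spf_verdict(mail_from, client_ip, records=SPF_RECORDS):
    """Map an envelope sender and connecting IP to (domain, SPF result)."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return domain, check_spf(records.get(domain), client_ip)


if __name__ == "__main__":
    # A message claiming example-bank.test but sent from outside that domain's
    # published ranges evaluates to "fail", the signal an MX uses to reject or
    # flag it; a message from a listed range passes.
    print(spf_verdict("alerts@example-bank.test", "203.0.113.5"))  # fail
    print(spf_verdict("alerts@example-bank.test", "192.0.2.77"))   # pass
```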
True, I didn't mean to imply this was the most common reason, just one that should be obvious to /. readers.
See my reply to AC's nearly identical argument.
http://slashdot.org/comments.pl?sid=152729&cid=12817418
I didn't mean to imply that this was a decision of the masses, or that most people would understand.
I meant it was an obvious decision for some people, and one that here on slashdot should be obvious.
Clearly "the masses" aren't all that attached to VHS, otherwise sales of tapes would be way too lucrative for Best Buy to drop them. Best Buy may or may not be evil, but they are definitely motivated by profit.
So, for the few odds and ends that still use VHS for buying new movies, I propose they exist in a few camps. I also suggest these camps likely decrease in size as you go down my list.
1) Those too cheap or lazy to buy a DVD player. DVD players are inexpensive now, but I've seen people re-use paper coffee filters to save money, so trust me, cheap knows no bounds.
2) Protesters of the DVD format.
3) Those with a TV/VCR combo as their only TV and can't use a DVD player with it due to macrovision on the input. (And others with similar setups where an RF modulator won't fix their problems)
4) Those who have some strange nostalgia for VHS. (includes collectors)
Did I miss any?
"What is the major reason for people still sticking with VHS?"
You mean besides the obvious? (consumer protest of DVD due to the region coding system.)
Admittedly VHS winds up having some of the same "features" but at least this is a byproduct of 2 different standards (PAL vs NTSC). It's not an intentionally designed feature like DVD region coding, and it's not as restrictive as DVD region coding is.
Erm, dude.. this is slashdot.
:)
Don't hold your breath waiting on anyone here to get married.
This vulnerability doesn't cause the payload to not be encrypted; it's a means of figuring out how to decrypt them without knowing the key.
Of course, the whole thing relies on you having message authentication (hmac-md5 or hmac-sha1) off, something which was already known to be a bad idea.
With authentication off, someone can twiddle bits in the packet (without knowing their original state, but they can predictably flip a specific bit). From that, you look at the reply. If you do this enough times to fields that have predictable behavior, such as the TCP sequence number, you can gather enough information to figure out the encryption state and decrypt some of the packets in the stream.
To me, this whole thing is a gigantic "DUH". Almost any crypto protocol which doesn't have good integrity protection is likely to be attacked this way. It's been done dozens of times.
The weakness of using CRC32 as a cryptographically secure integrity check is how the classic SSH CRC-compensation attack worked:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1085
Lack of integrity is part of why VTUN is considered insecure to the point of being broken:
http://off.net/~jme/vtun_secu.html
This kind of attack is blatantly obvious. It's been written about many times and demonstrated against many different protocols in the past. It's why nearly every book on IPSEC I've seen warns that if you don't use a MAC, someone will break your crypto.
The only difference is that before it was an obvious theoretical weakness. Now it's one that's been demonstrated in practical application.
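As an added demonstration (example code, not from the original comment) of the point above: with no authenticator, a single flipped ciphertext bit lands as the same flipped bit in the decrypted packet and the receiver has no way to notice, which is what makes the twiddling described possible; with encrypt-then-MAC the tampered packet fails verification and is dropped. The keystream is built from HMAC-SHA256 in counter mode so it runs with the standard library only (a real IPsec stack uses a block cipher, but CBC and CTR without a MAC are malleable in the same way); the packet bytes and keys are constructed.

```python
import hashlib
import hmac
import os


def keystream(enc_key, nonce, length):
    """Counter-mode keystream using HMAC-SHA256 as the PRF (stdlib only)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(enc_key, nonce, data):
    """Encrypt or decrypt (XOR is its own inverse) with no integrity check."""
    return bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))


def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    """Encrypt, then tag nonce||ciphertext with HMAC truncated to 96 bits,
    the tag length ESP uses for HMAC-MD5-96 / HMAC-SHA1-96."""
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:12]
    return ct, tag


def verify_then_decrypt(enc_key, mac_key, nonce, ct, tag):
    """Return the plaintext, or None when the tag fails (packet is dropped)."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_crypt(enc_key, nonce, ct)


def flip_bit(data, bit_index):
    """Flip one bit of a byte string (bit 0 is the MSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(buf)


def differing_bits(a, b):
    """Bit positions at which two equal-length byte strings differ."""
    return [i for i in range(len(a) * 8) if (a[i // 8] ^ b[i // 8]) & (0x80 >> (i % 8))]


# Constructed 20-byte TCP-header-like payload: src port 1234, dst port 80,
# seq 0x1000, ack 0, data offset 5, flags 0x02 (SYN), window 0xffff.
PACKET = bytes.fromhex("04d2 0050 00001000 00000000 50 02 ffff 0000 0000")


def without_mac(bit_index, packet=PACKET):
    """Decrypt a ciphertext with one bit flipped and report which plaintext
    bits changed. The flip maps 1:1 onto the plaintext and nothing detects it."""
    enc_key, nonce = os.urandom(32), os.urandom(8)
    ct = xor_crypt(enc_key, nonce, packet)
    recovered = xor_crypt(enc_key, nonce, flip_bit(ct, bit_index))
    return differing_bits(packet, recovered)


def with_mac(bit_index, packet=PACKET):
    """Same modification against an authenticated packet.
    Returns (genuine packet accepted, tampered packet rejected)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(8)
    ct, tag = encrypt_then_mac(enc_key, mac_key, nonce, packet)
    genuine = verify_then_decrypt(enc_key, mac_key, nonce, ct, tag)
    tampered = verify_then_decrypt(enc_key, mac_key, nonce, flip_bit(ct, bit_index), tag)
    return genuine == packet, tampered is None


if __name__ == "__main__":
    # Bit 110 lies in the flags byte of the constructed header.
    print("no MAC, changed plaintext bits:", without_mac(110))   # [110]
    print("with MAC (accepted, rejected):", with_mac(110))       # (True, True)
```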
By "using internet explorer safely" do you mean using it as a punchline?
:)
sorry, couldn't resist that, it's too funny to me
I agree on 1 and 2. Clearly if it tracked the cockpit with any decent accuracy it wasn't done by hand or by unsophisticated high school pranksters.
Of course they never pointed out how accurately it was tracked. If it was just popping in and out of the cockpit on an intermittent basis, it could have been done by hand with a rifle scope or telescope to aid aiming.
However, power-output-wise, I must disagree about the truck-mounted size. A class IIIa green laser pointer is visible hitting a target 2 miles away.
Sure you'd want something more powerful to be noticed clearly, a class IIIb device at least, but that at worst might make the laser itself the size of a Pringles can instead of a laser pointer.
Now to accurately track it, the tracking gear might add a lot of size, but even that would be feasible to fit in a car trunk.
It's vaguely, and I do mean vaguely, Cathedral-like because of its development model.
However, I would still suggest that Linux is very much a Bazaar, but there are other projects which are even more so.
This really is a question of development model, not of Freedom, however. And yes, certainly Windows is the ultimate closed-source Cathedral. But this is not about Windows.
Linux is kind of an "open monarchy", instead of an "open democracy" or "open committee" that some OSS projects use.
On the other hand, I would not say that JCP is a prime example of such a project. Java may point to its committee nature as more Bazaar-like, but quite frankly, I think at this level it's a trivial difference. Yes, they are a tiny fraction more Bazaar-like in development model, but only a tiny fraction. You now have a tiered committee deciding which code is acceptable, instead of one person. (twirls finger)
And of course, all of this is like saying that the US government, with all its rules and law officers, is more like Soviet communism of the 1970s when compared to anarchy. Yes, that statement is true, but it doesn't mean that the two authoritarian governments are the same...
Or are they?
Like I said, it's definitely got its drawbacks....
And yes, we've got a dress code, much as I dislike it.
I don't particularly like that aspect, but there are some nice frills that offset it a bit. (always nice-looking area, very nice public parks, gyms, pools, etc.) And, most importantly, I'm 5 miles from work.
I'm willing to suffer some extra hours of paper pushing on the rare occasion I want to repaint my house a different color, to save myself time in my everyday commute to work. (tradeoffs, gotta love 'em.)
"Sounds like a nice town. I'd love to see one like that sometime. Buried everything must be very aesthetically pleasing."
Aesthetics is one of the nice features. Lack of outages during storms is another good one.
The fact that the city is sufficiently picky about appearances that they've banned above-ground lines does also have its drawbacks. It's a whole city that's a "planned community", and at times getting approval for something like cutting down a tree that died due to disease can take up to two months of pushing paper through the advisory boards. If your timing is good you can get approval in 2-3 weeks, but if it's bad...
It's pretty much the same way out here. If you don't mark your lines, it's your problem...
However, in the article, the county is also complaining that the contractors aren't telling what happened when they dig up a line. That's a big problem.
The city I live in is all 100% buried lines. All power, phone, cable, gas and water is buried. No telephone poles anywhere. The only exception is the high-tension towers coming down into the substations.
Early this past spring, the electric utility ran new lines down the street to the distribution transformer at the end of the street.
All the utilities came out and painted lines all over the place indicating where buried lines were. However, about 1/2 the residents on my street wound up with severed phone or cable lines. You could count them, because they were repaired first with temporary lines that you could see running along people's yards, then buried later.
My cable was cut, as was my neighbor to the right. My neighbor to the left had their phone line cut.
No water, sewer or lines were hit, but we likely have copper and iron lines (early '70s placements).
Buried utilities are always a bit of a mess. If Florida expected no incidents like this they are fools at best. Very few utilities have good accurate maps that are 100% free of mistakes. Most are riddled with mistakes and lines get hit. Really, you need to prevent where possible, but hits are going to be common.
My guess is this was implemented by some firewall admin as a security measure to protect the site from foreign hackers.
Quite frankly, this kind of measure really does not work for a high-value target like this one. Any well organized hacker group is going to have control of plenty of cable modem boxes on US soil.
You'll slow them down a tiny bit, but not by much.
The IP-range restriction might help slightly against syn-floods, but really you're not reducing the potential IP space by all that much. The US is pretty heavily populated with IPs.
*shrug* more clueless security measures by some net admin with a bright idea but not much deep thought about it. It happens all the time, like those sites blocking all emails with the word "vulnerability" as porn spam. Yeah, not so useful.
Hmm, Well, In this case one can't really say they are patenting something that's a script which is already used in NoCatAuth.
The patent was filed in 1999, not recently. As best I can tell NoCatAuth started somewhere in 2001.
It doesn't take much research to find this out.
I agree, many will do this for free.
Maybe someone needs to clue the FTC in to the existence of ROKSO (Registry of Known Spammer Operations).
http://www.spamhaus.org/rokso/index.lasso
Not to be confused with spamhaus's dnsbl, ROKSO is a collection of evidence complete with personal names, business names, contact information, etc.
Clearly the information present there is quite substantial, and freely available to the FTC. Why pay $100k for information the community is already providing for free?
Actually, if you read the FCC document, they are clearly NOT within their rights to demand this under current FCC policy.
Only the FCC can dictate one unlicensed network be shut down to favor another, even on leased/rented property and college campuses.
I think they might be OK if they demand ALL wireless points be shut down, including their own, but they aren't doing that. They are demanding that all wireless points, except their own, be shut down. At this point, they are attempting to resolve RFI issues on their own on a multi-tenant leased/rented property, and only the FCC has the authority to do this.
Read the FCC document, it's clearly applicable here.
Not really, at least not for Microsoft. Their past behavior seems to fall in line with the viewpoint that a Microsoft Standard is automatically "Industry Standard".
I think this largely comes from the view that if you're what most people are using, you somehow become an industry standard, even though it's really a de facto standard, not an industry one.
Word salad I can understand (if your Bayes isn't aggressively trained, at least). I don't have problems with it, but my Bayes is very heavily trained. (100-300 spams a day manual training)
What I don't understand is the base64 problem. One of the first things SA does is decode base64. Even "rawbody" rules get base64 decoding, so really base64 encoding shouldn't make a difference at all, as SA never examines the encoded text.
As for the intentional mis-spellings of V!agr0, check out antidrug.cf (use google) or wait for SA 3.0 which includes this set of rules as a part of the standard distribution.
Disclaimer: I am the author of antidrug, and thus do have a bias here.
I'm not sure which article it was, but perhaps it was referencing this study.
In it someone did phase-space analysis of the PRNGs used in DNS, and combined it with a birthday paradox style attack. In it, an attack on BIND 8 was shown to be 100% likely to succeed, BIND 9 20% and DJBDNS was 30%.
However, if you read the rest of the article, it points out that DJBDNS also uses a strongly random source port for the query, making it significantly more resistant to the attack, as the attacker would have to guess both the query ID and the source port simultaneously. (The two put together have about 1 billion possible combinations. The ID alone only has 64k.)
Unless there's some other DNS poisoning attack I'm unaware of, I think I'd prefer DJBDNS, as it's more resistant than bind 8 or bind 9, despite its slightly less random output than bind 9.
(Note: bind 9 can be configured to use non-fixed query ports, but you'd need a kernel-level random source-port patch to get good security out of this.)
Oh, I think Justin is used to floods now and again, so I doubt he'd "never have seen it coming".
For reference, taint.org is the weblog of Justin Mason, original author of SpamAssassin. Given SA's tendency to end up in the press, I'm sure taint.org has taken a couple beatings before.
Heck, taint.org has had a direct front-page listing on slashdot before. On July 12, spamassassin.taint.org was linked, which is at the same IP as taint.org.
Right now, the server seems to be handling the load just fine...
Also for reference, I happened to find a 1999 security patch to OpenBSD 2.4 which eliminates the use of windows in TCP reset packets.
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.4/common/rst.patch
While that's not technically RFC compliant, it does avoid the problem.
It's also not too far off of the IETF recommendations (they recommend you send an ACK instead of drop, but both will fail to honor the off-sequence RST packet).
I'm not sure if 3.5 handles it the same way, but this is certainly good evidence that OpenBSD has in fact been aware of the problem for a long time. Perhaps other vendors should start watching OpenBSD's patches more closely.
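An added worked example (example code, not from the original comment or from OpenBSD) of the three RST-handling policies the comment contrasts: the classic in-window acceptance, the exact-match behaviour the comment attributes to the OpenBSD 2.4 rst.patch, and the IETF "send an ACK instead of dropping" recommendation. The receiver state and sequence numbers are constructed; the policies are expressed on the receiver's RCV.NXT and RCV.WND, including sequence-number wraparound.

```python
MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_action(seq, rcv_nxt, rcv_wnd, policy):
    """Decide what an established connection does with an incoming RST.

    policy:
      "window"    RFC 793: any RST whose SEQ is inside the receive window
                  tears the connection down (the behaviour being exploited)
      "exact"     what the comment describes the OpenBSD 2.4 rst.patch doing:
                  honour the RST only when SEQ == RCV.NXT, otherwise drop it
      "challenge" the IETF recommendation (later written up as RFC 5961):
                  exact match resets; in-window but inexact gets a challenge
                  ACK so a genuine peer can resend with the right sequence
                  number; anything else is dropped
    Returns "reset", "drop" or "challenge-ack".
    """
    exact = seq == rcv_nxt
    inside = in_window(seq, rcv_nxt, rcv_wnd)
    if policy == "window":
        return "reset" if inside else "drop"
    if policy == "exact":
        return "reset" if exact else "drop"
    if policy == "challenge":
        if exact:
            return "reset"
        return "challenge-ack" if inside else "drop"
    raise ValueError(f"unknown policy {policy!r}")


def accepted_sequence_values(rcv_wnd, policy):
    """How many of the 2^32 sequence values an unauthenticated RST could carry
    and still reset the connection: the whole window, or exactly one."""
    return rcv_wnd if policy == "window" else 1


def compare_policies(rcv_nxt, rcv_wnd, seqs):
    """Tabulate all three policies over candidate RST sequence numbers."""
    return {
        policy: [rst_action(s, rcv_nxt, rcv_wnd, policy) for s in seqs]
        for policy in ("window", "exact", "challenge")
    }


if __name__ == "__main__":
    # Constructed receiver state: RCV.NXT = 1000, a 64 KiB window.
    for policy, actions in compare_policies(1000, 65535, [1000, 40000, 999]).items():
        print(f"{policy:9s} {actions}")
    print("window policy accepts", accepted_sequence_values(65535, "window"),
          "sequence values; exact accepts", accepted_sequence_values(65535, "exact"))
```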
so should they rename to hddcannon.ass-kicked.net?
But it is definitely an ADSL machine, woefully under-prepared for a slashdotting.
Forward lookup of hddcannon.kicks-ass.net:
Host name: hddcannon.kicks-ass.net
IP address: 202.0.40.113
Alias(es): None
Reverse lookup of 202.0.40.113:
Host name: 202-0-40-113.adsl.paradise.net.nz
IP address: 202.0.40.113
Alias(es): None
Check out the SORBS DUL. Works very well when used properly, well enough that it's standard in SpamAssassin.
http://www.dnsbl.us.sorbs.net/DUL-FAQ.html
(This list is the former dynablock list. Sorbs took it over when the maintainer wished to retire to do other things with his spare time)
http://www.dnsbl.sorbs.net/
ClamAV is a good step in the right direction, and it's incredibly great quality for freeware. I use it myself on my servers and it's wonderful. However, if you're looking to hit 100% of known viruses, clamav won't get you there.
The current stable release of clamav doesn't support OLE2 scanning, thus can't catch viruses in many MS Office documents. (0.66-0.68 have OLE2 disabled).
As far as why most ISPs aren't running clamav: that's simple, load average. Many ISPs are pushing their mailserver hardware pretty hard. As a result they don't have a lot of spare CPU on hand to do virus scanning.
At the ISP level, CPU time isn't free; it costs because you need better, more powerful servers to process the same volume of mail. Admittedly PC hardware is cheap for desktops, and low-end server-grade stuff isn't outrageous, but it's still an added cost that can't be ignored. Scanning is going to easily double the amount of CPU time per message compared with just store and deliver, so you've just doubled the cost of your inbound MX hardware (assuming you're doing load balancing and can just double the number of servers).
Sure it's money well spent, but it's not as inexpensive or free as it may seem at first glance.