[PLUG] The problem with DNS blacklists...
Ronald Chmara
ronabop at gmail.com
Wed Aug 17 06:08:07 UTC 2011
On Tue, Aug 16, 2011 at 10:09 PM, Michael C. Robinson
<plug_1 at robinson-west.com> wrote:
> 1) How do I pick one where the expectation is that I will almost always
> block the spammers?
Age, reputation, match with task goals? I like spamhaus, YMMV.
> 2) How do I use them from a Perl script working with actual packets
> thrown up to user space?
You seem to be re-creating milter+honeypot. Not that doing so is a bad
thing, but pulling past code might give you some great ideas.
> 3) How can I keep this simple so that a novice Perl user will be able
> to do what I'm doing, granted, I need to get better with Perl?
CPAN it when done. Maintain it for the rest of your life, and find
others to maintain it.
> So how does one maintain a DNS blacklist?
Dynamically, based on what traffic you don't like.
> Do the IPs in the list have
> to be aged?
Depends on the source. An MX that hops IPs in a block can lead to an
easier IP range block. A "clean" block with a rogue MX is often an
annoyance where you accidentally "hosted" in a nest of spammers.
> Is it enough to have a web page where blocked site admins
> can send an email requesting clearance to get through?
Hell no.
In rough (but maybe inaccurate) order:
2001: Automated requests for approval.
2002: "retype these letters to be approved"
2003: "type the letters in this image to be approved"
Server admins are very much exploitable by social engineering. Captcha
adds machine engineering, but it's still trivial.
> My blacklisting
> philosophy right now is simple, I blacklist any IP that spams me.
That's whack-a-mole.
What I am about to say is *hugely* controversial.
Re-read the above, please.
With that being said: You should blacklist any ISP that allows spammers.
This *WILL* cause collateral damage.
> A curious question, shouldn't I be able to look up any IP that is
> claiming to be a mail server via the DNS system?
Yes and no. A huge number of systems are not DNS-listed. *Any* server
connected to the internet should be allowed to send mail. You can
decline mail from non-DNS listed systems... This *WILL* cause
collateral damage. This *WILL* cause collateral damage. (Did I
stutter?)
> My thought is, I
> can ignore infected personal computers if there are no DNS records
> listing them as legitimate email servers for legitimate domains or
> better yet no IP records at all.
This *WILL* cause collateral damage.
That being said, if you can handle it, go for it.
-Bop
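An added example, not code from either poster: the mechanics of a DNSBL lookup (reverse the IPv4 octets, append the list's zone, query for an A record) together with a small local "IPs that spammed me" list whose entries age out, since both the lookup and the ageing question came up in the thread. The zone name `dnsbl.example` and the constructed resolver answers are placeholders; the 127.0.0.0/8 answer convention and the 127.0.0.2 test entry follow RFC 5782. The resolver is injectable so the code runs offline; pass `system_resolve` for real queries.

```python
# Added example for this thread (not code from either poster): DNSBL lookup
# mechanics plus a tiny local blacklist with ageing. The zone name is a
# placeholder; choose a real DNSBL yourself and read its return-code docs.
import ipaddress
import socket
import time
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL is queried for: reversed IPv4 octets + zone.

    192.0.2.1 against zone "dnsbl.example" -> "1.2.0.192.dnsbl.example"
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_resolve(name: str) -> Optional[str]:
    """Real resolver: A-record lookup via the OS. NXDOMAIN -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def interpret_answer(answer: Optional[str]) -> str:
    """Classify a DNSBL answer following RFC 5782 conventions.

    No answer           -> "not listed"
    127.0.0.0/8 address -> "listed" (most lists encode the reason in the last octet)
    anything else       -> "error" (a wildcarded or expired zone, or a resolver
                           that rewrites NXDOMAIN; never treat that as a listing,
                           or you will end up blocking everyone)
    """
    if answer is None:
        return "not listed"
    try:
        a = ipaddress.ip_address(answer)
    except ValueError:
        return "error"
    if a.version == 4 and a in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "error"


def check_ip(ip: str, zone: str, resolve: Resolver = system_resolve) -> str:
    """Look up one sending IP in one DNSBL zone and classify the result."""
    return interpret_answer(resolve(dnsbl_query_name(ip, zone)))


class AgedBlacklist:
    """Local list of IPs that spammed you; entries expire after ttl seconds.

    `now` is injectable so ageing can be tested without sleeping.
    """

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._expires: Dict[str, float] = {}

    def add(self, ip: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._expires[str(ipaddress.ip_address(ip))] = now + self.ttl

    def is_blocked(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        key = str(ipaddress.ip_address(ip))
        exp = self._expires.get(key)
        if exp is None:
            return False
        if now >= exp:
            del self._expires[key]  # aged out: drop it so the list stays small
            return False
        return True


if __name__ == "__main__":
    # Offline demo with a constructed resolver; use system_resolve for real queries.
    fake = {"2.0.0.127.dnsbl.example": "127.0.0.2"}  # RFC 5782 test entry
    print(check_ip("127.0.0.2", "dnsbl.example", resolve=fake.get))  # listed
    print(check_ip("127.0.0.1", "dnsbl.example", resolve=fake.get))  # not listed
```

The "error" branch is the check worth keeping: a DNSBL zone that has been shut down and wildcarded, or a resolver that answers NXDOMAIN with an advertising page, will return a non-127 address for every query, and a script that only tests "got an answer" will start rejecting all mail.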