[PLUG] The problem with DNS blacklists...

Ronald Chmara ronabop at gmail.com
Wed Aug 17 06:08:07 UTC 2011


On Tue, Aug 16, 2011 at 10:09 PM, Michael C. Robinson
<plug_1 at robinson-west.com> wrote:
> 1)  How do I pick one where the expectation is that I will almost always
> block the spammers?

Age, reputation, match with task goals? I like spamhaus, YMMV.

> 2)  How do I use them from a Perl script working with actual packets
> thrown up to user space?

You seem to be re-creating milter+honeypot. Not that doing so is a bad
thing, but pulling past code might give you some great ideas.

> 3)  How can I keep this simple so that a novice Perl user will be able
> to do what I'm doing, granted, I need to get better with Perl?

CPAN it when done. Maintain it for the rest of your life, and find
others to maintain it.

> So how does one maintain a DNS blacklist?

Dynamically, based on what traffic you don't like.

> Do the IPs in the list have
> to be aged?

Depends on the source. An MX that hops IPs in a block can lead to an
easier IP range block. A "clean" block with a rogue MX is an often-seen
annoyance where you've accidentally "hosted" in a nest of spammers.

> Is it enough to have a web page where blocked site admins
> can send an email requesting clearance to get through?

Hell no.

In rough (but maybe inaccurate) order:
2001: Automated requests for approval.
2002: "retype these letters to be approved"
2003: "type the letters in this image to be approved"

Server admins are very much exploitable by social engineering. Captcha
adds machine engineering, but it's still trivial.

>  My blacklisting
> philosophy right now is simple, I blacklist any IP that spams me.

That's whack-a-mole.

What I am about to say is *hugely* controversial.

Re-read the above, please.

With that being said: You should blacklist any ISP that allows spammers.

This *WILL* cause collateral damage.

> A curious question, shouldn't I be able to look up any IP that is
> claiming to be a mail server via the DNS system?

Yes and no. A huge number of systems are not DNS-listed. *Any* server
connected to the internet should be allowed to send mail. You can
decline mail from non-DNS-listed systems... This *WILL* cause
collateral damage. This *WILL* cause collateral damage. (Did I
stutter?)

> My thought is, I
> can ignore infected personal computers if there are no DNS records
> listing them as legitimate email servers for legitimate domains or
> better yet no IP records at all.

This *WILL* cause collateral damage.

That being said, if you can handle it, go for it.

-Bop
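As an added illustration, not code from either poster (who were discussing Perl), here is a Python sketch of the pieces the thread touches on: building the reversed-octet query name used to consult a list such as spamhaus, reading the 127.0.0.x answer a list returns, and keeping a local list dynamically with aging plus escalation to a whole /24 once several hosts in one block have been caught. The zone name bl.example.test, the one-week TTL, the threshold of three hosts, and the 127.0.0.2 / 127.0.0.3 return codes are constructed values, not any real list's conventions. The netblock escalation is exactly where the collateral damage Bop keeps warning about comes from: in the run below, 10.0.0.7 never sent anything and is refused anyway.

```python
"""Local DNSBL bookkeeping: query-name construction, answer interpretation,
and a dynamically maintained list with aging and /24 escalation.
All zone names, TTLs, thresholds and return codes here are constructed."""
import ipaddress
import time

LISTED_TTL = 7 * 24 * 3600   # constructed: entries age out after one week
BLOCK_THRESHOLD = 3          # constructed: this many live hosts in a /24 lists the block
ZONE = "bl.example.test"     # hypothetical local DNSBL zone
HOST_CODE = "127.0.0.2"      # constructed: "single host listed"
BLOCK_CODE = "127.0.0.3"     # constructed: "whole netblock listed"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the four octets and append the list zone, e.g. 1.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(answers) -> bool:
    """A DNSBL says 'listed' by answering with an A record inside 127.0.0.0/8;
    NXDOMAIN (an empty answer set here) means not listed. What a particular
    127.0.0.x value means is zone specific."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)


class LocalBlocklist:
    """A home-grown list: hosts are added when they spam us, age out after
    `ttl` seconds, and a /24 is listed wholesale once `block_threshold`
    live hosts inside it have been reported."""

    def __init__(self, ttl=LISTED_TTL, block_threshold=BLOCK_THRESHOLD):
        self.ttl = ttl
        self.block_threshold = block_threshold
        self.hosts = {}    # IPv4Address -> last-reported timestamp
        self.blocks = {}   # IPv4Network (/24) -> timestamp of escalation

    def _alive(self, ts, now):
        return now - ts < self.ttl

    def expire(self, now):
        """Drop hosts and blocks whose listing has aged past the TTL."""
        self.hosts = {h: ts for h, ts in self.hosts.items() if self._alive(ts, now)}
        self.blocks = {n: ts for n, ts in self.blocks.items() if self._alive(ts, now)}

    def report(self, ip, now=None):
        """Record a spamming host; escalate to its /24 if enough neighbours are listed."""
        now = time.time() if now is None else now
        addr = ipaddress.IPv4Address(ip)
        self.hosts[addr] = now
        net = ipaddress.IPv4Network((addr, 24), strict=False)
        live_in_block = [h for h, ts in self.hosts.items()
                         if h in net and self._alive(ts, now)]
        if len(live_in_block) >= self.block_threshold:
            self.blocks[net] = now

    def check(self, ip, now):
        """Return the DNSBL answer code a lookup would get, or None if not listed."""
        self.expire(now)
        addr = ipaddress.IPv4Address(ip)
        if addr in self.hosts:
            return HOST_CODE
        if any(addr in net for net in self.blocks):
            return BLOCK_CODE
        return None

    def zone_records(self, now):
        """Render the current list as zone-file A records; a /24 becomes a
        wildcard record under the reversed first three octets."""
        self.expire(now)
        lines = [f"{dnsbl_query_name(str(h), ZONE)}. IN A {HOST_CODE}"
                 for h in sorted(self.hosts)]
        for net in sorted(self.blocks):
            first_three = str(net.network_address).split(".")[:3]
            lines.append(f"*.{'.'.join(reversed(first_three))}.{ZONE}. IN A {BLOCK_CODE}")
        return lines


if __name__ == "__main__":
    # Constructed run: three spammers out of one /24, one innocent neighbour.
    bl = LocalBlocklist()
    bl.report("10.0.0.5", now=0)
    bl.report("10.0.0.6", now=0)
    print(bl.check("10.0.0.7", now=1))            # None: two hosts is below threshold
    bl.report("10.0.0.8", now=2)
    print(bl.check("10.0.0.7", now=3))            # 127.0.0.3: collateral damage
    print("\n".join(bl.zone_records(now=3)))
    print(bl.check("10.0.0.7", now=8 * 24 * 3600))  # None: everything aged out
```

The whole list is kept in memory only for the sake of the example; the `zone_records` output is the part you would actually hand to a nameserver so mail software can consult it like any other DNSBL.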
