[RndTbl] blocklists (was: Grey-listing in effect on MUUG server)

John Lange john.lange at open-it.ca
Fri Nov 17 13:58:12 CST 2006


On Fri, 2006-11-17 at 11:31 -0600, Gilles Detillieux wrote:
> On 11/17/2006 10:49 AM, John Lange wrote:
> > On Fri, 2006-11-17 at 10:22 -0600, Tim Lavoie wrote:
> ...
> >> So far, so good. No spam in the spambox this morning, at all. Most
> >> were caught by the Spamhaus DNS blocklist I already use, but the
> >> greylist whacked the remainder. 
> > 
> > Would it not make sense to do it in the other order? Greylisting being
> > much less CPU intensive than other spam blocking methods.
> 
> I didn't think DNS blocklists were particularly CPU intensive.

I suppose not, but I was under the assumption that it had to do more than
just a normal DNS lookup. Some of them do lookups based on email
content, not just IP-based blocking.

> Has anyone ever compared the effectiveness and accuracy of the various 
> DNS blocklists?  I currently use these 3:
> 
> list.dsbl.org
> relays.ordb.org
> sbl.spamhaus.org

Since I ruled out using blocklists some time ago it's possible things
have improved (but I doubt it).

For example, let's say there are some spam bots on an ISP's network. They
send out spam relayed through the ISP's mail server. Does this not mean
that the ISP's mail server will quickly find itself on a block list?

If the answer is "no", then the blocklist isn't accomplishing anything
since no spam is being blocked.

If the answer is "Yes", then my issue is that thousands of innocent mail
users on that ISP will be inconvenienced for absolutely no fault of
their own.

If on the other hand it is blocking based only on the actual IP of the
machine doing the sending then in the short term it might be acceptable.
However if the IPs don't expire automatically then you are simply back
to blocking innocent people.

This brings up another problem with block lists. What if you get a virus
and your machine gets hijacked to send spam? Bingo, you are on a
blocklist and good luck getting removed, especially since the average
user is not likely to have any clue they are even on the list.

Effectively you get double victimized. Not only does your computer
likely have to be rebuilt but you can no longer send mail.

Or in the case of an ISP, let's say they have a user with an insecure CGI
on their web site. Somehow they are relaying mail and again you end up
on a block list and it's very hard to get off, and at the same time
everyone else using that machine for mail is victimized.

And it is my understanding that the blocking is frequently done on
entire subnets or even entire ISPs. Again, lots of innocent victims of
this technique.

It's just my personal opinion but I don't like that particular tactic
since it has so many potential pitfalls and does so very little that
can't be done with other methods.

I have no doubt that it's effective in reducing spam but just because
something works doesn't make it the correct approach.

For example we could eliminate all auto accidents by banning cars.

Or more relevantly, here is your perfect spam filter:

iptables -A INPUT -p tcp --destination-port 25 -j DROP

Guaranteed to eliminate 100% of your spam ;)

John
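The thread compares the three DNS blocklists Gilles names without spelling out what a lookup actually is. The following is an added illustration, not code from the thread or from any of the list operators: it builds the reversed-octet query name for each zone, treats an A record in 127.0.0.0/8 as "listed" and NXDOMAIN as "not listed" (the common DNSBL convention), and queries every configured zone. The resolver is injected so the demo runs offline against a constructed answer table; the `203.0.113.10` address and the answers in that table are made up for the example, and `system_resolver` is a plain `socket.gethostbyname` wrapper you could substitute to query live lists.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Resolver hook: given a DNS name, return the A-record answer as a dotted
# quad, or None when the name does not exist (NXDOMAIN == not listed).
Resolver = Callable[[str], Optional[str]]

# The three zones mentioned in the thread.
ZONES = ["list.dsbl.org", "relays.ordb.org", "sbl.spamhaus.org"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the list zone.

    203.0.113.10 checked against sbl.spamhaus.org becomes
    10.113.0.203.sbl.spamhaus.org.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(answer: Optional[str]) -> bool:
    """A DNSBL signals 'listed' with an A record inside 127.0.0.0/8.

    Anything outside that range (e.g. a wildcard answer from a broken or
    expired zone) is deliberately not treated as a listing.
    """
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def check_sender(ip: str, zones: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Query every zone; return {zone: answer} for the zones that list the IP."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if is_listed(answer):
            hits[zone] = answer  # type: ignore[assignment]
    return hits


def system_resolver(name: str) -> Optional[str]:
    """Real lookup via the system resolver; NXDOMAIN surfaces as gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed answer table standing in for live DNS: the sample sender is
# listed by two of the three zones and absent from the third.
FAKE_DNS = {
    "10.113.0.203.relays.ordb.org": "127.0.0.2",
    "10.113.0.203.sbl.spamhaus.org": "127.0.0.2",
    # no entry for 10.113.0.203.list.dsbl.org -> NXDOMAIN
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def demo() -> Dict[str, str]:
    """Check the constructed sender address against all three zones offline."""
    return check_sender("203.0.113.10", ZONES, fake_resolver)


if __name__ == "__main__":
    for zone, answer in demo().items():
        print(f"listed by {zone}: {answer}")
```

Each check is a single A-record query per zone, which is why a DNSBL lookup is cheap compared with content scanning; the cost John worries about is latency waiting on the resolver rather than CPU, and it is paid once per connection before any message body is read.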