-----BEGIN PGP SIGNED MESSAGE-----
Tony Finch wrote:
"Chris Lewis" <clewis(_at_)nortel(_dot_)com> wrote:
Tony Finch wrote:
Yes, blacklists do this already, though they are binary not ternary.
That's not necessarily true. Many DNSBLs are already multi-valued
(zen.spamhaus.org presently has 6 independent "flags"), and they can be
constructed to be more sophisticated with as many as 2^24 values on a
single return, and/or being used in scoring.
AFAIK all the multi-value blacklists are combinations of multiple
underlying binary blacklists, and exist to reduce the number of
DNS lookups needed to do multiple blacklist lookups.
There are exceptions. One of the regional DNSBLs returns (encoded)
country codes in the A, rather than answering binary questions like "is
this IP in china?". I could build that myself[+]. I have seen
experimentations with DNSBLs that return message counts and other
non-binary info. Several of my internal DNSBLs are computed from
scores. I could just as easily publish the scores themselves rather
than a binary "did it exceed the threshold?". The latter is
operationally easier for us.
Historically, most DNSBLs return binary values (or a set of binary
values). But they don't have to, and some don't.
Secondly, obviously, you don't have to treat the binary values as
individually definitive. SpamAssassin scores DNSBL hits - only block if
some combination of DNSBLs are hit. We score DNSBL hits (all but one of
them is threshold level scores. The one remaining is a bit pointless at
the moment, but we want the hit metrics and we'll add more sub-threshold
scoring DNSBLs in future).
[+] Come to think about it, I already do. I internally serve up an
"asn" zone that contains the ASN, cidr allocation, country, state, owner
domain, abuse address as TXT records. It's served as a subdomain via
our internal rbldnsd DNSBL servers. It's currently used for composing
metrics like "What country, ASN, domain is this crap coming from?", but
I could have the filters consulting it, and tell it to, say, nuke
particular ASNs, owner domains etc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Asrg mailing list