
Re: [Asrg] 7. Best Practices - DNSBLs - Article

2003-08-11 13:45:35
On Mon, Aug 11, 2003 at 03:14:14PM -0400, Yakov Shafranovich wrote:
> This is something that should be reflected in the BCPs for mail
> administrators - investigate the blacklist before you use it.

Don't know if this qualifies for a BCP ...
We use our own DNSBL. We do also use other DNSBLs but the messages are
tagged only. This tagging is used as a decision aid:
  if we get spam and the IP is listed in other DNSBLs as well, we add
  it to our own DNSBL right away.
This saves some work.

(I have no concrete proof for that, maybe others can check some data and
see if they notice something similar)
I have the impression DNSBLs get abused for finding open relays.
Motivation: checking IP ranges for open relay mailservers or open
   proxies is a time consuming task and you need email addresses to
   receive the relayed messages at.
Strategy: Do port scans for hosts listening on port 25. Make a list of
   all those IP addresses.
   Now use a tool that abuses 0wned hosts and do distributed submissions
   of these IPs to the various DNSBLs for testing.
Result: After some hours/days do DNS lookups and see if the IP got
   blocked. If it is blocked the IP is vulnerable, add it to your list
   of vulnerable hosts and quickly start abusing it.
Downside: they use a blacklisted IP for spamming. However from my
   personal observation most DNSBLs are used for informational purposes
   and not for hard blocks, so the amount of spam they get through is
   large enough and pays off the gain of having others do the dirty work
   (with a white hat on).

I had this idea, when I installed a new machine in an old IP block on an
IP that hasn't been in use for at least 6 years. After a few minutes I
saw the first port scan on port 25 and about an hour later there was a
second one. Only 4-5 hours later the host was scanned by three DNSBLs.
IIRC the first scan was from an ATT dialin and the second one was from a
RoadRunner IP.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
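The tag-only policy described at the top of the message (external DNSBLs only tag, our own list rejects, and an IP is added to our list when our own spam verdict agrees with other lists) as an added Python example, not code from the poster or from SpaceNet; zone names, return codes and the resolver table are constructed so it runs offline:

```python
import ipaddress
from typing import Mapping, Optional

# Constructed example data: hypothetical zone names and a fake resolver table
# (query name -> A record) so the block runs offline. 127.0.0.2 is a common
# "listed" answer; real lists document their own return codes.
EXTERNAL_ZONES = ("dnsbl-a.example", "dnsbl-b.example")   # tagging aids only
OWN_ZONE = "bl.mail.example"                               # the one list we hard-block on
SAMPLE_ANSWERS = {
    "10.2.0.192.dnsbl-a.example": "127.0.0.2",   # 192.0.2.10 listed on A
    "10.2.0.192.dnsbl-b.example": "127.0.0.2",   # ...and on B
    "20.2.0.192.dnsbl-a.example": "127.0.0.2",   # 192.0.2.20 listed on A only
    "30.2.0.192.bl.mail.example": "127.0.0.2",   # 192.0.2.30 already on our own list
}

def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for an IPv4 address: octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup(ip: str, zone: str, answers: Mapping[str, str]) -> Optional[str]:
    """Return the A-record answer if the IP is listed in `zone`, else None.
    `answers` stands in for a real DNS resolver."""
    return answers.get(dnsbl_name(ip, zone))

def external_tags(ip: str, answers: Mapping[str, str]) -> list[str]:
    """Names of the external lists that carry this IP (used for header tags only)."""
    return [z for z in EXTERNAL_ZONES if lookup(ip, z, answers) is not None]

def decide(ip: str, is_spam: bool, answers: Mapping[str, str], own_list: set[str]) -> str:
    """Policy from the post: only our own DNSBL rejects; external hits only tag;
    a message we judged spam from an IP other lists also tag gets listed by us."""
    if ip in own_list or lookup(ip, OWN_ZONE, answers) is not None:
        return "reject"
    tags = external_tags(ip, answers)
    if is_spam and tags:
        own_list.add(ip)      # external agreement plus our own evidence: list it now
        return "tagged,listed"
    return "tagged" if tags else "accept"
```

Because an external listing alone never rejects, a list that has been gamed with fraudulent submissions costs at most a header tag here, not lost mail.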

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg