
Re: [Asrg] 2. Improving Blacklists and Reputation Services

2004-02-09 23:13:10
On Mon, Feb 09, 2004 at 03:30:17PM -0500, Yakov Shafranovich wrote

> All of this implies that reputation services such as blacklists will
> continue to exist. However, a major problem with these services
> is that they provide a binary yes/no answer.

  There is no inherent binary limitation of today's de-facto DNSbl
implementations.  DNSbls have approximately 16 million possible
responses in the 127.0.0.0/8 CIDR.  And furthermore, they can return
multiple records for one query (which is the querying software's
responsibility to handle properly).  Quite a few DNSbls have an
"aggregate zone", which can return multiple values.  An example
is dnsbl.sorbs.net.  Here's a comment from my blocklist entries...

#        dnsbl.sorbs.net aggregate return codes are:
#   http.dnsbl.sorbs.net    127.0.0.2
#  socks.dnsbl.sorbs.net    127.0.0.3
#   misc.dnsbl.sorbs.net    127.0.0.4
#   smtp.dnsbl.sorbs.net    127.0.0.5
#   spam.dnsbl.sorbs.net    127.0.0.6
#    web.dnsbl.sorbs.net    127.0.0.7
#  block.dnsbl.sorbs.net    127.0.0.8
# zombie.dnsbl.sorbs.net    127.0.0.9
#    dul.dnsbl.sorbs.net    127.0.0.10
#badconf.rhsbl.sorbs.net    127.0.0.11
# nomail.rhsbl.sorbs.net    127.0.0.12

  Another example is zz.countries.nerd.dk.  A query on an IP address
will return 127.0.X.Y where (X * 256) + Y == ISO country code of the
country where the IP address in question is hosted.

  In both of the above cases, the idea is to reduce DNS traffic.  Rather
than querying half-a-dozen of the sub-zones, I query the master zone,
and check for any returned values which I want to use.  Similarly, I
could do multiple queries to cn.countries.nerd.dk, tw.countries.nerd.dk,
kr.countries.nerd.dk, etc, etc.  But it's less bandwidth-intensive at
both ends to use the master zone.  There is nothing preventing this type
of response from being interpreted in a different manner that includes
granularity.

> Many commercial ISPs would like to make the decisions themselves.
> Filters such as SpamAssassin would probably be better off basing data
> on a larger scale than a simple yes or no.

  SPEWS already has a "level 1" and "level 2" response.  Is this along
the lines that you're thinking of?  Similarly, Spamhaus has multiple
lists, with one (ROKSO) reserved for blatant, unrepentant spammers.
Between coded numeric values, and separate subzones for various degrees
of spamming, the granularity you are looking for is already available
in real life.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
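The multi-valued DNSbl responses described in the message above (the 127.0.0.N codes of the SORBS aggregate zone, and the 127.0.X.Y country encoding of zz.countries.nerd.dk), decoded into a graded verdict. This is an added example, not code from the message or from SORBS or nerd.dk; it does no DNS queries, the answers are constructed inline, the SORBS code table is copied from the comment in the message, the ISO 3166-1 numeric subset is a constructed lookup, and the reject/score/accept policy is an illustrative assumption rather than any list's recommendation.

```python
"""Decode multi-record DNSbl answers into list names and a graded verdict.

Constructed example: no network I/O, sample answers are built inline.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Return codes of the dnsbl.sorbs.net aggregate zone, as listed in the
# message above (last octet of a 127.0.0.N answer -> sub-list name).
SORBS_CODES: Dict[int, str] = {
    2: "http", 3: "socks", 4: "misc", 5: "smtp", 6: "spam", 7: "web",
    8: "block", 9: "zombie", 10: "dul", 11: "badconf", 12: "nomail",
}

# Constructed subset of ISO 3166-1 numeric codes for the nerd.dk decoder.
ISO3166_NUMERIC: Dict[int, str] = {156: "CN", 158: "TW", 410: "KR", 840: "US"}

# Assumed policy (not SORBS's): which sub-lists justify an outright reject
# and which only contribute to a score, so the MTA, not the list, decides.
REJECT_LISTS = {"spam", "zombie", "block"}
SCORE_LISTS = {"http", "socks", "misc", "smtp", "web", "dul"}


def query_name(ip: str, zone: str) -> str:
    """Build the DNSbl lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_value(answer: str) -> Optional[int]:
    """Turn one 127.0.X.Y A record into (X * 256) + Y.

    Returns None for anything outside 127.0.0.0/16.  Such an answer is not
    a listing code; it usually means a broken, expired or wildcarded zone,
    so callers must treat it as a lookup error, never as "listed".
    """
    packed = ipaddress.IPv4Address(answer).packed
    if packed[0] != 127 or packed[1] != 0:
        return None
    return packed[2] * 256 + packed[3]


def decode_sorbs(answers: List[str]) -> List[str]:
    """Map every A record of an aggregate-zone reply to its sub-list name.

    Several records mean the address sits on several sub-lists.  Unknown
    codes are reported as 'unknown-N' rather than silently dropped.
    """
    names = []
    for answer in answers:
        code = decode_value(answer)
        if code is None:
            raise ValueError(f"non-DNSbl answer {answer}: treat as lookup error")
        names.append(SORBS_CODES.get(code, f"unknown-{code}"))
    return sorted(names)


def decode_country(answer: str) -> Tuple[int, Optional[str]]:
    """Decode a zz.countries.nerd.dk reply into (ISO numeric, alpha-2 or None)."""
    code = decode_value(answer)
    if code is None:
        raise ValueError(f"non-DNSbl answer {answer}: treat as lookup error")
    return code, ISO3166_NUMERIC.get(code)


def classify(sorbs_answers: List[str]) -> str:
    """Graded verdict from an aggregate-zone reply (empty list = not listed)."""
    lists = set(decode_sorbs(sorbs_answers))
    if lists & REJECT_LISTS:
        return "reject"
    if lists & SCORE_LISTS:
        return "score"
    return "accept"


if __name__ == "__main__":
    # Constructed sample: one host on the spam and dul sub-lists at once.
    print(query_name("192.0.2.10", "dnsbl.sorbs.net"))
    print(decode_sorbs(["127.0.0.6", "127.0.0.10"]), classify(["127.0.0.6", "127.0.0.10"]))
    print(decode_country("127.0.1.154"))
```

The point of `decode_value` returning `None` outside 127.0.0.0/16 is the check a practitioner wants in front of any of these lists: a zone that lapses and gets wildcarded answers with a public address for every query, and software that only tests "did I get an A record" would start rejecting all mail.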