Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0

At 11:19 PM -0500 3/2/07, Stephanie Erin Daugherty wrote:

I'll agree that its a horrible idea. At one point, a DNSBL couldeffectively stop a lot of spam. Now, most DNSBL operators and DNSBLusers have realized that the technology long ago ceased to be usefulin stopping all but the most persistent and long-lived spam sources,and compromised hosts.


That is not consistent with the evidence I have on hand.

I deal with multiple receiving sites (corporate and microdomain) andknow of none where the CBL fails to reject over 2/3 of all SMTPconnections or has ever had a detectable false positive rate greaterthan 1 per million rejections over a period of over a month, with thefalse positives coming in very brief episodes (commonly describableas the consequences of ill-considered NAT designs.) For most sites,the reject rate is usually in the 75-80%.

The Spamhaus XBL and Zen lists enhance that performance by 5-10% byaggregating the CBL with additional lists, and while I've used themfor relatively short times (< 6 months) on anything but very smallsites, I've been unable to find any increase in false positives.

As a first cut against spam, applied without having to examineanything other than the connecting IP, DNSBL's remain extremelyuseful.

So, you might ask, what are DNSBL's still useful for? Mainly, four things:
* Keeping track of compromised hosts, because they present a threatto the internet as a whole.* Keeping track of hosts that shouldn't be sending mail - machineson networks where servers aren't allowed for instance.


That's basically the model of the Spamhaus XBL and PBL.

* Brute-force education of end users and server administrators aboutcommunity standards of security and acceptable behavior on theinternet.* Bringing the problems that allow spam and other network abuse tothe wallets of those who can do something about it.
It's that last one that's the big one.

Yes, but I think you've missed another application. Applying theSpamhaus SBL as a "URIBL" by checking body URI domain parts forresolution to SBL-listed address space is usefully effective againstspam that makes it past CBL and its derivatives. The numbersfluctuate wildly (10-40% of what gets past traditional DNSBLapplication) based on fluctuations of DNSBL effectiveness and spammerbehavior.

Unfortunately, there are some providers who wouldn't kick spammersoff their network, if not for the fact that DNSBLs would soon forcethem out of business.

I think that's an appealing story that does not always describereality. I know there are some providers who respond to listings, butthere are some who simply don't, and are unimpeded by that for years.The entity formerly known as UUNet (finally seeming to clean up a bitsince the VZ acquisition,) the 'new' AT&T (i.e. SBC,) Comcast, andthe Chinese Internet oligopoly seem impervious to the supposedbusiness impact of DNSBL's.

DNSBLs are unfortunately very good at this one thing - making "notmy problem" a big enough issue that ignoring security, permittingabusive behavior, or ignoring the basic principles of the internetbecomes costly enough to become a problem worth fixing.


Not for all providers.

As a DNSBL operator, I don't like this aspect of it, but it's thesame principle as behind things like the infamous UDP(http://www.stopspam.org/faqs/udp.html).

The UDP worked better when it was applied than anything in email canbecause the news network is built on a fundamental building block ofexplicit and strictly bilateral agreements to pass traffic. Sitesthat have agreements with everyone they accept mail from don't havemajor spam problems.

Ultimately, a DNSBL does not stop spam.


But, they do. I see DNSBL's stopping most spam at multiple sites.


--

Bill Colebill(_at_)scconsult(_dot_)com



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg