
Re: Best practices to avoid virus and spam

2004-02-11 22:14:48

----- Original Message ----- 
From: "Keith Moore" <moore(_at_)cs(_dot_)utk(_dot_)edu>
To: "Keld Jørn Simonsen" <keld(_at_)dkuug(_dot_)dk>
Cc: "Keith Moore" <moore(_at_)cs(_dot_)utk(_dot_)edu>; 
Sent: Wednesday, February 11, 2004 10:47 PM
Subject: Re: Best practices to avoid virus and spam

No need for new protocols, closed networks etc. Maybe a need for some
RBL listing virus/spam infected machines, I don't know.

Third-party RBLs are a really, really, really bad idea.  They should be
categorized as Worst Practices.

... and then refuse to accept any new connections from that source IP for a
period of time.

Is this the reason for your rationale that RBLs are really bad?

That's the problem: there is no reliable way for SMTP at the protocol level to
determine if a system is a spammer.   But even if it did and you automatically
blacklisted it....

What period of time is this?  And how do you correct yourself?  How does the
system report to you that it has fixed itself?

If anything, I suggest that we take what is REALITY and help standardize it,
by cleaning it up with reason response codes and also maybe, if possible,
consolidating the sites.   Some systems may want to just block dialups or
open relays but not mailing lists with no subscribe confirmations.   Take a
look at some of the response tables for the RBL sites.

Here is my take.  Two sides of the coin:

1) RBLs are the BEST thing and ONLY thing available to make the problem more
manageable.  Systems that don't use RBLs have big spam abuse problems.  You
might be able to manage them in other ways, but for the majority, it is a
god-send.  The fact that the GROWTH of these systems has sky-rocketed is
proof enough that a lot of people think it is a GOOD IDEA to solve the
problems that currently could not be addressed at SMTP.

2) Unfortunately, spammers LEARN from RBL databases which systems are open
relays/proxies.   Studies have shown that on average a reported site will
correct the system within 30 days.   This is the double-edged sword of any
central registry system.

Let's face it, the suggestion of throwing away the idea of RBL is not
reality, or categorizing it a WORST PRACTICE is not going to stop it from
being used until you offer something that replaces it with the same
The rationale here is that the SMTP server doesn't want to waste bandwidth
or cpu cycles by sucking down a message that's going to be discarded
anyway, and it does want to avoid being interrupted by a compromised
machine or spammer's machine if it tries again later.

I agree.  But Keith, until SMTP provides a standard and reliable way to do
this at the protocol level, RBLs will remain the top method of stopping
spam.  They work! Knocking out at least 60% of your connections. That is why
they exist in GREAT popularity.

In addition, the new wave is the networking of "intelligence".   What one
system learns can benefit others in the network.

I am just providing input so that this statement of yours is not taken
seriously as gospel.

Hector Santos, Santronics Software, Inc.
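As an added illustration of the reason-code idea raised in the post above (this is not code from the thread, nor from any RBL operator): a DNSBL lookup that reverses the IPv4 octets under a list zone, decodes the returned A record through a response-code table, and lets a receiving site reject only the listing reasons it has chosen to block. The zone name, the code table, and the resolver data are constructed for the example so that it runs offline.

```python
import ipaddress
from typing import Callable, Dict, Optional, Set

# Hypothetical response-code table, in the style of the per-list tables the
# post mentions.  Codes and meanings are constructed for this example; every
# real DNSBL publishes its own table.
REASON_CODES: Dict[str, str] = {
    "127.0.0.2": "open-relay",
    "127.0.0.3": "dialup",
    "127.0.0.4": "open-proxy",
    "127.0.0.5": "unconfirmed-list",   # list without subscribe confirmation
}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed, under the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup_reason(ip: str, zone: str,
                  resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the listing reason for ip, or None when the list has no entry."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    # An unrecognised code is surfaced rather than silently treated as a block.
    return REASON_CODES.get(answer, "unknown:" + answer)

def should_reject(ip: str, zone: str,
                  resolve: Callable[[str], Optional[str]],
                  blocked_reasons: Set[str]) -> bool:
    """Site policy: reject only when the listing reason is one we block."""
    reason = lookup_reason(ip, zone, resolve)
    return reason is not None and reason in blocked_reasons

# Constructed stand-in for a DNS A-record lookup (hypothetical zone name).
FAKE_ZONE_DATA: Dict[str, str] = {
    "2.0.0.10.bl.example.com": "127.0.0.2",   # 10.0.0.2 listed as open relay
    "3.0.0.10.bl.example.com": "127.0.0.5",   # 10.0.0.3 listed as unconfirmed list
}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)

if __name__ == "__main__":
    # A site that blocks relays and dialups but tolerates unconfirmed lists.
    policy = {"open-relay", "dialup", "open-proxy"}
    for src in ("10.0.0.2", "10.0.0.3", "10.0.0.9"):
        print(src, lookup_reason(src, "bl.example.com", fake_resolve),
              should_reject(src, "bl.example.com", fake_resolve, policy))
```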