spf-discuss

Re: Solving throwaway domains using RHSBLs not whois

2003-10-09 16:06:21
So why not incorporate an indirect Zone transferred blacklists of domains that 
are not allowed and therefore would not be damageable to DDoS.

Rudy K.


----- Original Message ----- 
From: "Arlie Davis" <arlie(_at_)sublinear(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, October 09, 2003 6:20 PM
Subject: RE: [spf-discuss] Solving throwaway domains using RHSBLs not whois


Centralized black-lists, such as what you propose/mention, are
vulnerable to DDoS attacks from the spammers.  We've already seen
SEVERAL domains that maintained spam blacklists wiped out by DDoS
attacks.  If we move to a centralized black-list server, it will be
continuously attacked by the spammers.

Although I have a lot of doubts about SPF, its distributed nature is
definitely a strength.

-- arlie


-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Meng Weng Wong
Sent: Thursday, October 09, 2003 12:25 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] Solving throwaway domains using RHSBLs not whois


On Thu, Oct 09, 2003 at 09:15:56AM -0400, Mark Jeftovic wrote:
| 
| With regard to whois, or using it to score throw-away domain 
| detection, I advise against it. That's not what the whois database is 
| designed for and they simply were not built with the performance 
| considerations that this would require.
| 

Suggestions that we use "whois" are on the right track but there are
better technical approaches; specifically, the RHSBL.

from http://www.securitysage.com/guides/postfix_uce_rhsbl.html

    An RHSBL, like an RBL, is usually available via DNS, but contains a list
    of domain names (as opposed to IP addresses) that can be checked against
    the client domain of an email, as well as the domain portion (after the
    @) of the sender and recipient addresses.

Here's how they work:

    20031009-12:22:17 mengwong(_at_)dumbo:~% dnsip amazingoffersdirect.net.spamdomains.blackholes.easynet.nl
    127.0.0.2
    20031009-12:22:24 mengwong(_at_)dumbo:~% dnsip yahoo.com.spamdomains.blackholes.easynet.nl

    20031009-12:22:33 mengwong(_at_)dumbo:~%

See the bottom of http://www.sdsc.edu/~jeff/spam/cbc.html for a number
of RHSBLs.  They will gain in prominence as SPF is adopted.

To date, RHSBLs return either a DECLINE or NEGATIVE opinion.  In the
future I predict we will see RHSBLs published by major ISPs that return
KNOWN, UNKNOWN, NEGATIVE, and DECLINE, constituting a weak reputation
scheme.  Even finer grain is possible with "started sending mail N days
ago".

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to http://v2.listbox.com/member/
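
The two `dnsip` lookups in the thread, written out as a mail-filter check. This is an added example, not code from any of the posters: the function names, the verdict strings and the `fake_resolver` data are assumptions made for illustration, and the constructed resolver stands in for DNS so the block runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def system_resolver(name):
    """Return the A records for name; an empty list means no such name."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        no_name = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)}
        if exc.errno in no_name:
            return []
        raise  # timeout or server failure: the caller reports "error"

def domain_of(address):
    """Domain portion (after the last @) of an address, normalized."""
    domain = address.rpartition("@")[2].strip().rstrip(".").lower()
    labels = domain.split(".")
    ok = len(labels) >= 2 and all(
        0 < len(l) <= 63 and l.isascii() and l.replace("-", "").isalnum()
        for l in labels)
    return domain if ok else None

def rhsbl_check(address, zone, resolve=system_resolver):
    """Return 'listed', 'not_listed', 'error' or 'invalid' for one address."""
    domain = domain_of(address)
    qname = f"{domain}.{zone}"
    if domain is None or len(qname) > 253:
        return "invalid"
    try:
        answers = resolve(qname)
    except OSError:
        return "error"  # list unreachable: no opinion, do not reject on it
    # Only 127.0.0.0/8 answers are list verdicts; any other address (for
    # example a wildcarded or re-registered zone) is not treated as a listing.
    hits = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
    return "listed" if hits else "not_listed"

# Constructed stand-in for DNS, mirroring the two lookups in the message.
ZONE = "spamdomains.blackholes.easynet.nl"
FAKE_DNS = {f"amazingoffersdirect.net.{ZONE}": ["127.0.0.2"],
            f"parked.example.{ZONE}": ["203.0.113.7"]}

def fake_resolver(name):
    if name.startswith("timeout."):
        raise TimeoutError("constructed resolver failure")
    return FAKE_DNS.get(name, [])
```

Keeping "error" separate from "not_listed" lets a filter log that a list was unreachable without rejecting mail on that basis.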
