spf-discuss
[Top] [All Lists]

RE: Solving throwaway domains using RHSBLs not whois

2003-10-09 16:53:24
How is that decentralized?  That's just one zone, copied to many others.
The central zone can be attacked, and so can the duplicates.  Any means
that makes available the IP addresses of the duplicate servers also
makes the addresses available to attackers.

SPF is still better in this respect.  (So is message signing, of
course.)

-- arlie


-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of RKML
Sent: Thursday, October 09, 2003 7:06 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Solving throwaway domains using RHSBLs not
whois


So why not incorporate an indirect Zone transferred blacklists of
domains that are not allowed and therefore would not be damagable to
DDoS.

Rudy K.


----- Original Message ----- 
From: "Arlie Davis" <arlie(_at_)sublinear(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, October 09, 2003 6:20 PM
Subject: RE: [spf-discuss] Solving throwaway domains using RHSBLs not
whois


Centralized black-lists, such as what you propose/mention, are 
vulnerable to DDoS attacks from the spammers.  We've already seen 
SEVERAL domains that maintained spam blacklists wiped out by DDoS 
attacks.  If we move to a centralized black-list server, it will be 
continuously attacked by the spammers.

Although I have a lot of doubts about SPF, its distributed nature is 
definitely a strength.

-- arlie


-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com 
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Meng 
Weng Wong
Sent: Thursday, October 09, 2003 12:25 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] Solving throwaway domains using RHSBLs not 
whois


On Thu, Oct 09, 2003 at 09:15:56AM -0400, Mark Jeftovic wrote:
| 
| With regard to whois, or using it to score throw-away domain
| detection, I advise against it. That's not what the whois database
is 
| designed for and they simply were not built with the performance 
| considerations that this would require.
| 

Suggestions that we use "whois" are on the right track but there are 
better technical approaches; specifically, the RHSBL.

from http://www.securitysage.com/guides/postfix_uce_rhsbl.html

    An RHSBL, like an RBL, is usually available via DNS, but contains 
a list
    of domain names (as opposed to IP addresses) that can be checked 
against
    the client domain of an email, as well as the domain portion 
(after the
    @) of the sender and recipient addresses.

Here's how they work:

    20031009-12:22:17 mengwong(_at_)dumbo:~% dnsip 
amazingoffersdirect.net.spamdomains.blackholes.easynet.nl
    127.0.0.2
    20031009-12:22:24 mengwong(_at_)dumbo:~% dnsip 
yahoo.com.spamdomains.blackholes.easynet.nl

    20031009-12:22:33 mengwong(_at_)dumbo:~%

See the bottom of http://www.sdsc.edu/~jeff/spam/cbc.html for a number

of RHSBLs.  They will gain in prominence as SPF is adopted.

To date, RHSBLs return either a DECLINE or NEGATIVE opinion.  In the 
future I predict we will see RHSBLs published by major ISPs that 
return KNOWN, UNKNOWN, NEGATIVE, and DECLINE, constituting a weak 
reputation scheme.  Even finer grain is possible with "started sending

mail N days ago".

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, please go to
http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±¤Ö¤Íµø?¡

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription,
please go to
http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±¤Ö¤Íµø?¡


-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription, 
please go to
http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±¤Ö¤Íµø?¡

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±¤Ö¤Íµø?¡