[rbldnsd] how to make public (DNS)RBL?
Chris.
cth at fastmail.ca
Sun May 17 04:03:54 MSD 2009
On Sat, 16 May 2009 20:42:31 +0000 (UTC), Chris. wrote...
> On Sat, 16 May 2009 12:31:31 -0400, Steven Champeon wrote...
>
>> on Sat, May 16, 2009 at 10:16:18AM +0000, Chris. wrote:
>>
>> <snip completely unrelated but nevertheless bizarre Javascript story>
>>
>>> So if I understand you correctly, if any "admins" attempt to use
>>> my system, they'll have no idea whether the lists are good, or bad.
>>
>> No, if you expect anyone to use it, you need to publish a set of
>> criteria by which you list IPs. Nothing to do with hype - if
>> anything, Jon and Dave and the rest have been trying to point out to
>> you that blocking 1/4 of the Internet isn't a bold claim, it's
>> probably a sensible course to take given million-host botnets, but
>> it's *irrelevant* in the context of this discussion. I could provide
>> you with a DNSBL that lists five hundred thousand IPs, but if they're
>> all legit mail hosts, you'll end up with a high FP rate should you
>> use that list to block inbound mail. Go, now, and read the BCP I
>> sent.
>
> LOL. Sorry. I'm afraid I've been a bit overburdened lately, and as a
> consequence, I'm a bit detached, and /reactive/ - see; "knee jerk".
> Henceforth, I do solemnly swear to read the responses in these
> threads. Then walk away from the console, and wait no less than 1hr.
> before responding. Gah! Now, in retrospect it all seems so clear. I
> feel terrible, and am very grateful for all the thoughtful responses -
> even tho I didn't recognize all of them.
>
> ...and now, a direct response to the response(s), as they were
> intended. :) Steven, thank you for the pointer (article) - I
> /actually/ understood that, and I /was/ looking for it. - /really/
>
> I have read all of it (again) and actually /do/ have a layout - just
> not yet in print. I'll post them (or a link) here today, or early
> tomorrow. Actually, it occurs to me just now, that I'd rather provide
> a bit more /articulated/ version here in response. It'll be a bit
> more terse, as the readers have a better understanding, so I can
> use a different language. Those were "props" to the subscribers here,
> in case it wasn't noticed. :)
> I'm in the middle of a "build session/marathon" as I write this.
> So since it hasn't yet been an hour, I'm going to break it off here,
> and honor my oath, and report back with a /direct/ response to
> yours (and some of the others like it). Consider this one
> a well deserved apology. :)
>
> Back in about an hour...
I'm back. Here's a rough outline on filtering practices employed:
DATA is filtered/categorized in the (roughly) following fashion:
I should preface this by saying that I have a /highly/ sophisticated
system that has been in constant development for some 25yrs. That said...
Audit trails are maintained; I possess/maintain a /painfully/ detailed
account regarding all listings - in other words, if I've been under attack
I /always/ know the origin, as well as the /complete/ trail to the final
destination (me/my network).
If attacked, I add the entire trail in the following fashion:
o origin - nabuse
o trail: (those deflected from, or used to proxy the attack) - unmaintained,
or hacked
o hacked: IPs belonging to computers that have been hacked, or are easily
compromised - hacked
o unmaintained: addresses (typically blocks) that are registered but unused,
or those that are registered but still belong in bogon - unmaintained
o never: addresses that were "scarfed up" from failed companies that never
returned their blocks (most of which came from the days when IPs were free -
I miss those days) - never
o dynamic: dynamic blocks used by ISP/providers, typically for dialup, or short
term leases/dhcp - dynamic
o spammer: IPs lodging dictionary attacks against my MX's, IPs from which I
receive actual UCE - spammer
o test: the lights are on, and nobody's home - test
The names chosen are all tentative. I used them for R&D for the past 1+ years
of testing rbldnsd, and development of my system
How do you define "attack"?
o These are defined by actions such as pinging for the sake of developing time
tables/strategies for launching smurf, or spoofs.
o ssh attempts, which can/do include brute force/dictionary attacks, or otherwise.
o sweeps; port scans, or incessant attempts against known services.
This is not /yet/ an "all inclusive" list, but covers the bulk of criteria that
one would most probably be interested in.
I should also note that I keep current with the bogon, and the list(s) always
reflect the current state.
Feel free to inquire further. :)
If you would care to contact me off list regarding this - please feel free.
On that subject:
@mjt
It has always been my intention to limit the thread to subjects specific to rbldnsd.
But it appears because of the ultimate goal of my use of rbldnsd, some /deviation/ is
required. I promise to do my best to keep it "on track", but will be happy to start
my own mailing list against one of my own @ address. Point being, I don't want you
to think that I'm attempting to abuse your list.
Thank you, and everyone else involved.
Sincerely,
Chris
>
> --Chris
>
>>
>> /me resists urge to also school you on DHTML, which is not the same
>> as Javascript, and certainly wasn't around in 1994. ;)
>>
>> At any rate, I think this troll is full to bursting, and we should
>> all just let him go off and sit under another bridge.
>>
>> Steve
>>
>> --
>> hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w:
>> http://hesketh.com/ antispam news, solutions for sendmail, exim,
>> postfix: http://enemieslist.com/
>> _______________________________________________ rbldnsd mailing list
>> rbldnsd at corpit.ru
>> http://www.corpit.ru/mailman/listinfo/rbldnsd
_________________________________________________________________
http://fastmail.ca/ - Fast Secure Web Email for Canadians
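Steven's point in the thread is that a public DNSBL is only usable if consumers can tell *why* an address is listed. One way to make the categories above visible to consumers is to give each its own 127.0.0.x return code and publish them alongside the criteria. The following is an added example, not code from the post or from rbldnsd: it models a categorised list, renders it as ip4set-style dataset lines (the `:A:TXT` prefix line sets the answer for the entries that follow it, as rbldnsd's ip4set format does), and shows the client side of the lookup. The return-code assignments, the RFC 5737 sample listings and the zone name are all constructed for illustration.

```python
"""Categorised DNSBL model: render rbldnsd ip4set lines and decode answers."""
import ipaddress

# Constructed mapping of the thread's listing categories to distinct return
# codes (assumed values chosen for this example, not rbldnsd defaults).
CATEGORY_CODES = {
    "nabuse": "127.0.0.2", "hacked": "127.0.0.3", "unmaintained": "127.0.0.4",
    "never": "127.0.0.5", "dynamic": "127.0.0.6", "spammer": "127.0.0.7",
    "test": "127.0.0.8",
}
CODE_CATEGORIES = {code: cat for cat, code in CATEGORY_CODES.items()}

# Constructed sample listings (RFC 5737 documentation ranges): (prefix, category).
LISTINGS = [
    ("192.0.2.0/24", "dynamic"),
    ("198.51.100.7", "spammer"),
    ("203.0.113.0/25", "unmaintained"),
]

def ip4set_lines(listings, policy_txt="Listed; see published criteria"):
    """Group entries by category; each group is preceded by a ':A:TXT' line
    so every answer carries the category name in its TXT record."""
    by_cat = {}
    for net, cat in listings:
        by_cat.setdefault(cat, []).append(net)
    lines = []
    for cat, nets in by_cat.items():
        lines.append(f":{CATEGORY_CODES[cat]}:{cat}: {policy_txt}")
        lines.extend(nets)
    return lines

def query_name(ip, zone):
    """Build the name a DNSBL client queries: 192.0.2.44 -> 44.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def lookup(ip, listings):
    """Return (code, category) for the most specific matching listing, else None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cat in listings:
        n = ipaddress.ip_network(net, strict=False)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, cat)
    return None if best is None else (CATEGORY_CODES[best[1]], best[1])

def decode(answer):
    """Map an A-record answer back to the published category name."""
    return CODE_CATEGORIES.get(answer, "unknown code")
```

A consumer can then decide per category (for example, reject on `spammer`, only score on `dynamic`) instead of treating every hit identically, which is what keeps the false-positive rate of a broad list manageable.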