OT : : FW: [spamtools] HELP: Decomissioning a DNS anti-spam list

Michele Neylon :: Blacknight Solutions michele at BLACKNIGHTSOLUTIONS.COM
Fri Mar 19 22:01:15 GMT 2004


Just saw this on spamtools and thought *some* people might find it of
interest

-----Original Message-----
From: owner-spamtools at lists.abuse.net
[mailto:owner-spamtools at lists.abuse.net]On Behalf Of Ronald F. Guilmette
Sent: 19 March 2004 20:55
To: spamtools at lists.abuse.net
Subject: [spamtools] HELP: Decomissioning a DNS anti-spam list


[[ NOTE:  I have been trying to post the message below to the bind-users
   list, where it is arguably more on-topic, but non-subscribers are not
   allowed to post, and my subscription request is still pending on what
   I can only assume must be some sort of manual approval.  So I appeal
   to the wise sages here, in the meantime. ]]


As some of you may know, up until last September, I ran a couple of
DNS-based anti-spam lists.  As some of you may also know, I ceased
doing that back in September, because I was DDoS'd by what I can only
assume must have been spammers.

Anyway, I posted (in various places) an announcement back in September
that I was shutting down my lists, and I posted a final ``end of life''
announcement for the lists also about a month and a half ago.

Now, finally, I am _really_ trying to perform a final decommissioning of
my former anti-spam DNS lists.  (But as the old saying goes, ``No good
deed goes unpunished.'')

The problem is that no matter what I do, I cannot seem to stop the
ongoing torrent of queries against the zones, which are coming from
literally thousands of different sites:

...
and on and on, ad infinitum.

I have _very little_ bandwidth at my disposal, and now I need to reclaim
that bandwidth for other purposes.  But these ongoing queries are sucking
up more than half of the meager bandwidth that I have.

I have tried everything that I can think of to stop this flood of
bogus queries already, and nothing has worked.  Nothing I have tried
has even had any noticeable effect.  I've tried setting the relevant
NS records to point into oblivion (specifically into the 224/8 space).
I have also tried pointing the NS records back to the very same name
servers elsewhere that are the most frequent ongoing troublemakers,
i.e. most frequent queriers of my defunct anti-spam zones.  Now I am
trying the following NS record:

*.relays.monkeys.com.   IN      NS      localhost.monkeys.com.

where `localhost.monkeys.com' resolves to 127.0.0.1 (in the hopes that
those name servers that are annoying me now will end up just querying
themselves, instead of me) but so far even this doesn't seem to be
working very well.

Oh!  And I should mention that I also tried this:

*.relays.monkeys.com.   IN      A       127.0.0.2
                        IN      TXT     "See http://www.monkeys.com/dnsbl/"

i.e. ``blacklist the Universe'', but even that only produced very limited
success in terms of getting people to stop sending queries here for the
dead and defunct anti-spam zones.

So can anybody help me with this?  There has GOT to be some way of de-
commissioning a zone such that further queries against the zone will not
be a huge burden on _my_ bandwidth.  I just need somebody to tell me
what it is.

Or is this impossible?  Is the design of the DNS protocol so ill-conceived
as to make this kind of decommissioning impossible?

Please help me, and educate me.
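
What the wildcard A/TXT record quoted above means to a mail server that still queries the zone, as an added example that is not part of the original post. The reversed-octet query name is the usual DNSBL convention; the in-memory zone, the toy resolver and the sample address are assumptions constructed for illustration.

```python
import ipaddress

ZONE = "relays.monkeys.com"  # zone name taken from the records quoted above

# Constructed in-memory stand-in for the zone after the wildcard was added.
WILDCARD_ZONE = {
    "*." + ZONE: {"A": "127.0.0.2", "TXT": "See http://www.monkeys.com/dnsbl/"},
}
EMPTY_ZONE = {}  # the same zone with no records: every lookup fails


def dnsbl_qname(ip, zone=ZONE):
    """Build the DNSBL query name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone


def resolve(records, qname, rtype):
    """Toy resolver (assumption): exact match, else nearest enclosing wildcard."""
    if qname in records:
        return records[qname].get(rtype)
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in records:
            return records[wildcard].get(rtype)
    return None  # no such name / no data


def check(records, ip, zone=ZONE):
    """Return (listed, reason) the way a mail server's DNSBL check sees it."""
    qname = dnsbl_qname(ip, zone)
    answer = resolve(records, qname, "A")
    # Any 127.x.x.x answer is read as "listed"; no answer means "not listed".
    listed = answer is not None and answer.startswith("127.")
    return listed, (resolve(records, qname, "TXT") if listed else None)


if __name__ == "__main__":
    sender = "192.0.2.25"  # constructed sample address (documentation range)
    print(dnsbl_qname(sender))
    print("wildcard zone:", check(WILDCARD_ZONE, sender))
    print("empty zone:   ", check(EMPTY_ZONE, sender))
```

With the wildcard in place every sender address comes back listed, so a site that still consults the zone rejects all of its inbound mail; with the zone emptied the same check reports nothing listed and the site sees no change.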

