O.T. milter-link - reject phishing & spam

Ken A ka at pacific.net
Thu Jun 29 16:27:12 IST 2006



Stephen Swaney wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>> bounces at lists.mailscanner.info] On Behalf Of Ken A
>> Sent: Wednesday, June 28, 2006 8:03 PM
>> To: MailScanner discussion
>> Subject: Re: O.T. milter-link - reject phishing & spam
>>
>>
>>
>> Ken A wrote:
>>>
>>> Steve Freegard wrote:
>>>> Hi Ken,
>>>>
>>>> Ken A wrote:
>>>>> Is the URIBL in your graph just a generic term here, or are you using
>>>>> milter-link with URIBL rather than SURBL, or both? I was just testing
>>>>> using SURBL, but might drop a couple more in and see how it goes...
>>>> It's a generic term -- I use all three URI lists (in the following
>>>> order):
>>>>
>>>> sbl-xbl.spamhaus.org
>>>> multi.surbl.org
>>>> black.uribl.com
>>>>
>>>> The spamhaus test is slightly different from the other two lists -- it
>>>> lists the IP addresses of spamvertised web servers and seems to work
>>>> the best of all three lists.
>>> Seems like that could be risky when considering a shared hosting
>>> environment, where there are hundreds of sites on a single IP. Wouldn't
>>> you be punishing them all?
>> for example..
>>
>> # host humboldt.edu
>> humboldt.edu has address 137.150.145.17
>> # host 17.145.150.137.sbl-xbl.spamhaus.org
>> 17.145.150.137.sbl-xbl.spamhaus.org has address 127.0.0.4
>>
>> That's Humboldt State University in Northern California.
>> I wonder if they host student sites, or have an open relay script..
>> :-(
>>
>> Another one..
>> # host alumni.net
>> alumni.net has address 66.240.255.123
>> # host 123.255.240.66.sbl-xbl.spamhaus.org
>> 123.255.240.66.sbl-xbl.spamhaus.org has address 127.0.0.4
>>
>> This is an alumni networking site claiming 4 million members..
>> They aren't on any other lists, probably another site on the same ip is
>> being exploited to send spam. I think maybe just the sbl might be safer,
>> at least for an ISP environment.
>>
>> Thanks,
>> Ken A.
>> Pacific.Net
> 
> Ken,
> 
> I don't dispute your analysis or data but our service bureau scanners and
> all of our clients (mostly UK, EU and US sites) have been blocking at the
> MTA level on sbl-xbl.spamhaus.org since it came into being. Maybe it's just
> luck but we've never had a single complaint of blocked email from a client
> or user that had email blocked because of an sbl-xbl.spamhaus.org listing.
> 
> Many of our ISP and ASP clients would be unable to process the email they
> receive if they didn't block or drop on sbl-xbl.spamhaus.org at the MTA
> level. We are seeing some of our ISP client sites where the attempted spam /
> junk delivery rate is 95% of all incoming email. They have just got to block
> as much as possible at the MTA level or they are out of business! 
> 
> My hat's off to the people who maintain the sbl-xbl.spamhaus.org list. We
> should all tip our hats and support as best we can all of the good folks who
> create and maintain all of the lists and tools we use every day to stop
> #@!&*@#$! spam, viruses, phishing attacks, etc., etc.
> 
> These are the people who are really keeping the Internet up, running and
> open for business. 

Steve,

I agree completely. The team at Spamhaus does a great job. Using 
Spamhaus sbl-xbl to block the connecting IP in your MTA makes a lot of 
sense. But that's a lot different than using xbl to block with 
milter-link, given the realities of shared IP addresses and open 
proxies that often land such IPs on the cbl.

That's just my thinking on this, since we happen to host more than one 
site on a shared IP. I certainly don't have the large scale operation 
you do, so perhaps I'm just a bit off target with my theoretical look at 
this, as is often the case, especially before the 2nd cup... :-)

Ken A.
Pacific.Net




> Just my 2p / 2c
> 
> Steve
> 
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney at fsl.com
> www.fsl.com
> 
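
An added example, not part of the original thread and not milter-link's own code: it separates the two uses discussed above, so that any sbl-xbl listing rejects a connecting IP while a linked web host's IP is rejected only on an SBL listing, as Ken suggests for shared hosting. Assumptions: the return-code mapping (127.0.0.2 for SBL, 127.0.0.4 through 127.0.0.7 for XBL) follows Spamhaus's published codes; the function names, the policy, and the 192.0.2.x answers are constructed for illustration.

```python
import ipaddress

ZONE = "sbl-xbl.spamhaus.org"  # combined zone queried in the thread

def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone, as in the host lookups above."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def sublists(answers):
    """Return which sublists ({'SBL', 'XBL'}) the returned A records name."""
    found = set()
    for answer in answers:
        prefix, _, last = answer.rpartition(".")
        if prefix != "127.0.0":
            continue  # not a listing code (e.g. a wildcarding resolver); ignore
        if last == "2":
            found.add("SBL")
        elif last in {"4", "5", "6", "7"}:
            found.add("XBL")
    return found

def decide(ip, context, resolve):
    """context: 'connecting' (SMTP client IP) or 'uri' (IP a linked host resolves to)."""
    if context not in ("connecting", "uri"):
        raise ValueError("unknown context: " + context)
    hits = sublists(resolve(query_name(ip)))
    # Hypothetical policy: XBL (exploited hosts, open proxies) only counts
    # against the connecting IP; a shared web server IP is judged on SBL alone.
    blocking = hits if context == "connecting" else hits & {"SBL"}
    return ("reject" if blocking else "accept", sorted(hits))

# Constructed DNS answers for documentation addresses (RFC 5737), so this runs offline.
STUB = {
    query_name("192.0.2.10"): ["127.0.0.4"],               # XBL only
    query_name("192.0.2.20"): ["127.0.0.2"],               # SBL only
    query_name("192.0.2.30"): ["127.0.0.2", "127.0.0.4"],  # both
}

def stub_resolve(name):
    """Stand-in resolver: an empty list models NXDOMAIN (not listed)."""
    return STUB.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        for ctx in ("connecting", "uri"):
            print(ip, ctx, decide(ip, ctx, stub_resolve))
```

To run it against live DNS, pass a `resolve` callable that returns the A records for the query name and an empty list on NXDOMAIN.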

