O.T. milter-link - reject phishing & spam

Scott Silva ssilva at sgvwater.com
Fri Jun 30 18:42:44 IST 2006


Ken A spake the following on 6/29/2006 8:27 AM:
> 
> 
> Stephen Swaney wrote:
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info
>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ken A
>>> Sent: Wednesday, June 28, 2006 8:03 PM
>>> To: MailScanner discussion
>>> Subject: Re: O.T. milter-link - reject phishing & spam
>>>
>>>
>>>
>>> Ken A wrote:
>>>>
>>>> Steve Freegard wrote:
>>>>> Hi Ken,
>>>>>
>>>>> Ken A wrote:
>>>>>> Is the URIBL in your graph just a generic term here, or are you using
>>>>>> milter-link with URIBL rather than SURBL, or both? I was just testing
>>>>>> using SURBL, but might drop a couple more in and see how it goes...
>>>>> It's a generic term -- I use all three URI lists (in the following
>>>>> order):
>>>>>
>>>>> sbl-xbl.spamhaus.org
>>>>> multi.surbl.org
>>>>> black.uribl.com
>>>>>
>>>>> The spamhaus test is slightly different from the other two lists -- it
>>>>> lists the IP addresses of spamvertised web servers and seems to work
>>>>> the best of all three lists.
>>>> Seems like that could be risky when considering a shared hosting
>>>> environment, where there are hundreds of sites on a single IP. Wouldn't
>>>> you be punishing them all?
>>> for example..
>>>
>>> # host humboldt.edu
>>> humboldt.edu has address 137.150.145.17
>>> # host 17.145.150.137.sbl-xbl.spamhaus.org
>>> 17.145.150.137.sbl-xbl.spamhaus.org has address 127.0.0.4
>>>
>>> That's Humboldt State University in Northern California.
>>> I wonder if they host student sites, or have an open relay script..
>>> :-(
>>>
>>> Another one..
>>> #host alumni.net
>>> alumni.net has address 66.240.255.123
>>> # host 123.255.240.66.sbl-xbl.spamhaus.org
>>> 123.255.240.66.sbl-xbl.spamhaus.org has address 127.0.0.4
>>>
>>> This is an alumni networking site claiming 4 million members..
>>> They aren't on any other lists, probably another site on the same ip is
>>> being exploited to send spam. I think maybe just the sbl might be safer,
>>> at least for an ISP environment.
>>>
>>> Thanks,
>>> Ken A.
>>> Pacific.Net
>>
>> Ken,
>>
>> I don't dispute your analysis or data but our service bureau scanners and
>> all of our clients' (Mostly UK, EU and US sites) have been blocking at the
>> MTA level on sbl-xbl.spamhaus.org since it came into being. Maybe it's just
>> luck but we've never had a single complaint of blocked email from a client
>> or user that had email blocked because of an sbl-xbl.spamhaus.org listing.
>>
>> Many of our ISP and ASP clients would be unable to process the email they
>> receive if they didn't block or drop on sbl-xbl.spamhaus.org at the MTA
>> level. We are seeing some of our IPS client sites where the attempted spam /
>> junk delivery rate is 95% of all incoming email. They have just got to block
>> as much as possible at the MTA level or they are out of business!
>> My hat's off to the people who maintain the sbl-xbl.spamhaus.org list. We
>> should all tip our hats and support as best we can all of the good folks who
>> create and maintain all of the lists and tools we use every day to stop
>> #@!&*@#$! spam, viruses, phishing attacks, etc., etc.
>>
>> These are the people who are really keeping the Internet up, running and
>> open for business.
> 
> Steve,
> 
> I agree completely. The team at spamhaus does a great job. Using
> spamhaus sbl-xbl to block the connecting IP in your MTA makes a lot of
> sense. But, that's a lot different than using xbl to block with
> milter-link given the realities of shared IP addresses, and open
> proxies that often land such IPs on the cbl.
> 
> That's just my thinking on this, since we happen to host more than one
> site on a shared IP. I certainly don't have the large scale operation
> you do, so perhaps I'm just a bit off target with my theoretical look at
> this, as is often the case, especially before the 2nd cup... :-)
> 
As an administrator of a shared ip site, it would be up to you to drop or fix
whoever got you listed and apply for a release of the IP from spamhaus.
I know that our shoulders get heavy with the burdens of being a sysadmin, but
that is the level that needs to resolve it.


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
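
Added example, not part of the original thread and not milter-link's own code: the reversed-octet lookup shown in the quoted `host` output, with the SBL/XBL distinction Ken raises made explicit, so a URI host is rejected only on an SBL answer unless XBL is opted in. The function names, the injectable resolver and the 192.0.2.1 entry are assumptions made for illustration; the code mapping (127.0.0.2-3 for SBL, 127.0.0.4-7 for XBL) follows Spamhaus's published return codes.

```python
import socket

ZONE = "sbl-xbl.spamhaus.org"  # combined zone queried in the thread

def dnsbl_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone, as in the `host` queries."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Map 127.0.0.x answers to the sub-list behind them."""
    lists = set()
    for a in answers:
        if not a.startswith("127.0.0."):
            continue  # anything else is not a listing (e.g. resolver error codes)
        code = int(a.rsplit(".", 1)[1])
        if code in (2, 3):
            lists.add("SBL")
        elif 4 <= code <= 7:
            lists.add("XBL")
    return lists

def system_resolver(name):
    """Live A-record lookup; NXDOMAIN (not listed) becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def uri_verdict(host_ip, resolver=system_resolver, reject_on=("SBL",)):
    """Decide on a URI whose host resolves to host_ip; default acts on SBL only."""
    lists = classify(resolver(dnsbl_name(host_ip)))
    return ("reject" if lists & set(reject_on) else "accept"), sorted(lists)

# Constructed answers: the first two repeat the thread's output, the third is invented.
SAMPLE = {
    "17.145.150.137.sbl-xbl.spamhaus.org": ["127.0.0.4"],
    "123.255.240.66.sbl-xbl.spamhaus.org": ["127.0.0.4"],
    "1.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.2"],
}

def sample_resolver(name):
    return SAMPLE.get(name, [])

if __name__ == "__main__":
    for ip in ("137.150.145.17", "66.240.255.123", "192.0.2.1", "198.51.100.7"):
        print(ip, uri_verdict(ip, sample_resolver),
              uri_verdict(ip, sample_resolver, reject_on=("SBL", "XBL")))
```
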


