[122754] in North American Network Operators' Group


Re: Spamhaus...

daemon@ATHENA.MIT.EDU (James Hess)
Sat Feb 20 20:18:15 2010

In-Reply-To: <Pine.LNX.4.61.1002201853060.22812@soloth.lewis.org>
Date: Sat, 20 Feb 2010 19:17:39 -0600
From: James Hess <mysidia@gmail.com>
To: Jon Lewis <jlewis@lewis.org>
Cc: New Antispam Ninnies or Groaners <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sat, Feb 20, 2010 at 6:25 PM, Jon Lewis <jlewis@lewis.org> wrote:
> it off to jail. The questions of when/whether/and to who bounces should be
> sent is a debate for spam-l or nanae.
I don't know about that. Bounce handling is not a question of spam filtering.
Spam or not is orthogonal to the issue of forged return path.  There
really should be nothing to debate, except in the context of a
protocol discussion, as the current internet standards are pretty
clear and specifically inflexible on how internet mail hosts must
handle error conditions.   Just like TCP rfc793 is clear on how
internet mail hosts must handle connection establishment.


> cache probably won't help. I know at least some of these orgs aggregate
> queries either per RIR assigned CIDR or per ASN, so spreading the queries
> out isn't likely to get you around the issue.

When contacted by the DNSBl, perhaps you inform the end-users to make
DNSBL queries directly against DNSBL servers,  directly from the mail
server which is in their SWIP'ed IP range. There is little else you
can do, is there?

> So, do you pay, and setup your own local copy of the zones? Let them block
> your servers/network and let those of your customers who care make their own
> arrangements for continued access?
That depends on the importance of the DNSBL.

Spamhaus'  description of rsync datafeed service on their web site
appears to be incompatible with an ISP setting up a local copy and
allowing customers to query.

When setting up a local copy of the zone, you pay by "Number of e-mail users".
See the problem?    As an ISP  serving a local copy of the zone  to
customer mail servers,  you don't know how many mailboxes they have.

Maybe I'm mistaken, but it appears each end user has to buy the
service for their own mail servers,  and the ISP   isn't allowed to
bypass that.  For the purpose of the agreements with spamhaus,  an ISP
customer is probably considered a third party,  and making a  rbldns
server available to them is disclosing spamhaus' secret DNSBL zone
information....


--
-J

