[62924] in North American Network Operators' Group

Re: monkeys.dom UPL being DDOSed to death

daemon@ATHENA.MIT.EDU (Jack Bates)
Wed Sep 24 11:49:15 2003

Date: Wed, 24 Sep 2003 10:48:44 -0500
From: Jack Bates <jbates@brightok.net>
To: "Geo." <georger@getinfo.net>
Cc: nanog@merit.edu
In-Reply-To: <EKECJMGPAACGOMIGLJJDCEGPDIAA.georger@getinfo.net>
Errors-To: owner-nanog-outgoing@merit.edu


Geo. wrote:

> 
> There shouldn't be a need for any removal process. A server should be listed
> for as long as the spam continues to come from it. Once the spam stops the
> blacklisting should stop as well. That is how a dynamic list SHOULD work.
> 

Depends on the type of listing. Open proxies and open relays are best 
removed by request of owner once they are fixed or staled out after a 
retest at a later time, although retests should be far and few between 
(many use anything from 1-6 months). Just because spam is not 
temporarily coming from an insecure host does not mean that the host has 
been secured.

Direct Spam is difficult to automatically detect, and reports are not 
always accurate (see SpamCop). It tends to be a very manual process. A 
lot of work goes into maintaining a list like SBL or SPEWS.

Spam is also very transient, which makes local detection of a spammer's 
activities difficult. They may just be focusing on someone else for a 
week or two before plastering your servers again. If you remove them, 
they will do considerable damage before they get relisted via the manual 
process (delay between first email received and first recipient 
reporting can easily exceed hours).

The other issue with shared listings is what one considers acceptable or 
unacceptable. Easynet, for example, lists a lot of mail senders which I 
accept mail for due to user demand. They consider the email spam or 
resource abuse (broken mailers) while I am meeting the demands of my 
customers who are paying to receive the email. This isn't a collateral 
damage issue. It is an issue of where a network decides to draw the line 
on accepting or rejecting email.

-Jack

