[65295] in North American Network Operators' Group
Re: RBLs in use
daemon@ATHENA.MIT.EDU (Chris Lewis)
Thu Nov 20 12:04:23 2003
Date: Thu, 20 Nov 2003 12:06:35 -0500
From: "Chris Lewis" <clewis@nortelnetworks.com>
Cc: nanog@merit.edu
In-Reply-To: <3FBCE4CA.4020609@outblaze.com>
Errors-To: owner-nanog-outgoing@merit.edu
Suresh Ramasubramanian wrote:
> You need a fairly wide coverage of BLs.
> # Open proxies - http://opm.blitzed.org and http://proxies.blackholes.easynet.nl
I would add the SORBS http and SORBS socks lists to this.
> # Open relays - http://www.ordb.org
I'd add VISI to that too.
> # Dialup and DSL/cable dynamic IPs - http://dynablock.easynet.nl
>
> # Current spam sources - http://cbl.abuseat.org [strongly recommended]
CBL tends to list only open proxies and spam trojans, but there are a few
"classic viri emitters" (i.e. Yaha) and a _very_ small number of "grossly
misconfigured mail servers" in it too. All of which you want to know
about anyway.
What you can do is do zone downloads of the open relay/proxy/CBL lists
above and correlate them to your own netblocks. _Very_ helpful in
finding compromised systems.
With dynablock, you may want to audit it for accuracy against your IP
allocations. They're responsive to update requests.
SBL/SPEWS identifies your spammers. But as Suresh says, be careful to
interpret the SPEWS listings correctly, so you nail the spammer, not the
collateral damage.
There are a lot more DNSBLs, but the above ones are the most respected,
important and useful for your purposes. XBL & Spambag, for example, are
too rabid to worry about. Anybody who uses them gets what they deserve.