[Dshield] Whom do you trust?

Jon R. Kibler Jon.Kibler at aset.com
Thu Mar 6 22:38:57 GMT 2003


Okay, I am going to scrap previous comments and start fresh and try to address the issues raised.

First, there are at least a half dozen very good DNSBLs that are free AND have a good reputation. We have been using/experimenting with various DNSBLs for several years, and we have a small set that we use. I cannot recall any instance where we have had false blocks from any of the following DNSBLs:
	monkeys.com
	njabl.org
	ordb.org
	relays.osirusoft.com (we do not use all of Osirusoft's DNSBLs)

OpenRBL.org maintains a tool that will check just about every public DNSBL and explain why someone is listed:
	http://openrbl.org/

NJABL.ORG is one of the most comprehensive DNSBLs, especially in terms of the information you can determine about a site in real-time. Specifically, it breaks out sites into the following categories:
	Verified Open Relay
	Dialup or other dynamic IP ranges
	Documented Spam Sources
	Multi-stage open relays
	Insecure formmail.cgi or similar scripts (acts as an open relay)
	Open proxy servers

We have found that only MONKEYS.COM is more effective in blocking spam than is NJABL.ORG -- and most blocks occur through open proxy server blocks.

MONKEYS.COM blocks on open proxy servers.

ORDB.ORG blocks on open relay servers.

RELAYS.OSIRUSOFT.COM replicates several of the other DNSBLs and maintains their own lists as well. (We have never had a problem with the subset of Osirusoft's DNSBLs we use, but we do not use all of their lists, such as the spamcop replicate.)

There are several other DNSBLs available, and my not commenting on them in no way should be considered as negative experience with any DNSBL not mentioned. That said, I will add that we do not use spamcop, because in our experience, they tend to "shoot first, ask questions later."


Regarding being tested by any of these organizations: I believe that it is GOOD that someone is testing for open relays and open proxies. IMHO, **ALL** ISPs should test **ALL** of their customers on a random basis -- at least weekly -- for insecure services, and deny access to their networks to any system deemed insecure. This would make a MAJOR dent in the SPAM problem and make it much more difficult for hackers to exploit Ma and Pa's insecure systems.

We test EVERYONE that sends us mail -- anyone sending us mail is warned by our MTA's greeting that they will be tested, and that by contacting us, they grant us permission to test their system for insecure services. So far this week, this approach has identified 16 new open relays and 68 new open proxy servers used to send spam.

As far as DShield goes, I think that the IPs used by the well-known open relay/open proxy DNSBL testing services should be somehow 'blocked' so that these systems do not generate inappropriate 'Fight-Back' messages which may give their ISPs an excuse to shut down these VERY useful services.

And that's my $0.02 worth on the subject.


Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA
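The lookup mechanism behind every DNSBL named in the post above works the same way: reverse the octets of the connecting IP, append the list's zone, and resolve it as an A record; an answer in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed". The following is an added example (not code from the post, from DShield, or from any of the DNSBL operators mentioned) that implements that check with an injectable resolver so it can run offline against a constructed answer table. The zone names `dnsbl.example.net`, `proxies.example.org` and `dead.example.com`, and the answer table, are hypothetical; real zones and their return-code meanings must be taken from each list's own documentation.

```python
import ipaddress
import socket
from typing import Callable, Dict

# DNSBLs answer listing queries with an address inside this range; anything else
# (e.g. a lapsed domain that now wildcards to a parking host) is treated as
# "no usable answer", which guards against a dead zone blocking all mail.
DNSBL_ANSWER_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Constructed answer table standing in for live DNS. Hypothetical zone names.
SAMPLE_TABLE = {
    "4.3.2.1.dnsbl.example.net": "127.0.0.2",   # listed (open relay, say)
    "4.3.2.1.proxies.example.org": "10.0.0.1",  # bogus answer from a hijacked zone
    # "dead.example.com" has no entries at all: every query returns NXDOMAIN
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def fake_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Return a gethostbyname-like function backed by a dict (offline testing)."""
    def resolve(name: str) -> str:
        try:
            return table[name]
        except KeyError:
            # socket.gethostbyname raises gaierror on NXDOMAIN; mirror that.
            raise socket.gaierror("name not found")
    return resolve


def check_dnsbls(ip: str, zones, resolve=socket.gethostbyname) -> Dict[str, str]:
    """Query each zone; return {zone: answer} for zones that list the IP.

    Only answers inside 127.0.0.0/8 count as listings. NXDOMAIN and
    out-of-range answers are both treated as "not listed".
    """
    hits: Dict[str, str] = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolve(name)
        except socket.gaierror:
            continue  # NXDOMAIN: not listed in this zone
        try:
            if ipaddress.ip_address(answer) in DNSBL_ANSWER_RANGE:
                hits[zone] = answer
        except ValueError:
            continue  # non-IP garbage: ignore this zone's answer
    return hits


def should_reject(ip: str, zones, resolve=socket.gethostbyname) -> bool:
    """Policy used by the example MTA hook: reject if any zone lists the IP."""
    return bool(check_dnsbls(ip, zones, resolve))


if __name__ == "__main__":
    zones = ["dnsbl.example.net", "proxies.example.org", "dead.example.com"]
    resolver = fake_resolver(SAMPLE_TABLE)
    for client in ("1.2.3.4", "192.0.2.10"):
        print(client, check_dnsbls(client, zones, resolver),
              "REJECT" if should_reject(client, zones, resolver) else "ACCEPT")
```

Passing `socket.gethostbyname` (the default) instead of the fake resolver turns this into a live check; querying several zones per connection is cheap because negative answers are cached by the local resolver. The out-of-range filter matters in practice: several of the lists named in the post were later shut down, and a zone that starts answering every query with a parking address would otherwise block all inbound mail.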


