[Dshield] dshield-based RBLs?

ed.truitt@etee2k.net ed.truitt at etee2k.net
Mon Jun 7 20:20:30 GMT 2004

Quoting "Johannes B. Ullrich" <jullrich at sans.org>:

> > Comments?
> Well, I am always a bit ambivalent about distributing large
> block lists like this. We do have our (very small) block list.
> I could set up a blocklist as a "trial", and see how it works.
> I will also have to check how to best filter such a blocklist.
> For example, many valid mail servers do attempt auth lookups
> and will show up for blocked port 113 requests. Some mail
> servers are even more aggressive and will scan each host connecting
> to them for open proxies. So a case-by-case whitelist is needed
> for these servers.
> Have to think about it. But overall, it looks like a lot
> of work to do it right. And there are enough bad RBLs already.

That's for sure.  I would tend to be leery of setting up an email RBL.  One more
issue would be that some of the bigger spammers (and even some non-spamming
folks who inadvertently find themselves on an RBL) take their revenge by suing
the RBL owner, or by complaining to the local news media, and securing negative
publicity for the RBL owner.  Does DShield really need that type of headache?

The block list we do have, based on DShield data, is probably safe.  But, I
would argue against expanding it.


