[Dshield] dshield-based RBLs?

Mark Tombaugh mtombaugh at alliedcc.com
Tue Jun 8 22:03:31 GMT 2004


On Tuesday 08 June 2004 2:19 pm, John Hardin wrote:
> I'd certainly consider it an indicator of a system *I* don't want to
> receive mail from...

Why not? The fact that their firewall administration isn't versed on egress 
filtering doesn't prove any "future crime" from that system or that 
particular address. 

I think the only effective way to deploy such a blacklist, if possible, would 
be to use inbound traffic filters for blacklisted hosts, but only on the 
ports the blacklisted host is accused of hitting. For example, if a host was 
blacklisted for carpet scanning port 21, only block all incoming tcp 21 from 
that address. Blocking incoming mail from addresses that send netbios traffic 
over the Internet doesn't make much sense to me. I would imagine you would 
wind up with several adverse side effects & false positives, a humongous 
list, and not much added security. JM2C,

-- 
Mark Tombaugh <mtombaugh at alliedcc.com>
Allied Computer Corporation <http://www.alliedcc.com>
USiHOST, iNC <http://www.usihost.com>
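
Added example, not part of the original message: a sketch of the per-port blocking described above, turning blacklist entries into iptables rules that drop only the protocol and port each source was reported for. The input format, the function names `sample_blacklist` and `per_port_rules`, and the use of the `INPUT` chain are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn a per-port blacklist into narrowly scoped iptables rules.
# Input format (an assumption for this example, not a DShield feed format):
#   <source-ip> <protocol> <destination-port>
# Rules are printed, not applied, so the output can be reviewed first.

# Constructed sample entries using documentation address ranges.
sample_blacklist() {
cat <<'EOF'
# scanner seen hitting FTP
192.0.2.10 tcp 21
198.51.100.7 udp 137
192.0.2.10 tcp 21
203.0.113.5 tcp 99999
not-an-ip tcp 25
EOF
}

# Emit one DROP rule per unique (source, protocol, port) tuple.
# Malformed lines are skipped and reported on stderr.
per_port_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        ip = $1; proto = $2; port = $3
        ok = (NF == 3) &&
             (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) &&
             (proto == "tcp" || proto == "udp") &&
             (port ~ /^[0-9]+$/) && (port + 0 >= 1) && (port + 0 <= 65535)
        if (ok) {
            n = split(ip, o, ".")
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
        }
        if (!ok) { print "skipped: " $0 > "/dev/stderr"; next }
        key = ip " " proto " " port
        if (seen[key]++) next                   # drop duplicate entries
        printf "iptables -A INPUT -s %s -p %s --dport %s -j DROP\n", ip, proto, port
    }'
}

sample_blacklist | per_port_rules
```

Mail on TCP 25 from the same sources is left untouched, since no entry lists that port.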



