[Dshield] DOS by Sorbs?

Chris Brenton cbrenton at chrisbrenton.org
Fri Dec 23 11:29:13 GMT 2005


On Thu, 2005-12-22 at 20:43 -0500, jayjwa wrote:
>
> If you run a mailserver, sooner or later you will see the "fun" that an RBL 
> can make for a postmaster.

Agreed. *How* many times has DShield ended up in one of these databases?
What about SecurityFocus for that matter? This certainly does not speak
too highly about the quality control involved. What if Johannes started
listing folks as hostile and as a site that should be blocked based on a
single quasi-anonymous DShield submission? <shudder>

> This is one of the biggest downfalls about the concept of RBLs: they list 
> tons of false positives.

Totally agreed. It appears to be trivial to get someone listed and a
real pain in the butt for the target network to get off the list. Kind
of funny in a twisted sort of way. DoS someone by flooding their network
and we consider that to be criminal. DoS someone by listing them in
RBLs and it's considered "a feature".

> I've never heard of a case where someone was warned, 
> or even told. Most people find out when they get complaints, as you did.

Seems to be a workload thing. The RBL administrator is trying to limit
their own workload and who cares if this makes more work for the target
postmaster or any postmaster trying to receive legitimate mail from that
site. Good example? Dynamic IP addresses. Are certain IPs listed as
dynamic because of testing or reports from the upstream? Not even close.
RBL folks will look for certain key words in the FQDN and make the
*assumption* the host must be a dynamic IP.

For example, the person who started this thread resolves back to:
host-69-95-5-4.syr.choiceone.net

I'm guessing some RBL person saw the word "host" and just assumed this
*must* be a dynamic IP and listed it as such. I have exactly the same
problem with my network. I've even seen IPs on these lists that I know
for a fact are Cisco routers and have been for years. When exactly did
spammers start using IOS as a relay platform? Must have slept through
that advisory.

> RBLs are a classic example of the medicine being worse than the illness; 
> that's my (publicly printable) feeling about RBLs.

The problem of folks getting incorrectly listed has been around for
years and RBLs refuse to implement the necessary quality control to
stop it from happening. I agree that RBLs have become as bad as the
problem they are trying to resolve, in many ways worse. It's one of those
"sounds good in concept but falls apart on implementation" ideas that
have well past their time.

I personally refuse to take any effort to get unlisted. If we all did
that maybe the folks still trying to use RBLs would think twice due to
the amount of legitimate mail getting bounced. I know I've been able to
get quite a few sites to stop using RBLs this way.

> -> In order for them to remove us from their black list, they want money. Is
> -> this blackmailing?
> 
> Sounds like it to me.

It's also enabling them. IMHO this is no different than paying a ransom
to someone DoSing your network with a flood of traffic, except of course
"it's a feature".

HTH,
Chris
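Two mechanisms come up in the message above: the DNSBL lookup itself (reverse the octets, append the list's zone, treat a 127.0.0.x answer as "listed"), and the reverse-DNS keyword heuristic that flags a name like host-69-95-5-4.syr.choiceone.net as "dynamic". The following is an added example, not code from the thread or from any RBL operator, showing both from the postmaster's side: a periodic self-check so a listing is noticed before the complaints arrive, plus a report of which tokens in your own rDNS name a keyword heuristic would trip on. Assumptions are labelled in the code: the zone dnsbl.example.invalid is hypothetical, the address 69.95.5.4 is inferred from the octets embedded in the quoted hostname, the token list is constructed for illustration, and the demo runs against a stub resolver so it works offline (a live socket-based resolver is included but not called by the demo).

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample values: the reverse-DNS name quoted in the thread and the
# IPv4 address implied by its embedded octets (the address is an assumption).
SAMPLE_RDNS = "host-69-95-5-4.syr.choiceone.net"
SAMPLE_IP = "69.95.5.4"

# Hypothetical DNSBL zone; a real check uses the zone of the list in question.
DNSBL_ZONE = "dnsbl.example.invalid"

# Tokens a keyword-driven "dynamic IP" heuristic might key on. This list is
# constructed for illustration and is not copied from any real list.
DYNAMIC_TOKENS = ("dyn", "dynamic", "dhcp", "pool", "host", "cust", "ppp", "dsl", "cable")

# A resolver maps a query name to the A record answer, or None if NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL client queries: octets reversed, then the zone.

    69.95.5.4 against dnsbl.example.invalid -> 4.5.95.69.dnsbl.example.invalid
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dynamic_keywords(rdns: str) -> List[str]:
    """Return the dynamic-looking tokens present as labels in the rDNS name.

    Labels are split on '.', '-' and '_', so 'host-69-95-5-4' yields 'host'.
    """
    labels = re.split(r"[.\-_]", rdns.lower())
    return [token for token in DYNAMIC_TOKENS if token in labels]


def embeds_ip(rdns: str, ip: str) -> bool:
    """True if all four octets of ip appear, in order, as numbers in rdns."""
    numbers = re.findall(r"\d+", rdns)
    position = 0
    for octet in ip.split("."):
        try:
            position = numbers.index(octet, position) + 1
        except ValueError:
            return False
    return True


def check_listing(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Query the DNSBL; a 127.0.0.x answer means listed, None means not listed."""
    return resolve(dnsbl_query_name(ip, zone))


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup via the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_stub_resolver(listed: Dict[str, str]) -> Resolver:
    """Constructed offline resolver: answers only for the names in `listed`."""
    return lambda name: listed.get(name)


def postmaster_report(ip: str, rdns: str, zone: str, resolve: Resolver) -> Dict[str, object]:
    """Listing status for our own address, plus the rDNS features a keyword
    heuristic would have flagged, so the cause of a listing is visible."""
    return {
        "query": dnsbl_query_name(ip, zone),
        "listed_code": check_listing(ip, zone, resolve),
        "dynamic_keywords": dynamic_keywords(rdns),
        "ip_in_name": embeds_ip(rdns, ip),
    }


if __name__ == "__main__":
    # Offline demo: the stub pretends the sample address is listed with 127.0.0.2.
    stub = make_stub_resolver({dnsbl_query_name(SAMPLE_IP, DNSBL_ZONE): "127.0.0.2"})
    for key, value in postmaster_report(SAMPLE_IP, SAMPLE_RDNS, DNSBL_ZONE, stub).items():
        print(f"{key}: {value}")
```

Run against the stub, the report shows the sample host listed, the single trigger token "host", and the fact that all four octets of the address appear in the name, which is the combination the message describes being mistaken for a dynamic assignment. Swapping `live_resolver` in for the stub and scheduling the script turns it into the notification the thread says RBL operators never send.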
