If you want to convince management, show them the money.
It is not too difficult to construct a model which shows the cost to your organisation of dealing with spam the way spammers themselves advocate; i.e. "just hit delete". Factors to consider are:
- Your bandwidth - how much do you pay for it and what proportion of it is lost to spam?
- Ditto storage.
- Probably most significantly, how much of your users' time is wasted cleaning up. Even if only a few seconds per spam, if the spam volume is significant, this number soon adds up to real money. I did a calculation some time ago and found that c. 40% of all Internet mail was blocked at source by my Domino servers, using DNS block lists and other methods - I can count complaints about collateral kills on the fingers of one hand and have some left over.
Finally, in some jurisdictions it has been argued that you have a duty of care to your employees which extends to protecting them from material likely to offend, shock or traumatise. I have seen first hand real kiddie porn spam which, as the father of two young children myself, I found deeply shocking. Some of this stuff is faked, for example when one net porn operation wishes to damage another by creating the illusion that its rival is in the kiddie porn business. But my example was real - confirmed by the Internet Watch Foundation.
Next, does your management understand that Internet mail is not a robust B2B messaging medium? Internet mail has been described by some as a postcard, readable by all sorts of anonymous and unauthorised persons while in transit or even after transmission in some cases. This has been compounded lately by a slew of new viruses which steal existing messages and broadcast them randomly to people who were not the intended recipient. This is like taking your original postcard and pinning it to a public bulletin board. So much for privacy. Again, I have seen this myself.
In this context (i.e. you should not be using Internet mail for business critical correspondence), is the loss of a small number of legitimate messages so bad?
Also bear in mind that, unlike some systems that drop mail silently, your Domino server will inform the sender exactly what happened to his/her message and you can even customise this information to include longer discourse on, say, a web page. I have a custom 554 message on my Domino hosts, so that when a mail is rejected due to block listing, the sender sees this:
554 LDV has rejected your email because the host which attempted to deliver it, 192.168.0.1, is listed in the block list at blocklist.org. Please see http://ldv.com/spam for more information.
Where this is a collateral kill, there is usually a good reason for it which the administrators of the remote system will be keen to know about and fix, for example an exploitable relay or proxy.
I had such a case recently where we started to reject all mail from a well known, global company which manufactures and sells branded capital goods of the type which most households own (I choose not to name them here, but they are a supplier and a customer of ours).
This company uses one of those third party companies that offers outside-the-perimeter virus scanning (let's call them acmescan, not their real name), so all inbound and outbound mail to/from them passes through acmescan's network.
A spammer hit upon the idea that, even though customers of acmescan have no publicly announced mail exchangers, they must be operating them to receive mail from acmescan and to send it back out to acmescan. Furthermore, as these mail exchangers are not publicly announced, the motivation of their administrators to secure them against abuse was not too high. All he had to do was send a batch of undeliverable messages to customers of acmescan and look at the headers of the resulting bounces to find the IPs of those mail exchangers and right there he had a list of potentially vulnerable mail relays to try.
So he did and managed to route a considerable body of spam through acmescan, via some of its customers.
Not surprisingly, this resulted in a Spamcop listing and we started to bounce all mail routed via acmescan. It did not take me long to spot what had happened and to assist our customer and acmescan in correcting the problem. Result - we still use the Spamcop block list to block mail and no mail routed via acmescan has been rejected since, or is likely to be in the future.
I think this deals with your first question - on to question 2.
"Best blackhole lists" depends on where you are, who you are and what you do. You really need to suck it and see. There are five classes of blackhole list you should consider:
- Dial-ups - lists which include IP ranges known to be allocated to dial-up or dynamic users, for example DSL or cable. These should never be used for real email but are often abused for direct-to-MX spam runs. We use dun.dnsrbl.net which is good, but incomplete, so some direct-to-MX spam via DSL/dial-up still gets past it. MAPS has a dial up list that is probably more effective, but as you know, you pay for this service so you need a clear understanding of how much of your spam falls into this category.
- Open relays and proxies. Loads of good lists here - we use list.dsbl.org (not the unconfirmed or multihop lists at dsbl.org) which includes relays and proxies, relays.ordb.org (relays only), and opm.blitzed.org (proxies).
- Spamhausen - try SPEWS or the Spamhaus block list (the latter is only marginally less draconian). These lists are controversial, but I don't know why as I have never seen a single collateral kill, just endless, mindless spam.
- Spam in progress - there is only one Spamcop. We use it. Some choose not to due to the slightly higher rate of collateral kills, but it was our use of it that fixed the problem I wrote about above.
- Specific networks and countries - you can just fence off entire countries if your business circumstances permit. Look at blackholes.us - there are lists here that may be worth considering.
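Added example (not the poster's Domino configuration, and not code from any of the lists named): how a DNS block list lookup actually works for the classes of list above, with a 554 reply worded like the one quoted earlier in this post, plus the sanity check a practitioner should run before trusting a list. The resolver is injected so the block runs offline; the FAKE_DNS table is constructed, the listed addresses in it are made up, and the zone names for Spamcop (bl.spamcop.net) and the Spamhaus SBL (sbl.spamhaus.org) are the published ones, which the post itself does not quote.

```python
"""DNSBL lookup and a custom SMTP 554 rejection, in the style of the post.

Added example, not the poster's Domino configuration. The resolver is
injected so the block runs offline; the FAKE_DNS table below is constructed
and the "listed" IPs in it are made up.
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple

# One zone per class of list from the post. The dnsrbl/dsbl/ordb/blitzed
# names are the ones the post quotes; bl.spamcop.net and sbl.spamhaus.org are
# the published zones for the two lists the post names without a zone.
BLOCK_LISTS: List[Tuple[str, str]] = [
    ("dial-up / dynamic",   "dun.dnsrbl.net"),
    ("open relay or proxy", "list.dsbl.org"),
    ("open relay",          "relays.ordb.org"),
    ("open proxy",          "opm.blitzed.org"),
    ("spam in progress",    "bl.spamcop.net"),
    ("spam source (SBL)",   "sbl.spamhaus.org"),
]

Resolver = Callable[[str], Optional[str]]  # name -> A record text, or None for NXDOMAIN
Hit = Tuple[str, str, str]                  # (category, zone, answer)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name: the IPv4 octets reversed, then the list zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on garbage or IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_host(ip: str, resolver: Resolver, lists=BLOCK_LISTS) -> List[Hit]:
    """Return every list on which ip is listed.

    A DNSBL answers a listed address with an A record in 127.0.0.0/8 and a
    clean one with NXDOMAIN (None here). Any other answer is ignored, which
    guards against wildcard or parked zones answering with a public address.
    """
    hits: List[Hit] = []
    for category, zone in lists:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            hits.append((category, zone, answer))
    return hits


def list_is_sane(zone: str, resolver: Resolver) -> bool:
    """Sanity check before trusting a list: 127.0.0.2 must be listed and
    127.0.0.1 must not be. A dead list that answers "listed" for everything
    fails this and would otherwise reject all of your inbound mail."""
    test_listed = resolver(dnsbl_query_name("127.0.0.2", zone))
    test_clean = resolver(dnsbl_query_name("127.0.0.1", zone))
    return (test_listed is not None and test_listed.startswith("127.")
            and test_clean is None)


def rejection_message(ip: str, hits: List[Hit], org: str = "LDV",
                      info_url: str = "http://ldv.com/spam") -> Optional[str]:
    """Format the 554 reply the post shows; None when the host is not listed.
    Only the first listing is named so the reply stays a single line."""
    if not hits:
        return None
    _, zone, _ = hits[0]
    return (f"554 {org} has rejected your email because the host which attempted "
            f"to deliver it, {ip}, is listed in the block list at {zone}. "
            f"Please see {info_url} for more information.")


def live_resolver(name: str) -> Optional[str]:
    """Real lookup for use on a server (not called by the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN


# Constructed stand-in for DNS: only these names "exist"; all else is NXDOMAIN.
FAKE_DNS = {
    "2.0.0.127.list.dsbl.org": "127.0.0.2",     # standard test entry
    "2.0.0.127.dun.dnsrbl.net": "127.0.0.2",
    "1.0.168.192.list.dsbl.org": "127.0.0.2",   # made-up listed relay
    "1.0.168.192.bl.spamcop.net": "127.0.0.2",
    "20.0.0.10.dun.dnsrbl.net": "127.0.0.3",    # made-up dial-up range
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def always_listed(name: str) -> Optional[str]:
    """Models a dead or parked list that claims every address is listed."""
    return "127.0.0.2"


if __name__ == "__main__":
    for ip in ("192.168.0.1", "10.0.0.20", "10.0.0.21"):
        reply = rejection_message(ip, check_host(ip, fake_resolver))
        print(ip, "->", reply or "250 accepted")
    print("list.dsbl.org sane:", list_is_sane("list.dsbl.org", fake_resolver))
```

The list_is_sane check is the "suck it and see" step in code: run it against each zone you intend to use before it goes into production, and again periodically, because a list that has been shut down can start answering "listed" for every query and will then bounce all of your inbound mail.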
How can you whitelist?
You can't. This has been asked for on more than one occasion. Are you listening Lotus/IBM?
Any other issues?
Probably plenty, but only one that comes to mind right now. That is, read this article which gives some very useful insights.
The bottom line is:
- DNSRBL blocking works (our spam is down to a handful per day, from a peak of nearly a thousand - and we only have c. 350 users).
- You will get some collateral kills - this is simply inevitable, but choose your block lists well and the number will be small. Any collateral kills you do get, you can use to help your organisation and its partners improve mutual security and trust - not such a terrible thing.
- Spam is increasing, so you will need to do something and there are few cost effective alternatives to blocking.
- Do you really want kiddie porn (or any porn) on your corporate servers?
Sorry for the long post, but I hope this is helpful.