From: Cliff Galiher - MVP on 10 Apr 2010 03:43

It depends on what you define as "false positives."

I, for one, do not *want* to receive any email from any dynamic IP. A dynamic IP, by definition, is dynamic. Sure, a business may be sending email from a dynamic IP one day and that mail is legitimate, but then the next day (because the IP is dynamic) that IP gets assigned to a botnet-infected laptop. Why in the *world* should I accept email from any dynamic IP? EVER?!?

In short, there is a cost to being in business. And a business should expect to pay for at *least* one of the following:

1) A static IP. You say there are a few static IPs on zen's XBL list. That list is built with ISP's cooperation so if an IP gets on there it is because the ISP has reported to zen that it is dynamic. In all my years of using zen (and I have a few clients that pay and rsync, so my stats are pretty accurate) I've seen *ONE* static mistakenly get on the list. And it was easily reported, confirmed with the ISP as a mistake, and removed.

2) If a business cannot get a static IP, either for financial reasons (which I'd almost be tempted to call shenanigans on) or because the ISP doesn't offer static (more common in some areas of the world where IP addresses are a sought-after commodity) then there are still inexpensive (and sometimes free via the ISP) mail relays. And the *relays* have static IPs so they also will not get hit by zen's inclusion of XBL.

Non-businesses, similarly, still apply. If a user sends through gmail then the gmail servers handle final delivery, and that is static. The only way the mail will appear to come from their dynamic address is if they set up an email server in their home *AND* are not sending through an authorized relay/mail-forwarder.

...now, remind me again why I should trust mail coming from a random home-user who decided to set up a mailserver from his home? Why should I assume that it isn't spam???

Part of the reasoning behind the XBL is assigning a level of trust, and dynamic IPs show a complete unwillingness from the sender to take any steps to add trust to their email. I, for one, have no problems blocking such email on a blanket basis. And as of yet, that has never caused an issue in receiving legitimate emails for myself or any of my clients.

-Cliff

"Milhouse Van Houten" <btvs(a)myrealbox.com> wrote in message news:#W5JJwG2KHA.3856(a)TK2MSFTNGP04.phx.gbl...
> "Ace Fekay [MVP-DS, MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:#vhI3LlyKHA.2644(a)TK2MSFTNGP04.phx.gbl...
>>
>> I believe instead of just using sbl.spamhaus.org, you may want to use zen.spamhaus.org, which combines all Spamhaus IP-based DNSBLs into one single comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL, CBL and PBL blocklists. Since it's a consolidated list, use it alone without any of the other Spamhaus RBLs.
>> http://www.spamhaus.org/zen/index.lasso
>>
>> I like SpamRats, too, which works nicely.
>> Spam Rats!
>> www.spamrats.com/about.php
>
> I'm a little confused by the recommendations for zen.spamhaus.org that I've seen here. Since every dynamic IP on the Internet is on the PBL list (and some static too), and since not everyone is configured to authenticate when sending mail (e.g. Comcast does not require SMTP authentication on their server for mail sent *from Comcast's network*, and there are millions of people on Comcast), aren't you setting yourself up for guaranteed false positives? And not necessarily a few, either, particularly if you get mail from non-business users. XBL can block all sorts of people too, according to their FAQ, though it doesn't sound as bad.
>
> It seems like the only safe one of Spamhaus's is the SBL, which deals with known entities.
>
> Spamcop.net's doesn't exactly comfort either, with its statement "The SCBL is aggressive and often errs on the side of blocking mail." I would think that they'd want to err on the opposite side, but maybe that's just me, with a reflex response to hearing from people who aren't getting their mail.
>
> Finally, zen.spamhaus.org carries this warning, which I don't fully understand beyond it being yet another thing to worry about: "Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any 'deep parsing' of Received headers, or for anything other than checking IP addresses that hand off to your mailservers."
>
> Am I missing something?

From: SuperGumby [SBS MVP] on 10 Apr 2010 05:50

I agree with most of what you say however look at the email address I use for 'that most important other list'.

I continue to run my own server on DYNDNS. OK, it's the LoungeAN rather than a business network.
I have never had a problem (that I was made aware of) by being on dynamic IP.

Yes, business should consider the additional cost of Static IP.

"Cliff Galiher - MVP" <cgaliher(a)gmail.com> wrote in message news:B54AEDF7-6ED0-4359-87A8-F2AAFCBD3966(a)microsoft.com...
> It depends on what you define as "false positives."
>
> I, for one, do not *want* to receive any email from any dynamic IP. A dynamic IP, by definition, is dynamic. Sure, a business may be sending email from a dynamic IP one day and that mail is legitimate, but then the next day (because the IP is dynamic) that IP gets assigned to a botnet-infected laptop. Why in the *world* should I accept email from any dynamic IP? EVER?!?
>
> In short, there is a cost to being in business. And a business should expect to pay for at *least* one of the following:
>
> 1) A static IP. You say there are a few static IPs on zen's XBL list. That list is built with ISP's cooperation so if an IP gets on there it is because the ISP has reported to zen that it is dynamic. In all my years of using zen (and I have a few clients that pay and rsync, so my stats are pretty accurate) I've seen *ONE* static mistakenly get on the list. And it was easily reported, confirmed with the ISP as a mistake, and removed.
>
> 2) If a business cannot get a static IP, either for financial reasons (which I'd almost be tempted to call shenanigans on) or because the ISP doesn't offer static (more common in some areas of the world where IP addresses are a sought-after commodity) then there are still inexpensive (and sometimes free via the ISP) mail relays. And the *relays* have static IPs so they also will not get hit by zen's inclusion of XBL.
>
> Non-businesses, similarly, still apply. If a user sends through gmail then the gmail servers handle final delivery, and that is static. The only way the mail will appear to come from their dynamic address is if they set up an email server in their home *AND* are not sending through an authorized relay/mail-forwarder.
>
> ...now, remind me again why I should trust mail coming from a random home-user who decided to set up a mailserver from his home? Why should I assume that it isn't spam???
>
> Part of the reasoning behind the XBL is assigning a level of trust, and dynamic IPs show a complete unwillingness from the sender to take any steps to add trust to their email. I, for one, have no problems blocking such email on a blanket basis. And as of yet, that has never caused an issue in receiving legitimate emails for myself or any of my clients.
>
> -Cliff
>
> "Milhouse Van Houten" <btvs(a)myrealbox.com> wrote in message news:#W5JJwG2KHA.3856(a)TK2MSFTNGP04.phx.gbl...
>> "Ace Fekay [MVP-DS, MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:#vhI3LlyKHA.2644(a)TK2MSFTNGP04.phx.gbl...
>>>
>>> I believe instead of just using sbl.spamhaus.org, you may want to use zen.spamhaus.org, which combines all Spamhaus IP-based DNSBLs into one single comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL, CBL and PBL blocklists. Since it's a consolidated list, use it alone without any of the other Spamhaus RBLs.
>>> http://www.spamhaus.org/zen/index.lasso
>>>
>>> I like SpamRats, too, which works nicely.
>>> Spam Rats!
>>> www.spamrats.com/about.php
>>
>> I'm a little confused by the recommendations for zen.spamhaus.org that I've seen here. Since every dynamic IP on the Internet is on the PBL list (and some static too), and since not everyone is configured to authenticate when sending mail (e.g. Comcast does not require SMTP authentication on their server for mail sent *from Comcast's network*, and there are millions of people on Comcast), aren't you setting yourself up for guaranteed false positives? And not necessarily a few, either, particularly if you get mail from non-business users. XBL can block all sorts of people too, according to their FAQ, though it doesn't sound as bad.
>>
>> It seems like the only safe one of Spamhaus's is the SBL, which deals with known entities.
>>
>> Spamcop.net's doesn't exactly comfort either, with its statement "The SCBL is aggressive and often errs on the side of blocking mail." I would think that they'd want to err on the opposite side, but maybe that's just me, with a reflex response to hearing from people who aren't getting their mail.
>>
>> Finally, zen.spamhaus.org carries this warning, which I don't fully understand beyond it being yet another thing to worry about: "Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any 'deep parsing' of Received headers, or for anything other than checking IP addresses that hand off to your mailservers."
>>
>> Am I missing something?

From: Leythos on 10 Apr 2010 09:20

In article <#W5JJwG2KHA.3856(a)TK2MSFTNGP04.phx.gbl>, btvs(a)myrealbox.com says...
> I'm a little confused by the recommendations for zen.spamhaus.org that I've seen here. Since every dynamic IP on the Internet is on the PBL list (and some static too), and since not everyone is configured to authenticate when sending mail (e.g. Comcast does not require SMTP authentication on their server for mail sent *from Comcast's network*, and there are millions of people on Comcast), aren't you setting yourself up for guaranteed false positives? And not necessarily a few, either, particularly if you get mail from non-business users. XBL can block all sorts of people too, according to their FAQ, though it doesn't sound as bad.
>
> It seems like the only safe one of Spamhaus's is the SBL, which deals with known entities.
>

While you COULD accept email from Dynamic ranges, there is no way that I'm going to let my own or my customers' servers accept email from known dynamic ranges.

Almost all email sent from a dynamic IP is spam, and for those on a Dynamic IP they are almost always provided with a means to relay through their provider's servers.

Zen is just one of several that I use in addition to the UTM spam filter in our firewalls.

--
You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)

From: Cliff Galiher - MVP on 10 Apr 2010 19:04

SG:

As I said, the XBL is built by *active* ISP participation. Spamhaus doesn't go out and search for dynamic IPs. They offer the XBL so that ISPs that *want* their dynamic IPs blocked can report their IP blocks. :)

In short, if a dynamic IP is on the XBL list then it means that the ISP already doesn't want the person doing whatever they are doing to get blocked. That *also* means that the person getting blocked is probably also breaking a "terms of service" with their ISP so their problems are greater than being on the XBL list. They are at risk of having their service disconnected. Verizon, for example, is becoming increasingly aggressive in enforcing TOS on running servers on residential (aka dynamic IP) accounts. Comcast is not far behind.

So yes SG, I'm not completely callous to the plight of some people who have unique situations. So I do know where you are coming from, but at the same time, if I started getting a ton of spam from dynamic IPs on an Australian ISP, I'd still want your ISP to be a bit proactive in controlling their network...including outbound filtering and adding residential connections to the XBL list. But so far, y'all don't seem to have a lot of spammers operating out there, so it is a non-issue. ;)

-Cliff

"SuperGumby [SBS MVP]" <not(a)your.nellie> wrote in message news:#Qv0INJ2KHA.4912(a)TK2MSFTNGP06.phx.gbl...
> I agree with most of what you say however look at the email address I use for 'that most important other list'.
>
> I continue to run my own server on DYNDNS. OK, it's the LoungeAN rather than a business network.
> I have never had a problem (that I was made aware of) by being on dynamic IP.
>
> Yes, business should consider the additional cost of Static IP.
>
> "Cliff Galiher - MVP" <cgaliher(a)gmail.com> wrote in message news:B54AEDF7-6ED0-4359-87A8-F2AAFCBD3966(a)microsoft.com...
>> It depends on what you define as "false positives."
>>
>> I, for one, do not *want* to receive any email from any dynamic IP. A dynamic IP, by definition, is dynamic. Sure, a business may be sending email from a dynamic IP one day and that mail is legitimate, but then the next day (because the IP is dynamic) that IP gets assigned to a botnet-infected laptop. Why in the *world* should I accept email from any dynamic IP? EVER?!?
>>
>> In short, there is a cost to being in business. And a business should expect to pay for at *least* one of the following:
>>
>> 1) A static IP. You say there are a few static IPs on zen's XBL list. That list is built with ISP's cooperation so if an IP gets on there it is because the ISP has reported to zen that it is dynamic. In all my years of using zen (and I have a few clients that pay and rsync, so my stats are pretty accurate) I've seen *ONE* static mistakenly get on the list. And it was easily reported, confirmed with the ISP as a mistake, and removed.
>>
>> 2) If a business cannot get a static IP, either for financial reasons (which I'd almost be tempted to call shenanigans on) or because the ISP doesn't offer static (more common in some areas of the world where IP addresses are a sought-after commodity) then there are still inexpensive (and sometimes free via the ISP) mail relays. And the *relays* have static IPs so they also will not get hit by zen's inclusion of XBL.
>>
>> Non-businesses, similarly, still apply. If a user sends through gmail then the gmail servers handle final delivery, and that is static. The only way the mail will appear to come from their dynamic address is if they set up an email server in their home *AND* are not sending through an authorized relay/mail-forwarder.
>>
>> ...now, remind me again why I should trust mail coming from a random home-user who decided to set up a mailserver from his home? Why should I assume that it isn't spam???
>>
>> Part of the reasoning behind the XBL is assigning a level of trust, and dynamic IPs show a complete unwillingness from the sender to take any steps to add trust to their email. I, for one, have no problems blocking such email on a blanket basis. And as of yet, that has never caused an issue in receiving legitimate emails for myself or any of my clients.
>>
>> -Cliff
>>
>> "Milhouse Van Houten" <btvs(a)myrealbox.com> wrote in message news:#W5JJwG2KHA.3856(a)TK2MSFTNGP04.phx.gbl...
>>> "Ace Fekay [MVP-DS, MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:#vhI3LlyKHA.2644(a)TK2MSFTNGP04.phx.gbl...
>>>>
>>>> I believe instead of just using sbl.spamhaus.org, you may want to use zen.spamhaus.org, which combines all Spamhaus IP-based DNSBLs into one single comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL, CBL and PBL blocklists. Since it's a consolidated list, use it alone without any of the other Spamhaus RBLs.
>>>> http://www.spamhaus.org/zen/index.lasso
>>>>
>>>> I like SpamRats, too, which works nicely.
>>>> Spam Rats!
>>>> www.spamrats.com/about.php
>>>
>>> I'm a little confused by the recommendations for zen.spamhaus.org that I've seen here. Since every dynamic IP on the Internet is on the PBL list (and some static too), and since not everyone is configured to authenticate when sending mail (e.g. Comcast does not require SMTP authentication on their server for mail sent *from Comcast's network*, and there are millions of people on Comcast), aren't you setting yourself up for guaranteed false positives? And not necessarily a few, either, particularly if you get mail from non-business users. XBL can block all sorts of people too, according to their FAQ, though it doesn't sound as bad.
>>>
>>> It seems like the only safe one of Spamhaus's is the SBL, which deals with known entities.
>>>
>>> Spamcop.net's doesn't exactly comfort either, with its statement "The SCBL is aggressive and often errs on the side of blocking mail." I would think that they'd want to err on the opposite side, but maybe that's just me, with a reflex response to hearing from people who aren't getting their mail.
>>>
>>> Finally, zen.spamhaus.org carries this warning, which I don't fully understand beyond it being yet another thing to worry about: "Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any 'deep parsing' of Received headers, or for anything other than checking IP addresses that hand off to your mailservers."
>>>
>>> Am I missing something?

From: Milhouse Van Houten on 11 Apr 2010 00:58

"Cliff Galiher - MVP" <cgaliher(a)gmail.com> wrote in message news:B54AEDF7-6ED0-4359-87A8-F2AAFCBD3966(a)microsoft.com...
>
> Non-businesses, similarly, still apply. If a user sends through gmail then the gmail servers handle final delivery, and that is static. The only way the mail will appear to come from their dynamic address is if they set up an email server in their home *AND* are not sending through an authorized relay/mail-forwarder.
>
> ...now, remind me again why I should trust mail coming from a random home-user who decided to set up a mailserver from his home? Why should I assume that it isn't spam???
>

Thanks. I think that's the crux of it: you're saying that a user needs to be running their own SMTP server, in the way you mentioned, to run afoul of PBL? If that's the only way, this doesn't seem like a big deal then.

But I really don't get that sense from the FAQ, which lists different ways to get caught by this, mainly centered around client authentication settings. Considering that "all" dynamic IPs are on this list, and surely many people still use local mail clients and haven't delved into ultra-obscure optional sections of their mail account properties (you can't even use port 25, apparently, for "true" authentication, even though that port is still supported for sending mail from many ISPs), this still seems like a great way to catch legitimate mail.

The FAQ does make a point to say that PBL "should not affect anyone sending mail with a normal mail program," because "most people use such a client to send their mail out through their company or ISP's mail server or webmail [and] they authenticate their access to those servers with a username and password." Most? Maybe, maybe not.

http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20PBL
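
As an added example (not part of the thread and not Spamhaus's code), the ZEN check discussed above can be sketched in Python: ZEN answers with a return code per component list, so a receiver can tell a PBL-only hit from an SBL or XBL hit, and the check applies only to the connecting IP of unauthenticated mail. The return-code table follows Spamhaus's published codes; the function names, the `pbl_action` parameter and the sample answers are assumptions constructed for illustration.

```python
import ipaddress
import socket

ZEN = "zen.spamhaus.org"

# A-record return codes Spamhaus publishes for ZEN, mapped to the component list.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.9": "SBL-DROP",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",  # range listed by the ISP that owns it
    "127.0.0.11": "PBL",  # range listed by Spamhaus
}

def zen_query_name(ip):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # e.g. 99.2.0.192.in-addr.arpa
    return reverse.rsplit(".", 2)[0] + "." + ZEN

def lookup(ip):
    """Live query (needs a resolver Spamhaus answers); a failed lookup means not listed."""
    try:
        return socket.gethostbyname_ex(zen_query_name(ip))[2]
    except (socket.gaierror, socket.herror):
        return []

def classify(answers):
    """Return the set of component lists hit; never treat error codes as listings."""
    hits = set()
    for addr in answers:
        if addr.startswith("127.255.255."):
            # Spamhaus error answer (blocked resolver, over quota), not a listing.
            raise RuntimeError("ZEN returned error code " + addr)
        if addr in ZEN_CODES:
            hits.add(ZEN_CODES[addr])
    return hits

def decide(answers, authenticated=False, pbl_action="reject"):
    """Policy for the IP that hands the message to this server (never Received headers)."""
    if authenticated:
        return "accept", set()      # SMTP AUTH submission: ZEN is not consulted
    hits = classify(answers)
    if hits - {"PBL"}:
        return "reject", hits       # SBL/XBL: known spam source or exploited host
    if hits:
        return pbl_action, hits     # PBL only: end-user range, a local policy call
    return "accept", hits

# Constructed answers for illustration; 192.0.2.0/24 is a documentation range.
SAMPLES = {
    "192.0.2.99": ["127.0.0.11"],              # residential range, PBL only
    "192.0.2.7": ["127.0.0.4", "127.0.0.10"],  # PBL range with an infected host
    "192.0.2.25": [],                          # not listed
}

if __name__ == "__main__":
    for ip, answers in SAMPLES.items():
        print(ip, zen_query_name(ip), decide(answers, pbl_action="score"))
```

Rejecting on the `127.255.255.x` answers as if they were listings would block all inbound mail, which is why `classify` raises instead of returning a hit.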