rbldnsd blacklist question - SpamAssassin

This is a discussion on rbldnsd blacklist question - SpamAssassin ; Looking from opinions from people running rbl blacklists. I have a list that contains a lot of name based information. I'm about to add a lot more information to the list and what will happen is that when you look ...

+ Reply to Thread
Results 1 to 8 of 8

Thread: rbldnsd blacklist question

  1. rbldnsd blacklist question

    Looking from opinions from people running rbl blacklists.

    I have a list that contains a lot of name based information. I'm about
    to add a lot more information to the list and what will happen is that
    when you look up a name you might get several results. For example, a
    hostname might be blacklisted, be in a URIBL list, be in a day old bread
    list, and a NOT QUIT list. So it might return 4 results like 127.0.0.2,
    127.0.0.6, 127.0.0.7, 127.0.0.8.

    Is this what would be considered "best practice". My thinking is that
    having one list that returns everything is very efficient.

    Thoughts?


  2. Re: rbldnsd blacklist question

    On Tue, 16 Sep 2008, Marc Perkel wrote:

    > Looking from opinions from people running rbl blacklists.
    >
    > I have a list that contains a lot of name based information. I'm about
    > to add a lot more information to the list and what will happen is that
    > when you look up a name you might get several results. For example, a
    > hostname might be blacklisted, be in a URIBL list, be in a day old bread
    > list, and a NOT QUIT list. So it might return 4 results like 127.0.0.2,
    > 127.0.0.6, 127.0.0.7, 127.0.0.8.
    >
    > Is this what would be considered "best practice". My thinking is that
    > having one list that returns everything is very efficient.


    Isn't general practice to bitmap the last octet if you're going to convey
    multiple pieces of information?

    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    W-w-w-w-w-where did he learn to n-n-negotiate like that?
    -----------------------------------------------------------------------
    Tomorrow: the 221st anniversary of the signing of the U.S. Constitution


  3. Re: rbldnsd blacklist question

    John Hardin wrote:
    > On Tue, 16 Sep 2008, Marc Perkel wrote:
    >> Looking from opinions from people running rbl blacklists.
    >>
    >> I have a list that contains a lot of name based information. I'm
    >> about to add a lot more information to the list and what will happen
    >> is that when you look up a name you might get several results. For
    >> example, a hostname might be blacklisted, be in a URIBL list, be in a
    >> day old bread list, and a NOT QUIT list. So it might return 4 results
    >> like 127.0.0.2, 127.0.0.6, 127.0.0.7, 127.0.0.8.
    >>
    >> Is this what would be considered "best practice". My thinking is that
    >> having one list that returns everything is very efficient.

    > Isn't general practice to bitmap the last octet if you're going to
    > convey multiple pieces of information?


    If you have a situation where there might be more than one "answer" for
    a given query, and you are content with having a maximum of 7 possible
    answers, then... again, if both of these these things are true... then
    the best system by far is the following:

    ..2 = situation #1
    ..4 = situation #2
    ..8 = situation #3
    ..16 = situation #4
    ..32 = situation #5
    ..64 = situation #6
    ..128 = situation #7

    As multiple situations occur, add together the octets above. For
    example, .138 would mean that situations #1, #3, & #7 happened.

    That way, anywhere from one to all seven attributes can be encapsulated
    as one single number, with any combination of these being clearly
    decipherable.

    From a programming perspective, do the following:

    If octet >= 128 then
    #7 happened
    octet = octet - 128
    End If

    If octet >= 64 then
    #6 (also?) happened
    octet = octet - 64
    End If

    If octet >= 32 then
    #5 (also?) happened
    octet = octet - 23
    End If



    Which is a less fancy way of saying what John Hardin said about "bitmap
    the last octet"... but I thought that spelling it out this way might be
    helpful for some.

    --
    Rob McEwen
    http://dnsbl.invaluement.com/
    rob@invaluement.com
    +1 (478) 475-9032


  4. Re: rbldnsd blacklist question

    Marc Perkel wrote:
    > Looking from opinions from people running rbl blacklists.
    >
    > I have a list that contains a lot of name based information. I'm about
    > to add a lot more information to the list and what will happen is that
    > when you look up a name you might get several results. For example, a
    > hostname might be blacklisted, be in a URIBL list, be in a day old bread
    > list, and a NOT QUIT list. So it might return 4 results like 127.0.0.2,
    > 127.0.0.6, 127.0.0.7, 127.0.0.8.
    >
    > Is this what would be considered "best practice". My thinking is that
    > having one list that returns everything is very efficient.
    >
    > Thoughts?


    returning multiple results is easier to manage (you can point to a
    single dns entry and have a single TXT record) and to parse. for
    example, I could do (in postfix):

    check_rbl_client mark.example=127.0.0.3
    warn_if_reject check_rbl_client mark.example=127.0.0.4
    check_rbl_client mark.example

    some people use bitmasks instead. but this is harder to parse/implement.

    after all, spamhaus, sorbs, spamcop, .. don't use bitmasks.


  5. Re: rbldnsd blacklist question

    On Tue, 2008-09-16 at 20:12 +0200, mouss wrote:
    > Marc Perkel wrote:
    > > Looking from opinions from people running rbl blacklists.
    > >
    > > I have a list that contains a lot of name based information. I'm about
    > > to add a lot more information to the list and what will happen is that
    > > when you look up a name you might get several results. For example, a
    > > hostname might be blacklisted, be in a URIBL list, be in a day old bread
    > > list, and a NOT QUIT list. So it might return 4 results like 127.0.0.2,
    > > 127.0.0.6, 127.0.0.7, 127.0.0.8.
    > >
    > > Is this what would be considered "best practice". My thinking is that
    > > having one list that returns everything is very efficient.
    > >
    > > Thoughts?

    >
    > returning multiple results is easier to manage (you can point to a
    > single dns entry and have a single TXT record) and to parse. for
    > example, I could do (in postfix):
    >
    > check_rbl_client mark.example=127.0.0.3
    > warn_if_reject check_rbl_client mark.example=127.0.0.4
    > check_rbl_client mark.example
    >
    > some people use bitmasks instead. but this is harder to parse/implement.
    >
    > after all, spamhaus, sorbs, spamcop, .. don't use bitmasks.


    True, but uribl and surbl do. SpamAssassin makes it easy to use that
    syntax. I doubt I would use Marc's list as a postfix death penalty, but
    it's conceivable it might garner a point or two towards a SpamAssassin
    score.


    --
    Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
    Austin Energy
    http://www.austinenergy.com


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iEYEABECAAYFAkjQADcACgkQGvhCU13z7IifDgCeOptmyThvP+ O3soEu8bWM1XYL
    jxIAn3obbQL41u0qJ8PKZZWNB4KCuxAq
    =KOf8
    -----END PGP SIGNATURE-----


  6. Re: rbldnsd blacklist question

    Marc Perkel wrote:
    > Looking from opinions from people running rbl blacklists.
    >
    > I have a list that contains a lot of name based information. I'm about
    > to add a lot more information to the list and what will happen is that
    > when you look up a name you might get several results. For example, a
    > hostname might be blacklisted, be in a URIBL list, be in a day old
    > bread list, and a NOT QUIT list. So it might return 4 results like
    > 127.0.0.2, 127.0.0.6, 127.0.0.7, 127.0.0.8.
    >
    > Is this what would be considered "best practice". My thinking is that
    > having one list that returns everything is very efficient.
    >
    > Thoughts?
    >


    +1 for bitmasking the data.

    --Blaine


  7. Re: Re: rbldnsd blacklist question

    John Hardin wrote:
    >
    On Tue,
    > 16 Sep 2008, Marc Perkel wrote:
    >
    >> Looking from opinions from people running rbl blacklists.
    >>
    >> I have a list that contains a lot of name based information. I'm
    >> about to add a lot more information to the list and what will happen
    >> is that when you look up a name you might get several results. For
    >> example, a hostname might be blacklisted, be in a URIBL list, be in a
    >> day old bread list, and a NOT QUIT list. So it might return 4 results
    >> like 127.0.0.2, 127.0.0.6, 127.0.0.7, 127.0.0.8.
    >>
    >> Is this what would be considered "best practice". My thinking is that
    >> having one list that returns everything is very efficient.

    >
    > Isn't general practice to bitmap the last octet if you're going to
    > convey multiple pieces of information?
    >


    Isnt it simple enough to write the zone file in 2 different formats and
    map them to 2 different zone names to support both bitmasked and
    multiple response if there is value in having both?

    URIBL uses bitmasks, but doesnt need to as we dont cross list domains to
    multiple lists.

    --
    Dallas Engelken
    dallase@uribl.com
    http://uribl.com


  8. Re: Re: rbldnsd blacklist question

    Rob McEwen wrote:
    >
    John
    > Hardin wrote:
    >> On Tue, 16 Sep 2008, Marc Perkel wrote:
    >>> Looking from opinions from people running rbl blacklists.
    >>>
    >>> I have a list that contains a lot of name based information. I'm
    >>> about to add a lot more information to the list and what will happen
    >>> is that when you look up a name you might get several results. For
    >>> example, a hostname might be blacklisted, be in a URIBL list, be in
    >>> a day old bread list, and a NOT QUIT list. So it might return 4
    >>> results like 127.0.0.2, 127.0.0.6, 127.0.0.7, 127.0.0.8.
    >>>
    >>> Is this what would be considered "best practice". My thinking is
    >>> that having one list that returns everything is very efficient.

    >> Isn't general practice to bitmap the last octet if you're going to
    >> convey multiple pieces of information?

    >
    > If you have a situation where there might be more than one "answer"
    > for a given query, and you are content with having a maximum of 7
    > possible answers, then...


    Why just 7? You have 2 other octets to use.. 127.X.Y.Z - X and Y
    dont have to be zeros...

    512 possibilities if you use all the bit on all 3 octets (but I'd avoid
    loopback 127.0.0.1).

    448 possibilities if you only count bit 1 settable on octet 2 and 3 (ie
    127.1.1.2)

    343 if you avoid setting bit 1 altogether on any octet (ie 127.2.2.2)

    --
    Dallas Engelken
    dallase@uribl.com
    http://uribl.com


+ Reply to Thread