I just noted that some of my names used in RBL configurations are no longer
there/working. I removed them (and now there is unfortunately only one left).

What is the current status of RBLs?
Which one do you use?

TIA

--
Peter "EPLAN" LANGSTÖGER
Network and OpenVMS system specialist
E-mail Peter@LANGSTOeGER.at
A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist

On Tue, 26 Aug 2008 08:03:44 -0700, Peter 'EPLAN' LANGSTOeGER
wrote:

> I just noted that some of my names used in RBL configurations are no
> longer
> there/working. I removed them (and now there is unfortunately only one
> left).
>
> What is the current status of RBLs?
> Which one do you use?
>
> TIA
>

RBL domains to check:
ZEN.SPAMHAUS.ORG
SPAMCOP.NET
LIST.DSBL.ORG


--
PL/I for OpenVMS
www.kednos.com

Tom Linden wrote:
> On Tue, 26 Aug 2008 08:03:44 -0700, Peter 'EPLAN' LANGSTOeGER
> wrote:
>
>> I just noted that some of my names used in RBL configurations are no
>> longer
>> there/working. I removed them (and now there is unfortunately only one
>> left).
>>
>> What is the current status of RBLs?
>> Which one do you use?
>>
>> TIA
>>
>
> RBL domains to check:
> ZEN.SPAMHAUS.ORG
> SPAMCOP.NET
> LIST.DSBL.ORG

The list.dsbl.org zones are empty as according to their web page they
had a server failure according to http://www.dsbl.org/.

-John
wb8tyw@qsl.network
Personal Opinion Only

In article , "John E. Malmberg" writes:
>
>The list.dsbl.org zones are empty as according to their web page they
>had a server failure according to http://www.dsbl.org/.

But this was in June 08.
Should be filled up (a little bit) in the meantime...

But, you're right. Question is, if it grows again to full service
(as messages in the forum about "remove IP xxxx" are not expected there)

--
Peter "EPLAN" LANGSTÖGER
Network and OpenVMS system specialist
E-mail Peter@LANGSTOeGER.at
A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist

In article <48b43770@news.langstoeger.at>, peter@langstoeger.at (Peter
'EPLAN' LANGSTOeGER) writes:

> What is the current status of RBLs?
> Which one do you use?

I've been using Spamhaus as my only RBL for a while now. Seems to work
fine. I get a few thousand SMTP connection attempts per day. Perhaps 5
spam emails per day get through. Although something like this is
difficult to detect, I don't think false positives are a problem. I
have Client-In-RBL-Text: set in SMTP.CONFIG which gives basic
information and mentions a URL for more information. Any legitimate
user getting (wrongly?) rejected by the RBL should then know what is
going on. (Even if the user is legitimate, if he is, say, sending
directly from a volatile IP address (which would be OK if there was no
problem with spam), I think it is better to reject him and let him get
the information since he is probably being blocked by other people
without realising it.)

Phillip Helbig---remove CLOTHES to reply wrote:
>
> In article <48b43770@news.langstoeger.at>, peter@langstoeger.at (Peter
> 'EPLAN' LANGSTOeGER) writes:
>
> > What is the current status of RBLs?
> > Which one do you use?
>
> I've been using Spamhaus as my only RBL for a while now. Seems to work
> fine. I get a few thousand SMTP connection attempts per day. Perhaps 5
> spam emails per day get through. Although something like this is
> difficult to detect, I don't think false positives are a problem.

Actually, false positives are a *BIG* problem! Fortunately, on the VMS
systems we just de-implemented, all of the important pages were sent by
HTTP using WGET (Thanx, SMS, for a very useful solution!)

*ALL* of the AIX pages are sent via SMTP, and our paging provider uses
spamhaus, also. SO, when we get a lone PC inside the firewall that gets
infected due to unsafe surfing and starts blasting spam all over he
known universe, our physician and other caregivers as well as our
technical people stop getting important message by pager.

So yes, false positives are all too common and immediately become a
*HUGE* problem!

D.J.D.

David J Dachtera wrote:
> Phillip Helbig---remove CLOTHES to reply wrote:
>> In article <48b43770@news.langstoeger.at>, peter@langstoeger.at (Peter
>> 'EPLAN' LANGSTOeGER) writes:
>>
>>> What is the current status of RBLs?
>>> Which one do you use?
>> I've been using Spamhaus as my only RBL for a while now. Seems to work
>> fine. I get a few thousand SMTP connection attempts per day. Perhaps 5
>> spam emails per day get through. Although something like this is
>> difficult to detect, I don't think false positives are a problem.
>
> Actually, false positives are a *BIG* problem! Fortunately, on the VMS
> systems we just de-implemented, all of the important pages were sent by
> HTTP using WGET (Thanx, SMS, for a very useful solution!)
>
> *ALL* of the AIX pages are sent via SMTP, and our paging provider uses
> spamhaus, also. SO, when we get a lone PC inside the firewall that gets
> infected due to unsafe surfing and starts blasting spam all over he
> known universe, our physician and other caregivers as well as our
> technical people stop getting important message by pager.
>
> So yes, false positives are all too common and immediately become a
> *HUGE* problem!

I posted at least a year ago that some of the dsbl.org testers had
discovered a virus - spambot infection that was not detectable by the
commercial virus scanners at the time.

The only way to detect this infection is to monitor attempts to send
e-mail directly through a firewall instead of through the designated
SMTP gateway.

Of course in some areas of this country, having a system infected with a
virus where an unknown bot-master was on in control, anyone who's
personal data could have been accessed needs to be notified.

And these days, it must be assumed that if a PC was infected with a
virus, the purpose was to inject a remote control program for various
criminal activities.

http://www.spamhaus.org/news.lasso?article=636

A corporate firewall should be detecting and setting off security alarms
when a non-mail server attempts to make a direct SMTP connection through it.

Another techique to use is a Samba Server configured to look like a
vulnerable PC to see what systems attempt to infect it.

And Corporate/Educational network owners should consider being
suspicious of any outgoing e-mail with reply-to addresses for any of the
free/demo e-mailers:

hotmail.com, live.com, live.ca, live.co.uk, live.*

aol.com, games.com, aim.com, aol.*

voila.fr, myway.com, gazeta.pl

yahoo.com, rocketmail.com, ymail.com, yahoo.*

gmail.com, googlemail.com

The only e-mails that I have seen outside of mailing list traffic with
explicit reply-to addresses of the above have been Nigerian 419 scam
variants where it appears that the scammer has somehow aquired the
e-mail credentials of a legitimate user on the network, and is using
remote authenticated access.

-John
wb8tyw@qsl.network
Personal Opinion Only

In article <48BB5589.405762E9@spam.comcast.net>, David J Dachtera
writes:

> Phillip Helbig---remove CLOTHES to reply wrote:
> >
> > In article <48b43770@news.langstoeger.at>, peter@langstoeger.at (Peter
> > 'EPLAN' LANGSTOeGER) writes:
> >
> > > What is the current status of RBLs?
> > > Which one do you use?
> >
> > I've been using Spamhaus as my only RBL for a while now. Seems to work
> > fine. I get a few thousand SMTP connection attempts per day. Perhaps 5
> > spam emails per day get through. Although something like this is
> > difficult to detect, I don't think false positives are a problem.
>
> Actually, false positives are a *BIG* problem! Fortunately, on the VMS
> systems we just de-implemented, all of the important pages were sent by
> HTTP using WGET (Thanx, SMS, for a very useful solution!)

In my case, after setting up the Spamhaus RBL, I didn't miss any
expected emails, from which I concluded that (in my case) false
positives (meaning non-spam which is handled as spam) weren't a problem.

"John E. Malmberg" wrote:
>
> David J Dachtera wrote:
> > Phillip Helbig---remove CLOTHES to reply wrote:
> >> In article <48b43770@news.langstoeger.at>, peter@langstoeger.at (Peter
> >> 'EPLAN' LANGSTOeGER) writes:
> >>
> >>> What is the current status of RBLs?
> >>> Which one do you use?
> >> I've been using Spamhaus as my only RBL for a while now. Seems to work
> >> fine. I get a few thousand SMTP connection attempts per day. Perhaps 5
> >> spam emails per day get through. Although something like this is
> >> difficult to detect, I don't think false positives are a problem.
> >
> > Actually, false positives are a *BIG* problem! Fortunately, on the VMS
> > systems we just de-implemented, all of the important pages were sent by
> > HTTP using WGET (Thanx, SMS, for a very useful solution!)
> >
> > *ALL* of the AIX pages are sent via SMTP, and our paging provider uses
> > spamhaus, also. SO, when we get a lone PC inside the firewall that gets
> > infected due to unsafe surfing and starts blasting spam all over he
> > known universe, our physician and other caregivers as well as our
> > technical people stop getting important message by pager.
> >
> > So yes, false positives are all too common and immediately become a
> > *HUGE* problem!
>
> I posted at least a year ago that some of the dsbl.org testers had
> discovered a virus - spambot infection that was not detectable by the
> commercial virus scanners at the time.
>
> The only way to detect this infection is to monitor attempts to send
> e-mail directly through a firewall instead of through the designated
> SMTP gateway.
>
> Of course in some areas of this country, having a system infected with a
> virus where an unknown bot-master was on in control, anyone who's
> personal data could have been accessed needs to be notified.
>
> And these days, it must be assumed that if a PC was infected with a
> virus, the purpose was to inject a remote control program for various
> criminal activities.
>
> http://www.spamhaus.org/news.lasso?article=636
>
> A corporate firewall should be detecting and setting off security alarms
> when a non-mail server attempts to make a direct SMTP connection through it.

....and there in lies the rub: too many vendor-managed proprietary
(non-Windows) systems where the vendor is unwilling to "play by the
house rules".

> Another techique to use is a Samba Server configured to look like a
> vulnerable PC to see what systems attempt to infect it.
>
> And Corporate/Educational network owners should consider being
> suspicious of any outgoing e-mail with reply-to addresses for any of the
> free/demo e-mailers:
>
> hotmail.com, live.com, live.ca, live.co.uk, live.*
>
> aol.com, games.com, aim.com, aol.*
>
> voila.fr, myway.com, gazeta.pl
>
> yahoo.com, rocketmail.com, ymail.com, yahoo.*
>
> gmail.com, googlemail.com

Note: "should consider being suspicious of", but should not block
arbitrarily.

D.J.D.

David J Dachtera wrote:
> "John E. Malmberg" wrote:
>>
>> A corporate firewall should be detecting and setting off security alarms
>> when a non-mail server attempts to make a direct SMTP connection through it.
>
> ...and there in lies the rub: too many vendor-managed proprietary
> (non-Windows) systems where the vendor is unwilling to "play by the
> house rules".

If the system is supposed to send e-mail, then it can be let through the
firewall.

If it is not supposed to send e-mail, and it attempts to, don't you
think someone should find out why?

>> Another techique to use is a Samba Server configured to look like a
>> vulnerable PC to see what systems attempt to infect it.
>>
>> And Corporate/Educational network owners should consider being
>> suspicious of any outgoing e-mail with reply-to addresses for any of the
>> free/demo e-mailers:
>>
>> hotmail.com, live.com, live.ca, live.co.uk, live.*
>>
>> aol.com, games.com, aim.com, aol.*
>>
>> voila.fr, myway.com, gazeta.pl
>>
>> yahoo.com, rocketmail.com, ymail.com, yahoo.*
>>
>> gmail.com, googlemail.com
>
> Note: "should consider being suspicious of", but should not block
> arbitrarily.

It depends what is more important to the business:

Delivery of personal e-mails to non-business addresses through the
businesses e-mail servers/firewalls or the delivery of messages/pages
that are critical to the business.

Or if it is important for the business to know if criminals have access
to private business and personal records.

-John
Personal Opinion Only

In article , "John E. Malmberg" writes:
>
> If it is not supposed to send e-mail, and it attempts to, don't you
> think someone should find out why?

We've had a lot of problems deploying COTS products that send
out notifications via email, from systems that the security folks
think shouldn't be "mail servers".

So "supposed to" is in the eye of the beholder.

In article ,
koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
> In article , "John E. Malmberg" writes:
>>
>> If it is not supposed to send e-mail, and it attempts to, don't you
>> think someone should find out why?
>
> We've had a lot of problems deploying COTS products that send
> out notifications via email, from systems that the security folks
> think shouldn't be "mail servers".
>
> So "supposed to" is in the eye of the beholder.

Not really. Those particular devices should be sending their email to
the real mailserver which should be the only one communicating with mail
servers in the the outside world. If network/system managers, in particular
ISP's, followed this rule 99% of SPAM cold be dealt with in ver short order.

bill


--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include

On Sep 4, 6:37 pm, billg...@cs.uofs.edu (Bill Gunshannon) wrote:
> In article ,
> koeh...@eisner.nospam.encompasserve.org (Bob Koehler) writes:
>
> > In article , "John E. Malmberg" writes:
>
> >> If it is not supposed to send e-mail, and it attempts to, don't you
> >> think someone should find out why?
>
> > We've had a lot of problems deploying COTS products that send
> > out notifications via email, from systems that the security folks
> > think shouldn't be "mail servers".
>
> > So "supposed to" is in the eye of the beholder.
>
> Not really. Those particular devices should be sending their email to
> the real mailserver which should be the only one communicating with mail
> servers in the the outside world. If network/system managers, in particular
> ISP's, followed this rule 99% of SPAM cold be dealt with in ver short order.
>
> bill
>
> --
> Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
> billg...@cs.scranton.edu | and a sheep voting on what's for dinner.
> University of Scranton |
> Scranton, Pennsylvania | #include

Enforcing "email from recognised SMTP servers only" would indeed get
rid of much spam instantly, and is a tactic already used by some folks
to reject *incoming* mail, but it would also break hundreds of little
convenience Windows apps that have their own mailsenders built in, and
inconvenience millions of their users. Log watchers, webcam watchers,
etc, anything which sends notification by email when something
"interesting" happens, using its own built-in mail server; they would
all need their user/installer to actually know their ISP's SMTP server
address so they could do the setup properly. How many PC users
actually know or care much about that kind of thing?

In article <8c328cb8-33b0-42e2-b590-5aab5a7b2670@w1g2000prk.googlegroups.com>,
johnwallace4@yahoo.co.uk writes:
> On Sep 4, 6:37 pm, billg...@cs.uofs.edu (Bill Gunshannon) wrote:
>> In article ,
>> koeh...@eisner.nospam.encompasserve.org (Bob Koehler) writes:
>>
>> > In article , "John E. Malmberg" writes:
>>
>> >> If it is not supposed to send e-mail, and it attempts to, don't you
>> >> think someone should find out why?
>>
>> > We've had a lot of problems deploying COTS products that send
>> > out notifications via email, from systems that the security folks
>> > think shouldn't be "mail servers".
>>
>> > So "supposed to" is in the eye of the beholder.
>>
>> Not really. Those particular devices should be sending their email to
>> the real mailserver which should be the only one communicating with mail
>> servers in the the outside world. If network/system managers, in particular
>> ISP's, followed this rule 99% of SPAM cold be dealt with in ver short order.
>>
>
> Enforcing "email from recognised SMTP servers only" would indeed get
> rid of much spam instantly, and is a tactic already used by some folks
> to reject *incoming* mail, but it would also break hundreds of little
> convenience Windows apps that have their own mailsenders built in, and
> inconvenience millions of their users.

So, because windows did something wrong we shold allow Email to further
degenerate? I think not. :-)

> Log watchers, webcam watchers,
> etc, anything which sends notification by email when something
> "interesting" happens, using its own built-in mail server;

....... should be sending their emails to a legitimate email server which
could then deliver it to the recipient. As it's supposed to be!!!

> they would
> all need their user/installer to actually know their ISP's SMTP server
> address so they could do the setup properly. How many PC users
> actually know or care much about that kind of thing?

Who cares. It's not the users setting things up wrong that is causing
the problem, it is the ISP's and even some corporate systems managers
who don't know what they are doing. If the ISP sets their firewall up
to block non-MTA machines from connecting to port 25, the problem goes
away. If the user really wants to use advanced features of these toys,
they need to learn how to do it right. Period, end of story. We have
rules for just about evrything we do in life today, from driving to
keeping a pet and everything in between. A lot of these rules are
very inconvenient (like picking up after your dog or driving the right
way on a one way street). But you still have to do them. Networking
shouldn't be any different. And it doesn't even take new laws to make
it happen. It just takes competence.

bill

--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include

>> Log watchers, webcam watchers,
>> etc, anything which sends notification by email when something
>> "interesting" happens, using its own built-in mail server;

*Server* ?? I set up my cheap Zyxel DSL modem/router to send
notifications to me, but it not a *server*. It uses whatever mail
server it get's after doing a DSN-MX lookup on the receiver
address, and that should be the official SMTP server of my
ISP, as far as I understand.

Why whould anything just needing to *send* a mail have a
smtp *server* implementation ?

Jan-Erik.

In article <6iakmbFpl207U2@mid.individual.net>, billg999@cs.uofs.edu
(Bill Gunshannon) writes:

> Not really. Those particular devices should be sending their email to
> the real mailserver which should be the only one communicating with mail
> servers in the the outside world. If network/system managers, in particular
> ISP's, followed this rule 99% of SPAM cold be dealt with in ver short order.

Indeed. And, conversely, blocking email from machines which are not
mail servers will get rid of 99% of SPAM. Many people do this, so even
if someone is sending non-SPAM from such a machine, I think it is better
to reject the connection AND TELL HIM ABOUT IT than to accept it.

In article
<8c328cb8-33b0-42e2-b590-5aab5a7b2670@w1g2000prk.googlegroups.com>,
johnwallace4@yahoo.co.uk writes:

> Enforcing "email from recognised SMTP servers only" would indeed get
> rid of much spam instantly, and is a tactic already used by some folks
> to reject *incoming* mail, but it would also break hundreds of little
> convenience Windows apps that have their own mailsenders built in, and
> inconvenience millions of their users. Log watchers, webcam watchers,
> etc, anything which sends notification by email when something
> "interesting" happens, using its own built-in mail server; they would
> all need their user/installer to actually know their ISP's SMTP server
> address so they could do the setup properly. How many PC users
> actually know or care much about that kind of thing?

Perhaps true. On the other hand, such machines are the source of most
SPAM today, taken over by viruses etc sending spam without the owner
knowing, and without sending too many from one machine within a given
time (a characteristic some folks used to use to identify possible
sources of spam). I think it would be a good idea that if such little
convenience apps were to be used, the user would have to enter the name
of a mailserver.

In article <6iapk6Fphr6oU3@mid.individual.net>, billg999@cs.uofs.edu
(Bill Gunshannon) writes:

> > Enforcing "email from recognised SMTP servers only" would indeed get
> > rid of much spam instantly, and is a tactic already used by some folks
> > to reject *incoming* mail, but it would also break hundreds of little
> > convenience Windows apps that have their own mailsenders built in, and
> > inconvenience millions of their users.
>
> So, because windows did something wrong we shold allow Email to further
> degenerate? I think not. :-)
>
> > Log watchers, webcam watchers,
> > etc, anything which sends notification by email when something
> > "interesting" happens, using its own built-in mail server;
>
> ....... should be sending their emails to a legitimate email server which
> could then deliver it to the recipient. As it's supposed to be!!!
>
> > they would
> > all need their user/installer to actually know their ISP's SMTP server
> > address so they could do the setup properly. How many PC users
> > actually know or care much about that kind of thing?
>
> Who cares. It's not the users setting things up wrong that is causing
> the problem, it is the ISP's and even some corporate systems managers
> who don't know what they are doing. If the ISP sets their firewall up
> to block non-MTA machines from connecting to port 25, the problem goes
> away. If the user really wants to use advanced features of these toys,
> they need to learn how to do it right. Period, end of story. We have
> rules for just about evrything we do in life today, from driving to
> keeping a pet and everything in between. A lot of these rules are
> very inconvenient (like picking up after your dog or driving the right
> way on a one way street). But you still have to do them. Networking
> shouldn't be any different. And it doesn't even take new laws to make
> it happen. It just takes competence.

Amen, brother!

In article ,
=?ISO-8859-1?Q?Jan-Erik_S=F6derholm?=
writes:

> >> Log watchers, webcam watchers,
> >> etc, anything which sends notification by email when something
> >> "interesting" happens, using its own built-in mail server;
>
> *Server* ?? I set up my cheap Zyxel DSL modem/router to send
> notifications to me, but it not a *server*. It uses whatever mail
> server it get's after doing a DSN-MX lookup on the receiver
> address, and that should be the official SMTP server of my
> ISP, as far as I understand.
>
> Why whould anything just needing to *send* a mail have a
> smtp *server* implementation ?

You use "server" to mean "receiving end". A more general use, intended
here, is "handles traffic". Thus, incoming server and outgoing server.
You are sending your email TO the proper receiving server (via MX), but
it is still coming from your machine, not an "official email server".
Technically, there is no problem with your scheme, but in practice, such
machines on dial-up, volatile IP addresses are the main source of spam,
and are thus blocked by more and more people.

Many STMP servers are neither senders nor receivers, but relays.

Phillip Helbig---remove CLOTHES to reply wrote:

> such
> machines on dial-up, volatile IP addresses are the main source of spam,

I do have a hard time thinking that *dial up* has
that much to do with modern spam, has it ?

Jan-Erik.