
Mailing List Archive: SPF: Discuss

Re: Solving throwaway domains using RHSBLs not whois

 

 



erik at arbat

Oct 9, 2003, 11:51 AM

Post #1 of 4 (327 views)
Re: Solving throwaway domains using RHSBLs not whois

On Thu, Oct 09, 2003 at 12:25:03PM -0400, Meng Weng Wong wrote:
>
> To date, RHSBLs return either a DECLINE or NEGATIVE opinion. In the
> future I predict we will see RHSBLs published by major ISPs that return
> KNOWN, UNKNOWN, NEGATIVE, and DECLINE, constituting a weak reputation
> scheme. Even finer grain is possible with "started sending mail N days
> ago".

Including the information on which person/company registered the
domain would be even more useful. If the big registrars would feed
that information into a DNS-based database then that would be useful
too. If only some of the Registrars did so that would also tell
us something (esp. about the ones that don't).

I guess we have to have something like SPF working first before
it becomes attractive/useful/necessary.

--
Erik Corry erik [at] arbat
A: Because it messes up the order in which people normally read text.
Q: Why is top-replying such a bad thing?
A: Top-replying.
Q: What is the most annoying thing in email?

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/


arlie at sublinear

Oct 9, 2003, 3:20 PM

Post #2 of 4 (318 views)
RE: Solving throwaway domains using RHSBLs not whois [In reply to]

Centralized black-lists, such as what you propose/mention, are
vulnerable to DDoS attacks from the spammers. We've already seen
SEVERAL domains that maintained spam blacklists wiped out by DDoS
attacks. If we move to a centralized black-list server, it will be
continuously attacked by the spammers.

Although I have a lot of doubts about SPF, its distributed nature is
definitely a strength.

-- arlie


-----Original Message-----
From: owner-spf-discuss [at] v2
[mailto:owner-spf-discuss [at] v2] On Behalf Of Meng Weng Wong
Sent: Thursday, October 09, 2003 12:25 PM
To: spf-discuss [at] v2
Subject: [spf-discuss] Solving throwaway domains using RHSBLs not whois


On Thu, Oct 09, 2003 at 09:15:56AM -0400, Mark Jeftovic wrote:
|
| With regard to whois, or using it to score throw-away domain
| detection, I advise against it. That's not what the whois database is
| designed for and they simply were not built with the performance
| considerations that this would require.
|

Suggestions that we use "whois" are on the right track but there are
better technical approaches; specifically, the RHSBL.

from http://www.securitysage.com/guides/postfix_uce_rhsbl.html

An RHSBL, like an RBL, is usually available via DNS, but contains a list
of domain names (as opposed to IP addresses) that can be checked against
the client domain of an email, as well as the domain portion (after the
@) of the sender and recipient addresses.

Here's how they work:

20031009-12:22:17 mengwong [at] dumb:~% dnsip amazingoffersdirect.net.spamdomains.blackholes.easynet.nl
127.0.0.2
20031009-12:22:24 mengwong [at] dumb:~% dnsip yahoo.com.spamdomains.blackholes.easynet.nl

20031009-12:22:33 mengwong [at] dumb:~%

See the bottom of http://www.sdsc.edu/~jeff/spam/cbc.html for a number
of RHSBLs. They will gain in prominence as SPF is adopted.

To date, RHSBLs return either a DECLINE or NEGATIVE opinion. In the
future I predict we will see RHSBLs published by major ISPs that return
KNOWN, UNKNOWN, NEGATIVE, and DECLINE, constituting a weak reputation
scheme. Even finer grain is possible with "started sending mail N days
ago".

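The lookup shown in the dnsip session above, as an added Python example that is not part of the original thread. The opinion names NEGATIVE and DECLINE are taken from the post; mapping a 127.0.0.0/8 answer to NEGATIVE and an empty answer to DECLINE, the ERROR outcome, the function names and the sample sender addresses are assumptions made here.

```python
import ipaddress
import socket

LIST_RANGE = ipaddress.ip_network("127.0.0.0/8")  # where DNS list entries live

def sender_domain(address):
    """Domain portion (after the @) of an envelope address, lower-cased."""
    _, sep, domain = address.strip().strip("<>").rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not domain:
        raise ValueError(f"no domain part in {address!r}")
    return domain

def system_resolver(name):
    """A records for name from the OS resolver; [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeout or server failure: the caller reports ERROR
    return sorted({info[4][0] for info in infos})

def check_rhsbl(domain, zone, resolve=system_resolver):
    """Return (opinion, answers) for domain against the RHSBL at zone."""
    name = f"{domain.rstrip('.').lower()}.{zone.strip('.').lower()}"
    try:
        answers = resolve(name)
    except OSError:
        return "ERROR", []  # list unreachable: not evidence the domain is clean
    if not answers:
        return "DECLINE", []  # no record: the list has no opinion
    if all(ipaddress.ip_address(a) in LIST_RANGE for a in answers):
        return "NEGATIVE", answers  # listed
    return "ERROR", answers  # an answer outside 127.0.0.0/8 is not a list entry

# Constructed resolver data replaying the two dnsip lookups shown in the post.
ZONE = "spamdomains.blackholes.easynet.nl"
SAMPLE = {f"amazingoffersdirect.net.{ZONE}": ["127.0.0.2"]}

def sample_resolver(name):
    if name.startswith("unreachable."):  # constructed failure case
        raise TimeoutError("constructed timeout")
    return SAMPLE.get(name, [])

if __name__ == "__main__":
    for sender in ("<promo@AmazingOffersDirect.net>", "someone@yahoo.com"):
        print(sender, check_rhsbl(sender_domain(sender), ZONE, sample_resolver))
```

Keeping ERROR apart from DECLINE means an unreachable or misbehaving list is never read as "domain not listed".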


rkml at cyberglobe

Oct 9, 2003, 4:06 PM

Post #3 of 4 (317 views)
Re: Solving throwaway domains using RHSBLs not whois [In reply to]

So why not incorporate an indirect zone-transferred blacklist of domains that are not allowed, and therefore would not be damageable by DDoS?

Rudy K.


----- Original Message -----
From: "Arlie Davis" <arlie [at] sublinear>
To: <spf-discuss [at] v2>
Sent: Thursday, October 09, 2003 6:20 PM
Subject: RE: [spf-discuss] Solving throwaway domains using RHSBLs not whois


> Centralized black-lists, such as what you propose/mention, are
> vulnerable to DDoS attacks from the spammers. We've already seen
> SEVERAL domains that maintained spam blacklists wiped out by DDoS
> attacks. If we move to a centralized black-list server, it will be
> continuously attacked by the spammers.
>
> Although I have a lot of doubts about SPF, its distributed nature is
> definitely a strength.
>
> -- arlie
>
>
> -----Original Message-----
> From: owner-spf-discuss [at] v2
> [mailto:owner-spf-discuss [at] v2] On Behalf Of Meng Weng Wong
> Sent: Thursday, October 09, 2003 12:25 PM
> To: spf-discuss [at] v2
> Subject: [spf-discuss] Solving throwaway domains using RHSBLs not whois
>
>
> On Thu, Oct 09, 2003 at 09:15:56AM -0400, Mark Jeftovic wrote:
> |
> | With regard to whois, or using it to score throw-away domain
> | detection, I advise against it. That's not what the whois database is
> | designed for and they simply were not built with the performance
> | considerations that this would require.
> |
>
> Suggestions that we use "whois" are on the right track but there are
> better technical approaches; specifically, the RHSBL.
>
> from http://www.securitysage.com/guides/postfix_uce_rhsbl.html
>
> An RHSBL, like an RBL, is usually available via DNS, but contains a list
> of domain names (as opposed to IP addresses) that can be checked against
> the client domain of an email, as well as the domain portion (after the
> @) of the sender and recipient addresses.
>
> Here's how they work:
>
> 20031009-12:22:17 mengwong [at] dumb:~% dnsip amazingoffersdirect.net.spamdomains.blackholes.easynet.nl
> 127.0.0.2
> 20031009-12:22:24 mengwong [at] dumb:~% dnsip yahoo.com.spamdomains.blackholes.easynet.nl
>
> 20031009-12:22:33 mengwong [at] dumb:~%
>
> See the bottom of http://www.sdsc.edu/~jeff/spam/cbc.html for a number
> of RHSBLs. They will gain in prominence as SPF is adopted.
>
> To date, RHSBLs return either a DECLINE or NEGATIVE opinion. In the
> future I predict we will see RHSBLs published by major ISPs that return
> KNOWN, UNKNOWN, NEGATIVE, and DECLINE, constituting a weak reputation
> scheme. Even finer grain is possible with "started sending mail N days
> ago".


arlie at sublinear

Oct 9, 2003, 4:53 PM

Post #4 of 4 (316 views)
RE: Solving throwaway domains using RHSBLs not whois [In reply to]

How is that decentralized? That's just one zone, copied to many others.
The central zone can be attacked, and so can the duplicates. Any means
that makes available the IP addresses of the duplicate servers also
makes the addresses available to attackers.

SPF is still better in this respect. (So is message signing, of
course.)

-- arlie


-----Original Message-----
From: owner-spf-discuss [at] v2
[mailto:owner-spf-discuss [at] v2] On Behalf Of RKML
Sent: Thursday, October 09, 2003 7:06 PM
To: spf-discuss [at] v2
Subject: Re: [spf-discuss] Solving throwaway domains using RHSBLs not
whois


So why not incorporate an indirect zone-transferred blacklist of
domains that are not allowed, and therefore would not be damageable by
DDoS?

Rudy K.


----- Original Message -----
From: "Arlie Davis" <arlie [at] sublinear>
To: <spf-discuss [at] v2>
Sent: Thursday, October 09, 2003 6:20 PM
Subject: RE: [spf-discuss] Solving throwaway domains using RHSBLs not
whois


> Centralized black-lists, such as what you propose/mention, are
> vulnerable to DDoS attacks from the spammers. We've already seen
> SEVERAL domains that maintained spam blacklists wiped out by DDoS
> attacks. If we move to a centralized black-list server, it will be
> continuously attacked by the spammers.
>
> Although I have a lot of doubts about SPF, its distributed nature is
> definitely a strength.
>
> -- arlie
>
>
> -----Original Message-----
> From: owner-spf-discuss [at] v2
> [mailto:owner-spf-discuss [at] v2] On Behalf Of Meng Weng Wong
> Sent: Thursday, October 09, 2003 12:25 PM
> To: spf-discuss [at] v2
> Subject: [spf-discuss] Solving throwaway domains using RHSBLs not
> whois
>
>
> On Thu, Oct 09, 2003 at 09:15:56AM -0400, Mark Jeftovic wrote:
> |
> | With regard to whois, or using it to score throw-away domain
> | detection, I advise against it. That's not what the whois database is
> | designed for and they simply were not built with the performance
> | considerations that this would require.
> |
>
> Suggestions that we use "whois" are on the right track but there are
> better technical approaches; specifically, the RHSBL.
>
> from http://www.securitysage.com/guides/postfix_uce_rhsbl.html
>
> An RHSBL, like an RBL, is usually available via DNS, but contains a list
> of domain names (as opposed to IP addresses) that can be checked against
> the client domain of an email, as well as the domain portion (after the
> @) of the sender and recipient addresses.
>
> Here's how they work:
>
> 20031009-12:22:17 mengwong [at] dumb:~% dnsip amazingoffersdirect.net.spamdomains.blackholes.easynet.nl
> 127.0.0.2
> 20031009-12:22:24 mengwong [at] dumb:~% dnsip yahoo.com.spamdomains.blackholes.easynet.nl
>
> 20031009-12:22:33 mengwong [at] dumb:~%
>
> See the bottom of http://www.sdsc.edu/~jeff/spam/cbc.html for a number
> of RHSBLs. They will gain in prominence as SPF is adopted.
>
> To date, RHSBLs return either a DECLINE or NEGATIVE opinion. In the
> future I predict we will see RHSBLs published by major ISPs that
> return KNOWN, UNKNOWN, NEGATIVE, and DECLINE, constituting a weak
> reputation scheme. Even finer grain is possible with "started sending
> mail N days ago".