North American Network Operators Group


Re: monkeys.dom UPL being DDOSed to death

  • From: Jack Bates
  • Date: Wed Sep 24 11:51:11 2003

Geo. wrote:

> There shouldn't be a need for any removal process. A server should be listed
> for as long as the spam continues to come from it. Once the spam stops the
> blacklisting should stop as well. That is how a dynamic list SHOULD work.

Depends on the type of listing. Open proxies and open relays are best removed by request of owner once they are fixed or staled out after a retest at a later time, although retests should be few and far between (many use anything from 1-6 months). Just because spam is not temporarily coming from an insecure host does not mean that the host has been secured.

Direct Spam is difficult to automatically detect, and reports are not always accurate (see SpamCop). It tends to be a very manual process. A lot of work goes into maintaining a list like SBL or SPEWS.

Spam is also very transient, which makes local detection of a spammer's activities difficult. They may just be focusing on someone else for a week or two before plastering your servers again. If you remove them, they will do considerable damage before they get relisted via the manual process (delay between first email received and first recipient reporting can easily exceed hours).

The other issue with shared listings is what one considers acceptable or unacceptable. Easynet, for example, lists a lot of mail senders which I accept mail for due to user demand. They consider the email spam or resource abuse (broken mailers) while I am meeting the demands of my customers who are paying to receive the email. This isn't a collateral damage issue. It is an issue of where a network decides to draw the line on accepting or rejecting email.

-Jack
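
The two delisting policies discussed in this message, side by side, as an added example that is not part of the original post or any blocklist's code. The 90-day retest interval, the 7-day quiet window, the `probe` callable (a stand-in for a real relay/proxy retest) and all listings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RETEST_INTERVAL = timedelta(days=90)  # assumption: inside the 1-6 month range
QUIET_WINDOW = timedelta(days=7)      # assumption: when "the spam stops"

@dataclass
class Listing:
    ip: str
    kind: str               # "open-relay", "open-proxy" or "direct-spam"
    last_spam_seen: date
    last_test: date
    owner_requested_removal: bool = False

def listed_activity_based(entry, today):
    """Quoted policy: stay listed only while spam keeps arriving."""
    return today - entry.last_spam_seen <= QUIET_WINDOW

def listed_retest_based(entry, today, probe):
    """Reply's policy: an insecure host stays listed until a retest passes."""
    if entry.kind not in ("open-relay", "open-proxy"):
        return True  # modelled here as manual review, never auto-expired
    due = (entry.owner_requested_removal
           or today - entry.last_test >= RETEST_INTERVAL)
    if not due:
        return True
    entry.last_test = today
    return probe(entry.ip)  # True means the host is still insecure

# Constructed sample data (documentation addresses), not real listings.
STILL_OPEN = {"192.0.2.10": True, "192.0.2.20": False, "192.0.2.30": True}
TODAY = date(2003, 9, 24)
LISTINGS = [
    Listing("192.0.2.10", "open-relay", date(2003, 9, 1), date(2003, 6, 1)),
    Listing("192.0.2.20", "open-proxy", date(2003, 9, 20), date(2003, 9, 1), True),
    Listing("192.0.2.30", "open-relay", date(2003, 8, 15), date(2003, 9, 1)),
]

def compare(listings=LISTINGS, today=TODAY, probe=STILL_OPEN.get):
    """Return {ip: (activity_based, retest_based)} listing decisions."""
    return {e.ip: (listed_activity_based(e, today),
                   listed_retest_based(e, today, probe)) for e in listings}

if __name__ == "__main__":
    for ip, (activity, retest) in compare().items():
        print(f"{ip}: activity-based={activity} retest-based={retest}")
```

The first and third hosts are still open but quiet, so the activity-based policy drops them while the retest-based policy keeps them; the second host was fixed and is delisted only once the owner-requested retest passes.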