North American Network Operators Group


Re: RBLs in use

  • From: Chris Lewis
  • Date: Thu Nov 20 12:06:10 2003

Suresh Ramasubramanian wrote:

You need a fairly wide coverage of BLs.

# Open proxies - http://opm.blitzed.org and http://proxies.blackholes.easynet.nl
I would add the SORBS http and SORBS socks lists to this.

# Open relays - http://www.ordb.org
I'd add VISI to that too.

# Dialup and DSL/cable dynamic IPs - http://dynablock.easynet.nl

# Current spam sources - http://cbl.abuseat.org [strongly recommended]
CBL tends to list only open proxies and spam trojans, but there are a few "classic viri emitters" (i.e., Yaha) and a _very_ small number of "grossly misconfigured mail servers" in it too. All of which you want to know about anyway.

What you can do is do zone downloads of the open relay/proxy/CBL lists above and correlate them to your own netblocks. _Very_ helpful in finding compromised systems.

With dynablock, you may want to audit it for accuracy against your IP allocations. They're responsive to update requests.

SBL/SPEWS identifies your spammers. But as Suresh says, be careful to interpret the SPEWS listings correctly, so you nail the spammer, not the collateral damage.

There are a lot more DNSBLs, but the above ones are the most respected, important and useful for your purposes. XBL & Spambag, for example, are too rabid to worry about. Anybody who uses them gets what they deserve.
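
The zone-download correlation described in the message above, as an added example that is not part of the original post. The zone line format, the list labels and the sample addresses are assumptions constructed for illustration; adjust the parser to whatever format a given list actually publishes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: your own allocations (RFC 5737 documentation ranges).
OUR_NETBLOCKS = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed sample zone data; the labels are hypothetical, not real list names.
# Assumed format: one IPv4 address or CIDR per line, optional ":value:text"
# suffix, '#' comment lines, and '$' or ':' directive lines.
SAMPLE_ZONES = {
    "proxy-list": "# constructed\n$TTL 3600\n:127.0.0.2:listed\n"
                  "192.0.2.45\n203.0.113.9\n198.51.100.200\n",
    "relay-list": "192.0.2.45:127.0.0.2:open relay\n198.51.100.17\nbogus-line\n",
}


def parse_zone(text):
    """Yield an ip_network for each listed entry, skipping everything else."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$:":
            continue
        token = line.split()[0].split(":")[0]
        try:
            yield ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # not an address or CIDR; ignore the line


def correlate(netblocks, zones):
    """Map each listed entry that overlaps our netblocks to the lists naming it."""
    ours = [ipaddress.ip_network(n) for n in netblocks]
    hits = defaultdict(set)
    for label, text in zones.items():
        for entry in parse_zone(text):
            if any(entry.overlaps(block) for block in ours):
                hits[str(entry)].add(label)
    return {entry: sorted(labels) for entry, labels in hits.items()}


if __name__ == "__main__":
    report = correlate(OUR_NETBLOCKS, SAMPLE_ZONES)
    # Entries named by more than one list are printed first.
    for entry, labels in sorted(report.items(), key=lambda kv: -len(kv[1])):
        print(f"{entry:20} {', '.join(labels)}")
```

Because the match uses overlap rather than containment, a listed range wider than one of your netblocks (as a dynamic-IP list might carry) is reported as well, which suits the accuracy audit mentioned for dynablock.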