Educause Security Discussion mailing list archives
Re: Blacklists - URL and IP
From: Bill Kyle <bill.kyle () JHU EDU>
Date: Thu, 16 Jun 2005 14:58:38 -0400
On Thursday 16 June 2005 12:22 pm, Joe St Sauver wrote:
Hi Dennis,

#Does anyone use blacklists to shut out suspected malicious URL's and IP
#addresses?

Are you thinking of something like using SURBL (www.surbl.org) in conjunction with SpamAssassin 3.0.4 to look at URI's in the body of the message? Or did you just want a connect-time blacklist? (If the latter, check out the SBL+XBL list from www.spamhaus.org and the NJABL list from www.njabl.org)

#It appears that hackers have been spoofing our email addresses as they
#are unable to break through our security products - Cyber Secure Hard
#Disk Drives.
#
#In particular they seem to like to break into other security company
#computers and send emails to us showing that they are spoofing our
#addresses from Fortress Technologies, Symantec, McAfee . etc. We would
#like to make sure that we don't end up on lists erroneously.

So are you trying to deal with backscatter (non-delivery notices for mail you didn't send), or are you attempting to protect your reputation w.r.t. spoofed mail that makes it through to its recipient (albeit not from you/your users)? If the latter scenario, you may want to check out SPF (see the excellent white paper by Meng Weng Wong at http://spf.pobox.com/whitepaper.pdf ).

Regards,

Joe
Joe,

It would be nice if people checked SPF records in DNS... However, in my experience there are not many places checking SPF records. Here at Hopkins our enterprise mail relays do not check for SPF records (I have asked and been told it is planned for some time in the future).

Earlier this year some spammer decided to use my domain for fake from addresses. I would get one or two non-delivery notices a week. Going into around the fourth week I reported the hijacked system to the ISP in Korea. In less than two hours I received notice the system had been disabled. And, that must have pissed off the spammer because the next day I had over twelve thousand (12,000) messages in my in-box caused by non-delivery and of course my favorite, 'We are returning this mail because it is spam,' because this just spams the victim of a forged from address.

Maybe my SPF records reduced the flood of mail into my in-box, but there sure are a large number of major sites that do not check DNS for SPF records. I believe in SPF records, it is that I do not think they help much now.

I will keep 'reminding' our enterprise mail administrators about the need to check mail going through our relays for SPF records and just dropping spam without a reject message that causes additional clutter in the Ether.

--
Best wishes, Bill Kyle
Sr. Systems Software Architect
410.516.3364
Johns Hopkins Network Security
Johns Hopkins University and Medical Institutions
--
From: "Spam Catcher" <spam-catcher () adept org>
To: spam-catcher () adept org
Don't send email to the address listed here or you will be added to a blacklist! It is a TRAP for address harvesters.
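An added illustration of the relay-side SPF check discussed in the message above; it is not code from the poster or from any mail product. It evaluates only the `ip4`, `ip6` and `all` terms of an SPF record against the connecting IP, then applies a hypothetical relay policy for undeliverable mail so that a forged sender never receives a non-delivery notice. The domains, addresses, records and the `handle_undeliverable` policy names are constructed assumptions.

```python
import ipaddress

# Constructed sample data: SPF TXT records as a relay would fetch them from DNS.
SPF_RECORDS = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all subset of SPF for an envelope-sender domain."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a term without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name not in ("ip4", "ip6"):
            return "unsupported"  # include/a/mx need DNS lookups, not done here
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def handle_undeliverable(domain, client_ip):
    """Hypothetical policy: never bounce to a sender address that SPF says is forged."""
    result = spf_result(domain, client_ip)
    if result == "pass":
        return "send-ndn"  # the envelope sender's own servers sent this mail
    if result == "fail":
        return "drop-silently"  # a bounce would land on the spoofing victim
    return "reject-in-session"  # no notice is generated by this relay
```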