Educause Security Discussion mailing list archives

Re: Blacklists - URL and IP


From: Bill Kyle <bill.kyle () JHU EDU>
Date: Thu, 16 Jun 2005 14:58:38 -0400

On Thursday 16 June 2005 12:22 pm, Joe St Sauver wrote:
Hi Dennis,

#Does anyone use blacklists to shut out suspected malicious URL's and IP
#addresses?

Are you thinking of something like using SURBL (www.surbl.org) in
conjunction with SpamAssassin 3.0.4 to look at URI's in the body of
the message? Or did you just want a connect-time blacklist? (If the
latter, check out the SBL+XBL list from www.spamhaus.org and the NJABL
list from www.njabl.org)

#It appears that hackers have been spoofing our email addresses as they
#are unable to break through our security products - Cyber Secure Hard
#Disk Drives.
#
#In particular they seem to like to break into other security company
#computers and send emails to us showing that they are spoofing our
#addresses from Fortress Technologies, Symantec, McAfee, etc. We would
#like to make sure that we don't end up on lists erroneously.

So are you trying to deal with backscatter (non-delivery notices for
mail you didn't send), or are you attempting to protect your
reputation w.r.t. spoofed mail that makes it through to its recipient
(albeit not from you/your users)?

If the latter scenario, you may want to check out SPF (see the excellent
white paper by Meng Weng Wong at http://spf.pobox.com/whitepaper.pdf ).

Regards,

Joe

Joe,

It would be nice if people checked SPF records in DNS... However, in my
experience there are not many places checking SPF records. Here at Hopkins
our enterprise mail relays do not check for SPF records (I have asked and been
told it is planned for some time in the future).

Earlier this year some spammer decided to use my domain for fake from
addresses. I would get one or two non-delivery notices a week. Going into
around the fourth week I reported the hijacked system to the ISP in Korea. In
less than two hours I received notice the system had been disabled. And, that
must have pissed off the spammer because the next day I had over twelve
thousand (12,000) messages in my in-box caused by non-delivery and of course
my favorite, 'We are returning this mail because it is spam,' because this
just spams the victim of a forged from address. Maybe my SPF records reduced
the flood of mail into my in-box, but there sure are a large number of major
sites that do not check DNS for SPF records.

I believe in SPF records; it is that I do not think they help much now. I will
keep 'reminding' our enterprise mail administrators about the need to check
mail going through our relays for SPF records and just dropping spam without
a reject message that causes additional clutter in the Ether.

-- 
Best wishes,
Bill Kyle
Sr. Systems Software Architect
410.516.3364
Johns Hopkins Network Security
Johns Hopkins University and Medical Institutions

--
From: "Spam Catcher" <spam-catcher () adept org>
To: spam-catcher () adept org

Don't send email to the address listed here or you will be added
to a blacklist!  It is a TRAP for address harvesters.
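As an added illustration of the two points raised in this thread (a relay checking the sender domain's SPF record, and refusing during the SMTP session instead of accepting and then bouncing, so the forged from address gets no backscatter), here is a small SPF evaluator. It is example code, not from the list or from Hopkins; the domains, addresses and the DNS_TXT table are constructed stand-ins for real TXT lookups, and it handles only the ip4, ip6, include and all mechanisms.

```python
import ipaddress

# Constructed DNS TXT table standing in for live lookups (assumption: offline).
DNS_TXT = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/48 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` against the connecting client IP.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:            # include: recursion limit, like the RFC's
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"         # no SPF published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network; that is just False.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not supported by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"          # record exhausted without a match


def smtp_action(result):
    """Policy applied while the SMTP session is still open. A 5xx here
    means no non-delivery notice is ever generated toward the (forged)
    envelope sender, so the spoofed domain sees no backscatter."""
    if result == "fail":
        return "550 reject during SMTP session"
    if result == "softfail":
        return "accept and tag for spam scoring"
    return "accept"
```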
