Checking for dead DNSBls
Another Saturday, another spam entry. Today I decided to look at our logs to see if some of the DNSBls we check had either gone away or weren't giving us any hits. Since our software checks DNSBls in sequence instead of in parallel, removing useless DNSBls both reduces query volume and speeds things up slightly.
(In general, it's wise to do this periodically unless you're current
news.admin.net-abuse.email and other information sources, and
already know about any changed or decommissioned DNSbls.)
This time around, I didn't find any. The closest to not being used is
runners-up, but I decided not to remove any of them.
I also considered shuffling the order of the checks, but decided
against it on policy reasons. I would rather reject a SMTP connection
for a clear neutral reason like 'open proxy' rather than something
more contentious, like 'listed in Spews', even if being listed in
Spews is several times more likely than being listed in
opm.blitzed.org stays before Spews in our
This isn't a completely loss; although I wasn't able to remove anything and this blog entry is a bit boring as a result, at least I checked.
For information, here is the raw numbers:
161697 total rejections 17995 class bl-cbl 2385 class bl-spews 2250 class bl-sbl 2071 class bl-dsbl 1510 class bl-sdul 886 class bl-ordb 779 class bl-njabl 305 class bl-opm
21900 DNS unknown: APNIC bad rDNS 16729 DNS unknown: Korean bad rDNS 7774 dynamic comcast.net ?? 6403 dynamic XXX-YYY comcast.net 6228 dynamic rr.com cablemodems 3187 DNS unknown: LACNIC bad rDNS 2985 dynamic rogers.com 2888 DNS unknown: Chinese bad rDNS 2564 dynamic verizon 2522 DNS unknown: misc bad rDNS 2436 DNS noforward: LACNIC bad rDNS
The CBL figures will be somewhat distorted by last week's experiment in promoting it to the front of the checklist, as recounted in CBLStats-2005-06-27.
And IP-level rejections:
Host/Mask Packets Bytes 22.214.171.124 5409 260K 126.96.36.199 4690 215K 188.8.131.52 4580 220K 184.108.40.206/24 4310 213K 220.127.116.11 3761 181K 18.104.22.168/11 3297 168K 22.214.171.124 2536 152K 126.96.36.199/10 2529 129K 188.8.131.52/12 2173 112K
There's some new faces this week, including a very persistent IP address in Israel. I'm vaguely startled that 184.108.40.206 is still hammering away (and more startled that it doesn't seem to be on the CBL or other lists of open proxies; just what is going on with that machine?).