Checking for dead DNSBls

July 3, 2005

Another Saturday, another spam entry. Today I decided to look at our logs to see if some of the DNSBls we check had either gone away or weren't giving us any hits. Since our software checks DNSBls in sequence instead of in parallel, removing useless DNSBls both reduces query volume and speeds things up slightly.

(In general, it's wise to do this periodically unless you're current on and other information sources, and already know about any changed or decommissioned DNSbls.)

This time around, I didn't find any. The closest to not being used is, with and as runners-up, but I decided not to remove any of them.

I also considered shuffling the order of the checks, but decided against it on policy reasons. I would rather reject a SMTP connection for a clear neutral reason like 'open proxy' rather than something more contentious, like 'listed in Spews', even if being listed in Spews is several times more likely than being listed in So stays before Spews in our checks.

This isn't a completely loss; although I wasn't able to remove anything and this blog entry is a bit boring as a result, at least I checked.

For information, here is the raw numbers:

 161697 total rejections
  17995 class bl-cbl
   2385 class bl-spews
   2250 class bl-sbl
   2071 class bl-dsbl
   1510 class bl-sdul
    886 class bl-ordb
    779 class bl-njabl
    305 class bl-opm


  21900 DNS unknown: APNIC bad rDNS
  16729 DNS unknown: Korean bad rDNS
   7774 dynamic ??
   6403 dynamic XXX-YYY
   6228 dynamic cablemodems
   3187 DNS unknown: LACNIC bad rDNS
   2985 dynamic
   2888 DNS unknown: Chinese bad rDNS
   2564 dynamic verizon
   2522 DNS unknown: misc bad rDNS
   2436 DNS noforward: LACNIC bad rDNS

The CBL figures will be somewhat distorted by last week's experiment in promoting it to the front of the checklist, as recounted in CBLStats-2005-06-27.

And IP-level rejections:

Host/Mask           Packets   Bytes          5409    260K           4690    215K           4580    220K       4310    213K           3761    181K         3297    168K         2536    152K          2529    129K         2173    112K

There's some new faces this week, including a very persistent IP address in Israel. I'm vaguely startled that is still hammering away (and more startled that it doesn't seem to be on the CBL or other lists of open proxies; just what is going on with that machine?).

Written on 03 July 2005.
« What shouldn't be a method function
There's two sorts of large systems »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Jul 3 02:29:52 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.