Checking for dead DNSBls

July 3, 2005

Another Saturday, another spam entry. Today I decided to look at our logs to see if some of the DNSBls we check had either gone away or weren't giving us any hits. Since our software checks DNSBls in sequence instead of in parallel, removing useless DNSBls both reduces query volume and speeds things up slightly.

(In general, it's wise to do this periodically unless you're current on news.admin.net-abuse.email and other information sources, and already know about any changed or decommissioned DNSBls.)
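The check described above, as an added example rather than the post's own tooling: tally rejections per DNSBL class from mail log lines, flag zones that are no longer producing hits, and sanity-check each zone with the RFC 5782 test addresses (127.0.0.2 must be listed, 127.0.0.1 must not be, and a zone that lists 127.0.0.1 has been wildcarded and will reject everything). The log-line format, the class-to-zone table beyond the three zones the post names, the sample log lines and the stub resolver are all constructed for this example.

```python
"""Added example, not the post's own code: find idle or dead DNSBLs.

Counts rejections per DNSBL class from constructed log lines, lists the
zones that produced fewer hits than a threshold, and checks a zone's
liveness with the RFC 5782 test entries. The log format, the zone table
(except opm/njabl/ordb, which the post names) and the resolver stub are
assumptions made for this example.
"""
import re
import socket
from collections import Counter

# Constructed log format: "... reject <ip> class <class-name>"
LOG_RE = re.compile(r"reject (?P<ip>\d+\.\d+\.\d+\.\d+) class (?P<cls>\S+)")

# Class names follow the post's summary; the first three zones are the ones
# the post names, the rest are assumed placeholders.
DNSBL_ZONES = {
    "bl-opm": "opm.blitzed.org",
    "bl-njabl": "dnsbl.njabl.org",
    "bl-ordb": "relays.ordb.org",
    "bl-sbl": "sbl.example",      # assumed placeholder zone
    "bl-spews": "spews.example",  # assumed placeholder zone
}

# Constructed sample log lines (documentation-range addresses only).
SAMPLE_LOG = """\
Jul  3 01:00:01 mx smtpd: reject 192.0.2.10 class bl-sbl
Jul  3 01:00:05 mx smtpd: reject 192.0.2.11 class bl-sbl
Jul  3 01:01:12 mx smtpd: reject 198.51.100.7 class bl-njabl
Jul  3 01:02:44 mx smtpd: reject 203.0.113.9 class bl-spews
Jul  3 01:03:00 mx smtpd: reject 192.0.2.12 class bl-sbl
Jul  3 01:04:30 mx smtpd: reject 203.0.113.20 class dynamic-rr
""".splitlines()


def tally(lines):
    """Count rejections per class; every DNSBL class starts at 0 so silent
    zones show up in the output instead of simply being absent."""
    counts = Counter({cls: 0 for cls in DNSBL_ZONES})
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[m.group("cls")] += 1
    return counts


def idle_dnsbls(counts, threshold=1):
    """Zones whose class produced fewer than `threshold` rejections."""
    return sorted(zone for cls, zone in DNSBL_ZONES.items()
                  if counts[cls] < threshold)


def reversed_octets(ip):
    """DNSBL query names carry the IPv4 octets in reverse order."""
    return ".".join(reversed(ip.split(".")))


def check_dnsbl(zone, resolve=socket.gethostbyname):
    """RFC 5782 liveness check.  `resolve(name)` returns an address string or
    raises socket.gaierror when the name does not exist.  Returns "ok",
    "dead" (the 127.0.0.2 test entry is gone, so the zone is probably
    decommissioned) or "lists-everything" (127.0.0.1 is listed, i.e. the
    zone answers positively for any address and must be removed at once)."""
    def listed(ip):
        try:
            resolve(reversed_octets(ip) + "." + zone)
            return True
        except socket.gaierror:
            return False

    if listed("127.0.0.1"):
        return "lists-everything"
    return "ok" if listed("127.0.0.2") else "dead"


class StubResolver:
    """Constructed offline resolver: answers from a fixed table, NXDOMAIN
    (socket.gaierror) for anything else."""
    def __init__(self, table):
        self.table = table

    def __call__(self, name):
        if name in self.table:
            return self.table[name]
        raise socket.gaierror("constructed NXDOMAIN for " + name)


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    for cls, zone in DNSBL_ZONES.items():
        print(f"{counts[cls]:6d} {cls} ({zone})")
    print("no hits:", idle_dnsbls(counts))
    healthy = StubResolver({"2.0.0.127.opm.blitzed.org": "127.0.0.2"})
    print("opm.blitzed.org:", check_dnsbl("opm.blitzed.org", resolve=healthy))
```

Against a live resolver, pass nothing for `resolve` and `check_dnsbl` uses `socket.gethostbyname`; the "lists-everything" case is the one to watch for, since a decommissioned zone that gets wildcarded turns a low-hit list into a reject-all list overnight.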

This time around, I didn't find any. The closest to not being used is opm.blitzed.org, with dnsbl.njabl.org and relays.ordb.org as runners-up, but I decided not to remove any of them.

I also considered shuffling the order of the checks, but decided against it for policy reasons. I would rather reject an SMTP connection for a clear neutral reason like 'open proxy' rather than something more contentious, like 'listed in Spews', even if being listed in Spews is several times more likely than being listed in opm.blitzed.org. So opm.blitzed.org stays before Spews in our checks.

This isn't a complete loss; although I wasn't able to remove anything and this blog entry is a bit boring as a result, at least I checked.

For information, here are the raw numbers:

 161697 total rejections
  17995 class bl-cbl
   2385 class bl-spews
   2250 class bl-sbl
   2071 class bl-dsbl
   1510 class bl-sdul
    886 class bl-ordb
    779 class bl-njabl
    305 class bl-opm

Also:

  21900 DNS unknown: APNIC bad rDNS
  16729 DNS unknown: Korean bad rDNS
   7774 dynamic comcast.net ??
   6403 dynamic XXX-YYY comcast.net
   6228 dynamic rr.com cablemodems
   3187 DNS unknown: LACNIC bad rDNS
   2985 dynamic rogers.com
   2888 DNS unknown: Chinese bad rDNS
   2564 dynamic verizon
   2522 DNS unknown: misc bad rDNS
   2436 DNS noforward: LACNIC bad rDNS

The CBL figures will be somewhat distorted by last week's experiment in promoting it to the front of the checklist, as recounted in CBLStats-2005-06-27.

And IP-level rejections:

Host/Mask           Packets   Bytes
65.214.61.100          5409    260K
213.4.129.48           4690    215K
62.219.46.43           4580    220K
212.216.176.0/24       4310    213K
24.156.64.52           3761    181K
220.160.0.0/11         3297    168K
200.123.152.60         2536    152K
61.128.0.0/10          2529    129K
219.128.0.0/12         2173    112K

There are some new faces this week, including a very persistent IP address in Israel. I'm vaguely startled that 24.156.64.52 is still hammering away (and more startled that it doesn't seem to be on the CBL or other lists of open proxies; just what is going on with that machine?).

Written on 03 July 2005.
Last modified: Sun Jul 3 02:29:52 2005