On Wed 10/Dec/2025 13:51:37 +0100 Slavko via mailop wrote:
> On 10 December 2025 11:53:36 UTC, John Fawcett via mailop wrote:
>> those IPs are also on Spamhaus XBL. Do you have use cases where legitimate
>> users need to login from exploited IPs? [...]
>
> Yes, I have a use case for legitimate users with IP on XBL -- end users
> have often dynamic IP, which changes, and thus they can get new IP
> which is already on XBL and will take ~2 days until XBL entry expires.

Indeed, Spamhaus's XBL usage questions[*] answer negatively to the question
"Should providers use the XBL to block their own users?". They say XBL "should
only be used as an “informational” alert".

I've limited it to IPs detected more than seven days ago, which implies there
haven't been any successful logins from that IP in the last seven days. If such
an IP is in XBL, I block it with a half-life of one month (instead of six
hours). Dunno how "informational" this usage is; if there are false positives
I'll increase the time span to more than seven days.

Today, on my family server, I got:

    Actual violations     815
    Dictionary attacks    766   93.99% of violations
    XBL lookups           579   96.37% of which hit

Best
Ale
--
[*]
https://www.spamhaus.org/blocklists/exploits-blocklist/#XBL%20usage%20questions
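
The policy described in the message above, sketched as an added example that is not part of the original post or of the poster's software. It assumes "half-life" means the block weight halves once per half-life and takes "one month" as 30 days; the function names, the `is_listed` hook and the sample addresses are hypothetical.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=7)            # post: only IPs first detected > 7 days ago
SHORT_HALF_LIFE = timedelta(hours=6)   # post: the usual half-life
LONG_HALF_LIFE = timedelta(days=30)    # post: "one month"; 30 days is an assumption
XBL_ZONE = "xbl.spamhaus.org"


def dnsbl_name(ip: str, zone: str = XBL_ZONE) -> str:
    """Build the DNSBL query name for an IPv4 address: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def pick_half_life(ip, first_seen, now, is_listed) -> timedelta:
    """Choose the decay half-life for a failed-login record.

    is_listed is a callable taking the DNSBL query name and returning True
    when the address is listed (hypothetical hook for a real resolver).
    Records younger than MIN_AGE never trigger a lookup, so a user who just
    inherited a listed dynamic IP is not hit by the long block.
    """
    if now - first_seen <= MIN_AGE:
        return SHORT_HALF_LIFE
    return LONG_HALF_LIFE if is_listed(dnsbl_name(ip)) else SHORT_HALF_LIFE


def block_weight(initial: float, elapsed: timedelta, half_life: timedelta) -> float:
    """Assumed decay model: the block weight halves every half_life."""
    return initial * 0.5 ** (elapsed / half_life)


# Constructed sample data: documentation address ranges and a fake listing set.
NOW = datetime(2025, 12, 10, 13, 0, tzinfo=timezone.utc)
FAKE_XBL = {dnsbl_name("192.0.2.10")}
RECORDS = {
    "192.0.2.10": NOW - timedelta(days=9),    # old and listed
    "192.0.2.20": NOW - timedelta(days=9),    # old, not listed
    "198.51.100.5": NOW - timedelta(days=2),  # recent: no lookup is made
}

if __name__ == "__main__":
    for ip, first_seen in RECORDS.items():
        hl = pick_half_life(ip, first_seen, NOW, FAKE_XBL.__contains__)
        left = block_weight(1.0, timedelta(days=2), hl)
        print(f"{ip:14} half-life={hl}  weight after 2 days={left:.4f}")
```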