On Tue, 13 Apr 2004, David F. Skoll wrote:

>On Tue, 13 Apr 2004, Kelson Vibber wrote:
>
>> Then SURBL should be fine. It's just a RHSBL, built from domains
>> advertised in spam rather than domains that (appear to) send it. A client
>> using SURBL just parses URLs out of the message and queries the domain
>> names against the SURBL zone.
>
>It still makes me nervous. An attacker could put hundreds of URLs
>in the message, leading to hundreds of SURBL lookups. This kind of
>traffic-amplification just screams DoS to me. But then, I tend to
>be more paranoid than most. :-)
>
>I think SURBL should be used for (let's say) the first 20 URLs in a
>message, and if there are more than 20 URLs in the message, it should get
>a big spam score and further SURBL lookups suppressed.
>
>Regards,

Personally I think any RBL is a DoS waiting to happen. All it takes is
them being down/broken/etc and poof your servers are down for a bit with
the usual management questions of why did you allow it to happen.

The only way I would use an RBL in a large production environment is if
they had a DB push mechanism where I could sign up for a daily DB4 and
source file from either a central site or some sort of P2P cloud.

But I am a grumpy young sysadmin.

--
Stephen John Smoogen [EMAIL PROTECTED]
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --
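
Added example, not part of either message and not MIMEDefang code: a sketch of the 20-URL cap proposed in the quoted text, combined with fail-open handling so that a list outage costs nothing but the lookups. The score values, the zone name, the injected `resolve` callable, the domain deduplication and the naive two-label domain reduction are all assumptions made for illustration.

```python
import re

MAX_LOOKUPS = 20          # cap proposed in the thread
OVER_CAP_SCORE = 5.0      # assumed "big spam score"; value is illustrative
LISTED_SCORE = 3.0        # assumed score per listed domain
ZONE = "multi.surbl.org"  # assumed zone name
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def base_domain(host):
    # Naive reduction to the last two labels; a real client consults a
    # list of two-level TLDs (co.uk and so on) before querying.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def check_message(body, resolve):
    """resolve(name) returns True if listed, False if not; may raise OSError."""
    hosts = URL_HOST.findall(body)
    result = {"score": 0.0, "lookups": 0, "listed": [],
              "capped": False, "errors": 0}
    if len(hosts) > MAX_LOOKUPS:
        result["capped"] = True          # too many URLs is itself a signal
        result["score"] += OVER_CAP_SCORE
    domains = []
    for host in hosts[:MAX_LOOKUPS]:     # only the first 20 URLs are eligible
        d = base_domain(host)
        if d not in domains:
            domains.append(d)            # repeated domains cost one query
    for d in domains:
        result["lookups"] += 1
        try:
            if resolve(f"{d}.{ZONE}"):
                result["listed"].append(d)
                result["score"] += LISTED_SCORE
        except OSError:
            result["errors"] += 1        # fail open: an outage must not block mail
    return result

# Constructed sample: 25 URLs on made-up domains, one of which is "listed".
SAMPLE = " ".join(f"http://www.site{i}.example/x" for i in range(25))

def fake_resolve(name):
    return name == "site3.example." + ZONE
```

In production the `resolve` callable would wrap a DNS query with a short timeout, so the worst case per message is bounded by 20 lookups times that timeout.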

