On 4/13/2004 6:15 PM, Stephen Smoogen wrote:
> Personally I think any RBL is a DoS waiting to happen. All it takes is
> them being down/broken/etc and poof your servers are down for a bit with
> the usual management questions of why did you allow it to happen.
>
> The only way I would use an RBL in a large production environment is if
> they had a DB push mechanism where I could sign up for a daily DB4 and
> source file from either a central site or some sort of P2P cloud.
>
> But I am a grumpy young sysadmin.
One of the better ones (SBL+XBL) lets you set this up for free, if you're "big enough" (250K+ queries/day).
SBL+XBL page: http://www.spamhaus.org/xbl/index.lasso
Rsync zone access: http://www.spamhaus.org/service/
I had the same DoS worry; using a combination of sbl-xbl.spamhaus.org with rbldnsd and rsync, we've got a copy of the zone locally on each mail server, coexisting nicely with the caching BIND already there. It required a little setup up front, but we've been pleased with the results. We've also reduced DNS traffic by a substantial amount -- I refused 1.3M connections yesterday using SBL+XBL. Because it's effectively local, it's the first DNSBL check we perform now.
The Spamhaus folks were very helpful and they had a hole poked for our rsync within a couple of hours of my follow-up email about our setup. They even have the rsyncs distributed across particular parts of the hour, assigning a minute to you for the SBL and the XBL. We're never more than an hour stale.
A potential speed bump is their requirement to use rbldnsd. They only push the lists out in rbldnsd format, but it's worth the learning curve to use it, for those of you not familiar with it. It does wildcarded/templated TXT responses for DNSBLs, has a small memory footprint, and also speaks CIDR. You can also combine separate zone files into a single zone, accessed with one lookup.
http://www.corpit.ru/mjt/rbldnsd.html
Our empirical testing of looking up even information that was already cached made rbldnsd *very* attractive (~5.5ms/lookup for BIND vs ~.5ms/lookup for rbldnsd). There are some large lists that we keep in access.db files that we'll be converting to rbldnsd zones, so that we don't have to pay the per-box cost of distributing the access file and then generating the .db -- and because the sendmail access file doesn't speak CIDR.
There's a FreeBSD rbldnsd port that installed quite nicely, and the maintainer is quick with updates.
We're using forwarding as described in http://njabl.org/rsync.html :

    zone "sbl-xbl.spamhaus.org" IN {
        type forward;
        forward first;
        forwarders {
            127.0.0.2;
        };
    };

... so it's kept private and fast, and coexists with our BIND that's on 127.0.0.1. I had never previously had to figure out how to create a loopback alias in FreeBSD, but it works like a charm.
In short -- if they get DoSed, Slashdot will tell me before my mail farm does, making me a less grumpy young sysadmin. :)
You can tell I was on vacation; sorry for the stale posts.
-royce
--
Royce D. Williams
IP Engineering, ACS
work: [EMAIL PROTECTED]   PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED]   http://www.tycho.org/royce/
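The post above relies on three mechanics that are easy to get wrong when you run a DNSBL zone locally: the query name is the client address with its octets reversed under the zone name, a CIDR entry must match every address inside the prefix (with the most specific entry winning), and the TXT answer is a template expanded with the queried address. The following is an added example written for this page; it is not code from the post, from rbldnsd or from Spamhaus. It assumes a simplified subset of the rbldnsd ip4set layout (`#` comment lines, a `:A:TXT` default line, and `ip[/mask][:A:TXT]` entries with `$` standing for the queried address), and the zone data is constructed from RFC 5737 documentation prefixes, not real listings.

```python
"""Minimal emulation of a local DNSBL zone (simplified rbldnsd ip4set style).

Added example, not code from the post or from rbldnsd/Spamhaus. It assumes a
simplified subset of the ip4set format: '#' comment lines, a ':A:TXT' default
line, and 'ip[/mask][:A:TXT]' entries, with '$' in TXT standing for the
queried address. The data below is constructed from documentation prefixes.
"""
import ipaddress
from typing import List, Optional, Tuple

ZONE_NAME = "sbl-xbl.spamhaus.org"

# Constructed sample data: RFC 5737 documentation prefixes, not real listings.
CONSTRUCTED_ZONE = """\
# default answer for entries that carry no explicit value
:127.0.0.2:Listed in the example SBL-style set, see http://dnsbl.example/sbl/$
192.0.2.0/24
198.51.100.77
203.0.113.0/26:127.0.0.4:Listed in the example XBL-style set, see http://dnsbl.example/xbl/$
"""


class LocalDnsbl:
    """Parse one zone text and answer reversed-octet DNSBL queries against it."""

    def __init__(self, zone_name: str, zone_text: str) -> None:
        self.zone_name = zone_name.rstrip(".").lower()
        self.entries: List[Tuple[ipaddress.IPv4Network, str, str]] = []
        default_a, default_txt = "127.0.0.2", "Listed: $"
        for raw in zone_text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith(":"):
                # ':A:TXT' sets the default value for the entries that follow
                _, default_a, default_txt = line.split(":", 2)
                continue
            parts = line.split(":", 2)  # 'prefix', optional 'A', optional 'TXT'
            net = ipaddress.IPv4Network(parts[0], strict=False)
            a = parts[1] if len(parts) > 1 else default_a
            txt = parts[2] if len(parts) > 2 else default_txt
            self.entries.append((net, a, txt))
        # The most specific prefix wins, so sort longest prefix first.
        self.entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def query_name(self, ip: str) -> str:
        """Build the DNSBL query name: octets reversed, then the zone name."""
        octets = str(ipaddress.IPv4Address(ip)).split(".")
        return ".".join(reversed(octets)) + "." + self.zone_name

    def resolve(self, qname: str) -> Optional[Tuple[str, str]]:
        """Return (A record, expanded TXT) for a listed query name, else None."""
        qname = qname.rstrip(".").lower()
        suffix = "." + self.zone_name
        if not qname.endswith(suffix):
            return None  # not our zone; the forward zone would never send this here
        labels = qname[: -len(suffix)].split(".")
        if len(labels) != 4:
            return None
        try:
            addr = ipaddress.IPv4Address(".".join(reversed(labels)))
        except ValueError:
            return None
        for net, a, txt in self.entries:
            if addr in net:
                return a, txt.replace("$", str(addr))
        return None  # equivalent of NXDOMAIN: not listed

    def is_listed(self, ip: str) -> bool:
        """Convenience check a mail filter would call for a connecting client."""
        return self.resolve(self.query_name(ip)) is not None


if __name__ == "__main__":
    dnsbl = LocalDnsbl(ZONE_NAME, CONSTRUCTED_ZONE)
    for client in ("192.0.2.5", "203.0.113.9", "203.0.113.100", "198.51.100.77"):
        qn = dnsbl.query_name(client)
        print(client, "->", qn, "->", dnsbl.resolve(qn))
```

The `resolve` path is what the BIND forward zone in the post hands to rbldnsd on 127.0.0.2: a name like `5.2.0.192.sbl-xbl.spamhaus.org` comes in, the octets are reversed back into an address, and the answer is the A value plus a TXT expanded from the template. Sorting by prefix length first is the detail that keeps a specific /32 or /26 override from being shadowed by a broader prefix in a combined zone.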

