RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-13 Thread Michael Cummins
Actually, I was reading this when I thought of it, and thinking of how
INVURIBL reads the links inside of an e-mail and then compares them to a
configured RBL, like the recommended Invaluement paid subscription.

http://www.blue-quartz.com/rbl/

It would be much more efficient to store large numbers of IPs in DNS than it
would a plain text blacklist, wouldn't it - or am I wrong about that?

This is the relevant quote from this page:

If a blacklisted IP address is in your rbl database it will exist in the
DNS system.

For example:

if you blacklisted IP 89.40.1.32

then doing a regular DNS lookup like this:

nslookup test.rbl.mydomain.com
nslookup 32.1.40.89.rbl.mydomain.com

should result in a match of 127.0.0.2

I haven't figured out how to get the e-mail harvesting IP blocks out of
SmarterMail yet, but if I could, then if I could script-insert them into DNS
and then use that as a local RBL, do you think that would be an effective
tool?  Those are the spammers that are banging on my door, right?

-- Michael Cummins

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Sanford Whiteman
Sent: Saturday, July 11, 2009 3:09 AM
To: Michael Cummins
Subject: Re[2]: [Declude.JunkMail] Cutting down on DNS

 Probably a crazy question, but if I wrote a script to harvest the current
 blocks (for e-mail harvesting) out of SmarterMail (if such a thing could be
 done) would that make a good or a bad local URI?

Are you talking about turning a list of IPs into a list of
dotted-decimal URIs like http://1.2.3.4 ? That doesn't make sense.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: sa...@cypressintegrated.com

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Cutting down on DNS

2009-07-13 Thread Darrell (supp...@invariantsystems.com)

Michael Cummins wrote:
The product is basically the conduit from the URI in the email to the 
list.  In fact if you wanted to you could host your own URI list 
internally and add domains as you see fit.  We have many customers that 
do this.


I understand now.  


What does a record for URI look like in DNS?  How do you add IP addresses?
rDNS?  Is there a sample somewhere I could use as a guide?


You would create a new zone on the DNS server you want to host your URI 
list.


Example:
uri.yourdomain.com

When you want to add a URI like www.spammers.com you would make sure 
that there is a subdomain under URI called com and then create an A 
record under com called spammers.


When you query the zone it looks like this

spammers.com.uri.yourdomain.com

Hope this helps,
Darrell

--
--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.
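
The lookup path described in the message above (link in the e-mail, then a query name under the local URI zone), as an added example that is not part of the thread and not Invariant Systems' code. The zone name uri.yourdomain.com and the spammers.com entry come from the message; the in-memory zone, the sample body and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URI_ZONE = "uri.yourdomain.com"          # zone name used in the message above

# Constructed stand-in for the local zone: owner name -> A record value.
# A real check would send an A query to the DNS server hosting the zone.
LOCAL_ZONE = {"spammers.com.uri.yourdomain.com": "127.0.0.2"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed sample message body.
SAMPLE_BODY = """Hello,
Claim your prize at http://www.spammers.com/offer?id=1 today.
Unsubscribe: http://lists.example.org/u/42
"""


def hosts_in_body(body):
    """Return the distinct host names found in http/https links, in order."""
    seen = []
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").rstrip(".").lower()
        except ValueError:               # malformed authority part, skip it
            continue
        if host and host not in seen:
            seen.append(host)
    return seen


def candidate_names(host, zone=URI_ZONE):
    """Query names for a host: the host itself, then each parent domain
    down to two labels, each with the zone appended.

    Walking the parents is what turns www.spammers.com into the
    spammers.com.uri.yourdomain.com query shown above. It costs extra
    queries but needs no public-suffix data.
    """
    if IPV4_RE.fullmatch(host):
        return []                        # IP-literal links are out of scope here
    labels = host.split(".")
    return [".".join(labels[i:]) + "." + zone for i in range(len(labels) - 1)]


def resolve_local(name):
    """Look a name up in the constructed zone; None means not listed."""
    return LOCAL_ZONE.get(name)


def check_body(body, resolve=resolve_local):
    """Return {host: (query_name, answer)} for every linked host that is listed."""
    hits = {}
    for host in hosts_in_body(body):
        for name in candidate_names(host):
            answer = resolve(name)
            if answer is not None:
                hits[host] = (name, answer)
                break                    # most specific listed name wins
    return hits


if __name__ == "__main__":
    for host, (name, answer) in check_body(SAMPLE_BODY).items():
        print(f"{host}: {name} -> {answer}")
```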






Re: [Declude.JunkMail] Cutting down on DNS

2009-07-13 Thread Sanford Whiteman
No reason to believe that putting IP addresses in a DNS server would
be substantively faster than an optimized local connection-time IP
database. The local db itself should be cached in memory, and thus
should never be slower when you add in the network overhead of DNS
(even on the same box).

The advantage of DNS in this case is in sharing the same db across
multiple machines, not speed.

-- Sandy






Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-11 Thread Sanford Whiteman
 Probably a crazy question, but if I wrote a script to harvest the current
 blocks (for e-mail harvesting) out of SmarterMail (if such a thing could be
 done) would that make a good or a bad local URI?

Are  you  talking  about  turning  a  list  of  IPs  into  a  list  of
dotted-decimal URIs like http://1.2.3.4 ? That doesn't make sense.

--Sandy






Re: Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-11 Thread David Dodell


On Jul 10, 2009, at 12:50 PM, Scott Fisher wrote:


SORBS is shutting down. Might want to remove that http://www.au.sorbs.net/



Actually their website announced that they found other hosting  
arrangements and will not be shutting down at this time.






RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Michael Cummins
 And my other recommendation stands -- look into which BLs will let you
 replicate their zone/s locally.

Thank you for your advice.

Among other things, I've been reviewing the spam tests I've enabled.  I
thought I might share my observations with the list here, as a sounding
board.  Perhaps I will help someone, perhaps I will expose a poor decision.

I deactivated the following tests, because my DLAnalyzer told me that they
fetched less than 3% positives over the last 9 days (an arbitrary
selection):

AHBL 
AHBL-DOMAINS
DNSBL
IADB
LNG
MAILPOLICE-BLOCK
MAILPOLICE-DOMAIN
MAILPOLICE-FRAUD
MAILPOLICE-HELO
MAILPOLICE-REVDNS
MAILPOLICE-REVWEBMAIL
MXRATE-SUSPICIOUS
NJABL
VIRBL

I noticed that these tests had returned the largest number of hits (for this
type of test), so I thought I'd mention them:

BARRACUDA
HOSTKARMA-BLACK
ZEN
UCEPROTECT-2
UCEPROTECT-3
CBL 
SORBS 
UCEPROTECT-1
SPAMCOP
MXRATE-BLOCK

How does one go about replicating a zone locally to begin with?  Can you
replicate multiple zones locally?  Should you do this on the machine that is
hosting SmarterMail/Declude, or on another?

Sniffer is my best test.  INVURIBL used to be fantastic, but it doesn't fare
quite as well these days.  Does anyone recommend anything else?


Thanks for the discussion!

-- Michael Cummins








Re[4]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Sanford Whiteman
 How does one go about replicating a zone locally to begin with?  Can you
 replicate multiple zones locally?

Sure.

 Should you do this on the machine that is
 hosting SmarterMail/Declude, or on another?

 Sniffer is my best test.  INVURIBL used to be fantastic, but it doesn't fare
 quite as well these days.  Does anyone recommend anything else?


 Thanks for the discussion!

 -- Michael Cummins








Re[4]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Sanford Whiteman
*unsticks Ctrl key*

 How does one go about replicating a zone locally to begin with?

2 ways, depending on the BL. They could let you use standard DNS zone
transfer, or they could make you do an out-of-band HTTP/FTP download
of the zone.

--Sandy






RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread David Barker
IADB holds the IPs of good senders and helps reduce false positives so the
hit rate may be low but it is worth having. MAILPOLICE can be consolidated
into a single lookup.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Friday, July 10, 2009 2:58 PM
To: declude.junkmail@declude.com
Subject: RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

 And my other recommendation stands -- look into which BLs will let you
 replicate their zone/s locally.

Thank you for your advice.

Among other things, I've been reviewing the spam tests I've enabled.  I
thought I might share my observations with the list here, as a sounding
board.  Perhaps I will help someone, perhaps I will expose a poor decision.

I deactivated the following tests, because my DLAnalyzer told me that they
fetched less than 3% positives over the last 9 days (an arbitrary
selection):

AHBL 
AHBL-DOMAINS
DNSBL
IADB
LNG
MAILPOLICE-BLOCK
MAILPOLICE-DOMAIN
MAILPOLICE-FRAUD
MAILPOLICE-HELO
MAILPOLICE-REVDNS
MAILPOLICE-REVWEBMAIL
MXRATE-SUSPICIOUS
NJABL
VIRBL

I noticed that these tests had returned the largest number of hits (for this
type of test), so I thought I'd mention them:

BARRACUDA
HOSTKARMA-BLACK
ZEN
UCEPROTECT-2
UCEPROTECT-3
CBL 
SORBS 
UCEPROTECT-1
SPAMCOP
MXRATE-BLOCK

How does one go about replicating a zone locally to begin with?  Can you
replicate multiple zones locally?  Should you do this on the machine that is
hosting SmarterMail/Declude, or on another?

Sniffer is my best test.  INVURIBL used to be fantastic, but it doesn't fare
quite as well these days.  Does anyone recommend anything else?


Thanks for the discussion!

-- Michael Cummins








RE: Re[4]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Michael Cummins
How does this work then, if you don't mind me asking stupid questions...?

...Declude just does a DNS lookup on the defined server and checks to see if
it returns an authoritative or non-authoritative response for the host name
of the e-mail address, and then pass/fails on that?

I Googled a few of the more useful RBLs on my list.  So far, they all want
you to contact them for pricing.  That sounds scary.  Does anyone know how
much this kind of thing usually runs?  

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Sanford
Whiteman
Sent: Friday, July 10, 2009 3:20 PM
To: Michael Cummins
Subject: Re[4]: [Declude.JunkMail] Cutting down on DNS

*unsticks Ctrl key*

 How does one go about replicating a zone locally to begin with?

2  ways, depending on the BL. They could let you use standard DNS zone
transfer, or they could make you do an out-of-band HTTP/FTP download
of the zone.

--Sandy








RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Scott Fisher
Cbl is a subset of zen.spamhaus.org so you could be double scoring that.

UCEPROTECT-2 and UCEPROTECT-1 overlap considerably. You are probably double
scoring there.

DNSBL and IADB are whitelists. They would have lower scores.

SORBS is shutting down. Might want to remove that http://www.au.sorbs.net/

Mxrate-suspicious comes along with the same DNS test as MXRate-black. So no
need to disable that as it doesn't induce extra dns traffic.


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Friday, July 10, 2009 1:58 PM
To: declude.junkmail@declude.com
Subject: RE: Re[2]: [Declude.JunkMail] Cutting down on DNS


 And my other recommendation stands -- look into which BLs will let you
 replicate their zone/s locally.

Thank you for your advice.

Among other things, I've been reviewing the spam tests I've enabled.  I
thought I might share my observations with the list here, as a sounding
board.  Perhaps I will help someone, perhaps I will expose a poor decision.

I deactivated the following tests, because my DLAnalyzer told me that they
fetched less than 3% positives over the last 9 days (an arbitrary
selection):

AHBL 
AHBL-DOMAINS
DNSBL
IADB
LNG
MAILPOLICE-BLOCK
MAILPOLICE-DOMAIN
MAILPOLICE-FRAUD
MAILPOLICE-HELO
MAILPOLICE-REVDNS
MAILPOLICE-REVWEBMAIL
MXRATE-SUSPICIOUS
NJABL
VIRBL

I noticed that these tests had returned the largest number of hits (for this
type of test), so I thought I'd mention them:

BARRACUDA
HOSTKARMA-BLACK
ZEN
UCEPROTECT-2
UCEPROTECT-3
CBL 
SORBS 
UCEPROTECT-1
SPAMCOP
MXRATE-BLOCK

How does one go about replicating a zone locally to begin with?  Can you
replicate multiple zones locally?  Should you do this on the machine that is
hosting SmarterMail/Declude, or on another?

Sniffer is my best test.  INVURIBL used to be fantastic, but it doesn't fare
quite as well these days.  Does anyone recommend anything else?


Thanks for the discussion!

-- Michael Cummins
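
The pruning decisions raised in this message (a hit-rate cut-off, a test whose hits another test already covers, whitelists that are expected to score low, and tests that share one lookup), as an added example that is not part of the thread. The per-message log, the zone labels and the function names are constructed; the 3% cut-off is the figure from the quoted message, and the 95% coverage threshold is an assumption.

```python
from collections import Counter
from itertools import permutations

# Constructed sample: the set of tests that fired on each of 100 messages.
SAMPLE_LOG = (
    [{"ZEN", "CBL", "UCEPROTECT-1"}] * 40
    + [{"ZEN", "CBL"}] * 20
    + [{"ZEN", "MXRATE-BLOCK"}] * 10
    + [{"ZEN"}] * 5
    + [{"MXRATE-BLOCK"}] * 10
    + [{"UCEPROTECT-1", "SPAMCOP"}] * 4
    + [{"SPAMCOP"}] * 6
    + [{"VIRBL"}] * 2
    + [{"IADB"}] * 2
    + [{"MXRATE-SUSPICIOUS"}] * 1
)

# Constructed labels for "which DNS lookup feeds which test". The two MXRATE
# tests read the same answer, as noted in the message above.
SAMPLE_ZONES = {
    "ZEN": "zone-zen", "CBL": "zone-cbl", "UCEPROTECT-1": "zone-uce1",
    "SPAMCOP": "zone-spamcop", "VIRBL": "zone-virbl", "IADB": "zone-iadb",
    "MXRATE-BLOCK": "zone-mxrate", "MXRATE-SUSPICIOUS": "zone-mxrate",
}


def recommend(log, min_rate=0.03, cover=0.95, whitelists=("DNSBL", "IADB")):
    """Return {test: (reason, detail)} for tests that are candidates to drop.

    reason is "low-rate" (detail = hit rate) or "covered-by" (detail = the
    test that also fired on at least `cover` of this test's hits).
    Whitelist tests are never flagged: a low hit rate is normal for them.
    """
    total = len(log)
    hits = Counter(test for fired in log for test in fired)
    both = Counter(pair for fired in log
                   for pair in permutations(sorted(fired), 2))
    advice = {}
    for test, n in sorted(hits.items()):
        if test in whitelists:
            continue
        if n / total < min_rate:
            advice[test] = ("low-rate", round(n / total, 4))
            continue
        for other, m in sorted(hits.items()):
            if other == test or other in whitelists:
                continue
            # Only the smaller of two overlapping tests is flagged, so two
            # identical tests are never both dropped.
            bigger = m > n or (m == n and other < test)
            if bigger and both[(test, other)] / n >= cover:
                advice[test] = ("covered-by", other)
                break
    return advice


def zones_freed(advice, zone_of):
    """Zones that need no more queries: every test reading them is dropped."""
    kept = {zone for test, zone in zone_of.items() if test not in advice}
    dropped = {zone_of[test] for test in advice if test in zone_of}
    return sorted(dropped - kept)


if __name__ == "__main__":
    advice = recommend(SAMPLE_LOG)
    for test, (reason, detail) in advice.items():
        print(f"{test}: {reason} {detail}")
    print("lookups saved per message:", zones_freed(advice, SAMPLE_ZONES))
```

On the constructed data MXRATE-SUSPICIOUS is flagged, yet its zone is not freed because MXRATE-BLOCK still needs the same lookup.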








Re[6]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Sanford Whiteman
 ...Declude just does a DNS lookup on the defined server and checks to see if
 it returns an authoritative or non-authoritative response for the host name
 of the e-mail address, and then pass/fails on that?

Yes, same way DSBLs usually work, only when you replicate the zone,
your DNS server is authoritative, so there is no outside lookup.

 I Googled a few of the more useful RBLs on my list. So far, they all
 want you to contact them for pricing. That sounds scary. Does anyone
 know how much this kind of thing usually runs?

UCEPROTECT is free to replicate locally (HTTP or RSYNC)

http://www.uceprotect.net/en/index.php?m=6s=0

Note that the resulting downloaded file is in RBLDNS format. So you
would convert it to a standard zone file. What DNS server do you use?

Considering that UCEPROTECT folks say a maximum of 1,000 (!) direct
requests per day are supported, you would be well advised to replicate
this one.

--Sandy
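
The conversion step mentioned above (RBLDNS-format download to standard zone records), as an added example that is not part of the thread and not any list operator's tool. It assumes a simplified subset of rbldnsd's ip4set syntax (comment lines, `$` directives, a `:A:TXT` default line, IP or CIDR entries with an optional value), keeps only the A value, and runs on constructed sample data that reuses the 89.40.1.32 address quoted earlier in the thread.

```python
import ipaddress
from collections import defaultdict

BUILTIN_DEFAULT = "127.0.0.2"    # value used when a list sets none (assumption)

# Constructed sample in ip4set style, not real list data.
SAMPLE = """\
# comment line
$SOA 3600 ns.example.invalid. hostmaster.example.invalid. 1 3600 600 86400 3600
:127.0.0.2:listed
89.40.1.32
192.0.2.0/24
192.0.2.0/25
198.51.100.4/31 :3:other reason
""".splitlines()


def parse_value(spec, fallback):
    """Return the A value from 'A:TXT' (leading colon already removed)."""
    addr = spec.partition(":")[0].strip()
    if not addr:
        return fallback
    if addr.isdigit():                       # short form: '3' -> 127.0.0.3
        addr = "127.0.0." + addr
    return str(ipaddress.IPv4Address(addr))  # ValueError if malformed


def parse_ip4set(lines):
    """Return {a_value: [IPv4Network, ...]} for the supported subset."""
    default = BUILTIN_DEFAULT
    groups = defaultdict(list)
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;$":
            continue                         # comments and $ directives
        if line[0] == ":":
            default = parse_value(line[1:], BUILTIN_DEFAULT)
            continue
        if line[0] == "!":
            # An exclusion carves a hole in a listed range. Ignoring it would
            # list addresses the operator exempted, so fail loudly instead.
            raise ValueError(f"line {lineno}: exclusion entries not supported")
        target, _, rest = line.partition(" ")
        rest = rest.strip()
        value = parse_value(rest[1:], default) if rest.startswith(":") else default
        groups[value].append(ipaddress.IPv4Network(target))
    return groups


def owner_names(net):
    """Relative owner names for one network, split at octet boundaries.

    /32 -> d.c.b.a, /24 -> *.c.b.a, /16 -> *.b.a, /8 -> *.a; any other
    prefix is expanded to the next boundary (a /31 becomes two hosts).
    """
    boundary = max(8, (net.prefixlen + 7) // 8 * 8)
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[: boundary // 8]
        name = ".".join(reversed(octets))
        yield name if boundary == 32 else "*." + name


def to_zone_records(lines, ttl=3600):
    """Return zone-file lines (names relative to the zone origin)."""
    pieces = []
    for value, nets in parse_ip4set(lines).items():
        # Collapsing removes nested entries with the same value. A nested
        # name would otherwise hide the covering wildcard from its siblings.
        pieces += [(net, value) for net in ipaddress.collapse_addresses(nets)]
    pieces.sort(key=lambda p: (int(p[0].network_address), p[0].prefixlen))
    records, high = [], -1
    for net, value in pieces:
        if int(net.network_address) <= high:
            raise ValueError(f"{net} overlaps an entry with a different value")
        high = int(net.broadcast_address)
        records += [f"{name} {ttl} IN A {value}" for name in owner_names(net)]
    return records


if __name__ == "__main__":
    print("\n".join(to_zone_records(SAMPLE)))
```

The first record produced is the name from the earlier nslookup quote with the zone suffix removed; TXT text is dropped because the tests discussed here act on the A answer only.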







Re: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Darrell (supp...@invariantsystems.com)

INVURIBL used to be fantastic, but it doesn't fare
quite as well these days.  Does anyone recommend anything else?


invURIBL is extremely effective for me even more so now that 
(personally) I am using the invaluement lists which have been 
absolutely terrific.


The one problem with the URI lists now (URIBL) is that all of the 
providers are cutting off the free public access and moving to a pay 
model.  Chances are if invURIBL is not working well for you that your 
access to the URI lists has been cut off for excessive DNS queries.


Darrell




RE: Re[6]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Michael Cummins
 Note that the resulting downloaded file is in RBLDNS format. So you
 would convert it to a standard zone file. What DNS server do you use?

I'm using The MS DNS that comes on 2003 Server.  I have it installed on both
of the SmarterMail/Declude/Sniffer/INVURIBL boxes.

Is that a bad, or a good idea?

 UCEPROTECT is free to replicate locally (HTTP or RSYNC)
 http://www.uceprotect.net/en/index.php?m=6s=0

Thanks, I'll look into that!

It seems a few people here already do this.  What DNS servers do you use to
do this?  Do you use separate dedicated servers to do this, or do you do it
on your Declude server? 

Thanks for the discussion!

-- Michael Cummins







RE: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Michael Cummins
 invURIBL is extremely effective for me even more so now that 
 (personally) I am using the invaluement lists which have been 
 absolutely terrific.

Wow.  That blindsided me.  I was completely ignorant of how the product
worked.  I thought that Invariant Systems maintained their own list, and
that's what I was paying for.

I look to the bottom of the config file, and I see:

<add key="RBL1" value="sbl.spamhaus.org" />
<add key="Bitmask_Skip_Options_RBL1" value="2" />
<add key="Return_Code_RBL1" value="*" />
<add key="WEIGHT_RBL1" value="5" />

<add key="RBL2" value="cn.countries.nerd.dk" />
<add key="Bitmask_Skip_Options_RBL2" value="0" />
<add key="Return_Code_RBL2" value="*" />
<add key="WEIGHT_RBL2" value="3" />

<add key="RBL3" value="kr.countries.nerd.dk" />
<add key="Bitmask_Skip_Options_RBL3" value="0" />
<add key="Return_Code_RBL3" value="*" />
<add key="WEIGHT_RBL3" value="3" />

<add key="RBL4" value="ru.countries.nerd.dk" />
<add key="Bitmask_Skip_Options_RBL4" value="0" />
<add key="Return_Code_RBL4" value="*" />
<add key="WEIGHT_RBL4" value="3" />

I had no idea that's how it worked, shame on me!  I'll have to look into
those invaluement lists; I Googled them up and found this website:

http://dnsbl.invaluement.com/


Just glancing around their website, I see that they recommend RSYNC to
RBLDNSD formatted files.  The Invaluement people here recommend Simple DNS
Plus as a replacement for Windows DNS.  Would most people here make the same
recommendation?

It looks like it would cost me about $300 a year to subscribe to this.  This
stuff really adds up quick!

Thanks for the discussion :)

-- Michael Cummins








Re: Re[6]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Darin Cox
Hi Michael,

I'm using Windows 2003 DNS server as well, and have had no trouble with it 
at all.  There are some advantages to Simple DNS when it comes to 
integration and replication of an entire server, but I've made up those 
deficiencies with scripting around the DNSCMD utility in the Windows Server 
Resource Kit.

As for what server to use, the mail systems seem to perform better with a 
local DNS server for lookup, and we do DNSBL replication onto those servers 
as well.

Darin.


- Original Message - 
From: Michael Cummins mich...@i-magery.com
To: declude.junkmail@declude.com
Sent: Friday, July 10, 2009 4:37 PM
Subject: RE: Re[6]: [Declude.JunkMail] Cutting down on DNS


 Note that the resulting downloaded file is in RBLDNS format. So you
 would convert it to a standard zone file. What DNS server do you use?

I'm using The MS DNS that comes on 2003 Server.  I have it installed on both
of the SmarterMail/Declude/Sniffer/INVURIBL boxes.

Is that a bad, or a good idea?

 UCEPROTECT is free to replicate locally (HTTP or RSYNC)
 http://www.uceprotect.net/en/index.php?m=6s=0

Thanks, I'll look into that!

It seems a few people here already do this.  What DNS servers do you use to
do this?  Do you use separate dedicated servers to do this, or do you do it
on your Declude server?

Thanks for the discussion!

-- Michael Cummins







Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Sanford Whiteman
 Just glancing around their website, I see that they recommend RSYNC
 to RBLDNSD formatted files. The Invaluement people here recommend
 Simple DNS Plus as a replacement for Windows DNS. Would most people
 here make the same recommendation?

I really have nothing against Windows DNS, no security/stability FUD
or anything. *But* I always use SimpleDNS Plus for anything other than
Active Directory because of its feature set. For a relevant example
here, SDNS has a utility to parse down RBLDNS formatted files into its
own native blacklist format. I also like SDNS' NAT recognition feature
-- I have probably saved days upon days of configuration/replication
hell because of that. But you can continue to use Windows DNS and
DNSCMD and be fine for this purpose.

--Sandy







RE: Re[6]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Michael Cummins
 There are some advantages to Simple DNS when it comes to
 integration and replication of an entire server, but I've made up those
 deficiencies with scripting around the DNSCMD utility in the Windows Server
 Resource Kit.

Thanks, Darin!  

I've written scripts using DNSCMD before; I guess I should see what is
involved in RSYNCing that UCEPROTECT zone for starters.

SimpleDNS seems to come with a handy HTTP interface though; I could write
some custom Cold Fusion Components to manage the whole process.  I already
use a bunch of Cold Fusion scripts to parse DLAnalyzer reports every night
and drop them into SQL.  (DLAnalyzer is fantastic; just thought that should
be said again)

Should I post my notes here, or is this old hat for everyone on this list?

-- Michael Cummins







Re: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Darrell (supp...@invariantsystems.com)



Michael Cummins wrote:
invURIBL is extremely effective for me even more so now that 
(personally) I am using the invaluement lists which have been 
absolutely terrific.


Wow.  That blindsided me.  I was completely ignorant of how the product
worked.  I thought that Invariant Systems maintained their own list, and
that's what I was paying for.


The product is basically the conduit from the URI in the email to the 
list.  In fact if you wanted to you could host your own URI list 
internally and add domains as you see fit.  We have many customers that 
do this.



It looks like it would cost me about $300 a year to subscribe to this.  This
stuff really adds up quick!


While invaluement does charge, the cost to use their list is significantly 
less than what other lists charge once you are cut off.


Darrell





RE: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Michael Cummins
 The product is basically the conduit from the URI in the email to the 
 list.  In fact if you wanted to you could host your own URI list 
 internally and add domains as you see fit.  We have many customers that 
 do this.

I understand now.  

What does a record for URI look like in DNS?  How do you add IP addresses?
rDNS?  Is there a sample somewhere I could use as a guide?



Probably a crazy question, but if I wrote a script to harvest the current
blocks (for e-mail harvesting) out of SmarterMail (if such a thing could be
done) would that make a good or a bad local URI?

Good people don't ever end up on that list, do they?


Thanks again for the discussion!

-- Michael Cummins








[Declude.JunkMail] Cutting down on DNS

2009-07-06 Thread Michael Cummins
My declude boxes are really driving DNS traffic up, loads.

Is there any general advice on improving the efficiency of the various
declude checks to reduce the number of DNS hits?

Thanks!  

-- Michael Cummins







Re: [Declude.JunkMail] Cutting down on DNS

2009-07-06 Thread Sanford Whiteman
 My declude boxes are really driving DNS traffic up, loads.

As  in  humans  notice or as in my SNMP monitors notice... is this
actually negatively impacting performance of DNS or any other service?

Do you run local caching DNS (I hope so)? The other thing to look into
is zone transfers for eligible BLs.

--Sandy






RE: [Declude.JunkMail] Cutting down on DNS

2009-07-06 Thread Michael Cummins
Humans notice, because the traffic runs through a perimeter firewall that
checks port 53 traffic against its Intrusion Protection profiles (amongst
other things).  Lately, during periods of heavy activity it's been ramping
up the CPU and memory of the perimeter firewall.  I've noticed moments of
sluggishness as a result.

My two declude servers probably handle about 250k messages per day, but
around 90% of that is eliminated as waste. This waste still consumes
bandwidth and DNS connections.

During those periods of heavy activity, there are about 30k connections
through the firewall, and it seems that half of them, I'm guessing, are
wasted DNS lookups.  I'm guessing this because filtering the connections
reveals heavy port 53 activity on the Declude servers.

Yes, I run local DNS on the Declude Machines, but I've noticed that the
caching isn't all that effective.  To the perimeter firewall, a lookup is a
lookup, no matter what resource asked for it.

...unless I just don't understand, in which case I welcome being tapped into
place.

-- Michael



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Sanford
Whiteman
Sent: Monday, July 06, 2009 8:49 PM
To: Michael Cummins
Subject: Re: [Declude.JunkMail] Cutting down on DNS

 My declude boxes are really driving DNS traffic up, loads.

As  in  humans  notice or as in my SNMP monitors notice... is this
actually negatively impacting performance of DNS or any other service?

Do you run local caching DNS (I hope so)? The other thing to look into
is zone transfers for eligible BLs.

--Sandy








Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-06 Thread Sanford Whiteman
 Humans notice, because the traffic runs through a perimeter firewall
 that checks port 53 traffic against its Intrusion Protection
 profiles (amongst other things). Lately, during periods of heavy
 activity it's been ramping up the CPU and memory of the perimeter
 firewall. I've noticed moments of sluggishness as a result.

If you have 250,000 messages, each one does 10 lookups -- 2.5 million
remote lookups on its own is not overwhelming (of course, depending on
your raw upstream/downstream bandwidth, but I presume you have that
limit covered.) But 250,000 daily queries to an individual BL will
likely exceed their limits if they have one: overages may be timed out
or throttled down, adversely (and purposely) affecting the number of
attempted and simultaneous outbound connections.

What is the firewall model? What's the rated max UDP connections? The
rated max for wire-speed IPS inspection? Do these effects, in other
words, simply jibe with your use of a lowish-end firewall to do egress
filtering on some rather chatty servers?

If the results are not what you would expect from your hardware, do
you have some setting that is leaving connections open for too long?
A too-deep inspection profile being applied to these servers? If push
comes to shove, what about giving these machines their own dedicated
IPS and not filtering on the main unit?

 My two declude servers probably handle about 250k messages per day, but
 around 90% of that is eliminated as waste. This waste still consumes
 bandwidth and DNS connections.

Well, of course... if it didn't take DNS connections, you wouldn't
know it's waste (with the exception of those BL lookups which are
redundant with other tests or which rarely find listings -- and those
are lookups you should eliminate).

 Yes, I run local DNS on the Declude Machines, but I've noticed that
 the caching isn't all that effective. To the perimeter firewall, a
 lookup is a lookup, no matter what resource asked for it.

When a result is in the local DNS cache, there is no remote lookup, so
nothing goes through the firewall. Can you check the size of the cache
throughout the day and verify that you haven't turned something off so
that lookups are being passed through and not cached? It is of course
possible that you have few IPs that reconnect before their TTLs
expire, but that should be verified.

And my other recommendation stands -- look into which BLs will let you
replicate their zone/s locally.

--Sandy


