RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-13 Thread Michael Cummins
Actually, I was reading this when I thought of it, and thinking of how
INVURIBL reads the links inside of an e-mail and then compares them to a
configured RBL, like the recommended Invaluement paid subscription.

http://www.blue-quartz.com/rbl/

It would be much more efficient to store large numbers of IPs in DNS than it
would a plain text blacklist, wouldn't it - or am I wrong about that?

This is the relevant quote from this page:

  If a blacklisted IP address is in your rbl database it will exist in the
  DNS system.

  For example:

  if you blacklisted IP 89.40.1.32

  then doing a regular DNS lookup like this:

  nslookup test.rbl.mydomain.com
  nslookup 32.1.40.89.rbl.mydomain.com

  should result in a match of 127.0.0.2

I haven't figured out how to get the e-mail harvesting IP blocks out of
SmarterMail yet, but if I could script-insert them into DNS and then use
that as a local RBL, do you think that would be an effective tool?  Those
are the spammers that are banging on my door, right?

-- Michael Cummins



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
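The mechanism Michael quotes (reverse the octets, query under the zone, treat 127.0.0.2 as "listed") and the script-insert he asks about, as an added example that is not code from the thread, Declude or SmarterMail. The zone name rbl.mydomain.com and the 127.0.0.2 answer come from the page he quotes; the dnscmd form assumes the script runs on the Windows DNS server hosting the zone (Sandy mentions Windows DNS and DNSCMD later in the thread); the block list is constructed, not harvested from a mail server.

```python
"""Turn a list of IPs/CIDR blocks into a local DNSBL zone and query it.

Added example: the zone name, the 127.0.0.2 answer and the dnscmd form are
assumptions described in the lead-in; HARVESTED is constructed sample input.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

ZONE = "rbl.mydomain.com"   # hypothetical local zone, as in the quoted page
LISTED = "127.0.0.2"        # conventional "listed" answer
MAX_EXPAND = 1 << 16        # refuse to expand anything larger than a /16

# Constructed stand-in for blocks harvested from the mail server.
HARVESTED = [
    "89.40.1.32",                       # the quoted page's own example address
    "203.0.113.0/30  # constructed",    # a small block, with a trailing comment
    "2001:db8::1",                      # IPv6: skipped, the zone is IPv4-only
]


def reversed_octets(ip: str) -> str:
    """89.40.1.32 -> 32.1.40.89; raises ValueError on anything that is not IPv4."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """The name a DNSBL client queries, e.g. 32.1.40.89.rbl.mydomain.com."""
    return f"{reversed_octets(ip)}.{zone}"


def expand(entries: Iterable[str]) -> List[str]:
    """Expand single IPs and CIDR blocks into individual host addresses."""
    out: List[str] = []
    for raw in entries:
        raw = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not raw:
            continue
        net = ipaddress.ip_network(raw, strict=False)
        if net.version != 4:
            continue                                 # IPv4-only zone
        if net.num_addresses > MAX_EXPAND:
            raise ValueError(f"refusing to expand {raw} into {net.num_addresses} records")
        out.extend(str(a) for a in net)
    return out


def build_table(entries: Iterable[str], zone: str = ZONE, answer: str = LISTED) -> Dict[str, str]:
    """In-memory view of the zone: query name -> A record answer."""
    return {dnsbl_name(ip, zone): answer for ip in expand(entries)}


def dnscmd_lines(entries: Iterable[str], zone: str = ZONE, answer: str = LISTED) -> List[str]:
    """One 'dnscmd /RecordAdd' per address, for script-inserting into Windows DNS."""
    return [f"dnscmd /RecordAdd {zone} {reversed_octets(ip)} A {answer}"
            for ip in expand(entries)]


def _live_resolve(name: str) -> Optional[str]:
    """Real DNS lookup through the system resolver; None when there is no A record."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def table_resolver(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Resolver that answers from the in-memory table (offline stand-in for DNS)."""
    return lambda name: table.get(name.lower())


def is_listed(ip: str, zone: str = ZONE,
              resolve: Callable[[str], Optional[str]] = _live_resolve) -> bool:
    """True only when the answer lies inside 127.0.0.0/8. A resolver or ISP that
    answers NXDOMAIN with a real address would otherwise list every sender."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return False
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return addr.version == 4 and addr in ipaddress.ip_network("127.0.0.0/8")


if __name__ == "__main__":
    for line in dnscmd_lines(HARVESTED):
        print(line)
    local = table_resolver(build_table(HARVESTED))
    print(is_listed("89.40.1.32", resolve=local), is_listed("198.51.100.7", resolve=local))
```

The resolver is injected so the same `is_listed` runs against the in-memory table for testing and against real DNS in production; the 127.0.0.0/8 check is the caveat to keep, since any answer outside loopback space means the query was hijacked or misrouted, not that the sender is listed.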

Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-11 Thread Sanford Whiteman
> Probably a crazy question, but if I wrote a script to harvest the current
> blocks (for e-mail harvesting) out of SmarterMail (if such a thing could be
> done) would that make a good or a bad local URI?

Are you talking about turning a list of IPs into a list of
dotted-decimal URIs like http://1.2.3.4 ? That doesn't make sense.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: sa...@cypressintegrated.com

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/






Re: Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-11 Thread David Dodell


On Jul 10, 2009, at 12:50 PM, Scott Fisher wrote:

> SORBS is shutting down. Might want to remove that http://www.au.sorbs.net/

Actually their website announced that they found other hosting
arrangements and will not be shutting down at this time.






RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Michael Cummins
> And my other recommendation stands -- look into which BLs will let you
> replicate their zone/s locally.

Thank you for your advice.

Among other things, I've been reviewing the spam tests I've enabled.  I
thought I might share my observations with the list here, as a sounding
board.  Perhaps I will help someone, perhaps I will expose a poor decision.

I deactivated the following tests, because my DLAnalyzer told me that they
fetched less than 3% positives over the last 9 days (an arbitrary
selection):

AHBL 
AHBL-DOMAINS
DNSBL
IADB
LNG
MAILPOLICE-BLOCK
MAILPOLICE-DOMAIN
MAILPOLICE-FRAUD
MAILPOLICE-HELO
MAILPOLICE-REVDNS
MAILPOLICE-REVWEBMAIL
MXRATE-SUSPICIOUS
NJABL
VIRBL

I noticed that these tests had returned the largest number of hits (for this
type of test), so I thought I'd mention them:

BARRACUDA
HOSTKARMA-BLACK
ZEN
UCEPROTECT-2
UCEPROTECT-3
CBL 
SORBS 
UCEPROTECT-1
SPAMCOP
MXRATE-BLOCK

How does one go about replicating a zone locally to begin with?  Can you
replicate multiple zones locally?  Should you do this on the machine that is
hosting SmarterMail/Declude, or on another?

Sniffer is my best test.  INVURIBL used to be fantastic, but it doesn't fare
quite as well these days.  Does anyone recommend anything else?


Thanks for the discussion!

-- Michael Cummins








RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread David Barker
IADB holds the IPs of good senders and helps reduce false positives, so the
hit rate may be low but it is worth having. MAILPOLICE can be consolidated
into a single lookup.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com









RE: Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Scott Fisher
CBL is a subset of zen.spamhaus.org so you could be double scoring that.

UCEPROTECT-2 and UCEPROTECT-1 overlap considerably. You are probably double
scoring there.

DNSBL and IADB are whitelists. They would have lower scores.

SORBS is shutting down. Might want to remove that http://www.au.sorbs.net/

Mxrate-suspicious comes along with the same DNS test as MXRate-black. So no
need to disable that as it doesn't induce extra DNS traffic.






---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
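Michael's pruning rule (drop tests that hit under 3% of mail) and Scott's two corrections (CBL is inside ZEN so scoring both double-counts; a test that rides on another test's DNS query saves nothing when disabled) can be applied mechanically. The script below is an added example, not Declude or DLAnalyzer code: it takes one set of test names per message (Declude's log format is not assumed; the records are constructed by hand), reports hit rates, finds tests whose hits are almost always accompanied by another test, and counts the DNS queries a given disable list really saves. The MXRATE pairing is assumed to be MXRATE-SUSPICIOUS sharing MXRATE-BLOCK's lookup, per Scott's note.

```python
"""Find low-yield and redundant DNSBL tests from per-message results.

Added example. SAMPLE is constructed: (set of tests that hit, how many
messages looked like that). SHARED_LOOKUP is an assumption from the thread.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

SAMPLE_COUNTS = [
    ({"ZEN", "CBL", "SPAMCOP"}, 20),
    ({"ZEN", "CBL"}, 25),
    ({"ZEN", "BARRACUDA"}, 15),
    ({"BARRACUDA"}, 10),
    ({"SPAMCOP"}, 5),
    ({"VIRBL"}, 2),
    (set(), 23),
]
SAMPLE: List[Set[str]] = [hits for hits, n in SAMPLE_COUNTS for _ in range(n)]

# child test -> test whose DNS query it reuses (assumed from Scott's MXRATE note)
SHARED_LOOKUP = {"MXRATE-SUSPICIOUS": "MXRATE-BLOCK"}


def hit_rates(records: Iterable[Set[str]]) -> Dict[str, float]:
    """Fraction of messages each test hit."""
    records = list(records)
    counts = Counter(t for hits in records for t in hits)
    return {t: counts[t] / len(records) for t in sorted(counts)}


def low_yield(records: Iterable[Set[str]], threshold: float = 0.03) -> List[str]:
    """Tests below the hit-rate threshold (the 3% cut from the thread)."""
    return [t for t, r in hit_rates(records).items() if r < threshold]


def covered_by(records: Iterable[Set[str]], min_cover: float = 0.95) -> List[Tuple[str, str, float]]:
    """(a, b, frac): share of a's hits on which b also hit. frac near 1.0 means
    a is (nearly) a subset of b, so scoring both double-counts the same listing."""
    records = list(records)
    counts = Counter(t for hits in records for t in hits)
    both = Counter((a, b) for hits in records for a in hits for b in hits if a != b)
    return sorted((a, b, n / counts[a]) for (a, b), n in both.items()
                  if n / counts[a] >= min_cover)


def recommend_disable(records: Iterable[Set[str]], threshold: float = 0.03,
                      min_cover: float = 0.95) -> List[str]:
    """Low-yield tests plus subset tests; for two identical lists one is kept."""
    records = list(records)
    drop = set(low_yield(records, threshold))
    for a, b, _ in covered_by(records, min_cover):
        if b not in drop:          # never drop a because of a test we already dropped
            drop.add(a)
    return sorted(drop)


def lookups_saved(disabled: Iterable[str], n_messages: int,
                  shared: Dict[str, str] = SHARED_LOOKUP) -> int:
    """DNS queries saved per n_messages: one per message per query actually
    removed. A query goes away only when every test sharing it is disabled."""
    disabled = set(disabled)
    saved = 0
    for owner in {shared.get(t, t) for t in disabled}:
        group = {owner} | {c for c, p in shared.items() if p == owner}
        if group <= disabled:
            saved += n_messages
    return saved


if __name__ == "__main__":
    for test, rate in hit_rates(SAMPLE).items():
        print(f"{test:12s} {rate:6.1%}")
    print("covered:", covered_by(SAMPLE))
    plan = recommend_disable(SAMPLE)
    print("disable:", plan, "saves", lookups_saved(plan, len(SAMPLE)), "queries")
```

Run it over a day or two of real results before acting on the output: a list that looks redundant over a short window may still catch the odd listing the larger list lags on, which is why `covered_by` reports the fraction rather than a yes/no.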



Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-10 Thread Sanford Whiteman
> Just glancing around their website, I see that they recommend RSYNC
> to RBLDNSD formatted files. The Invaluement people here recommend
> Simple DNS Plus as a replacement for Windows DNS. Would most people
> here make the same recommendation?

I really have nothing against Windows DNS, no security/stability FUD
or anything. *But* I always use SimpleDNS Plus for anything other than
Active Directory because of its feature set. For a relevant example
here, SDNS has a utility to parse down RBLDNS formatted files into its
own native blacklist format. I also like SDNS' NAT recognition feature
-- I have probably saved days upon days of configuration/replication
hell because of that. But you can continue to use Windows DNS and
DNSCMD and be fine for this purpose.

--Sandy




Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: sa...@cypressintegrated.com

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/






Re[2]: [Declude.JunkMail] Cutting down on DNS

2009-07-06 Thread Sanford Whiteman
> Humans notice, because the traffic runs through a perimeter firewall
> that checks port 53 traffic against its Intrusion Protection
> profiles (amongst other things). Lately, during periods of heavy
> activity it's been ramping up the CPU and memory of the perimeter
> firewall. I've noticed moments of sluggishness as a result.

If you have 250,000 messages, each one does 10 lookups -- 2.5 million
remote lookups on its own is not overwhelming (of course, depending on
your raw upstream/downstream bandwidth, but I presume you have that
limit covered.) But 250,000 daily queries to an individual BL will
likely exceed their limits if they have one: overages may be timed out
or throttled down, adversely (and purposely) affecting the number of
attempted and simultaneous outbound connections.

What is the firewall model? What's the rated max UDP connections? The
rated max for wire-speed IPS inspection? Do these effects, in other
words, simply jibe with your use of a lowish-end firewall to do egress
filtering on some rather chatty servers?

If the results are not what you would expect from your hardware, do
you have some setting that is leaving connections open for too long?
A too-deep inspection profile being applied to these servers? If push
comes to shove, what about giving these machines their own dedicated
IPS and not filtering on the main unit?

> My two declude servers probably handle about 250k messages per day, but
> around 90% of that is eliminated as waste. This waste still consumes
> bandwidth and DNS connections.

Well, of course... if it didn't take DNS connections, you wouldn't
know it's waste (with the exception of those BL lookups which are
redundant with other tests or which rarely find listings -- and those
are lookups you should eliminate).

> Yes, I run local DNS on the Declude Machines, but I've noticed that
> the caching isn't all that effective. To the perimeter firewall, a
> lookup is a lookup, no matter what resource asked for it.

When a result is in the local DNS cache, there is no remote lookup, so
nothing goes through the firewall. Can you check the size of the cache
throughout the day and verify that you haven't turned something off so
that lookups are being passed through and not cached? It is of course
possible that you have few IPs that reconnect before their TTLs
expire, but that should be verified.

And my other recommendation stands -- look into which BLs will let you
replicate their zone/s locally.

--Sandy



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
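Sandy's point that a local cache only helps when the same IP reconnects before the TTL expires can be measured rather than guessed. The script below is an added example, not from the thread: it replays a constructed connection log through a TTL cache keyed on (IP, zone), counts how many lookups would leave the box, and scales that up to a per-day figure to compare against a list's published query limit. The zone names are two of the lists discussed in the thread; the timestamps and IPs are made up.

```python
"""Estimate what a local caching resolver saves for DNSBL lookups.

Added example. CONNECTIONS is a constructed log; ZONES are two lists named
in the thread; TTLs are parameters, not values published by those lists.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed connection log: (seconds since midnight, connecting IP).
CONNECTIONS: List[Tuple[int, str]] = [
    (0, "198.51.100.7"), (30, "198.51.100.7"), (90, "203.0.113.9"),
    (120, "198.51.100.7"), (400, "203.0.113.9"), (500, "198.51.100.7"),
]
# Every message is checked against each enabled zone.
ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]


def simulate_cache(events: Iterable[Tuple[int, str]], zones: Iterable[str],
                   ttl: int) -> Dict[str, int]:
    """Replay connections through a TTL cache keyed on (ip, zone).
    Returns total lookups, those answered locally, and those sent upstream."""
    zones = list(zones)
    expires: Dict[Tuple[str, str], int] = {}
    cached = remote = 0
    for t, ip in sorted(events):
        for zone in zones:
            key = (ip, zone)
            if key in expires and t < expires[key]:
                cached += 1            # answer still fresh: never leaves the box
            else:
                remote += 1            # miss or expired: goes through the firewall
                expires[key] = t + ttl
    return {"queries": cached + remote, "cached": cached, "remote": remote}


def project_daily(remote_in_window: int, window_seconds: int) -> int:
    """Scale upstream lookups seen over a window to a per-day count, the figure
    to set against a list's daily query limit."""
    return round(remote_in_window * 86400 / window_seconds)


if __name__ == "__main__":
    for ttl in (300, 3600):
        stats = simulate_cache(CONNECTIONS, ZONES, ttl)
        ratio = stats["cached"] / stats["queries"]
        print(f"ttl={ttl:5d}s  {stats}  hit ratio {ratio:.0%}  "
              f"~{project_daily(stats['remote'], 600)} upstream/day")
```

Feed it the real connection log from the mail server and the TTL the list actually returns (dig the zone's SOA or a known-listed name and read the TTL off the answer): if the projected upstream count is close to the raw connection count, the cache is not doing anything and the fix is zone replication or fewer tests, not a bigger cache.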