> (2) the fact that the IP is in reverse order.

How do you then enter ranges? For example, one of the rbldnsd zone
examples I've seen have entries such as:

That does not look to be in reverse order, as the host octet is still last.

> foo.example.com: System
> in my experience, I haven't been able to get this to work unless I put a
> space just before the first colon, as follows
> foo.example.com : System

That was my exact problem that caused me to write this post. It was
frustrating that ip4set worked fine, but dnset always failed because
of that.

> But sometimes you don't need that and can simply use just the domain or IP
> on each line, since much of that can be accomplished with a single line
> at/near the top of the file, such as this one that I use for the invaluement
> URI list:
> : by ivmURI - see http://www.invaluement.com/lookup/?item=$

Yes, this is what I've settled on for now.

> of course, the most difficult part is not collecting spammy IPs and
> domains... that part is easy. The most difficult part is knowing when NOT to
> blacklist a domain--which would be a decoy domain found in a spam, that
> wasn't the actual "payload" for the spam and is instead an innocent
> bystander's domain -- and/or generally keeping FPs super low. THAT is the
> hard part.

Yeah, absolutely. That's a large part of what's been delaying my
progress with my honeypots. It's still in progress, but one thing I've
been doing is checking my entries against existing whitelists, and
other ways such as seeing how long they've been around, etc.

> But try this and blacklist:
> .blogspot.com
> ...and trigger massive FPs... when you should have listed:
> .somehorrificspammerfromhell.blogspot.com

Yes, exactly. I've just been doing specific hostnames.

I appreciate that this is slightly off-topic, but it's an extension of
SA. Thanks so much for your help. Your service is great, btw.

Reply via email to