RBLs in use
clewis at nortelnetworks.com
Thu Nov 20 17:06:35 UTC 2003
Suresh Ramasubramanian wrote:
> You need a fairly wide coverage of BLs.
> # Open proxies - http://opm.blitzed.org and
I would add the SORBS http and SORBS socks lists to this.
> # Open relays - http://www.ordb.org
I'd add VISI to that too.
> # Dialup and DSL/cable dynamic IPs - http://dynablock.easynet.nl
> # Current spam sources - http://cbl.abuseat.org [strongly recommended]
CBL tends to list only open proxies and spam trojans, but there are a few
"classic viri emitters" (i.e., Yaha) and a _very_ small number of "grossly
misconfigured mail servers" in it too. All of which you want to know
What you can do is do zone downloads of the open relay/proxy/CBL lists
above and correlate them to your own netblocks. _Very_ helpful in
finding compromised systems.
With dynablock, you may want to audit it for accuracy against your IP
allocations. They're responsive to update requests.
SBL/SPEWS identifies your spammers. But as Suresh says, be careful to
interpret the SPEWS listings correctly, so you nail the spammer, not the
There are a lot more DNSBLs, but the above ones are the most respected,
important and useful for your purposes. XBL & Spambag, for example, are
too rabid to worry about. Anybody who uses them gets what they deserve.