monkeys.dom UPL being DDOSed to death

Jack Bates jbates at brightok.net
Wed Sep 24 15:48:44 UTC 2003


Geo. wrote:

> 
> There shouldn't be a need for any removal process. A server should be listed
> for as long as the spam continues to come from it. Once the spam stops the
> blacklisting should stop as well. That is how a dynamic list SHOULD work.
> 

Depends on the type of listing. Open proxies and open relays are best 
removed by request of owner once they are fixed or staled out after a 
retest at a later time, although retests should be far and few between 
(many use anything from 1-6 months). Just because spam is not 
temporarily coming from an insecure host does not mean that the host has 
been secured.

Direct Spam is difficult to automatically detect, and reports are not 
always accurate (see SpamCop). It tends to be a very manual process. A 
lot of work goes into maintaining a list like SBL or SPEWS.

Spam is also very transient, which makes local detection of a spammer's 
activities difficult. They may just be focusing on someone else for a 
week or two before plastering your servers again. If you remove them, 
they will do considerable damage before they get relisted via the manual 
process (delay between first email received and first recipient 
reporting can easily exceed hours).

The other issue with shared listings is what one considers acceptable or 
unacceptable. Easynet, for example, lists a lot of mail senders which I 
accept mail for due to user demand. They consider the email spam or 
resource abuse (broken mailers) while I am meeting the demands of my 
customers who are paying to receive the email. This isn't a collateral 
damage issue. It is an issue of where a network decides to draw the line 
on accepting or rejecting email.

-Jack
