Repeated Blacklisting / IP reputation
jgreco at ns.sol.net
Wed Sep 9 11:37:53 UTC 2009
> > Show me ONE major MTA which allows you to configure an expiration for
> > an ACL entry.
> > The problem with your opinion, and it's a fine opinion, and it's even a
> > good opinion, is that it has very little relationship to the tools which
> > are given to people in order to accomplish blocking. Kind of the question
> > I was contemplating in my other message of minutes ago.
> > If people were given an option to "block this IP for 30 minutes, 24 hours,
> > 30 days, 12 months, 5 years, or forever" - I wonder how many people would
> > just shrug and click "forever."
> > This may lead to the discovery of another fundamental disconnect - or two.
> > Sigh.
> > ... JG
> A cron job/schedule task with a script that removes said line would most
> likely do wonderous things for you. I could see a comment before each
> listing with a time/date that you use some regex fu on to figure out how
> long it was there and how long it should be there for. Simple! You
> could also automate it with a web frontend for noobs so they don't have
> to manually edit configuration files.
You /COMPLETELY/ missed the point.
If this was something that people felt was truly useful, then there would
be support for something like this. I mean, we've only had about 15 years
of spam-as-a-real-problem on the Internet. The perception by most admins
is that when you block someone, you want to block them for a Really Long
Time. If this wasn't true, then there would likely be an automatic
feature built in to MTA ACL entries to expire.
I didn't say you /couldn't/ do it. The problem is that the average spam
spewer is a long-term thing, so when you ACL off a host, you've probably
deemed the sender to be of no significant value to you, and you're not
expecting that they're suddenly going to become whitehat in two weeks, or
even six months.
Therefore, there's no default support built into MTA's for this, because
it /doesn't/ do anything "wonderous" for you.
I would agree that in the best case, we would want a default behaviour of
ACL removal when an IP block is reallocated by the RIR, but I don't see
an easy way to get there as a default behaviour of an MTA.
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
More information about the NANOG