Spamhaus...

Crist Clark Crist.Clark at globalstar.com
Thu Feb 18 14:36:22 CST 2010


>>> On 2/18/2010 at 11:47 AM, Michelle Sullivan <matthew at sorbs.net> wrote:
> Crist Clark wrote:
>> We received such a message from a Spamhaus Datafeed reseller
>> and eventually had our DNS servers blocked. What angered me was
>> that I analyzed our usage, and we were well below the thresholds
>> and met the TOS published at the Spamhaus website for no-cost use.
>> However, they said we had to subscribe to the Datafeed despite
>> that because we have a Barracuda appliance.
>>   
> 
> Well aside from I remember reading that they look for Barracuda
> Appliances*, it does say on:
> http://www.spamhaus.org/organization/dnsblusage.html 
> 
> *Definition: "non-commercial use" is use for any purpose other than as
> part or all of a product or service that is resold, or for use of which
> a fee is charged. For example, using our DNSBLs in a commercial spam
> filtering appliance that is then sold to others requires a data feed,
> regardless of use volume. The same is true of commercial spam filtering
> software and commercial spam filtering services.

We do not fit into that. We are not selling an appliance or service
to others (the 'Cuda is for our internal corporate email only, not
customers). If we were still using my home-built SpamAssassin system,
it'd be OK to use Spamhaus. Now that we've purchased an appliance
and manually added Spamhaus to the user-customizable DNSBL list
on it, it's not OK?

>> And I want to know how they figured out we had a Barracuda.
>>
>>   
> 
> 
> * well have you considered that the Barracuda may be very specific in
> its IP stack, or the signature it produces in queries etc.  Might have
> a very specific open port for administration - and not forgetting that
> if it's making queries very directly it's exposing its IP address and
> therefore can be tested very simply.  Many different ways, and I bet I
> could find out if I were to have a device to look at.

I have considered that, but it would seem it must be some signature
in the queries. It does not query directly, but through our own
caching DNS servers (I won't name the DNS server software, but its
initials are B.I.N.D.).




