SORBS?!

Jon Lewis jlewis at lewis.org
Fri Apr 6 19:02:49 UTC 2012


On Thu, 5 Apr 2012, Landon Stewart wrote:

> If the purpose of a blacklist is to block spam for recipients using that
> blacklist then a /32 works.  If the purpose of a blacklist is to annoy
> providers then a /24 works.  The most reputable and useful blacklists IMHO
> are Spamhaus and Spamcop - they don't block /24s.  Spamhaus sometimes does
> if your rwhois shows that a large amount of the /24 is owned by the
> offending party but generally they don't.

Spamhaus may not default to doing /24 listings for a /32 spam emitter, but 
they certainly do list /24s or shorter subnets when they feel it's 
appropriate.  They even do "escalations" to corporate mail servers on rare 
occasions when a provider appears to be complicit with spammers and 
ignoring their SBLs.

The purpose thing is an interesting question though.  Is the purpose of 
DNSBLs simply to help admins avoid accepting spam from spammers or to 
attempt to prevent spammers from operating on the internet?  For most of 
the DNSBLs I'm familiar with, I'd say they're trying to do both.

> Spamhaus encourages companies to resolve all the issues while only 
> blocking /32s by showing all the listings under your responsibility and 
> making it nice to see that list empty. Pretty simple.  Incidentally SORBS 
> usually blocks /24s and, as far as I know, provides no way for you to 
> look up all listings under a provider's responsibility (by AS or 
> otherwise).

That's really either not true or an oversimplification.  Spamhaus blocks 
shorter than /32 pretty frequently.  You could maybe argue that Spamhaus 
works harder to avoid innocent collateral damage.  Having not used SORBS 
for many years, I couldn't say if that's true or not.  The vast majority 
of my recent years' interactions with SORBS have been trying to get 
inappropriately listed IPs removed from their DUHL.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________



