IP Block List Provider - Any downside?

  • Question

  • I'm thinking of implementing the "IP Block List Providers". Which one would you suggest?

    I have read only nice white papers on such a setting; is there any downside you experienced or can think of about "IP Block List Providers"?

    Thanks

    Friday, May 6, 2011 8:38 AM

Answers

  • Thanks, right now I'm more focused on understanding possible
    impacts/issues by enabling such feature.

    Based on your experience, did such a setting bring issues in your
    environment ?

    I have to admit that I'm not using the native exchange spam filtering
    (IMF ....) since, dating back to 15 years ago... or maybe more; I found
    a filtering solution which did fit my needs; anyways, this doesn't mean
    that I don't know how to set IMF up, just that imHo it lacks a number
    of features and this makes it look like a spam filter from 20 years ago
    (no, not kidding, nor trying to troll or start a flame, mind me) it's
    just that
    given the fact that you PAY it you'd expect to have some -at least-
    kind of decent and UP TO DATE smtp filtering but probably someone
    up in Redmond decided that we'll have to stay at the stone age or
    either pay some $$$ to buy a filtering product <sigh>

    See, the rules of thumb of whatever spamfilter are... allow the "admin"
    to set things in test mode and have a clear log of what's going on
    and, allow the admin to set "scores" for each spam check and reject
    a given message only if the score goes over the given limit; in both
    cases the exchange filtering fails, so... given that it doesn't even
    have
    a way to use DNSWL (whitelists, as opposed to blacklists, and which
    should be checked BEFORE DNSBL checks) the "risks", let's call them
    so for want of a better term, of using DNSBLs are mainly the classic
    false-positive ones, that is, a given sending host which, for a reason
    or another got listed in some DNSBL and is now unable to send you
    jun... ahem... email :) such an issue is usually solved by using the
    so called DNS whitelists (DNSWL), they work just like the DNSBLs
    but instead of listing "bad sending host" they list "good ones" so,
    the idea is basically to check DNSWLs first, see if the incoming IP
    (since that's what the server sees) is whitelisted and, if that's the
    case, skip whatever DNSBL lookup, otherwise, go on with the
    lookups and all the other stuff

    As (I hope) you realized by now, all this means trusting the opinion
    of the DNSBLs you're using, so, it's important to pick reputable ones
    and, at the same time, lists which won't "incorrectly list a big ISP IP
    by chance" but which will ensure that, if an IP is listed then it's at
    99%
    a BAD one; that's why I suggested the lists you'll see in my previous
    post; and, if you want, give it a spin, see how they work for you and
    then, make a decision; again, given that no one filters the same kind
    of stuff, it's all about agreeing about "where the borderline is"

    • Marked as answer by vcnz Friday, May 6, 2011 1:50 PM
    Friday, May 6, 2011 1:25 PM

All replies

  • I'm thinking of implementing the "IP Block List Providers".
    Which one would you suggest ?

    The "IP Block List Providers" better known as DNSBL
    filtering is a method of filtering incoming connections
    through the use of DNS lists which will return a "bad"
    value in case a given incoming IP is a known spam
    source; the pitfall whenever using such an approach
    is that you'll need to use some rather "conservative"
    lists, that is, lists which won't cause rejects on "good"
    senders just because they sent out a couple "junk" emails
    or the like

    My suggestion is to try the following lists

    zen.spamhaus.org
    ix.dnsbl.manitu.net
    bb.barracudacentral.org
    bl.spamcop.net
    combined.njabl.org
    v4.fullbogons.cymru.com

    and then, keep an eye on (monitor, check the logs of) your
    box to see how they're behaving and, if needed,
    adjust your settings; notice that the above lists are
    decently conservative and quite reliable (in my own
    experience) although, since not everyone "filters"
    the same, you'll need to check them by yourself
    also, and since you're at it; you may want to have
    a look at the websites related to the various lists

    http://www.spamhaus.org/zen/

    http://www.dnsbl.manitu.net/

    http://www.barracudacentral.org/rbl

    http://spamcop.net/bl.shtml

    http://www.njabl.org/

    http://www.team-cymru.org/Services/Bogons/

    HTH

    Friday, May 6, 2011 9:22 AM
  • zen.spamhaus.org
    ix.dnsbl.manitu.net
    bb.barracudacentral.org
    bl.spamcop.net
    combined.njabl.org
    v4.fullbogons.cymru.com

    forgot, sorry; if/when you'll enable DNSBL filtering
    it will be a good idea to set the rejection message
    to something meaningful; if you refer to this

    http://exchangeshare.wordpress.com/2009/02/06/how-to-customize-rbl-rejection-response-in-exchange-2007/

    you'll see that it's possible to create a custom reject
    message and, I recommend something like

    Sorry, your IP %0 is blacklisted by %2

    or either, for exchange 2007

    Sorry, your IP {0} is blacklisted by {2}

    so, in case someone's message gets incorrectly rejected
    the sender will have a clue about the list which caused such
    a rejection and may possibly fix the issue and get delisted

    Friday, May 6, 2011 9:40 AM
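The lookup mechanism from the replies above (reversed-octet query against each zone, DNSWLs consulted before any DNSBL, and a sender-facing rejection text that names the list), as an added example that is not code from the thread or from Exchange. The DNSBL zones are the ones listed in the thread; the whitelist zone list.dnswl.org, the stub resolver and its answers are constructed so the script runs offline, and the 127.255.255.0/24 exclusion reflects the range Spamhaus uses for query-error codes rather than listings.

```python
import ipaddress
import socket
from typing import Optional, Tuple

# Zones named in the thread; the whitelist zone is an assumption (a public DNSWL).
DNSWL_ZONES = ["list.dnswl.org"]
DNSBL_ZONES = [
    "zen.spamhaus.org",
    "ix.dnsbl.manitu.net",
    "bb.barracudacentral.org",
    "bl.spamcop.net",
    "combined.njabl.org",
    "v4.fullbogons.cymru.com",
]


def query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL/DNSWL is queried for: reversed IPv4 octets + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 zones only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Default resolver: the A record for name, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listing_answer(answer: Optional[str]) -> bool:
    """A genuine listing is an address inside 127.0.0.0/8. A public address (dead or
    wildcarded zone) must never cause a reject, and 127.255.255.0/24 is the range
    Spamhaus answers with for query errors (e.g. open-resolver use), not listings."""
    if answer is None:
        return False
    a = ipaddress.ip_address(answer)
    return (a in ipaddress.ip_network("127.0.0.0/8")
            and a not in ipaddress.ip_network("127.255.255.0/24"))


def classify(ip, resolve=live_resolver, wl_zones=DNSWL_ZONES,
             bl_zones=DNSBL_ZONES) -> Tuple[str, Optional[str]]:
    """DNSWLs first: a whitelist hit skips every DNSBL lookup (false-positive
    protection); otherwise the first DNSBL hit decides."""
    for zone in wl_zones:
        if is_listing_answer(resolve(query_name(ip, zone))):
            return "whitelisted", zone
    for zone in bl_zones:
        if is_listing_answer(resolve(query_name(ip, zone))):
            return "listed", zone
    return "clean", None


def rejection_message(template: str, ip: str, provider: str, lookup_domain: str) -> str:
    """Render both placeholder styles quoted in the thread (%0/%2 and {0}/{2}),
    so a wrongly rejected sender can see which list caused it."""
    for n in range(3):
        template = template.replace("%%%d" % n, "{%d}" % n)
    return template.format(ip, provider, lookup_domain)


# Constructed answers standing in for real DNS; no network access is needed.
FAKE_DNS = {
    "1.2.0.192.zen.spamhaus.org": "127.0.0.2",        # 192.0.2.1: listed
    "2.2.0.192.list.dnswl.org": "127.0.10.1",          # 192.0.2.2: whitelisted ...
    "2.2.0.192.zen.spamhaus.org": "127.0.0.2",         # ... even though a DNSBL also lists it
    "3.2.0.192.zen.spamhaus.org": "127.255.255.254",   # 192.0.2.3: error code, not a listing
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    template = "Sorry, your IP %0 is blacklisted by %2"
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"):
        verdict, zone = classify(ip, resolve=fake_resolver)
        print(ip, verdict, zone or "")
        if verdict == "listed":
            print("  550", rejection_message(template, ip, "Spamhaus ZEN", zone))
```

Run as-is it uses the stub; drop the `resolve=` argument to query the real zones. Note that the whitelist short-circuit is what keeps a big provider's IP deliverable even on a day when one of the blacklists mislists it.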
  • Thanks, right now I'm more focused on understanding possible impacts/issues by enabling such feature.

    Based on your experience, did such a setting bring issues in your environment ?

    Friday, May 6, 2011 12:57 PM
  • This is the one many of my clients use with good result:

    zen.spamhaus.org

    I would avoid subscribing to multiple.


    Recalling Exchange Messages Works! - http://www.windeveloper.com/recall/
    Wednesday, May 11, 2011 10:50 PM
  • zen.spamhaus.org

    I would avoid subscribing to multiple.

    Up to you, that list is good, sure, but, in my direct
    experience it only covers you from some types
    of spam sources that's why I add some other
    lists to the combo; see, the whole approach
    mostly depends from the volume of traffic your
    server handles; if it's quite high then improving
    DNSBL rejection means lowering the load due
    to other filtering methods (e.g. checking the
    email data) if, otherwise, your traffic is low then
    you may afford the idea of letting the email go
    down to other filters for processing

    Thursday, May 12, 2011 6:25 AM
  • Using a lot of the same technology is not that useful. What is useful is to combine different filtering technologies. In fact this is what makes modern filters so effective.

    RBLs are good at blocking certain types of spam. Content-based filters are good at blocking others.

    Then of course you have certain filters which are very effective for one type of organization but useless for others. For example character set filters…


    WinDeveloper IMF Tune http://www.windeveloper.com/imftune/ Recalling Exchange Messages Works! http://www.windeveloper.com/recall/
    Thursday, May 12, 2011 7:07 AM
  • Using a lot of the same technology is not that useful. What is useful
    is to combine different filtering technologies. In fact this is what
    makes modern filters so effective.

    I think you're missing the point, see, the spamhaus "zen" list focuses
    on some well defined kinds of spam sources (IPs) which means (and
    I can tell this from direct experience on several boxes and different
    connections/environments) that, the list alone will let some bad hosts
    slip through, this, in turn, means that they'll get to the "next level"
    of the
    spamfilter and, since usually they're designed to put the more "costly"
    (in computational terms) filters "up the chain" you'll end wasting your
    CPU cycles to reject a piece of junk which you may just have rejected
    by adding some additional lists to the "zen" one

    RBLs are good at blocking certain types of spam.
    Content-based filters are good at blocking others.

    There aren't just RBLs or "content filtering", or better said, those are
    what you have in the Exchange IMF, but that isn't the only filter around
    sure, it's what you get ... but that doesn't mean it's perfect or that
    the
    approach it uses is the only possible one; you're missing a whole lot
    of other types of filtering, see... each stage of an SMTP transaction
    carries some info - increasingly - up to contents and there are ways
    to run filtering at each single stage, not just at the connection one
    and
    at the "i got the whole message" one; not to say that while in IMF there
    is no way to use filters (including DNSBLs) in "weighted mode", there
    are other programs around allowing that ... and then some more

    Thursday, May 12, 2011 1:07 PM
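The scored filter chain the replies above argue for (a test mode that only logs, a per-check score with a reject threshold, and cheap connection-stage checks run before costly content checks so a DNSBL hit spares the CPU), as an added example that is not the thread's code nor any product's. The check names, weights, threshold and the sample messages are constructed, and the DNSBL check is a stand-in set lookup rather than a DNS query.

```python
import logging
from dataclasses import dataclass
from typing import Callable, Dict, List

log = logging.getLogger("spamchain")


@dataclass(frozen=True)
class Check:
    name: str
    cost: int        # relative cost: connection-stage checks are cheap, content checks expensive
    score: float     # points added to the message score when the check fires
    fn: Callable[[Dict[str, str]], bool]


@dataclass
class Verdict:
    score: float
    hits: List[str]
    action: str      # "reject", "accept" or "would-reject" (test mode)
    checks_run: int


# Constructed policy data standing in for real DNSBL answers and content rules.
LISTED_IPS = {"192.0.2.1"}
SPAMMY_PHRASES = ("cheap pills", "act now")


def dnsbl_hit(msg: Dict[str, str]) -> bool:
    return msg["ip"] in LISTED_IPS


def helo_not_fqdn(msg: Dict[str, str]) -> bool:
    return "." not in msg["helo"]


def body_spammy(msg: Dict[str, str]) -> bool:
    body = msg["body"].lower()
    return any(phrase in body for phrase in SPAMMY_PHRASES)


CHAIN = [
    Check("body-keywords", cost=100, score=3.0, fn=body_spammy),  # listed first on purpose; the sort reorders it
    Check("dnsbl", cost=1, score=5.0, fn=dnsbl_hit),
    Check("helo-not-fqdn", cost=2, score=2.0, fn=helo_not_fqdn),
]


def run_chain(msg: Dict[str, str], chain=CHAIN, threshold: float = 5.0,
              test_mode: bool = False) -> Verdict:
    """Run checks cheapest-first, accumulate a score and reject at the threshold.
    In test mode nothing is rejected and every check runs, so the log shows what
    *would* have happened; when enforcing, a settled verdict skips the costlier checks."""
    score, hits, run = 0.0, [], 0
    for check in sorted(chain, key=lambda c: c.cost):
        run += 1
        if check.fn(msg):
            score += check.score
            hits.append(check.name)
            log.info("%s: %s fired (+%.1f, total %.1f)", msg["ip"], check.name, check.score, score)
        if score >= threshold and not test_mode:
            break
    if score >= threshold:
        action = "would-reject" if test_mode else "reject"
    else:
        action = "accept"
    log.info("%s: %s score=%.1f hits=%s", msg["ip"], action, score, hits)
    return Verdict(score, hits, action, run)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    samples = [  # constructed messages
        {"ip": "192.0.2.1", "helo": "mail.example.net", "body": "hello"},
        {"ip": "192.0.2.50", "helo": "winxp", "body": "ACT NOW, cheap pills"},
        {"ip": "192.0.2.50", "helo": "mx.example.org", "body": "meeting at 10"},
    ]
    for sample in samples:
        for mode in (True, False):
            v = run_chain(sample, test_mode=mode)
            print(sample["ip"], "test" if mode else "enforce", v.action, v.checks_run, "checks")
```

Rolling a new list out in test mode first, then reading the "would-reject" lines in the log against known-good senders, is what the thread's "test mode plus clear log" rule of thumb amounts to in practice.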
  • Hi ObiWan,

    Please don't interpret my arguments strictly as contradictory to yours.

    My argument was not for or against IMF. I was making a general argument about the importance of mixing technologies. I can assure you that the technology mix approach is a standard in anti-spam solutions today.

    BTW I am also talking from experience since I have been involved in the development of 2 commercial anti-spam products.


    Recalling Exchange Messages Works! http://www.windeveloper.com/recall/
    Thursday, May 12, 2011 3:48 PM
  • Hi ObiWan,

    Hi there, Alexander !

    Please don't interpret my arguments strictly as contradictory
    to yours.

    I didn't, nor am I "fighting" at all :) just trying to expand and clear my
    point to ensure you get it right; sometimes I'm unclear, so... well :)

    My argument was not for or against IMF. I was making a general
    argument about the importance of mixing technologies.
    I can assure you that the technology mix approach is a standard
    in anti-spam solutions today.

    I see and understand, I wasn't against IMF either, sure, looking at
    it and at some other solutions (including forefront) IMF is "limited"
    yet... it's there and works well enough :)

    BTW I am also talking from experience since I have been involved in
    the development of 2 commercial anti-spam products.

    Hm... now I'm interested; I've been using an external filtering solution
    for my (and my customers) mailservers for years now and, while it
    isn't exactly easy to setup and master, it's a real killer (at least in
    my
    experience)... and there's a similar (not the same) commercial app
    which I tried some time ago and which I found quite good... mind naming
    the products ? If you can't then ok, no problem, I'll understand !

    Thursday, May 12, 2011 3:56 PM
  • Today I work on IMF Tune :))

    http://www.windeveloper.com/imftune

    I also worked on a reputation service which I believe no longer exists, not my fault though :)

    I also worked for one of the big Anti-spam/Security software companies, but that’s a secret.


    Recalling Exchange Messages Works! http://www.windeveloper.com/recall/
    Thursday, May 12, 2011 4:24 PM
  • Today I work on IMF Tune :))
    http://www.windeveloper.com/imftune

    I see... so, all in all, you're leveraging IMF :D

    I also worked on a reputation service which
    I believe no longer exists, not my fault though :)

    Hmm.... are you referring to a certain reputation service
    which declared on their website that they were like
    "Santa Claus" by chance :D ?

    I also worked for one of the big Anti-spam/Security software
    companies, but that’s a secret.

    Not going to ask you to break any NDA or whatever :)

    Thursday, May 12, 2011 4:34 PM
  • Well some people complain about the limitations of IMF.

    Others see that as an opportunity :)


    Recalling Exchange Messages Works! http://www.windeveloper.com/recall/
    Thursday, May 12, 2011 4:53 PM
  • Well some people complain about the limitations of IMF.

    Others see that as an opportunity :)

    Sure; as usual, each coin has two sides :D

    As for filtering, have a look at http://www.vamsoft.com/ the
    approach is the right one imHo and the product is similar
    to the one I've been using (and use) for quite a long time
    now... and btw it may give you ... some ideas :D

    Friday, May 13, 2011 7:00 AM
  • And that confirms what I told you before i.e. that spam filtering has to be dealt with using multiple filtering technologies.

    That was my main argument, and your link confirms just that :D

    Recalling Exchange Messages Works! http://www.windeveloper.com/recall/
    Monday, May 16, 2011 8:40 PM
  • And that confirms what I told you before i.e. that spam
    filtering has to be dealt with using multiple filtering
    technologies.

    Never wrote the opposite; DNSBLs represent just one
    amongst multiple filtering layers

    Tuesday, May 17, 2011 7:49 AM