Not true. There are plenty of large sites that use them (e.g., AOL), and many sites use them to help ensure that they themselves don't get added to the black lists.
IMO, there is a serious risk of having DNSBL servers attacked and used as a DoS.
The easiest way would be to check to see if the servers being used are open public caching recursive servers, in addition to their authoritative services. If so, then they would be open to cache poisoning attacks.
That said, I think the bigger black list services are run by people who have at least half a clue as to how a nameserver should be operated, and therefore they should be relatively secure. However, they would still be at risk if one of their parent zones is served by a nameserver that mixes both authoritative service & caching/recursive service, and therefore would be easily subject to cache poisoning.
A slightly different sort of DOS from what you mean would be what we got a
few days ago. I got a call from our Noc about problems with our
old (but still online) incoming mail servers. They were taking about a
minute to put up their SMTP banner when you connected to them.
Turned out the problem was that we were using bl.spamcop.net which was
being DOSed at the time ( according to most reports, some said they had
upstream link problems ) .
The live servers are using spamassassin which has decent timeouts so they
were not affected. We try and slave as many RBLs as possible locally
to avoid these sort of problems.
> IMHO Even the really large DNSBL's are barely used -- I think
> (much) less than 5% of total human mail recipients are behind
> a mailserver that uses one...
Not true. There are plenty of large sites that use them (e.g.,
AOL), and many sites use them to help ensure that they themselves
don't get added to the black lists.
Is true.. those "large sites" still account for an infinitely small percentage
of the net.
IMO, there is a serious risk of having DNSBL servers attacked and
used as a DoS.
Yes, there is a risk but the exposure is negligble if it does occur. I'm
all for anti-spam measures but unless they're universally adopted and the
world governments start putting spammers out of business, these anti-spam
blacklists are more of an annoyance operated by a radical fringe of the
I get 500-600 pieces of spam a day, and there is nothing I can do about it.
This topic has also been discussed to death before, the potential for a
DoS atatck is patently obvious to everyone.
(I also trimmed the Cc list)