Spamhaus BGP feed experiences?


Any ISPs out there (big or small) ever used the Spamhaus BGP feed to
protect against botnets, spam, etc.? If so, how has your experience been? Is
it worthwhile? Has it helped? On / off list responses are appreciated in

Thank You,

We use Spamhaus DROP (not the BGP version: our software asks a human to
review each change).
The benefits are not obvious since we do not have access customers, but
it will blackhole some networks you obviously do not want to talk to,
and it has not caused any troubles either.

We've been using the BGP feed for a little over a year now.
We had some problems with malware infected end user PCs causing
upstream congestion resulting in "slow internet" complaints.
The Spamhaus feed definitely helped a little with our problem but
it's not the magic super tool to completely stop malware in your
On the other hand there was no complaint due to a false positive (a
couple of years ago we had one complaint due to a false positive on the
EDROP list).

Best Regards,
Frederik Kriewitz

How many false positives (i.e. blackholing traffic users want to reach)?

In article <> you write:

How many false positives (i.e. blackholing traffic users want to reach)?

Very little. The DROP list, which is what's in the BGP feed, is a
small subset of the SBL, and only includes blocks that send no
legitimate traffic at all.

At <> we check our data against the DROP list every once in a while. The overlap of DROP with legitimate sources of SMTP traffic is very, very small: a low single-digit number, and most of them are crappy to start with (so we don’t publish them, but only keep them in our database for reference purposes).

— Matthias
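Two of the replies above describe concrete workflows: one operator has software that presents each DROP change to a human before it is applied, and another periodically checks their own traffic data against the DROP list to measure overlap with legitimate SMTP sources. The following is an added example (not code from any poster or from Spamhaus) showing both steps in Python: it parses text in the DROP list's line format (`CIDR ; SBL-id`, with `;` starting a comment), diffs two snapshots to produce the additions and removals a reviewer would approve, and reports which observed mail-source addresses fall inside a listed range. The two snapshots, the SBL ids and the observed addresses are constructed sample data (RFC 5737 documentation ranges), not real Spamhaus entries.

```python
"""Added example: parse Spamhaus DROP-format text, flag snapshot changes for
human review, and measure overlap with observed SMTP source addresses.
All data below is constructed; the SBL ids are placeholders."""
import ipaddress

# Constructed DROP-style snapshots (not real Spamhaus data).
DROP_OLD = """\
; Spamhaus DROP List (constructed sample, not real data)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
"""
DROP_NEW = """\
; Spamhaus DROP List (constructed sample, not real data)
192.0.2.0/24 ; SBL000001
203.0.113.0/24 ; SBL000003
"""

# Constructed sample of addresses seen sending mail to us.
OBSERVED_SMTP_SOURCES = ["192.0.2.77", "203.0.113.5", "10.0.0.1", "198.51.100.9"]


def parse_drop(text):
    """Return {ip_network: sbl_id} from DROP-format text.

    Blank lines and lines that are only a ';' comment are skipped; anything
    after ';' on a data line is the SBL reference."""
    entries = {}
    for raw in text.splitlines():
        parts = raw.split(";", 1)
        cidr = parts[0].strip()
        if not cidr:
            continue
        sbl = parts[1].strip() if len(parts) > 1 else ""
        entries[ipaddress.ip_network(cidr, strict=False)] = sbl
    return entries


def _net_key(net):
    # Sort key that works across IPv4 and IPv6 entries.
    return (net.version, int(net.network_address), net.prefixlen)


def diff_drop(old, new):
    """Changes between two parsed snapshots, as a reviewer would see them.

    Only networks in 'added' would become new blackhole routes; 'removed'
    networks should be withdrawn from the blackhole table."""
    added = sorted(set(new) - set(old), key=_net_key)
    removed = sorted(set(old) - set(new), key=_net_key)
    return {
        "added": [(str(n), new[n]) for n in added],
        "removed": [(str(n), old[n]) for n in removed],
    }


def overlap(addresses, entries):
    """Observed addresses that fall inside a DROP range.

    Returns a list of (address, matching_network, sbl_id); each address is
    reported at most once. A small result here is what the thread describes
    as a low false-positive rate for the list."""
    hits = []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        for net, sbl in entries.items():
            if ip.version == net.version and ip in net:
                hits.append((a, str(net), sbl))
                break
    return hits


def overlap_ratio(addresses, entries):
    """Fraction of observed addresses that are inside a DROP range (0.0 if none observed)."""
    if not addresses:
        return 0.0
    return len(overlap(addresses, entries)) / len(addresses)


if __name__ == "__main__":
    old, new = parse_drop(DROP_OLD), parse_drop(DROP_NEW)
    changes = diff_drop(old, new)
    print("For review - added:", changes["added"], "removed:", changes["removed"])
    print("Observed sources inside DROP:", overlap(OBSERVED_SMTP_SOURCES, new))
    print("Overlap ratio: %.2f" % overlap_ratio(OBSERVED_SMTP_SOURCES, new))
```

In practice the snapshots would be the previous and current downloads of the DROP file and the observed addresses would come from the MTA logs; the `diff_drop` output is the list a reviewer approves before anything reaches the blackhole routing table, and `overlap` run over real mail-source data is the periodic sanity check Matthias describes.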