spamhaus drop list

I'm looking to implement the Spamhaus drop list.
http://www.spamhaus.org/drop/index.lasso

On their FAQ they have a script that looks like it grabs the list's text
file and connects to a given router, and tells you what has changed in
the list, and what your router is null routing. I'm not sure if it then
removes the null routes if a list entry has been removed. I haven't
found much documentation on the net regarding this. In the future it
looks like you will be able to peer with them and null route traffic
from a private AS, which will be routes from the drop list. Right now
though, it looks like you'd have to update an ACL manually for any
changes to the list. Or use this script which null routes the traffic
(I guess it's not a big deal getting the syn packets, as long as the
mail won't send because of the null route). I am not sure if this
script updates the null routes automatically, or how to use it, I can't
find too much documentation.

Is there any documentation on this script, or another script available? What are
your suggestions?

thanks
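The question above asks whether stale null routes are withdrawn when an entry leaves the list. One way to handle that is to diff the list against the routes already installed, shown here as an added example (it is not the Spamhaus FAQ script and not code from anyone in this thread). It assumes the DROP text layout of one `CIDR ; SBL reference` per line with `;` starting a comment, an IOS-style `ip route ... Null0` syntax, and a hypothetical `protected` list of your own prefixes; all sample data is constructed.

```python
import ipaddress

# Constructed sample in the assumed DROP layout (documentation prefixes only).
SAMPLE_DROP = """\
; Constructed sample, not real list data
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
not-a-prefix ; SBL000003
"""

def parse_drop(text):
    """Return the set of IPv4 networks named in a DROP-style text file."""
    nets = set()
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()  # drop comment / SBL reference
        if not entry:
            continue
        try:
            nets.add(ipaddress.IPv4Network(entry))  # strict: rejects host bits
        except ValueError:
            continue  # malformed entry: skip it rather than guess
    return nets

def plan_changes(listed, installed, protected=()):
    """Diff the list against the null routes this tool installed earlier.

    'installed' must contain only routes managed by this tool, so that
    unrelated static null routes are never withdrawn. Entries overlapping
    a 'protected' prefix (your own address space) are never added.
    """
    wanted = {n for n in listed if not any(n.overlaps(p) for p in protected)}
    to_add = sorted(wanted - installed)
    to_remove = sorted(installed - wanted)  # delisted entries get withdrawn
    return to_add, to_remove

def ios_commands(to_add, to_remove):
    """Render the plan as IOS-style config lines, removals first."""
    cmds = [f"no ip route {n.network_address} {n.netmask} Null0" for n in to_remove]
    cmds += [f"ip route {n.network_address} {n.netmask} Null0" for n in to_add]
    return cmds

if __name__ == "__main__":
    # Constructed state: one route still listed, one that has been delisted.
    installed = {ipaddress.IPv4Network("192.0.2.0/24"),
                 ipaddress.IPv4Network("203.0.113.0/24")}
    add, remove = plan_changes(parse_drop(SAMPLE_DROP), installed)
    print("\n".join(ios_commands(add, remove)))
```

Review the generated lines before pushing them to a router, and treat an empty or unusually short download as a fetch failure rather than as a reason to withdraw every route.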

If you are using uRPF, the SYN packets won't get through either, because they came from an interface other than the null interface. Not so helpful interdomain, but it protects your customers from each other (as BCP 38 does in other cases).

Once upon a time, Fred Baker <fred@cisco.com> said:

Is there a competing droplist, that can be compared against Spamhaus's
droplist? That seems like an extraordinary claim, so I'm not satisfied
with the evidence provided. Is this not the best droplist?

Is there a competing droplist, that can be compared against Spamhaus's
droplist? That seems like an extraordinary claim, so I'm not satisfied
with the evidence provided. Is this not the best droplist?

Obviously the Spamhaus DROP list should be evaluated - you should not
use such lists unreservedly. That said, the Spamhaus DROP list contains
entries that *are* verifiably bad, e.g. the well published Cernel
85.255.112.0/20 prefix.

Regarding the extraordinary claim - consider the possibility that Nanog
has its share of kooks.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Also I don't like those lists at all

http://www.heise.de/ix/nixspam/dnsbl_en/

Heise do print the very important magazines IX, CT and others in Germany.
They depend on their emails coming through.

Kind regards
Peter

Quinn Mahoney wrote:

Extraordinary claims require extraordinary proof. Mr. Anderson gives little proof at all, and not even close to extraordinary proof, IMHO.

My personal experience is that Spamhaus is a highly respectable organization. They are by no means perfect, but I trust their judgement to a high degree, FWIW. The Spamhaus DNSRBLs are, I believe, the most used on the Internet. This suggests the rest of the Internet has a different opinion than Mr. Anderson.

I have not used MAPS, so I cannot comment on its utility, but I have never heard a single credible claim Mr. Vixie is a spammer, more or less a verifiable one. (Yes, that includes the claim below.) From my personal experience, Mr. Vixie is very much the opposite of a spammer. Mr. Vixie gave the Keynote speech at the NANOG conference yesterday, so I would submit the community at large disagrees with Mr. Anderson's assessment.

SORBS is probably not as highly regarded as Spamhaus, but as with Vixie, not one credible claim has ever been made that Michelle is a spammer, including the below. Again, the opposite is reality, and probably to the same extent as Vixie. (I.e. Some people think they go too far in fighting spam, not in sending it.)

Finally, John Levine is not a spammer either. I'm kinda tired of giving proof, so take my word for it, or not, as you please.

Anyway, just some personal opinions from someone who has had personal interaction with the people involved and used two of the three products mentioned. Not sure this was operational, but I felt the need to step up and defend people after you forwarded the outrageous claims below to the list. (No one on the list saw Mr. Anderson's claims other than you, because you were personally CC'ed.)

End of day, your network, your choice. I think you know mine.

http://wnagele.com/2007/06/19/spamhouseorg-vs-nicat/

Another problem with spamhaus, they want to earn money.
The Pirates Party in Germany is a nonprofit.
Nevertheless our mailers use fixed addresses and when
you query spamhaus long enough from a fixed address
you are put on a blacklist and fed wrong information.
Time and again all mails bounced. Every new mail admin
went through this cycle :)

Kind regards
Peter

Patrick W. Gilmore wrote:

I know. Who would expect that when you use a resource, the people who own and pay for that resource might want to be compensated? The least they should do is make these rules clear and prominent on their website so you could know before you use the resource!

Oh, wait, they do....

Is there a competing droplist, that can be compared against
Spamhaus's droplist?

Not that I've ever seen. Nobody else has the breadth of data that
Spamhaus does.

I've been using it for ages and based on zero complaints, it's never
blocked anything that any of my users wanted.

R's,
John

John Levine wrote:

Not that I've ever seen. Nobody else has the breadth of data that
Spamhaus does.

I've been using it for ages and based on zero complaints, it's never
blocked anything that any of my users wanted.

R's,
John

I have to agree with this... I'm somewhat surprised to see some of the comments here. I've found their service to work well and have never received customer complaints.

Patrick W. Gilmore wrote:

I have not used MAPS, so I cannot comment on its utility, but I have
never heard a single credible claim Mr. Vixie is a spammer, more or less
a verifiable one. (Yes, that includes the claim below.) From my personal
experience, Mr. Vixie is very much the opposite of a spammer. Mr. Vixie
gave the Keynote speech at the NANOG conference yesterday, so I would
submit the community at large disagrees with Mr. Anderson's assessment.

The former MAPS offerings have been owned by Trend Microsystems since 2005, and I'm fairly certain that Mr. Vixie hasn't been involved in that project since before Trend took over. There's more information at http://www.mail-abuse.com/.

(Full disclosure: I worked for the Mail Abuse Prevention System from 2000-2001.)

I strongly concur with John: using the Spamhaus DROP list is incredibly
effective not just against spam but against many other forms of abuse.
I use a script to update various routers/firewalls/mail systems once
a week, and there have been no problems of any kind with it.

---Rsk