A word on DNS blacklists.

There seems to be some disagreement regarding use of DNS blacklists (“DNSBLs”) among some members of the Internet community (pro-DNSBL here and slightly con here, for example).

This is fine, they’re both valuable notices and opinions. What bothers me a little is the seeming lack of understanding (mostly from commenters) of how they work in practice, how they’re actually implemented on mailservers and the reasons for listing. Interestingly these arguments seem to rear up only when someone’s fave domain / service gets listed on a widely used blacklist.

Any blacklist entry is just a simple DNS A/TXT record, nothing more. It’s not going to hunt you down and eat your brain. They even go away after a while and life goes on.

But seriously…

Like any service, there will be good examples and not-so-good examples. The arguments against seem to focus on

  • “Political listings!!eleventyone!” cries (often accompanied by accusations of censorship/ulterior motive on the part of the DNSBL maintainers)

Some are indeed poorly maintained and have contained spite listings (ORBS from the old days was a frequently cited example, SORBS is often accused of same; I don’t necessarily agree, I think it’s just too broad and poorly maintained) but the bigger names – Spamhaus, what was MAPS (now owned by Trend Micro?) in particular need to be impartial and accountable as they have paying customers.

Even the other “big names” – NJABL and DSBL to name two – need some level of openness if they’re going to be widely used and taken seriously – and in these cases I think they do. In the case of gmail.com, look at the listing and their stated processes – frankly it looks pretty clear that it’s purely a technical decision; someone at Google allowed the box to relay mail for clients it shouldn’t, which is hard to fuck up these days but still possible if you’re not paying attention.

A tester found this and submitted it, and it tested positive. Simple as that. No politics or such involved. Do folks believe Google should get a free pass on this because they’re Google? Not me – that’d be doing them (Google) a disservice. Open SMTP relaying is a security issue and it’s imperative to let folks know, especially the maintainers of the service.

  • “They’re ineffective”

So, what’s the alternative? Legislation hasn’t cut it, nor will it. Bayesian filtering is OK, but as implemented isn’t a panacea or useful on its own. Rule / regexp based filtering is too prone to false negatives as well as positives. Challenge-response mechanisms? Fsck off, they generate more noise than the spam itself. I can pull up plenty of examples with not too much effort.

DNS blacklists at least cut down on obvious junk from the “known” spam systems / networks, misconfigured proxies, botnets and zombies. Your own choices of scoring/filtering can take care of the rest. Ask any DNSBL-using provider – and there’s a lot of them (including mine, as well as my own systems).
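To make concrete both the “it’s just an A record” point above and the “your own scoring takes care of the rest” point, here is an added example (mine, not from the original post) of how a mailserver actually consults a DNSBL: reverse the octets of the connecting IP, look the name up under the list’s zone, treat a 127.0.0.x answer as “listed”, then apply local policy. The zone names, return codes, listings and the stand-in resolver are all constructed for the example; only the 127.0.0.2 test entry / 127.0.0.1 never-listed convention comes from RFC 5782.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed zone names for the example, not any real DNSBL.
ZONES = ["sbl.dnsbl.example", "proxies.dnsbl.example"]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a mailserver looks up: reversed octets under the list's zone."""
    addr = ipaddress.IPv4Address(ip)            # raises on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

# Stand-in for the DNS resolver so the example runs offline. Maps query names
# to the A record the list would return; a missing key is NXDOMAIN (not listed).
# Constructed data; uses RFC 5737 documentation addresses for the "listings".
FAKE_ZONE_DATA: Dict[str, str] = {
    "2.0.0.127.sbl.dnsbl.example": "127.0.0.2",         # RFC 5782 test entry
    "2.0.0.127.proxies.dnsbl.example": "127.0.0.2",     # RFC 5782 test entry
    "9.100.51.198.sbl.dnsbl.example": "127.0.0.2",      # constructed listing
    "20.2.0.192.proxies.dnsbl.example": "127.0.0.3",    # constructed listing
}

def fake_resolve_a(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)

def check_ip(ip: str, zones: List[str],
             resolve_a: Callable[[str], Optional[str]] = fake_resolve_a) -> Dict[str, str]:
    """Return {zone: A record} for every zone that lists ip; empty dict means clean."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve_a(dnsbl_query_name(ip, zone))
        # Only a 127.0.0.0/8 answer counts. A lapsed list whose domain has been
        # re-registered with a wildcard A record would otherwise "list" everyone.
        if answer and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            hits[zone] = answer
    return hits

# Local policy: the weight per list and the reject threshold are set here,
# on the receiving server, not by the blacklist operator.
WEIGHTS = {"sbl.dnsbl.example": 5.0, "proxies.dnsbl.example": 2.5}
REJECT_AT = 5.0

def decide(ip: str) -> str:
    """'reject' at or above threshold, 'tag' for a weaker hit, 'accept' otherwise."""
    hits = check_ip(ip, ZONES)
    score = sum(WEIGHTS[zone] for zone in hits)
    if score >= REJECT_AT:
        return "reject"
    return "tag" if hits else "accept"
```

The same IP listed on the same list gives different outcomes under different `WEIGHTS`/`REJECT_AT`, which is exactly why the listing alone is not what blocks your mail.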

  • “They can’t be trusted”

This is a daft argument. Really – I suppose proponents of such arguments don’t allow DNS either? You’re never quite sure if a packet is spoofed / poisoned or not. Why do you trust Verisign / Thawte to sign that SSL cert? Is that PGP key really Phil Zimmermann’s?

But they all have policies and best-practice documents. Verisign are trusted because they’ve shown themselves to be so over time (plus contracts to ensure same, I’d imagine) and they check their documents thoroughly. DNS has DNSSEC for the paranoid, and the roots are distributed and maintained professionally. PGP – ever heard of “web of trust” or key-signing parties? No one is forcing you to trust a key owned by someone unmet…

No one with a half-clue is going to implement or add a DNS blacklist or any security feature without at least looking at the consequences and practical realities of said action. They’re going to Read The Fucking Manual or Check The Fucking Policy first, at least you’d hope. If they’ve got users and customers, they’re going to notify them via policy that this is going to take place (for ISPs, make it clear in the terms at signup if need be).

Again, DNSBL maintainers are reliant on their record as good citizens, otherwise no one’s going to use them. They publish policies and guidelines for use so even the most inept excuse for a sysadmin can use them and users can understand why they’re there. They publish the listings with appropriate information regarding how and why a listing exists. What more accountability can you ask for without a contract?

I personally like some lists – not all, my Anti-Spam pages and some of my wiki documents outline what I prefer and use. They cut out a lot of spam – not all of it, but as mentioned a lot of it (Spamhaus rejects a LOT of crap) and surprisingly I’ve not had a false positive in recent memory – and I check my logs carefully (viva pflogsumm!). I’ve also been at this spam-fighting game for around 10 years (NANAE posts going back to ’97ish) and remember some of the bigger players when they were just starting up!

My point, in summary: They’re not a panacea but they’re not inherently evil, political or a censorship tool. They’re just DNS records!

On their own, they do little – it’s HOW and WHERE they’re implemented that matters. Poor choices will lead to poor results and vice versa. Use them wisely if you choose to!

Don’t go apportioning blame where it’s not deserved – the blacklist doesn’t set your local policy and blacklist (non)usage, you/your sysadmin does.

DNSBL operators just provide a tool and instructions on how to use it, along with relevant support information and policies. If you don’t like them – don’t use them (or don’t use the parts you don’t want, most are fairly modular now) if you do, go for it – but be aware of the consequences.

Pre-Christmas message :-)

A few things:

Life:

  • Spending Christmas with the family this year. As is tradition, I’ll be sleeping on the couch/floor/other non-bed flat surface.
  • Dad is not well, unfortunately. We’ll find out more next week from the specialist.
  • Organized a fortnight off work starting new year. I’m not going anywhere, as long as I don’t have to deal with computers that aren’t mine I’m happy.
  • Got Bri her Christmas present a little early. Her friendship is her gift to me, something you can’t put a price on.
  • Trying to keep up the gym work, but overtime at work seems to hamper it.

Tech:

  • Finally got the Samba domain sorted out. I don’t really need LDAP – it would be nice but it’s not essential.
  • Word to the wise – always clean the dust bunnies out of your servers regularly. My case temp dropped 6 degrees after a cleanup last week.
  • Switched version control for my code/website/RPM specs and patches from Subversion to Bazaar-NG. Turns out I’ve never used Subversion correctly anyway (basically nobbled proper trunk/branch/tag usage) so I pulled the code and did a clean import into a new bzr repo. It’s working OK so far.
  • All disk / crash issues with defender are sorted out now.
  • Few packages to update and nothing really interesting to add barring maradns, which I’ve been meaning to do for a while. Pity there’s no IPv6 support for recursive/caching service otherwise I’d replace BIND on my servers.
  • WTFs: Steam is down, so I can’t play HL2 or even pull updates. CPAN mirrors in Australia are also a little lacking – I’ve been trying to update my CGI::Session RPM but I can’t pull the current tarball from ilisys or PM/AARNet.

Work:

  • As it’s almost the end of the year, things are slowing down, which will mean less support work and more chances for me to get some processes and scripts cleaned up. I’ve been waiting to do some of this for months.
  • More people in the team in January, also badly needed.
  • Had the company Christmas party last night at the Rugby Club (Eagle Street Pier). Nice place, but like the last 2 years it was merely finger food + obento (with rice!?). The theme was glitz + glam, however the night was notable for a lesser turnout of bling and pimp hats than last year.
  • Further to the above, we also seemed to scare away our Melbourne IT overlords, who apparently came and went as a unit (insert Borg jokes here.)

If you don’t hear from me beforehand, Merry Christmas everyone 🙂

New weblog software!

Yes, after something of a hiatus I’ve followed the crowd and switched over to WordPress.

Is this a permanent arrangement? I’ll have to see how it goes. It’s been OK so far, although not having my own tree is something of a pain.. (this is the Fedora Extras RPM so installs in the datadir, limiting customisation somewhat.)

I’ll need a nicer theme too to go with the rest of the site.

I’ve at least got the last handful of entries from my regular blog (hooray for import functions :-D) and the rest will stay as a “legacy archive”. For my next entry I’ll even try writing something interesting, after all it’s been a month or so!