Mailing List CGatePro@mail.stalker.com Message #103881
From: Juergen P. [core] <juergenp@core.at>
Subject: Re: Use Blacklisting DNS Servers (RBLs)
Date: Wed, 16 Jan 2013 17:36:41 +0100
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pronto! 6.0.1
yeah, single ip addresses are used.

unfortunately i don't know how the temp blacklist is built inside cgp - i'll check the docs later.
i would also create ip address blocks inside the temp blacklist
[x.x.x.x](28)  something like that makes parsing and calculation a bit more interesting :-)

kr


On Wed, 16 Jan 2013 11:09:01 -0500
 Jeff Wark <jwark@tbaytel.net> wrote:
I like where this is going.

Now, the Temp Blacklisted entries are always single IP addresses and not network blocks, correct?

And the submissions could be varied....
1. SMTP Error blacklists [maybe divided up by time]
2. failed login blacklists etc.
3. Whatever other source from CommuniGate [may involve netblocks].





On 01/16/2013 10:51 AM, Juergen P. [core] wrote:
On Wed, 16 Jan 2013 09:04:03 -0500
 Jeff Wark <jwark@tbaytel.net> wrote:
That would be interesting....a daily/hourly dump of the current 'temp blacklisted' tables from CommuniGate submitted to a server. The various blacklists would be compared and the commonalities could be published in an rbldnsd type format.

I suppose the biggest problem [besides making all that code and getting everyone to participate ;)] would be getting a consensus on what deserves getting temporarily blacklisted.  I don't think it would necessarily be good to mix lists of "a few errors blacklisted for a short time" with "many errors blacklisted for a long time". The meaning of the lists is a little different with varying error counts and blacklist time.

Oh yeah, and even though it would be an anti-spam list, there would still have to be an authentication system to prevent fraud. Darn security is so troublesome....getting in the way of all this innovation.


creating a domain on communigate pro with some validated accounts is the easiest way, i think.
therefore "inside" that domain some webpages/cgi-scripts and stuff could handle that.






On 01/15/2013 06:43 PM, Juergen P. [core] wrote:
i set up rbldns but i didn't have the time yet to fill it up.

currently i manually run a perl-script which filters the logfiles for forbidden actions and writes out the attackers and spammers to a flat file, which is injected into the mailservers directly into the blocked list (of course i remove duplicates, etc.)
in the meantime the rbl-list is getting quite big and i don't know how many entries communigate pro can hold without running into trouble.
that's why i was thinking about using a rbldnsd which gets data from cgp directly via some scripts so that i have an auto-updated list.

i think it should be sufficient if you monitor your own mailsystems for spammers and enter those somehow into the database.
external data feeds are a "nice to have" but i found out, that communigate pro can be configured to detect spam by itself via rules or scripts and so has also good spam-prevention functionality built in.

exchanging blocklists, which were created via CGP could be interesting for comparison and maybe also for building a controllable blacklist.
sometimes an admin can react faster and provide more reliable information about spammers and other attackers than any RBL-service can.


please comment :-)






On Tue, 15 Jan 2013 15:33:56 -0600
  Lyle Giese <lyle@lcrcomputer.net> wrote:
I have an internal only rbl-database and in the past I have gotten downloads from some rbl's.  I have stopped using downloads from off site rbls and send queries directly to them.  In the case of cbl.abuseat.org, the delays I was seeing between it and spamhaus also seemed to affect their rsync database dumps I was getting.

For our inhouse rbl, I have a postgres database and do a dump of it and then modify the data before feeding it to rbldnsd for serving up to our internal mail servers.

Lyle Giese
LCR Computer Services, Inc.

On 01/15/13 09:55, Juergen P. [core] wrote:
has anyone built his own rbl-database with rbldnsd or similar ?


On Tue, 15 Jan 2013 09:47:00 -0600
 Lyle Giese <lyle@lcrcomputer.net> wrote:
cbl.abuseat.org is utilized by spamhaus, but there is a delay from when cbl.abuseat.org tags an ip address and when it gets into the spamhaus databases.  Enough that I found it worthwhile to include cbl.abuseat.org in my setup here.

Lyle Giese
LCR Computer Services, Inc.

On 01/15/13 09:30, Jeff Wark wrote:
I believe that cbl.abuseat.org is contained in xbl.spamhaus.org.

zen.spamhaus.org is also a list containing sbl.spamhaus.org and xbl.spamhaus.org [and pbl.spamhaus.org].

On 01/15/2013 10:23 AM, Juergen P. [core] wrote:
regarding barracuda.org:

they use backscatterer.org listings for spam-prevention.
if you get on that list, your ip can not be removed unless you pay some money, otherwise you'll stay on the list for a minimum of a month. my opinion is that backscatter.org and friends are not seriously managed.

currently i'm using following RBL-Servers:

dnsbl.sorbs.net
zen.spamhaus.org
cbl.abuseat.org
bl.spamcop.net
sbl.spamhaus.org
xbl.spamhaus.org
IP.v4BL.org



kr

juergen


On Tue, 15 Jan 2013 06:58:09 -0800
 Michael Wise <spiski@okean.com> wrote:
On 2013.01.15 06:07 PST (UTC -8) Sherif Aboul Gadayel wrote:


I noticed the option "Use Blacklisting DNS Servers (RBLs)" does a good
job to block Blacklisted ips
I am currently using "zen.spamhaus.org" and "bl.spamcop.net" which are free
Any other advice in this ?


These are pretty good as well:

b.barracudacentral.org
truncate.gbudb.net


To use b.barracudacentral.org, you will need to register with them (free):

http://www.barracudacentral.org/account/register



--Mike


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to <CGatePro-request@mail.stalker.com>

-- Best Regards

Juergen Paulhart

E-Mail / VOIP / SIP / IM: juergenp@core.at
TEL: +43 676 30 592 44

** Cloud Communication Technologies and Unified Communications ***

pub 1024D/65D0FD58 2003-07-11 CA Cert Signing Authority (Root CA) <gpg@cacert.org>
Key fingerprint = A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58
 thug nature <<<
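
The shared-list idea discussed in this thread (several servers submit their temp blacklists, only the commonalities are published for rbldnsd, and adjacent addresses are folded into network blocks) can be sketched as follows. This is an added example, not code from any poster or from CommuniGate Pro; the server names, the zone name `tempbl.example.net`, the `min_reporters` threshold and the sample addresses are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data: one temp-blacklist dump per submitting server.
SUBMISSIONS = {
    "mx1.example.net": ["192.0.2.16", "192.0.2.17", "198.51.100.7", "203.0.113.9"],
    "mx2.example.net": ["192.0.2.16", "192.0.2.17", "192.0.2.18", "192.0.2.19",
                        "198.51.100.7"],
    "mx3.example.net": ["192.0.2.18", "192.0.2.19", "198.51.100.7", "not-an-ip"],
}

def common_addresses(submissions, min_reporters=2):
    """Return addresses reported by at least min_reporters distinct servers."""
    counts = Counter()
    for entries in submissions.values():
        seen = set()  # a server counts once per address, however often it repeats it
        for raw in entries:
            try:
                seen.add(ipaddress.IPv4Address(raw.strip()))
            except ValueError:
                continue  # drop malformed lines instead of publishing them
        counts.update(seen)
    return sorted(ip for ip, n in counts.items() if n >= min_reporters)

def to_ip4set(addresses, value="127.0.0.2", text="Listed in shared temp blacklist"):
    """Render rbldnsd ip4set lines, folding adjacent addresses into CIDR blocks."""
    nets = ipaddress.collapse_addresses(
        ipaddress.IPv4Network(f"{a}/32") for a in addresses)
    lines = [f":{value}:{text}"]  # default A and TXT value for every entry
    for net in nets:
        # Single hosts are written as a bare address, blocks in CIDR form.
        lines.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return lines

def dnsbl_query_name(ip, zone):
    """Name a mail server looks up to test ip against zone (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

if __name__ == "__main__":
    print("\n".join(to_ip4set(common_addresses(SUBMISSIONS))))
    print(dnsbl_query_name("198.51.100.7", "tempbl.example.net"))
```

Raising `min_reporters` trades coverage for confidence, which is one way to handle submitters whose blacklisting thresholds differ.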


