Security Basics mailing list archives

Re: creating DNSBL for blocking email virus, need suggestion


From: Rob Hughes <rob () robhughes com>
Date: Sun, 21 Nov 2004 08:35:10 -0600

On Sat, 2004-11-13 at 12:10 +0700, Markus wrote:
> What if the computer that is infected by a virus and sends virus email is in
> a network/LAN? The LAN's server's public IP will be blocked, and then
> all computers in that network can't send email to my school network.
> Can we know the local IP 198.x.x.x for that computer?


You're right. But blocking 1918 addresses isn't a solution either, since
many networks use those same addresses for their internal hosts. About
all you can do is pick a pain point and decide when too many infected
mails come from a given server, then block it. Further, individual user
systems shouldn't be sending out email. All email from a network should
go through a central server so that it can be scanned. Allowing users to
send email directly from their systems and/or not scanning outgoing mail
is sloppy administration and lax security, almost to the point of
criminality IMO.

> How long do you think an IP should remain in the blacklist? Because the
> blacklist can't know if the infected computer has already been cleaned by its
> user/admin.

I'd really suggest that you use some of the free RBLs out there. They
have automated systems that let admins submit removal requests when they
get their network cleaned up.

A good source for these is openrbl.org.

Rob.
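
The following is an added example, not part of the message above and not code from any RBL project. It sketches the "pain point" approach the reply describes: list a sending server once too many infected mails arrive from it, skip RFC 1918 addresses, let listings expire, and support a removal request. The threshold, window, expiry and zone name are assumed values, and the sample addresses are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed policy values (hypothetical): tune to your own "pain point".
THRESHOLD = 5        # infected mails from one server ...
WINDOW = 3600        # ... within this many seconds triggers a listing
LISTING_TTL = 86400  # a listing lapses this long after the last infected mail
ZONE = "dnsbl.example.org"  # placeholder zone name

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class VirusBlocklist:
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> timestamps of infected mails
        self.listed_until = {}          # ip -> time the listing expires

    def report_infected(self, ip, now):
        """Record one infected mail from the connecting IP; True if now listed."""
        addr = ipaddress.ip_address(ip)
        # Only public IPv4 is tracked: RFC 1918 addresses are reused by many
        # networks, so listing one would say nothing about a specific host.
        if addr.version != 4 or any(addr in net for net in RFC1918):
            return False
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - WINDOW:  # drop hits outside the window
            q.popleft()
        if len(q) >= THRESHOLD or self.is_listed(ip, now):
            self.listed_until[ip] = now + LISTING_TTL  # list, or extend listing
        return self.is_listed(ip, now)

    def is_listed(self, ip, now):
        return self.listed_until.get(ip, 0) > now

    def remove(self, ip):
        """Removal request from an admin who has cleaned up the network."""
        self.listed_until.pop(ip, None)
        self.hits.pop(ip, None)


def dnsbl_query_name(ip, zone=ZONE):
    """Name a mail server looks up: reversed IPv4 octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```
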

