nanog mailing list archives

Re: Spamhaus...


From: "Crist Clark" <Crist.Clark () globalstar com>
Date: Thu, 18 Feb 2010 12:36:22 -0800

On 2/18/2010 at 11:47 AM, Michelle Sullivan <matthew () sorbs net> wrote:
Crist Clark wrote:
We received such a message from a Spamhaus Datafeed reseller
and eventually had our DNS servers blocked. What angered me was
that I analyzed our usage, and we were well below the thresholds
and met the TOS published at the Spamhaus website for no-cost use.
However, they said we had to subscribe to the Datafeed despite
that because we have a Barracuda appliance.
  

Well aside from I remember reading that they look for Barracuda
Appliances*, it does say on:
http://www.spamhaus.org/organization/dnsblusage.html 

*Definition: "non-commercial use" is use for any purpose other than as
part or all of a product or service that is resold, or for use of which
a fee is charged. For example, using our DNSBLs in a commercial spam
filtering appliance that is then sold to others requires a data feed,
regardless of use volume. The same is true of commercial spam filtering
software and commercial spam filtering services.

We do not fit into that. We are not selling an appliance or service
to others (the 'Cuda is for our internal corporate email only, not
customers). If we were still using my home-built SpamAssassin system,
it'd be OK to use Spamhaus. Now that we've purchased an appliance
and manually added a Spamhaus to the user-customizable DNSBL list
on it, it's not OK?

And I want to know how they figured out we had a Barracuda.

  


* Well, have you considered that the Barracuda may be very specific in
its IP stack, or the signature it produces in queries etc.  Might have
a very specific open port for administration - and not forgetting that
if it's making queries very directly it's exposing its IP address and
therefore can be tested very simply.  Many different ways, and I bet I
could find out if I were to have a device to look at.

I have considered that, but it would seem it must be some signature
in the queries. It does not query directly, but through our own
caching DNS servers (I won't name the DNS server software, but its
initials are B.I.N.D.).


