nanog mailing list archives

Re: SpamHaus Drop List


From: Sean Donelan <sean () donelan com>
Date: Fri, 24 Aug 2007 01:32:53 -0400 (EDT)


On Thu, 24 Aug 2007, Paul Vixie wrote:
>> Is it a placebo or does it actually have an effect?
>
> the inbound tcp/53 i see blocked by SH-DROP isn't the result of truncation
> or any other response of mine that could reasonably trigger TCP retry.  so
> on the basis that it's no longer reaching me and can't have been for my
> good, SH-DROP has at least that good effect.  i also see a lot of nameserver
> transaction timeouts in my own logs, and it's all (*ALL*) for garbage domains
> such as must be used by phishers or spammers.

Unfortunately, on today's Internet if you randomly picked a couple of
hundred network blocks of the same size you would see the same thing.
Lame delegations and brokenness are well distributed across the Internet.
Between Cisco Content Distributors emitting tcp/53 syn/acks and broken
nat/firewalls that block udp but not tcp, inbound tcp/53 without truncation
or any previous query/response from almost anywhere on the Internet isn't
unusual.


> why would i install something that required manual maintenance or depended
> on me still being present?  other than putting system level logic in my home
> directory, i detect no sysadmin sin here.

Other people do, which often leads to brokenness.

Unfortunately again, if you use your favorite search engine you will find
several instances that read something like "we also have the DROP list in
an ACL on our router, but we don't monitor it."  I have found two-year-old
copies of the DROP list in networks.

Network blocks are regularly added *AND REMOVED* from the Spamhaus DROP list.

>> If you do have a process in place, not only for routing but also for
>> your new customer order process, it is a useful source of information.
>
> agreed.

I think we're in violent agreement.

It can be useful if used correctly, it can be harmful if used incorrectly.
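The thread's practical point is that a DROP list dropped into a router ACL and never refreshed drifts from the real list, since entries are delisted as well as added, and that the same list is useful in the customer order process if it is actually kept current. The following is an added example, not code from the thread, from Spamhaus, or from either poster, showing what the "process" Sean describes looks like in code: parse two copies of the list, report how old the installed copy is, compute the ACL entries to add and withdraw, and check a requested customer prefix against both copies. It assumes the Spamhaus text format of one "CIDR ; SBLnnn" entry per line with ';' starting comments, and it assumes (labelled in the code) that the file's generation date appears in the header as "Spamhaus DROP List YYYY/MM/DD". The prefixes are RFC 5737/6598 documentation ranges and the SBL ids are invented; both sample lists are constructed for illustration and are not real listings. The function names are this example's own.

```python
import re
import ipaddress
from datetime import date

# Constructed samples in the Spamhaus DROP text format: one "CIDR ; SBLnnn"
# entry per line, ';' starts a comment. Prefixes are RFC 5737/6598
# documentation ranges and the SBL ids are invented; not real listings.
DROP_INSTALLED = """\
; Spamhaus DROP List 2005/08/01 - constructed sample, not a real list
192.0.2.0/24 ; SBL100001
198.51.100.0/24 ; SBL100002
203.0.113.0/24 ; SBL100003
"""

DROP_CURRENT = """\
; Spamhaus DROP List 2007/08/24 - constructed sample, not a real list
192.0.2.0/24 ; SBL100001
203.0.113.0/25 ; SBL100003
100.64.0.0/10 ; SBL100004
not-a-prefix ; SBL100005
"""

# Assumption: the generation date appears in the header comment as
# "Spamhaus DROP List YYYY/MM/DD".
LIST_DATE = re.compile(r"Spamhaus DROP List (\d{4})/(\d{2})/(\d{2})")


def _key(net):
    # ip_network objects of different IP versions do not compare; sort explicitly
    return (net.version, int(net.network_address), net.prefixlen)


def parse_drop(text):
    """Return {network: sbl_id} for a DROP list. Comments, blank lines and
    malformed entries are skipped so they never turn into ACL entries."""
    entries = {}
    for raw in text.splitlines():
        cidr, _, comment = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            continue
        entries[net] = comment.strip()
    return entries


def list_date(text):
    """Generation date from the header comment, or None if absent."""
    m = LIST_DATE.search(text)
    return date(*map(int, m.groups())) if m else None


def stale_days(text, today):
    """Age of an installed copy in days (today may be a date or 'YYYY-MM-DD')."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    d = list_date(text)
    return None if d is None else (today - d).days


def diff_drop(installed, current):
    """Prefixes to add (new listings) and to remove (delistings) to bring an
    installed copy in line with the current list."""
    add = sorted(set(current) - set(installed), key=_key)
    remove = sorted(set(installed) - set(current), key=_key)
    return add, remove


def check_prefix(prefix, drop):
    """Customer order check: DROP entries overlapping a requested prefix
    (either side containing the other counts as an overlap)."""
    want = ipaddress.ip_network(prefix, strict=False)
    hits = (n for n in drop if n.version == want.version and n.overlaps(want))
    return sorted(hits, key=_key)


def to_cisco_acl(net):
    """Render one entry as an IOS extended ACL line (wildcard = hostmask)."""
    return f"deny ip {net.network_address} {net.hostmask} any"


if __name__ == "__main__":
    installed = parse_drop(DROP_INSTALLED)
    current = parse_drop(DROP_CURRENT)
    print("installed copy is", stale_days(DROP_INSTALLED, "2007-08-24"), "days old")
    add, remove = diff_drop(installed, current)
    for n in remove:
        print("no", to_cisco_acl(n))
    for n in add:
        print(to_cisco_acl(n))
    # A delisted prefix is still blocked by the stale ACL but clean today.
    for p in ("203.0.113.128/26", "203.0.113.64/26"):
        print(p, "stale:", check_prefix(p, installed), "current:", check_prefix(p, current))
```

The diff is what a cron job would feed back into the ACL: withdrawals matter as much as additions, because the two-year-old copy still blocks 203.0.113.128/26 even though the current list has narrowed that entry to a /25. The order-process check runs the same parser against the current copy, so a prefix a prospective customer brings is compared with the list as it is today rather than as it was when someone last edited the router.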

