IETF Logo Mail Archive

Re: [Asrg] 7. Best Practices - DNSBLs - Article

"Chris Lewis" <clewis@nortelnetworks.com> Sat, 20 September 2003 01:38 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA01771 for <asrg-archive@odin.ietf.org>; Fri, 19 Sep 2003 21:38:20 -0400 (EDT)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.12.8/8.12.8) with ESMTP id h8K1VhGb020140 for <asrg-archive@odin.ietf.org>; Fri, 19 Sep 2003 21:38:00 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h88ELc7B024715 for asrg-archive@odin.ietf.org; Mon, 8 Sep 2003 10:21:38 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19wMtV-0006QN-Tf for asrg-web-archive@optimus.ietf.org; Mon, 08 Sep 2003 10:21:29 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA24605 for <asrg-web-archive@ietf.org>; Mon, 8 Sep 2003 10:21:21 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19wMtT-0002oQ-00 for asrg-web-archive@ietf.org; Mon, 08 Sep 2003 10:21:27 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19wMtS-0002oL-00 for asrg-web-archive@ietf.org; Mon, 08 Sep 2003 10:21:26 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19wMt4-0006If-DO; Mon, 08 Sep 2003 10:21:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19wMqo-00063k-9L for asrg@optimus.ietf.org; Mon, 08 Sep 2003 10:18:42 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA24281 for <asrg@ietf.org>; Mon, 8 Sep 2003 10:18:33 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19wMql-0002ie-00 for asrg@ietf.org; Mon, 08 Sep 2003 10:18:39 -0400
Received: from h87s129a234n47.user.nortelnetworks.com ([47.234.129.87] helo=zcars0m9.nortelnetworks.com) by ietf-mx with esmtp (Exim 4.12) id 19wMql-0002dm-00 for asrg@ietf.org; Mon, 08 Sep 2003 10:18:39 -0400
Received: from zcard309.ca.nortel.com (zcard309.ca.nortel.com [47.129.242.69]) by zcars0m9.nortelnetworks.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id h88EI0R15633 for <asrg@ietf.org>; Mon, 8 Sep 2003 10:18:00 -0400 (EDT)
Received: from zcard031.ca.nortel.com ([47.129.242.121]) by zcard309.ca.nortel.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id RY5AB2AY; Mon, 8 Sep 2003 10:18:01 -0400
Received: from americasm01.nt.com (clewis-2.ca.nortel.com [47.129.150.136]) by zcard031.ca.nortel.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id R239160K; Mon, 8 Sep 2003 10:18:01 -0400
Message-ID: <3F5C905A.1090302@americasm01.nt.com>
X-Sybari-Space: 00000000 00000000 00000000 00000000
From: Chris Lewis <clewis@nortelnetworks.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
CC: asrg@ietf.org
Subject: Re: [Asrg] 7. Best Practices - DNSBLs - Article
References: <6.0.0.12.0.20030811151412.026f21e0@solidmatrix.com> <a06001207bb5dacfd9eb5@[10.0.1.2]> <3F3946A9.4040004@americasm01.nt.com> <a06001201bb5f23f67ff7@[10.0.1.4]> <3F5BD983.6080606@americasm01.nt.com> <a06001a0cbb81d63b5066@[10.0.1.2]>
In-Reply-To: <a06001a0cbb81d63b5066@[10.0.1.2]>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/asrg/>
Date: Mon, 08 Sep 2003 10:21:14 -0400
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit

Brad Knowles wrote:

> At 9:21 PM -0400 2003/09/07, Chris Lewis wrote:
> 
>>  For example, I can tell you that 2.5% of the email that got through
>>  would have been caught except for latency delays in our BLs... ;-)

>     Do you know what the latency delays are?  For example, if you 
> implemented greylisting and enforced a minimum 30 minute delay before 
> you allowed them to get through the greylist, for what percentage of 
> these messages would that 30 minute delay have been enough for them to 
> show up on the BLs?

We're considering greylisting as an adjunct to our filters.  However, 
since we have 8 inbound gateways, it could get rather messy.  A 
simple-minded implementation with a half hour delay would have a four 
hour worst-case delay...  Not acceptable.

Due to how our DNSBL system works (we do our own zone downloads), and 
with a eye to not bashing the DNSBL originating servers too much, the 
latency (for 3rd party DNSBLs) averages around 12 hours.  So, 
greylisting-delay-for-DNSBL-catchup isn't going to help (us).

Most of the third party DNSBLs have an average latency on the order of 
an hour or two (or considerably longer) when querying them directly[1]. 
  So, even by switching to real-time queries, it still wouldn't help 
greylisting (unless you were willing to deal with that much longer 
latencies). Only spamcop is any faster.  And SpamCop we won't use, 
because its FP level is too high (for a organization like us).

That being said - I don't think it's necessary to tune your greylisting 
timeout w.r.t. DNSBL latencies.

The simple fact of the matter is that open proxy/socks code will _not_ 
queue - so they won't try a second time[2].  I would strongly suspect 
that if you made your greylisting timeout _zero_, and simply 400'd the 
first appearance of a given sender/IP/recipient tuple and accept the 
next appearance, no matter how quickly, you'd still be getting 90% of 
what greylisting with a very long timeout would give you.

Of course, spamming tools will evolve, so then you consider increasing 
the timeouts.  Too far, tho, and it's worse than where you started.  And 
I don't think you'd ever get to where you'll be able to take into 
account DNSBL latency.

>     Have you incorporated tools like DCC or Razor into your 
> methodology?  Do you know how greylisting with a minimum delay time 
> (e.g., 30 minutes) would effect DCC and/or Razor, in terms of their 
> efficiency?

[1] Do also consider that our 2.58% number is based over a 14 _day_ 
interval.  There's no way of telling the distribution of that DNSBL 
"catchup" over the 14 days.  I don't think the DNSBL latencies on 
individual IPs is anywhere near close to the latency of update. Ie: 
there's no particular reason why a given IP hits the third party DNSBL 
detector at the same time it first hits you.  It takes time (as much as 
hours) for decent/"polite" open relay/proxy testing.

So, short of perhaps the CBL (and SpamCop of course) which doesn't do 
server testing, it's not possible to get latency down _that_ short even 
for direct query.

[2] That's not _entirely_ true, I've seen some spammers that retry 550's 
after DATA several times very quickly (within minutes).  Not sure 
whether that's proxy or relay behaviour.


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

v2.23.0 | Report a Bug | By Email