[Mimedefang] surbl
Stephen Smoogen
smoogen at lanl.gov
Tue Apr 13 22:15:01 EDT 2004
On Tue, 13 Apr 2004, David F. Skoll wrote:
>On Tue, 13 Apr 2004, Kelson Vibber wrote:
>
>> Then SURBL should be fine. It's just a RHSBL, built from domains
>> advertised in spam rather than domains that (appear to) send it. A client
>> using SURBL just parses URLs out of the message and queries the domain
>> names against the SURBL zone.
>
>It still makes me nervous. An attacker could put hundreds of URLs
>in the message, leading to hundreds of SURBL lookups. This kind of
>traffic-amplification just screams DoS to me. But then, I tend to
>be more paranoid than most. :-)
>
>I think SURBL should be used for (let's say) the first 20 URLs in a
>message, and if there are more than 20 URLs in the message, it should get
>a big spam score and further SURBL lookups suppressed.
>
>Regards,
Personally I think any RBL is a DoS waiting to happen. All it takes is
them being down/broken/etc and poof your servers are down for a bit with
the usual management questions of why did you allow it to happen.
The only way I would use an RBL in a large production environment is if
they had a DB push mechanism where I could sign up for a daily DB4 and
source file from either a central site or some sort of P2P cloud.
But I am a grumpy young sysadmin.
--
Stephen John Smoogen smoogen at lanl.gov
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --
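
The cap and the outage concern discussed in this thread, as an added example in Perl; it is not part of the original messages and not MIMEDefang's own code. Assumptions: the zone `surbl.example` is a placeholder, the score values and the two-error cutoff are invented for illustration, the resolver is passed in as a code ref so the sketch runs offline, and host names are queried as-is without reducing them to the registered domain.

```perl
use strict;
use warnings;

my $ZONE           = 'surbl.example';  # placeholder zone, not a real list
my $MAX_URLS       = 20;               # cap proposed in the thread
my $OVER_CAP_SCORE = 5;                # assumed value for the "big spam score"
my $HIT_SCORE      = 3;                # assumed score per listed host
my $MAX_ERRORS     = 2;                # assumed: give up after this many failed lookups

# Host names of the http(s) URLs in the body, in order, one entry per URL.
sub url_hosts {
    my ($body) = @_;
    my @hosts;
    while ($body =~ m{https?://([A-Za-z0-9.-]+)}gi) {
        (my $h = lc $1) =~ s/\.+$//;   # normalise case, drop trailing dots
        push @hosts, $h if length $h;
    }
    return @hosts;
}

# $lookup->($name) returns 1 (listed), 0 (not listed) or undef (timeout/error).
sub surbl_check {
    my ($body, $lookup) = @_;
    my @hosts = url_hosts($body);
    my ($score, $queries, $errors) = (0, 0, 0);
    if (@hosts > $MAX_URLS) {
        $score += $OVER_CAP_SCORE;
        splice @hosts, $MAX_URLS;      # lookups beyond the cap are suppressed
    }
    my %seen;
    for my $h (grep { !$seen{$_}++ } @hosts) {   # one query per distinct host
        $queries++;
        my $listed = $lookup->("$h.$ZONE");
        if (!defined $listed) {
            last if ++$errors >= $MAX_ERRORS;    # list unreachable: stop asking
            next;
        }
        $score += $HIT_SCORE if $listed;
    }
    return ($score, $queries);
}

# Constructed message: 200 URLs on distinct hosts; a stub stands in for DNS.
my $body   = join "\n", map { "http://host$_.example/buy" } 1 .. 200;
my %listed = ("host3.example.$ZONE" => 1);
my ($score, $queries) = surbl_check($body, sub { $listed{ $_[0] } ? 1 : 0 });
print "list up:   score=$score queries=$queries\n";

# Same message with the list down: every query times out.
($score, $queries) = surbl_check($body, sub { undef });
print "list down: score=$score queries=$queries\n";
```

The query count stays bounded by the cap no matter how many URLs the message carries, and when the list stops answering the check gives up early instead of stalling mail delivery on every remaining lookup.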