[Mimedefang] Another silly idea
WBrown at e1b.org
Tue May 2 14:04:00 EDT 2006
mimedefang-bounces at lists.roaringpenguin.com wrote on 05/02/2006 12:11:00 PM:
> I tried this. Turns out a shocking number of ISPs and businesses don't
> bother running AV software on their outbound servers and just blindly
> relay their users' mail.
If you run the BL locally and no one knows about it. If it's a publicly
available RBL that shows up on some of the RBL lookup tools like
DNSStuff.com, etc. then the mail server owner wouldn't take the heat. All
you would have to do is point to the RBL and say "Your server has sent
viruses, and is therefore blocked for security reasons. Please address
the situation with the RBL. And by the way, you might want to install
some antivirus software on your server."
Maybe that way more ISPs could be encouraged to run AV software and prevent
the spread.
> If you blacklist IPs based simply on if they've sent you a worm, then
> you'll likely be blocking a lot of legit mail as well. I was just doing
> this as an input to a greylisting system (send me a worm and get
> greylisted for an hour, send mail to too many bad addresses and get
> greylisted, etc.) and I *still* had a whole pile of complaints from my
> users. :-( I tried maintaining a whitelist, but eventually gave it up
> as a bad job.
Blocking open relays used to block a lot of legitimate mail too until
owners started closing them down. There is no reason to relay a virus
either. By shaming owners and punishing them for poor behavior, maybe we
can have the same effect and get them to clean up their act.
> Sticking with SBL-XBL, at least I can be fairly certain that if an ISP
> or business gets themselves blacklisted, they'll find out in short order
> and get themselves removed. The same isn't really true if you're
> running a local blacklist--I shudder to think what would have happened
> if I'd blacklisted and bounced the mail, rather than just delaying
> it....
I use SBL-XBL. I'm looking to enhance it by listing anything that sends a
virus and another sign of poor server management. I am not talking about
this being a local blacklist, but a public one where anyone can query
1.2.3.4.virusrbl.org and find out whether that address is a known virus
source, and www.virusrbl.org will provide information about why the
address is blocked. I'm fairly sure that if an ISP or business gets
listed for passing a virus, they'll find out in short order and get
themselves removed.