[Mimedefang] Another silly idea

WBrown at e1b.org WBrown at e1b.org
Tue May 2 14:04:00 EDT 2006


mimedefang-bounces at lists.roaringpenguin.com wrote on 05/02/2006 12:11:00 PM:

> I tried this.  Turns out a shocking number of ISPs and businesses don't 
> bother running AV software on their outbound servers and just blindly 
> relay their users' mail.

If you run the BL locally, no one knows about it.  If it's a publicly 
available RBL that shows up on some of the RBL lookup tools like 
DNSStuff.com, etc., then the mail server owner wouldn't take the heat.  All 
you would have to do is point to the RBL and say "Your server has sent 
viruses, and is therefore blocked for security reasons.  Please address 
the situation with the RBL.  And by the way, you might want to install 
some antivirus software on your server."

Maybe that way more ISPs could be encouraged to run AV software and prevent 
the spread.
 
> If you blacklist IPs based simply on if they've sent you a worm, then 
> you'll likely be blocking a lot of legit mail as well.  I was just doing 
> this as an input to a greylisting system (send me a worm and get 
> greylisted for an hour, send mail to too many bad addresses and get 
> greylisted, etc.) and I *still* had a whole pile of complaints from my 
> users.  :-(  I tried maintaining a whitelist, but eventually gave it up 
> as a bad job.

Blocking open relays used to block a lot of legitimate mail too until 
owners started closing them down.  There is no reason to relay a virus 
either.  By shaming owners and punishing them for poor behavior, maybe we 
can have the same effect and get them to clean up their act.
 
> Sticking with SBL-XBL, at least I can be fairly certain that if an ISP 
> or business gets themselves blacklisted, they'll find out in short order 
> and get themselves removed.  The same isn't really true if you're 
> running a local blacklist--I shudder to think what would have happened 
> if I'd blacklisted and bounced the mail, rather than just delaying 
> it....

I use SBL-XBL.  I'm looking to enhance it by listing anything that sends a 
virus and another sign of poor server management.  I am not talking about 
this being a local blacklist, but a public one where anyone can query 
1.2.3.4.virusrbl.org and find out whether that address is a known virus 
source, and www.virusrbl.org will provide information about why the 
address is blocked.  I'm fairly sure that if an ISP or business gets 
listed for passing a virus, they'll find out in short order and get 
themselves removed.
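The query described above, as an added example that is not part of the original post or of MIMEDefang itself. It follows the usual DNSBL convention (RFC 5782) of reversing the IPv4 octets before appending the zone, so 1.2.3.4 is looked up as 4.3.2.1.virusrbl.org. The zone name virusrbl.org is taken from the post and is hypothetical; the 127.0.0.x return codes, the `FAKE_ZONE` answers and the two resolver stand-ins are constructed here so the code runs offline. The relay decision is modelled on the ('REJECT', text) / ('CONTINUE', 'ok') return convention of a MIMEDefang filter_relay, which is an assumption about how the list would be wired in. It also shows the check a practitioner wants before rejecting on any public list: the RFC 5782 test points, which catch a lapsed or wildcarded zone that suddenly lists everyone.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Hypothetical zone name taken from the post; assumed, not a real list.
VIRUS_RBL_ZONE = "virusrbl.org"

# Assumed return-code convention for that hypothetical zone. Real lists
# publish their own meanings for the 127.0.0.x answers they return.
RETURN_CODES = {
    "127.0.0.2": "sent a virus or worm",
    "127.0.0.3": "other sign of poor server management",
}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = VIRUS_RBL_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone
    (RFC 5782 convention), so 1.2.3.4 becomes 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are implemented in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name: str) -> Optional[str]:
    """Resolve with the system resolver; None means no answer / NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(ip: str, zone: str = VIRUS_RBL_ZONE,
                 resolve: Resolver = system_resolve) -> Tuple[bool, Optional[str]]:
    """Return (listed, reason). Only answers inside 127.0.0.0/8 count as a
    listing; a lapsed zone whose domain gets parked on a public address, or
    a resolver returning junk, is treated as 'not listed'."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False, None
    try:
        if ipaddress.ip_address(answer) not in LOOPBACK:
            return False, None
    except ValueError:
        return False, None
    return True, RETURN_CODES.get(answer, f"listed with unknown code {answer}")


def dnsbl_zone_is_sane(zone: str, resolve: Resolver = system_resolve) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A zone failing either is dead or wildcarding and must not drive rejects."""
    listed_2, _ = dnsbl_lookup("127.0.0.2", zone, resolve)
    listed_1, _ = dnsbl_lookup("127.0.0.1", zone, resolve)
    return listed_2 and not listed_1


def relay_decision(ip: str, zone: str = VIRUS_RBL_ZONE,
                   resolve: Resolver = system_resolve) -> Tuple[str, str]:
    """Connection-time decision, modelled on the return convention of a
    MIMEDefang filter_relay: ('REJECT', text) or ('CONTINUE', 'ok').
    Fails open when the zone does not pass its own sanity check."""
    if not dnsbl_zone_is_sane(zone, resolve):
        return "CONTINUE", "ok"
    listed, reason = dnsbl_lookup(ip, zone, resolve)
    if listed:
        return "REJECT", (f"{ip} is listed at {zone} ({reason}); "
                          f"see http://www.{zone}/ for details")
    return "CONTINUE", "ok"


# Constructed stand-in for the zone's DNS data, so the example runs offline.
FAKE_ZONE = {
    "2.0.0.127." + VIRUS_RBL_ZONE: "127.0.0.2",  # RFC 5782 test point
    "4.3.2.1." + VIRUS_RBL_ZONE: "127.0.0.2",    # 1.2.3.4 sent a worm
    "1.0.0.10." + VIRUS_RBL_ZONE: "127.0.0.3",   # 10.0.0.1 poorly managed
}


def fake_resolve(name: str) -> Optional[str]:
    """Healthy zone: answers only for names it actually lists."""
    return FAKE_ZONE.get(name)


def wildcard_resolve(name: str) -> Optional[str]:
    """Broken zone: a wildcard record answers every query, 127.0.0.1 included."""
    return "127.0.0.2"


if __name__ == "__main__":
    for src in ("1.2.3.4", "10.0.0.1", "192.0.2.1"):
        print(src, "->", relay_decision(src, resolve=fake_resolve))
    print("wildcarded zone:", relay_decision("1.2.3.4", resolve=wildcard_resolve))
```

Swap `fake_resolve` for the default `system_resolve` to query a real zone. Failing open on a zone that does not pass the two test points is the important design choice: a public list that stops answering correctly, or whose domain is re-registered by someone else, would otherwise turn into a reject-everything rule without anyone noticing.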
