[Mimedefang] Another silly idea

Craig Green cgreen at sentex.net
Tue May 2 12:11:00 EDT 2006


WBrown at e1b.org wrote:
> My thinking is why 
> not add them to an RBL if they have sent a virus in the past week or two, 
>   
[munch]
> Even if it is a "legitimate" mail server, I cannot think of any reason to 
> trust it if it does not have functioning antivirus software running.

I tried this.  Turns out a shocking number of ISPs and businesses don't 
bother running AV software on their outbound servers and just blindly 
relay their users' mail.

If you blacklist IPs based simply on if they've sent you a worm, then 
you'll likely be blocking a lot of legit mail as well.  I was just doing 
this as an input to a greylisting system (send me a worm and get 
greylisted for an hour, send mail to too many bad addresses and get 
greylisted, etc.) and I *still* had a whole pile of complaints from my 
users.  :-(  I tried maintaining a whitelist, but eventually gave it up 
as a bad job.

Sticking with SBL-XBL, at least I can be fairly certain that if an ISP 
or business gets themselves blacklisted, they'll find out in short order 
and get themselves removed.  The same isn't really true if you're 
running a local blacklist--I shudder to think what would have happened 
if I'd blacklisted and bounced the mail, rather than just delaying it....

YMMV, but I'd expect a rough ride with plenty of whitelist-patched potholes.


Craig.
------
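
The penalty-greylisting policy described in the message above (a worm or too many bad recipients earns a relay an hour of temporary deferral rather than a rejection), modelled as an added example that is not part of the original post and is not MIMEDefang filter code. The class name, the bad-recipient threshold and window, the 451 reply text and the documentation-range IP addresses are assumptions made for illustration; only the one-hour delay comes from the post.

```python
import time

GREYLIST_SECONDS = 3600   # "greylisted for an hour" (from the post)
BAD_RCPT_LIMIT = 5        # assumed: the post only says "too many bad addresses"
BAD_RCPT_WINDOW = 600     # assumed counting window, in seconds


class PenaltyGreylist:
    """Per-relay penalty state: offenders are deferred (4xx), never bounced."""

    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.deferred_until = {}  # relay IP -> epoch time the penalty ends
        self.bad_rcpts = {}       # relay IP -> times of unknown-recipient attempts

    def _penalize(self, ip, now):
        if ip not in self.whitelist:
            self.deferred_until[ip] = now + GREYLIST_SECONDS

    def saw_virus(self, ip, now=None):
        self._penalize(ip, time.time() if now is None else now)

    def saw_bad_recipient(self, ip, now=None):
        now = time.time() if now is None else now
        # Keep only attempts inside the window, then count this one.
        recent = [t for t in self.bad_rcpts.get(ip, []) if now - t < BAD_RCPT_WINDOW]
        recent.append(now)
        self.bad_rcpts[ip] = recent
        if len(recent) >= BAD_RCPT_LIMIT:
            self._penalize(ip, now)

    def check(self, ip, now=None):
        """Return the (code, text) SMTP reply to give this relay at connect time."""
        now = time.time() if now is None else now
        until = self.deferred_until.get(ip, 0)
        if ip in self.whitelist or now >= until:
            self.deferred_until.pop(ip, None)  # penalty expired or relay exempt
            return (250, "ok")
        # Temporary failure: a well-behaved MTA queues and retries, so mail
        # from a legitimate but AV-less relay is delayed rather than lost.
        return (451, "4.7.1 try again in %d seconds" % int(until - now))


if __name__ == "__main__":
    # Constructed sample events; addresses are from documentation ranges.
    g = PenaltyGreylist(whitelist={"198.51.100.7"})
    g.saw_virus("192.0.2.10", now=1000)
    print(g.check("192.0.2.10", now=1060))   # deferred
    print(g.check("192.0.2.10", now=4600))   # penalty over, accepted
```
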


