On Saturday, 01 November 2014 22:59 -0400,
in article ,
Virus Guy wrote:
> David Ritz wrote:
[restored]
>> On Saturday, 01 November 2014 19:44 -0400,
>> in article ,
>> Virus Guy wrote:
>>> So it's not clear if it would have been listed by the CBL at the
>>> time it hit my server. We know that it's not listed at spamhaus
>>> - even now.
>> Very little is clear to you.
>> The only way you can determine whether a sending IP is listed in
>> any DNSbl, when you first see it, is to check the DNSbl, when the
>> connection occurs.
> There is one other way - if the DNSbl web portal would give the
> date/time of first appearance (not just the last time it was
> detected).
Would you like a pony with sprinkles on top, to go with that?
DNSbls generally do not include the date and time information you want
them to include. You're more than welcome to take the matter up with
the maintainers of every DNSbl in existence. I would seriously
recommend including C&C warnings, when you do.
The information you want is the same information the spammers want, in
order to try to game the system. This information could, for example,
compromise traps. That the CBL is telling the world, when it _last_
detected a compromised box doing the nasty, already goes over and
beyond what is required and certainly goes beyond what most others
provide.
>> It's your choice not to do so, but don't go jumping to conclusions
>> based on your assumptions. These seem to lead you to err.
> I said it wasn't clear, based on what the DNSbl was reporting
> through its web interface, if it would have flagged the IP at the
> time it hit my server. That is a factual statement.
… and you'll only know, if you check whatever DNSbl you're checking,
at the time of the first connection to your MX. I'd recommend
checking zen.spamhaus.org.
Performing DNSbl lookups via a web interface is clumsy, tedious and
time consuming. DNS tools are appropriate and far faster.
$ date -u;dig +short 36.237.206.209.zen.spamhaus.org;date -u
Sun Nov 2 03:40:24 UTC 2014
127.0.0.4
Sun Nov 2 03:40:24 UTC 2014
>> So far as your assertion, "We know that it's not listed at spamhaus
>> - even now," you've already shown that 209.206.237.36 is listed in
>> the Spamhaus XBL zone. It's on the XBL, because it's listed at
>> cbl.abuseat.org. Seriously, WTF is your major malfunction?
> Does spamhaus operate the other DNSbls that comprise the XBL zone?
See
The XBL mirrors the CBL.
> Would a spamhaus query return only what spamhaus knows about an ip,
> or (if it knows nothing) would spamhaus return an XBL result (if one
> exists) ?
It's possible to receive multiple return codes, when querying ZEN.
I've seen as many as three, from a single query: SBL, XBL, PBL.
Spamhaus knows about the XBL, as it's one of their zones. There are
other zones, too.
>> The CBL only shows when an IP address was last seen, ±30 minutes.
> Would it kill it to also show when it was first detected?
I doubt it would kill it, but the potential for harm is far greater
than any potential benefit, to a luser who isn't going to look for it
until hours or days after the fact.
Since your SMTP setup precludes you from using the available
information, at the time it helps the most, isn't the matter moot?
Don't forget the C&C warnings. The DNSbl maintainers who receive your
requests will be greatly appreciative.
-- 
David Ritz
Be kind to animals; kiss a shark.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
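
The connection-time lookup recommended in the post above, as an added example that is not part of the original post: it builds the reversed-octet query name, decodes every answer ZEN returns, and emits one UTC-stamped log line so the verdict at first contact is on record. The function names are hypothetical; the return-code table follows Spamhaus's published ZEN codes (the post itself shows only 127.0.0.4 and names SBL, XBL and PBL).

```shell
#!/bin/sh
# Added example: record the DNSbl verdict for an IP at the moment it connects.

# Build the query name: IPv4 octets reversed, zone appended.
dnsbl_qname() {
    ip=$1 zone=$2
    case $ip in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Map one ZEN A record to the zone it stands for.
zen_decode() {
    case $1 in
        127.0.0.2|127.0.0.3|127.0.0.9) echo SBL ;;
        127.0.0.4|127.0.0.5|127.0.0.6|127.0.0.7) echo XBL ;;
        127.0.0.10|127.0.0.11) echo PBL ;;
        127.255.255.*) echo ERROR ;;  # query refused or malformed, not a listing
        *) echo UNKNOWN ;;            # includes resolver error text from dig
    esac
}

# Collapse all answers from one query into a single verdict string.
zen_verdict() {
    v=
    for a in $1; do
        z=$(zen_decode "$a")
        case ",$v," in *",$z,"*) ;; *) v=${v:+$v,}$z ;; esac
    done
    echo "${v:-NOTLISTED}"
}

# Query now and print: <UTC time> ip=... query=... verdict=...
dnsbl_check() {
    q=$(dnsbl_qname "$1" "${2:-zen.spamhaus.org}") ||
        { echo "bad IPv4 address: $1" >&2; return 2; }
    ans=$(dig +short "$q" A)
    printf '%s ip=%s query=%s verdict=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$q" "$(zen_verdict "$ans")"
}

if [ "$#" -gt 0 ]; then dnsbl_check "$@"; fi
```

An ERROR verdict (127.255.255.x) means the query itself was rejected, for example when sent through a public resolver, and must not be treated as a listing.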