echo: alt-comp-anti-virus
to: ALL
from: DAVID RITZ
date: 2014-11-01 11:45:00
subject: Re: An Urgent Court Notic

On Saturday, 01 November 2014 22:59 -0400, 
 in article , 
 Virus Guy  wrote:

> David Ritz wrote:

[restored]
>> On Saturday, 01 November 2014 19:44 -0400, 
>>  in article , 
>>  Virus Guy  wrote:

>>> So it's not clear if it would have been listed by the CBL at the
>>> time it hit my server.  We know that it's not listed at spamhaus
>>> - even now.

>> Very little is clear to you.

>> The only way you can determine whether a sending IP is listed in 
>> any DNSbl, when you first see it, is to check the DNSbl, when the 
>> connection occurs.

> There is one other way - if the DNSbl web portal would give the 
> date/time of first appearance (not just the last time it was 
> detected).

Would you like a pony with sprinkles on top, to go with that?

DNSbls generally do not include the date and time information you want 
them to include.  You're more than welcome to take the matter up with 
the maintainers of every DNSbl in existence.  I would seriously 
recommend including C&C warnings, when you do.

The information you want is the same information the spammers want, in 
order to try to game the system.  This information could, for example, 
compromise traps.  That the CBL is telling the world, when it _last_ 
detected a compromised box doing the nasty, already goes over and 
beyond what is required and certainly goes beyond what most others 
provide.

>> It's your choice not to do so, but don't go jumping to conclusions 
>> based on your assumptions.  These seem to lead you to err.

> I said it wasn't clear, based on what the DNSbl was reporting 
> through its web interface, if it would have flagged the IP at the 
> time it hit my server.  That is a factual statement.

… and you'll only know, if you check whatever DNSbl you're checking, 
at the time of the first connection to your MX.  I'd recommend 
checking zen.spamhaus.org.

Performing DNSbl lookups via a web interface is clumsy, tedious and 
time consuming.  DNS tools are appropriate and far faster.

    $ date -u;dig +short 36.237.206.209.zen.spamhaus.org;date -u
    Sun Nov  2 03:40:24 UTC 2014
    127.0.0.4
    Sun Nov  2 03:40:24 UTC 2014

>> So far as your assertion, "We know that it's not listed at spamhaus 
>> - even now," you've already shown that 209.206.237.36 is listed in 
>> the Spamhaus XBL zone.  It's on the XBL, because it's listed at 
>> cbl.abuseat.org.  Seriously, WTF is your major malfunction?

> Does spamhaus operate the other DNSbls that comprise the XBL zone?

See 

The XBL mirrors the CBL.

> Would a spamhaus query return only what spamhaus knows about an ip, 
> or (if it knows nothing) would spamhaus return an XBL result (if one 
> exists) ?

It's possible to receive multiple return codes, when querying ZEN.  
I've seen as many as three, from a single query: SBL, XBL, PBL.

Spamhaus knows about the XBL, as it's one of their zones.  There are 
other zones, too.

>> The CBL only shows when an IP address was last seen, ±30 minutes.

> Would it kill it to also show when it was first detected?

I doubt it would kill it, but the potential for harm is far greater 
than any potential benefit, to a luser who isn't going to look for it 
until hours or days after the fact.

Since your SMTP setup precludes you from using the available 
information, at the time it helps the most, isn't the matter moot?

Don't forget the C&C warnings.  The DNSbl maintainers who receive your 
requests will be greatly appreciative.

-- 
David Ritz 
 Be kind to animals; kiss a shark.

--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)

SOURCE: echomail via QWK@docsplace.org
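
The connection-time check the post argues for, as an added example that is not part of the original message or of any DNSbl operator's tooling: it builds the reversed-octet query name used in the dig command, decodes every answer a single ZEN query returns, and keeps a UTC timestamp with the result. The function names are hypothetical, and the return-code table is an assumption taken from Spamhaus's published ZEN documentation (only 127.0.0.4 appears in the post).

```python
import ipaddress
import socket
from datetime import datetime, timezone

# Assumption: codes per Spamhaus's published ZEN documentation; only
# 127.0.0.4 is shown in the post's dig output.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL",
    "127.0.0.9": "SBL-DROP",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

def query_name(ip, zone="zen.spamhaus.org"):
    """209.206.237.36 -> 36.237.206.209.zen.spamhaus.org (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_lookup(name):
    """A-record lookup via the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []  # lookup failure (NXDOMAIN included) is treated as not listed

def check_at_connect(ip, lookup=system_lookup, now=None):
    """Query the zone when the client connects and keep a timestamped record."""
    answers = lookup(query_name(ip))
    # 127.255.255.x answers report a query problem (bad zone name, public
    # resolver, rate limit). They are not listings and must not reject mail.
    errors = sorted(a for a in answers if a.startswith("127.255.255."))
    zones = sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})
    return {
        "checked_at": (now or datetime.now(timezone.utc)).isoformat(),
        "ip": ip,
        "listed": bool(zones),
        "zones": zones,
        "errors": errors,
    }

if __name__ == "__main__":
    # Constructed answer set: three codes from one query, as the post describes.
    fake = lambda name: ["127.0.0.2", "127.0.0.4", "127.0.0.10"]
    print(check_at_connect("209.206.237.36", lookup=fake))
```

Logging the returned record from the MX at connection time gives the local first-seen evidence that the DNSbl itself does not publish.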
