Re: [anti-abuse-wg] RBL policy
On 30 Jan 2017, at 06:13, ox <andre@ox.co.za> wrote:

> Hello All,
> May I please solicit some comments about Abuse Block lists (Without detracting from RFC 5782 and RFC 6471 or : https://www.ripe.net/publications/docs/ripe-409 )
> Firstly, the background for the start of this thread is simply: As the use of machine learning technology is now also applied and adapted for the use of cyber criminals (including spammers, scammers, etc) the rules and what is socially acceptable is and has changed. Global politics, protectionism, nationalism and the other 'isms' are also causing change.
> Considering that DNSBL tech is "reactive" (after the abuse)

This statement appears to be exclusionary — and is one often levelled against DNSBLs. All DNSBLs are not wholly reactive.
Firstly, one needs to acknowledge that all DNSBLs are not the same.
Secondly, some listings in some DNSBLs are proactive. i.e. Made before abuse is seen. As I work for the commercial arm of Spamhaus, I know their offerings quite well and can confidently state that some of the Spamhaus block lists contain proactive and/or precautionary listings. I imagine SURBL does likewise. Other block lists probably have similar policies / inputs.
Simon

> The block time policies of RBLs
> ***********************************
> There are two main types of block lists: No automatic removal and automatic removal
> Is the policy to auto de-list after a period of time, still accurate?
> Considering the change in abuse patterns and technology, should the block times be increased or decreased?
> Does society require more specialist non auto de-list DNSBLs? (Would it be helpful to law enforcement to have a "child pornography" dnsbl? or a phish dnsbl? - or is the reactive time too high in order for dynamic ipv4? - but on ipv6 allocations to devices could be more 'permanent'? etc)
> Andre
On Mon, 30 Jan 2017 09:39:00 +0000 Simon Forster <simon-lists@ldml.com> wrote:

>> Considering that DNSBL tech is "reactive" (after the abuse)
> This statement appears to be exclusionary — and is one often levelled against DNSBLs. All DNSBLs are not wholly reactive.
> Firstly, one needs to acknowledge that all DNSBLs are not the same.

Yes, but they can be easily categorized into general groups

> Secondly, some listings in some DNSBLs are proactive. i.e. Made before abuse is seen. As I work for the commercial arm of Spamhaus, I know their offerings quite well and can confidently state that some of the Spamhaus block lists contain proactive and/or precautionary listings. I imagine SURBL does likewise. Other block lists probably have similar policies / inputs.
> Simon

Thank you for that, so the grouping here is DNSBL that block proactively (and without actual abuse) and DNSBL that block after evidence of abuse
Can you comment on the method of de-listing - auto de-list after x time and/or no de-listing until removal request?
Do the time periods of auto de-list take into consideration past abuse?
And, in your obvious experience - when DNSBL blocks proactively - does your de-listing require adjustments or are they in step with what you are seeing?

>> The block time policies of RBLs
>> ***********************************
>> There are two main types of block lists: No automatic removal and automatic removal
>> Is the policy to auto de-list after a period of time, still accurate?
>> Considering the change in abuse patterns and technology, should the block times be increased or decreased?
>> Does society require more specialist non auto de-list DNSBLs? (Would it be helpful to law enforcement to have a "child pornography" dnsbl? or a phish dnsbl? - or is the reactive time too high in order for dynamic ipv4? - but on ipv6 allocations to devices could be more 'permanent'? etc)
>> Andre
Please be aware that my understanding is of the general principles employed by the various Spamhaus block lists. I have no role in compiling the block lists — that is the remit of a completely different team. I can talk to the generalities but not to specifics as I have no more insight into specifics than anyone else with access to the Spamhaus Projects' Blocklist Removal Centre at <https://www.spamhaus.org/lookup/>.
And I’ll decline to post the rest of my reply following the abuse up thread.
All the best
Simon

On 30 Jan 2017, at 09:39, Simon Forster <simon-lists@ldml.com> wrote:

> On 30 Jan 2017, at 06:13, ox <andre@ox.co.za> wrote:
>> Hello All,
>> May I please solicit some comments about Abuse Block lists (Without detracting from RFC 5782 and RFC 6471 or : https://www.ripe.net/publications/docs/ripe-409 )
>> Firstly, the background for the start of this thread is simply: As the use of machine learning technology is now also applied and adapted for the use of cyber criminals (including spammers, scammers, etc) the rules and what is socially acceptable is and has changed. Global politics, protectionism, nationalism and the other 'isms' are also causing change.
>> Considering that DNSBL tech is "reactive" (after the abuse)
> This statement appears to be exclusionary — and is one often levelled against DNSBLs. All DNSBLs are not wholly reactive.
> Firstly, one needs to acknowledge that all DNSBLs are not the same.
> Secondly, some listings in some DNSBLs are proactive. i.e. Made before abuse is seen. As I work for the commercial arm of Spamhaus, I know their offerings quite well and can confidently state that some of the Spamhaus block lists contain proactive and/or precautionary listings. I imagine SURBL does likewise. Other block lists probably have similar policies / inputs.
> Simon
>> The block time policies of RBLs
>> ***********************************
>> There are two main types of block lists: No automatic removal and automatic removal
>> Is the policy to auto de-list after a period of time, still accurate?
>> Considering the change in abuse patterns and technology, should the block times be increased or decreased?
>> Does society require more specialist non auto de-list DNSBLs? (Would it be helpful to law enforcement to have a "child pornography" dnsbl? or a phish dnsbl? - or is the reactive time too high in order for dynamic ipv4? - but on ipv6 allocations to devices could be more 'permanent'? etc)
>> Andre
On Mon, 30 Jan 2017 11:14:44 +0000 Simon Forster <simon-lists@ldml.com> wrote:

> Please be aware that my understanding is of the general principles employed by the various Spamhaus block lists. I have no role in compiling the block lists — that is the remit of a completely different team. I can talk to the generalities but not to specifics as I have no more insight into specifics than anyone else with access to the Spamhaus Projects' Blocklist Removal Centre at <https://www.spamhaus.org/lookup/>.
> And I’ll decline to post the rest of my reply following the abuse up thread.

Okay, never mind Spamhaus, you have a mind yourself?
This thread is not about Spamhaus or any specific DNSBL, it is about the timing of auto de-listing, specialist DNSBL and general society (you & me & all of us - even the asshole idiots (I am an asshole idiot myself) as well as those with strong POV. like Prince Olaf) - whether we agree or disagree with something or a pov - is not relevant but understanding of the different opinions, is actually of great value
Also, MOST DNSBL are reactive. I do agree that many DNSBL are proactive - but there are just over 200 DNSBL (that I know of) and by far the majority are reactive.
So, Simon, with that in mind, what do you think about my original posting / thread, instead of getting stuck on where the various DNSBL sources data from, can we maybe talk about the other questions?
Andre
participants (2)
- ox
- Simon Forster