Koozali.org: home of the SME Server

RBL Blacklist users READ THIS!!

ryan

RBL Blacklist users READ THIS!!
« on: August 27, 2003, 10:20:36 AM »
Just posted on Slashdot:

Osirusoft Blacklists The World

 
Posted by timothy on Tuesday August 26, @11:15PM
from the wildcard-matches-for-evil dept.
ariehk writes "As of today, Osirusoft, distributor of the SPEWS and open relay blocklists, among others, is no longer operational. Servers using these lists (including the FTC) are currently rejecting ALL email. This shutdown seems to be in response to a several-week-long DDoS attack on Osirusoft, SPEWS and others, resulting in both sites being down. This has caused much discussion on n.a.n-a.e, including the suggestion that the attack is somehow related to the SoBig worm. The spammers must be hurting if they can devote these kinds of resources to attacking blocklists." Read on below a related submission.


I removed relays.osirusoft.com at 10:00 AZ time and a lot of emails suddenly came in....so SME is negatively affected by a down blacklist site.  Any osirusoft.com entry for a blacklist should be removed immediately.

ryan

Shane

Re: RBL Blacklist users READ THIS!!
« Reply #1 on: August 27, 2003, 11:07:51 AM »
So that explains it...Thanks
My mail servers are responding "451 Please stop using relays.osirusoft.com"

Jesper Knudsen

Re: RBL Blacklist users READ THIS!!
« Reply #2 on: August 27, 2003, 01:38:20 PM »
I have tried to figure out where to remove this and cannot find any files with an RBL server list. Where should I locate this entry?

Rgds,
Jesper

Shane

Re: RBL Blacklist users READ THIS!!
« Reply #3 on: August 28, 2003, 03:36:50 AM »
You'll need to edit /service/smtpfront-qmail/rblsmtpd.conf
Backup first :-)

Jesper Knudsen

Re: RBL Blacklist users READ THIS!!
« Reply #4 on: August 28, 2003, 12:58:03 PM »
Hmm. I do not have such a file in this directory.

/Jesper

shane

Re: RBL Blacklist users READ THIS!!
« Reply #5 on: August 28, 2003, 01:07:58 PM »
Then you have nothing to worry about.
Is anybody willing to share their ideas about the best RBLs to use?
bl.spamcop.net seems to be kicking a few goals for me although that's not the only one I use.
Can anybody recommend a good dialup rbl?

Thanks

Shane

Michiel Blotwijk

Re: RBL Blacklist users READ THIS!!
« Reply #6 on: August 28, 2003, 01:18:37 PM »
SpamAssassin also uses osirusoft.com. However, I fail to see how this could stop all my incoming mail. If SA can't connect to osirusoft.com, it will just not use their blacklist. This will result in a higher number of spam messages slipping through, not in stopping my mail. I see loads of "lame server resolving" entries in /var/log/messages, but all my regular mail seems to come through. Therefore I think this "recommendation" to no longer use osirusoft.com in reality is an attempt from some spammer to spread FUD.

Just my 0.02 Euro

Michiel

Maggard

Re: RBL Blacklist users READ THIS!!
« Reply #7 on: August 28, 2003, 07:15:51 PM »
Michiel Blotwijk babbled:

> SpamAssassin also uses osirusoft.com. However, I fail to see
> how this could stop all my incoming mail.

If you had actually bothered to go look at the resources Ryan pointed to before responding you'd have already known the answer, and thus you'd know you're wrong.

Basically before shutting down operations altogether Osirusoft listed EVERYTHING as spam, a "*.*.*.*". The result was if your server used them as an RBL in that period then SA marked _all_ your incoming email and however you handle spam got done to everything.

If you /dev/null yep, it's all gone. If you dump to a folder it's all there, the ham and the spam all together ready to be re-sorted (ugh.).

> If SA can't connect
> to osirusoft.com, it will just not use their blacklist. This
> will result in a higher number of spam messages slipping
> through, not in stopping my mail. I see loads of "lame server
> resolving" entries in /var/log/messages, but all my regular
> mail seems to come through.

But as just pointed out, and if you'd read the material you'd know, that's NOT all that happened and possibly not all that occurred at your end. Indeed there's a distinct possibility you lost some email in that time period.

> Therefore I think this
> "recommendation" to no longer use osirusoft.com in reality is
> an attempt from some spammer to spread FUD.

I "think" you've got no idea what you're talking about and should reconsider posting without researching.

That Osirusoft is now gone is rather well documented and trivially tested. That they RBH'ed everything is also rather well documented as many folks will ruefully attest, you can check for evidence on your own machines. So unless several thousands of irate folks are all being impersonated by a spammer AND they've managed to plant evidence on your systems _you're_ the one looking like a clueless conspiracy nut.

> Just my 0.02 Euro

Far more than it's worth.

Yeah, I get annoyed at folks who make inane pronouncements without the most trivial of efforts to determine what they're going on about. I mean, there was a link in the original post, that one had links, it was being discussed on usenet, it was easy to test for oneself, but this yammerhead couldn't bother to do ANY of those. It's the Internet for chrissakes, how hard is it to do research?

Greg Zartman

Re: RBL Blacklist users READ THIS!!
« Reply #8 on: August 28, 2003, 07:45:09 PM »
> Basically before shutting down operations altogether
> Osirusoft listed EVERYTHING as spam, a "*.*.*.*". The result
> was if your server used them as an RBL in that period then SA
> marked _all_ your incoming email and however you handle spam
> got done to everything.

Not to be overly critical, but SA doesn't mark something as spam just because it is listed in an RBL. Being listed in an RBL simply increases the spam score of the email in question by a couple of points (e.g. RAZOR2_CHECK (2.0 points) Listed in Razor2).

> But as just pointed out, and if you'd read the material you'd
> know, that's NOT all that happened and possibly not all that
> occurred at your end. Indeed there's a distinct possibility
> you lost some email in that time period.

I think you need to do a little reading yourself Maggard... An SME user only needs to worry about the Osirusoft RBL warning if they've configured mailfront to bounce messages based on listings in an RBL.

> I "think" you've got no idea what you're talking about and
> should reconsider posting without researching.

See my previous, then re-read this comment.

> That Osirusoft is now gone is rather well documented and
> trivially tested. That they RBH'ed everything is also rather

Really??? As of yesterday, Google showed only two listings: Slashdot and ZDnet. Considering the plethora of listings that one normally gets from a Google search, I don't think two listings is that well documented.

> Yeah, I get annoyed at folks who make inane
> pronouncements without the most trivial of efforts to
> determine what they're going on about.

You too huh??

Greg Zartman

Maggard

Re: RBL Blacklist users READ THIS!!
« Reply #9 on: August 28, 2003, 08:17:34 PM »
1. Lots of folks have given RBH email an arbitrarily high scoring, or even bouncing outright based on it. Lots of them are now regretting that.

2. For news of this sort, not the latest email nasty or big-corp announcement, usenet (and sometimes blogs) are the best place to track it as it happens. Google does a reasonably good job of indexing usenet and there are numerous relevant hits on it. There's more to the 'net than just web pages.

3. Going off on some conspiracy theory, when one hasn't even read the source material, that's just plain sad. It was an inane posting and deserved to be disparaged. Others may differ.

ryan

Re: RBL Blacklist users READ THIS!!
« Reply #10 on: August 28, 2003, 08:58:11 PM »
FYI,

mailfront with rbl support stalls out when it does not get a response from a blacklist site. This also impacts the ability to use smtp to send email from this server.

ryan

Charlie Brady

Re: RBL Blacklist users READ THIS!!
« Reply #11 on: August 29, 2003, 02:03:47 AM »
Greg Zartman wrote:

> I think you need to do a little reading yourself Maggard...
> An SME user only needs to worry about the Osirusoft RBL
> warning if they've configured mailfront to bounce messages
> based on listings in an RBL.

My mailfront+rbl contrib will only defer delivery on an RBL match, IIRC. Mail would likely only bounce after being deferred for a week in that case. Plenty of time for folks to check their smtpfront-qmail logs and reconfigure rblsmtpd.

Charlie
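
The two failure modes reported in this thread, a list that answers "listed" for every address and a list that never answers, can both be detected before a blacklist is consulted. The Python below is an added example, not part of the thread or of the mailfront/rblsmtpd contrib; it relies on the RFC 5782 convention that a working IPv4 DNSBL lists 127.0.0.2 and never lists 127.0.0.1, and the zone `rbl.example` and all function names are hypothetical.

```python
import socket
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

TEST_LISTED = "127.0.0.2"      # RFC 5782: a working IPv4 DNSBL must list this address
TEST_NOT_LISTED = "127.0.0.1"  # RFC 5782: and must never list this one

def query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolve(name):
    """A records for name; [] when the name does not exist; OSError on other failures."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as err:
        if err.errno == socket.EAI_NONAME:
            return []
        raise
    return sorted({info[4][0] for info in infos})

def bounded(resolve, name, timeout):
    """Run one lookup in a worker thread so a silent list cannot stall the caller."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(resolve, name).result(timeout=timeout)
    finally:
        pool.shutdown(wait=False)

def dnsbl_health(zone, resolve=system_resolve, timeout=3.0):
    """Classify a list as 'ok', 'lists-everything', 'no-test-entry' or 'unreachable'."""
    try:
        never = bounded(resolve, query_name(TEST_NOT_LISTED, zone), timeout)
        always = bounded(resolve, query_name(TEST_LISTED, zone), timeout)
    except (OSError, LookupTimeout):
        return "unreachable"
    if never:
        return "lists-everything"  # the wildcard case: even 127.0.0.1 is "listed"
    return "ok" if always else "no-test-entry"

def usable_lists(zones, resolve=system_resolve, timeout=3.0):
    """Keep only the zones that pass the health check; consult no others."""
    return [z for z in zones if dnsbl_health(z, resolve, timeout) == "ok"]

if __name__ == "__main__":
    # Constructed stand-in for a list that answers every query as "listed".
    print(dnsbl_health("rbl.example", resolve=lambda name: ["127.0.0.2"]))
```

Run from cron, a check like this lets an administrator drop a failing zone from the RBL configuration before mail is deferred or mis-scored.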