Mailing List Archive

May be off topic, but it is relevant
Dear all

I recently spent several days trying to figure out why a customer was getting blacklisted on CBL after several years of unchanged configuration.

It turned out that CBL have suddenly and arbitrarily decided to blacklist any mail server that answers with HELO that looks like a dynamic address, even if it is not.

Some time ago e.g. 2 years+, my ISP recommended that I set the FQDN of my Exchange email server to xxx.demon.co.uk which is what reverse DNS will produce when looking up the IP. Now it has been changed back to mailgate.xxxx.ltd.uk.

FYI they define something to be a dynamic address if the name looks like the address the ISP has your IP resolving to, whether or not the IP address is static (as in these cases) or dynamic.

So to avoid this, your mail server's HELO string must be something different to the style of address used by ISPs.

But it does highlight a number of issues - not least, blacklists arbitrarily taking decisions without thinking through the consequences.

Greylisting is another problem area - I have found some admins who have implemented this with settings that ensure that a standard Exchange server will never get through because the settings are mutually exclusive.

All of these are kludges - it would be much better if we had all legitimate mailservers adopting SPF.

Sorry if some of you think this is off topic, but I thought it worth alerting people to the style of mailserver name getting you blacklisted.


Tony Gore
email  tony@aspen.uk.com
tel +44-1278-761000  FAX +44-1278-760006  GSM +44-7768-598570
URL: www.aspen.uk.com
Aspen Enterprises Limited
Registered in England and Wales no. 3055963 Reg.Office Aspen House, Burton Row, Brent Knoll, Somerset TA9 4BW.  UK




-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: May be off topic, but it is relevant [ In reply to ]
On Wed, Mar 18, 2009 at 21:28, Tony Gore <tony@aspen.uk.com> wrote:
> Dear all
>
> I recently spent several days trying to figure out why a customer was getting blacklisted on CBL after several years of unchanged configuration.
>
> It turned out that CBL have suddenly and arbitrarily decided to blacklist any mail server that answers with HELO that looks like a dynamic address, even if it is not.

What have you got to support this theory? Given that the CBL (like
other DNSBLs) is applied to the connecting host IP, not the HELO,
there's no way for the CBL to make this decision. It sounds more like
the recipient has made this decision and is blaming it on the CBL
(I've seen enough rejections because of failing SPF checks, when there
is no SPF record to check against).

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


RE: May be off topic, but it is relevant [ In reply to ]
> It turned out that CBL have suddenly and arbitrarily decided to blacklist any mail
> server that answers with HELO that looks like a dynamic address, even if it is not.

Rob has a point about HELO but there are ISPs that will use reverse DNS. AOL says:

"All e-mail servers connecting to AOL's mail servers must have valid and meaningful (not dynamic-looking) reverse DNS records."

http://postmaster.aol.com/guidelines/standards.html

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- A conscience is what hurts when all your other parts feel so good.

~ Taglines by Taglinator: www.srtware.com ~


Re: May be off topic, but it is relevant [ In reply to ]
I've had excellent communications with CBL staff on several occasions.

If your IP is getting black listed by them, simply contact them via the methods on their website.

I'm unaware of any policy by CBL to begin listing dynamic IPs.

http://cbl.abuseat.org/

You can also go to that website and plug in your IP and receive a status report as to if and why you got listed.


John.

At 04:55 PM 3/18/2009, you wrote:
>On Wed, Mar 18, 2009 at 21:28, Tony Gore <tony@aspen.uk.com> wrote:
>> Dear all
>>
>> I recently spent several days trying to figure out why a customer was getting blacklisted on CBL after several years of unchanged configuration.
>>
>> It turned out that CBL have suddenly and arbitrarily decided to blacklist any mail server that answers with HELO that looks like a dynamic address, even if it is not.
>
>What have you got to support this theory? Given that the CBL (like
>other DNSBLs) is applied to the connecting host IP, not the HELO,
>there's no way for the CBL to make this decision. It sounds more like
>the recipient has made this decision and is blaming it on the CBL
>(I've seen enough rejections because of failing SPF checks, when there
>is no SPF record to check against).
>
>--
> Please keep list traffic on the list.
>
>Rob MacGregor
> Whoever fights monsters should see to it that in the process he
> doesn't become a monster. Friedrich Nietzsche
>
>



Re: May be off topic, but it is relevant [ In reply to ]
CBL clearly states they do not care if the IP is dynamic.

It is more likely that your client ended up with a virus and is sending out spam to cbl spam traps.



From the CBL website:

NEW! The CBL also lists certain portions of SpamBot infrastructure, such as Spam BOT/virus infector download web sites, and other web sites or name servers exclusively dedicated to the use of Spam BOTs. Considerable care is taken to avoid listing IP addresses that are or are likely to be shared with legitimate use, except in the case of infector download websites.

In other words, the CBL only lists IPs that have attempted email connections to one of our servers in such a way as to indicate that the sending IP is infected, OR, IPs specifically dedicated to the propagation/use of Spam BOTs.

The CBL does NO probes. In other words, the CBL NEVER makes connections to other machines to "test" anything.

The CBL does NOT test for nor list open SMTP relays.

The CBL only lists individual IPs, it NEVER lists ranges.

The CBL does NOT care whether an IP is dynamic or not, if connections the IP makes indicate that it's infected, it is listed regardless.

The CBL does NOT attempt to associate IP addresses to persons or organizations, and furthermore, a CBL listing should NOT be construed as accusing anyone of spamming - virtually all listees are the victims of a virus or other compromise, not deliberately spamming.

The CBL does NOT accept external submissions for listing. Hence it is not possible for the CBL to be used as an instrument of revenge (eg: "disgruntled ex-employee" or "competitor").

The CBL operates in an entirely automated way designed to avoid listings of spamtrap hits due to bounces of forged spam, virus bounces, and "real" mail servers emitting the occasional spam. It tries very hard to avoid listing legitimate mail sources. It does not attempt to list every possible spam source.






******************************

I've had excellent communications with CBL staff on several occasions.

If your IP is getting black listed by them, simply contact them via the methods on their website.

I'm unaware of any policy by CBL to begin listing dynamic IPs.

http://cbl.abuseat.org/

You can also go to that website and plug in your IP and receive a status report as to if and why you got listed.


John.

At 04:55 PM 3/18/2009, you wrote:
>On Wed, Mar 18, 2009 at 21:28, Tony Gore <tony@aspen.uk.com> wrote:
>> Dear all
>>
>> I recently spent several days trying to figure out why a customer was getting blacklisted on CBL after several years of unchanged configuration.
>>
>> It turned out that CBL have suddenly and arbitrarily decided to blacklist any mail server that answers with HELO that looks like a dynamic address, even if it is not.
>
>What have you got to support this theory? Given that the CBL (like
>other DNSBLs) is applied to the connecting host IP, not the HELO,
>there's no way for the CBL to make this decision. It sounds more like
>the recipient has made this decision and is blaming it on the CBL
>(I've seen enough rejections because of failing SPF checks, when there
>is no SPF record to check against).
>
>--
> Please keep list traffic on the list.
>
>Rob MacGregor
> Whoever fights monsters should see to it that in the process he
> doesn't become a monster. Friedrich Nietzsche
>
>


Re: May be off topic, but it is relevant [ In reply to ]
On 18-Mar-09, at 6:29 PM, John Blazek wrote:

> I've had excellent communications with CBL staff on several occasions.
>
> If your IP is getting black listed by them, simply contact them via
> the methods on their website.
>
> I'm unaware of any policy by CBL to begin listing dynamic IPs.
>
> http://cbl.abuseat.org/
>
> You can also go to that website and plug in your IP and receive a
> status report as to if and why you got listed.
>
>
> John.
>
> At 04:55 PM 3/18/2009, you wrote:
>> On Wed, Mar 18, 2009 at 21:28, Tony Gore <tony@aspen.uk.com> wrote:
>>> Dear all
>>>
>>> I recently spent several days trying to figure out why a customer
>>> was getting blacklisted on CBL after several years of unchanged
>>> configuration.
>>>
>>> It turned out that CBL have suddenly and arbitrarily decided to
>>> blacklist any mail server that answers with HELO that looks like a
>>> dynamic address, even if it is not.


As John alluded to...right from their home page,

"The CBL does NOT care whether an IP is dynamic or not, if connections
the IP makes indicate that it's infected, it is listed regardless."

Why don't you go to their site and enter your IP address and find out
if it is actually listed in the CBL and why.

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



RE: May be off topic, but it is relevant [ In reply to ]
Sorry for the delay in replying

A number of people think I made this up

From cbl@cbl.abuseat.org I got this when I did contact them - it took a couple of contacts before they replied with the following (this was days before I posted my message here)

-----------------
" What is going on here is that you are HELOing as something that looks like a dynamic assignment to us."
------------------

i.e. CBL stated that they considered that what they were seeing looked like a dynamic IP address (which it was not)

So as they were telling me directly that this was what they are doing (as I said, nothing had changed in 2 years and suddenly the address was blacklisted) that is why I decided to share it.

This was because I had spent two days billed to the client going through every machine in the place, installing packet sniffers, all on the strength of the CBL assertion that "no matter how good your AV if you are getting blacklisted it means you are generating traffic".

It was not conjecture, but fact from CBL response directly.

In this case, there never had been anything - they are now looking at the HELO string and if they think it looks dynamic, they blacklist.

This was not listed on their site (the rest of their message was suppressed because it listed reverse DNS configurations).

I changed Exchange's FQDNS name and the problem went away (it doesn't matter whether or not you go direct or via the ISP's smart host, the result is the same).

I just thought passing on the unpublished addition to how CBL is now blacklisting might save someone else 2 days digging to find that CBL have arbitrarily started making new decisions about what constitutes a rogue email server.

Since the FQDN and what you put in your SPF string may have to be consistent, I thought it was relevant.

As for plugging in your IP to CBL to find out why you got listed, in this case it was of no help and led me to a considerable wasted effort because I believed that their published list of reasons was correct. Unfortunately, it is only a partial list of reasons.

The inferences you can draw from CBL's statement are

1) They are looking at the HELO string, not just the IP
2) They are comparing it to various forms that they believe are indicative of dynamic addresses
3) Their understanding of reverse DNS is different from the ISPs as far as mail goes (On this one, I think their understanding is better than the ISP's, but when this was set up 2 years ago, I could only go on what the ISP recommended when we had been having trouble getting email through to AOL; following the ISP's recommendation at that time actually solved the AOL email problem)

So thanks for the comments, but I had actually been through all of that first.


Tony Gore
email  tony@aspen.uk.com
tel +44-1278-761000  FAX +44-1278-760006  GSM +44-7768-598570
URL: www.aspen.uk.com
Aspen Enterprises Limited
Registered in England and Wales no. 3055963 Reg.Office Aspen House, Burton Row, Brent Knoll, Somerset TA9 4BW.  UK



-----Original Message-----
From: Gino Cerullo [mailto:gcerullo@pixelpointstudios.com]
Sent: 18 March 2009 22:40
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] May be off topic, but it is relevant


On 18-Mar-09, at 6:29 PM, John Blazek wrote:

> I've had excellent communications with CBL staff on several occasions.
>
> If your IP is getting black listed by them, simply contact them via
> the methods on their website.
>
> I'm unaware of any policy by CBL to begin listing dynamic IPs.
>
> http://cbl.abuseat.org/
>
> You can also go to that website and plug in your IP and receive a
> status report as to if and why you got listed.
>
>
> John.
>
> At 04:55 PM 3/18/2009, you wrote:
>> On Wed, Mar 18, 2009 at 21:28, Tony Gore <tony@aspen.uk.com> wrote:
>>> Dear all
>>>
>>> I recently spent several days trying to figure out why a customer
>>> was getting blacklisted on CBL after several years of unchanged
>>> configuration.
>>>
>>> It turned out that CBL have suddenly and arbitrarily decided to
>>> blacklist any mail server that answers with HELO that looks like a
>>> dynamic address, even if it is not.


As John alluded to...right from their home page,

"The CBL does NOT care whether an IP is dynamic or not, if connections
the IP makes indicate that it's infected, it is listed regardless."

Why don't you go to their site and enter your IP address and find out
if it is actually listed in the CBL and why.

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



RE: May be off topic, but it is relevant [ In reply to ]
I have requested a response from CBL about this.

Based on what Tony has said, and depending on their response, I will stop using cbl and spamhaus.

It is my understanding that Spamhaus funds CBL, and uses the CBL output as a basis for one of the Spamhaus rbls.

While I also utilize dynamic ip rbl's, mixing the two is unacceptable.



John.


At 06:34 PM 3/22/2009, you wrote:
>Sorry for the delay in replying
>
>A number of people think I made this up
>
>From cbl@cbl.abuseat.org I got this when I did contact them - it took a couple of contacts before they replied with the following (this was days before I posted my message here)
>
>-----------------
>" What is going on here is that you are HELOing as something that looks like a dynamic assignment to us."
>------------------
>
>i.e. CBL stated that they considered that what they were seeing looked like a dynamic IP address (which it was not)
>
>So as they were telling me directly that this was what they are doing (as I said, nothing had changed in 2 years and suddenly the address was blacklisted) that is why I decided to share it.
>
>This was because I had spent two days billed to the client going through every machine in the place, installing packet sniffers all on the CBL assertions that "no matter how good your AV if you are getting blacklisted it means you are generating traffic".
>
>It was not conjecture, but fact from CBL response directly.
>
>In this case, there never had been anything - they are now looking at the HELO string and if they think it looks dynamic, they blacklist.
>
>This was not listed on their site (the rest of their message was suppressed because it listed reverse DNS configurations).
>
>I changed Exchange's FQDNS name and the problem went away (it doesn't matter whether or not you go direct or via the ISP's smart host, the result is the same).
>
>I just thought passing on the unpublished addition to how CBL is now blacklisting might save someone else 2 days digging to find that CBL have arbitrarily started making new decisions about what constitutes a rogue email server.
>
>Since the FQDN and what you put in your SPF string may have to be consistent, I thought it was relevant.
>
>As for plugging in your IP to CBL to find out why you got listed, in this case it was of no help and led me to a considerable wasted effort because I believed that their published list of reasons was correct. Unfortunately, it is only a partial list of reasons.
>
>The inferences you can draw from CBL's statement are
>
>1) They are looking at the HELO string, not just the IP
>2) They are comparing it to various forms that they believe are indicative of dynamic addresses
>3) Their understanding of reverse DNS is different from the ISPs as far as mail goes (On this one, I think their understanding is better than the ISP's, but when this was set up 2 years ago, I could only go on what the ISP recommended when we had been having trouble getting email through to AOL; following the ISP's recommendation at that time actually solved the AOL email problem)
>
>So thanks for the comments, but I had actually been through all of that first.
>
>
>Tony Gore
>email tony@aspen.uk.com
>tel +44-1278-761000 FAX +44-1278-760006 GSM +44-7768-598570
>URL: www.aspen.uk.com
>Aspen Enterprises Limited
>Registered in England and Wales no. 3055963 Reg.Office Aspen House, Burton Row, Brent Knoll, Somerset TA9 4BW. UK
>
>
>
>-----Original Message-----
>From: Gino Cerullo [mailto:gcerullo@pixelpointstudios.com]
>Sent: 18 March 2009 22:40
>To: spf-help@v2.listbox.com
>Subject: Re: [spf-help] May be off topic, but it is relevant
>
>
>On 18-Mar-09, at 6:29 PM, John Blazek wrote:
>
>> I've had excellent communications with CBL staff on several occasions.
>>
>> If your IP is getting black listed by them, simply contact them via
>> the methods on their website.
>>
>> I'm unaware of any policy by CBL to begin listing dynamic IPs.
>>
>> http://cbl.abuseat.org/
>>
>> You can also go to that website and plug in your IP and receive a
>> status report as to if and why you got listed.
>>
>>
>> John.
>>
>> At 04:55 PM 3/18/2009, you wrote:
>>> On Wed, Mar 18, 2009 at 21:28, Tony Gore <tony@aspen.uk.com> wrote:
>>>> Dear all
>>>>
>>>> I recently spent several days trying to figure out why a customer
>>>> was getting blacklisted on CBL after several years of unchanged
>>>> configuration.
>>>>
>>>> It turned out that CBL have suddenly and arbitrarily decided to
>>>> blacklist any mail server that answers with HELO that looks like a
>>>> dynamic address, even if it is not.
>
>
>As John alluded to...right from their home page,
>
>"The CBL does NOT care whether an IP is dynamic or not, if connections
>the IP makes indicate that it's infected, it is listed regardless."
>
>Why don't you go to their site and enter your IP address and find out
>if it is actually listed in the CBL and why.
>
>--
>Gino Cerullo
>
>Pixel Point Studios
>21 Chesham Drive
>Toronto, ON M3M 1W6
>
>416-247-7740
>
>
>



RE: May be off topic, but it is relevant [ In reply to ]
-----Original Message-----
From: Tony Gore [mailto:tony@aspen.uk.com]
Sent: Monday, 23 March 2009 0:36
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] May be off topic, but it is relevant

> The inferences you can draw from CBL's statement are
>
> 1) They are looking at the HELO string, not just the IP
> 2) They are comparing it to various forms that they believe
> are indicative of dynamic addresses

I'd like to withhold judgement for a while until we get confirmation. It's
namely not a foregone conclusion that checking HELO's for signs of being
dynamic is done in the same manner as one would a PTR. Several reasons:

1) Consider, for instance, the following:

asarian-host sendmail[10075]: n2N1aDYc010075: <-- HELO s8r9uu2
asarian-host sendmail[10075]: n2N1aDYc010075: --- 250 mail.asarian-host.net
Hello 123.Red-83-58-96.dynamicIP.rima-tde.net [83.58.96.123], pleased to
meet you

Now, "163.Red-83-58-96.dynamicIP.rima-tde.net" can easily be identified as
a 'dynamic' PTR (duh). But remove the word 'dynamic', and it's already a
lot harder. Sure, you could say that in-addr-arpa lookalike PTRs (with the
octets in them and all) are probably dynamic. But can it be established
with so much certainty so as to put them on an official blocklist for that
reason alone? Probably not.

2) Which brings me to my second point. Why would any spammer even set its
HELO to look like a dynamic PTR? Usually they just connect with something
like "HELO hotmail.com" (or whatever the flavor du jour is). So, when the
CBL folks say they're looking for 'dynamic' looking HELO's, I think they
probably mean ones that look like in my above log excerpt. Because,
again, testing HELO to see if it looks like a PTR belonging to a dynamic
IP address is kinda pointless. A PTR, after all, is something a spammer in
a spambot net can't change (he just uses people's home computers: he can't
change their PTR), so it makes sense to check against the PTR. So, if
anything, he'd choose a non-dynamic looking HELO, as HELO is the one thing
he *can* change.

So, based on these thoughts, I'd like to hear a little more about what
"HELOing as something that looks like a dynamic assignment to us" means
exactly.

- Mark



RE: May be off topic, but it is relevant [ In reply to ]
Their prompt reply follows.

I've only skimmed it so I'll withhold comment for now.


-john


>From: "CBL Team" <cbl@cbl.abuseat.org>
>Subject: CBL patterning
>Date: Mon, 23 Mar 2009 01:42:55 +0000
>
>
>The CBL lists for idiosyncrasies or specific bot fingerprints that have
>an extremely high positive correlation to spam, with vanishingly small FPs.
>
>When you think about it from that perspective, the actual mechanisms don't
>matter, _only_ the results do.
>
>In a bit more detail:
>
>1 The CBL _NEVER_ lists based on rDNS values.
>
>2 Even when small businesses operate off dynamic/patterned rDNS space,
>they tend to have their machines configured as to their registered domain
>name, which is reflected in the helo. So, their rDNS may well be something
>like 3.4.4.5.dynamic.isp.net, but their names are, eg, mail.example.com.
>
>Since the CBL doesn't list based on rDNS, this won't cause a listing.
>
>3 Most spambots will use their host's rDNS value as HELO. Hence,
>identifying patterns that reflect machines that shouldn't be emitting
>email at all is a goal.
>
>4 The CBL has been using a small set of simplistic patterning on HELOs
>for a very long time. We were using it on most of our feeds. It
>yielded reasonably well, and its FP rate was, well, average.
>
>Persons colliding with it were still rare, and we'd provide guidance
>on how to resolve the issue. When you point out that helo patterning
>matching simplistic dynamic patterns is bad, and that using
>their own domain name consistently was to their benefit entirely aside
>from the CBL (eg: branding, other filtering mechanisms), they're happy
>to make the changes to fall under (2) above.
>
>5 We've been experimenting with a new mechanism which has extremely
>detailed and precise patterns, that are defined per _domain_. Each pattern
>is classified in a variety of ways as to what the pattern means (per
>domain). We only use a very narrow set of the classifications.
>
>We've been using this for several months on a subset of CBL input. The
>results have been quite gratifying - a very much higher catch rate than
>(4), with a SRR rate (self-removal rate, considered an indicator of
>FP rate) less than a quarter of the average.
>
>We've just discontinued the mechanism in (4) and have been turning up
>the mechanism in (5) over the past few weeks - slowly so as to find
>any problems with the pattern classifications.
>
>Naturally, a new mechanism will have the occasional teething problems.
>
>In the case at hand, the pattern was misclassified. It was immediately
>disabled for investigation. The classification has since been corrected
>to a value that the CBL does not list on.
>
>We've identified and corrected 3 other patterns in the past several weeks.
>We're not aware of any other FPs in this, each hit that we've investigated
>has turned out to be accurately identified as spam/viral emission.
>
>Meanwhile, the mechanism's yield has skyrocketed, and the SRR rate is still
>just as low as when we started - lower than most other mechanisms.
>
>The mechanism isn't deployed to all of our feeds yet - expansion is
>on hold until we have a substantial period with no misclassified patterns
>being identified.
>
>As I mentioned at the beginning, the CBL is results oriented. The
>mechanisms themselves don't matter, the effectiveness and safety
>do.
>
>While patterning (especially when you think of the SORBS example) has a bit
>of a smell, I think we've managed to do it in a way that is
>extremely effective, has vanishingly small FPs, and the FPs do get
>resolved (without the pain and agony that SORBS can sometimes be ;-)
>
>
>--
>Ray, CBL Team



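As an added, defender-side illustration (not CBL's code or its pattern set, which Ray describes as per-domain and not published), here is a hypothetical self-check an admin could run on their own HELO name before it collides with a list that patterns on ISP-style rDNS. The sample names are constructed except for Ray's 3.4.4.5.dynamic.isp.net example, and the vocabulary list and regex are assumptions, not the CBL's classifications:

```python
import re

# Added, hypothetical heuristic written for this thread; it is not CBL's
# pattern set, which the thread says is per-domain and unpublished.
DYNAMIC_WORDS = {"dyn", "dynamic", "dhcp", "pool", "ppp", "dsl", "adsl", "cable", "dialup", "dial"}
# Four 1-3 digit numbers separated by '.' or '-', not glued to other digits.
QUAD = re.compile(r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)")


def embeds_address(name, ip):
    """True if ip's four octets appear in name, forward or reversed, or as 8 hex digits."""
    octets = ip.split(".")
    for m in QUAD.finditer(name):
        quad = list(m.groups())
        if quad == octets or quad == octets[::-1]:
            return True
    hexip = "".join("%02x" % int(o) for o in octets)
    return hexip in name.lower()


def dynamic_labels(name):
    """Labels of name that are ISP pool vocabulary, with trailing digits allowed (e.g. ppp42)."""
    found = []
    for label in re.split(r"[.-]", name.lower()):
        if label.rstrip("0123456789") in DYNAMIC_WORDS:
            found.append(label)
    return found


def check_helo(helo, ip, rdns):
    """Return whether a HELO name looks like generic ISP rDNS rather than a branded host."""
    helo, rdns = helo.lower().rstrip("."), rdns.lower().rstrip(".")
    reasons = []
    if embeds_address(helo, ip):
        reasons.append("HELO embeds the connecting IP address")
    labels = dynamic_labels(helo)
    if labels:
        reasons.append("HELO uses dynamic-pool vocabulary: " + ", ".join(labels))
    if reasons and helo == rdns:
        reasons.append("HELO is the ISP's generic rDNS name; use a host under your own domain")
    return {"helo": helo, "generic": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample values; only 3.4.4.5.dynamic.isp.net comes from the thread.
    for name in ("3.4.4.5.dynamic.isp.net", "mail.example.com", "host-5-4-4-3.ppp42.isp.net"):
        print(check_helo(name, "3.4.4.5", "3.4.4.5.dynamic.isp.net"))
```

A HELO such as mail.example.com under your own domain passes; the generic forms fail with the reason that would need changing.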
RE: May be off topic, but it is relevant [ In reply to ]
I followed up with CBL regarding the inconsistency between Tony's claim of spending 2 days, and Ray's claim that it is a simple process to get FPs (false positives) removed and to work with SPF to find a solution.

Ray, again, responded promptly with a fairly detailed disclosure.

I have forwarded his reply; you can draw your own conclusions.

-john


>From: "CBL Team" <cbl@cbl.abuseat.org>
>Subject: Re: CBL patterning
>To: jwblazek@logicalsolutns.com
>Cc: cbl@cbl.abuseat.org
>Date: Mon, 23 Mar 2009 04:49:13 +0000
>
>John wrote:
>> At this point I would only point out that the gentleman in
>> question claims to have spent several days trying to track
>> down a virus, and was misled by your online information.
>
>The reality is that we can't give away much on the online documentation.
>FPs here really do have to have the person contact us - we'll consider
>special-casing the lookup to indicate that.
>
>But we still expect the online documentation to be sufficient in most
>cases, only if directed otherwise by the lookup tool, or unable to
>identify the infection, should people contact us directly.
>
>In normal circumstances people MUST NOT simply email us when there's
>a CBL detection. They should go through the lookup, online documentation
>and self-removal. Only if that is not working out to identify and
>swat the problem should they contact us.
>
>We're currently doing 1.2 million detections per day. You can only imagine
>what things would be like if everyone emailed us instead of using the
>online facilities.
>
>Once they got the boilerplate by email, it's completely laid out, and
>flailing about should not be necessary.
>
>This, however, was the first of the pattern-errors we've encountered in
>quite some time (the others were later), and the procedures for double-checking,
>er, "oddities" weren't very well developed - meaning we weren't as good as
>we could have been about zeroing in on the pattern itself being in error.
>
>We've since instituted procedural changes to prevent that, and subsequent
>resolutions were much quicker.
>
>--
>Ray, CBL Team



RE: May be off topic, but it is relevant [ In reply to ]
CBL, not SPF... sorry, my mind is only working on 1 cup of coffee this morning.

-john

I followed up with CBL regarding the inconsistency between Tony's claim of spending 2 days, and Ray's claim that it is a simple process to get FPs (false positives) removed and to work with SPF CBL to find a solution.

