v4bl.org anyone knows this ?


Robert Schetterer-2
Hi, does anyone know this RBL?

http://v4bl.org/about.html

...
A very extensive list of IPs; which include:
    » Well known spammer IPs
    » UBE/UCE abusive IPs
    » rfc-ignorant IPs
    » IPs with mismatched DNS and RDNS (FCrDNS failure)
    » IPs with mismatched rDNS and EHLO/HELO (FCrDNS failure)
    » IPs of SPAM friendly ESP/HSP/ISP
    » Obfuscated intermediaries / Alias domains / Disposable domains /
Email-only domains
    » Intermediaries without easily accessible contact information
    » botnet IPs
    » and much, much, more...
...



sounds very strange to me, this might result in massive problems at some
sites, especially checking EHLO/HELO mismatch


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Re: v4bl.org anyone knows this ?

Bill Cole-3
On 11 Apr 2014, at 11:07, Robert Schetterer wrote:

> Hi , anyone knows this rbl ?
>
> http://v4bl.org/about.html

I've had reason to glance at them a few times in the past year but have
never seen justification to pay ongoing attention...

http://v4bl.org/results.html was a bit startling when I first saw it. If
I had a spam-control tool that I wanted people to pay for, I would be
very reluctant to publish such unflattering metrics for a free subset.
Based on the source site for the data
(http://www.intra2net.com/en/support/antispam/index.php) that "Hit Rate"
appears to be unadjusted for overlap with other lists, but they also
have a page showing ~3/4 overlap with Spamhaus Zen. So if you are
already using Zen, the v4bl free list as an absolute rejection criterion
won't increase how much mail you properly reject by much more than ~3%.
On the other side, the persistent "False Positive" rate is usually well
over 0.1%, which I believe is the threshold between tools that are
"anti-spam" and those more accurately referred to as "career limiters"
by anyone running mail systems professionally. It is also unsettling
that the operator seems quite proud of the absolute scale of his "Full"
list (551M IPs) and of its robust growth (~250K/day). Those might be
interesting numbers in conjunction with less vague information on
listing & delisting criteria and evidence of acceptable accuracy, but in
isolation they imply an unhealthy fascination with size while devaluing
skill.

More generally, when considering any absolute spam-blocking tactic it is
wise to find or measure for yourself something like the Intra2net
metrics. You can't expect to get a perfect match of what some other site
sees, but what matters is marginal gain relative to FPs. IMHO, anything
offering less than a consistent *3 orders of magnitude* between the gain
and the pain has to be relegated to a scoring scheme (such as dnsblog
and/or SpamAssassin) where it is not individually conclusive but may
help somewhat to classify borderline spam.


> A very extensive list of IPs; which include:
> » Well known spammer IPs
> » UBE/UCE abusive IPs
> » rfc-ignorant IPs

There is so much said in RFCs and so little careful reading of them that
this criterion can only be deemed a sort of inside joke.

> » IPs with mismatched DNS and RDNS (FCrDNS failure)

That is going to catch a lot of non-spam, including some of the exit
points for Microsoft's Office365 (outlook.com) services. Back when I was
handling external mail for US subsidiaries of a major EU manufacturer
and later a major EU telecom/IT firm, such "failure" was almost as
common as "success" among the global pieces of those companies and their
major business partners. That probably has improved in the past 5 years
(it seems to have, based on the mail seen by smaller systems I run now)
but it surely has not disappeared. The root causes for DNS mismatch in
big companies vary, but the defensive accretion of excuses for not
cleaning it up is a shared feature.

> » IPs with mismatched rDNS and EHLO/HELO (FCrDNS failure)

Worse. It is worth noting that blocking based on a sender's EHLO/HELO
name fits the label "RFC-ignorant" quite well, which does not mean that
it can't be done in a useful & safe way. This is not that.

> » IPs of SPAM friendly ESP/HSP/ISP

That could include any or all of the IP space of any or all of the dozen
largest providers of email sending services, mailboxes, hosting,
colocation, & connectivity. Probably doesn't, but could. Might do so
tomorrow.

> » Obfuscated intermediaries / Alias domains / Disposable domains /
> Email-only domains

Unclear what those mean, especially in the context of a DNSBL, but I
might be includable in this nefarious group. I don't recall ever having
sent anything that could be called "spam" and surely have not from my
"email-only" domains...

> » Intermediaries without easily accessible contact information
> » botnet IPs
> » and much, much, more...

That's just another way of saying the list has no defined
listing/delisting criteria beyond whatever its automated components
happen to do in their current versions and whatever its owner feels like
listing or delisting at the moment.

Having worked at MAPS in its early days I can state from experience:
THAT IS VERY "LAST CENTURY!"

> sounds very strange to me, this might result in massive problems at
> some sites, especially checking EHLO/HELO mismatch

That one is going to catch a huge number of mail servers that don't send
any spam or much mail at all but also don't have a lot of technical
clues nearby. I can't advocate their survival, but on a personal level
it is routinely painful to get involved in the wetwork of their
extinction.
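
The measurement recommended in the message above (marginal gain over a list you already use, weighed against false positives), as an added example that is not part of the original post. The list names, the constructed corpus and the reading of "3 orders of magnitude" as marginal-gain rate divided by false-positive rate being at least 1000 are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    is_spam: bool          # ground truth from hand classification
    listed_by: frozenset   # DNSBLs that listed the connecting client IP


def evaluate(corpus, candidate, baseline, required_ratio=1000):
    """Measure what `candidate` adds on top of `baseline` and what it costs."""
    spam = [m for m in corpus if m.is_spam]
    ham = [m for m in corpus if not m.is_spam]
    if not spam or not ham:
        raise ValueError("need both spam and ham to weigh gain against FPs")

    raw_hits = sum(candidate in m.listed_by for m in spam)
    # Marginal gain: spam the candidate lists that the baseline does not.
    marginal = sum(candidate in m.listed_by and baseline not in m.listed_by
                   for m in spam)
    false_pos = sum(candidate in m.listed_by for m in ham)

    # Zero observed FPs in a finite ham sample only shows the rate is below
    # 1/len(ham), so at least one FP is assumed when forming the ratio.
    fp_floor = max(false_pos, 1)
    ratio = (marginal * len(ham)) / (fp_floor * len(spam))

    return {
        "raw_hit_rate": raw_hits / len(spam),
        "overlap_with_baseline": (raw_hits - marginal) / raw_hits if raw_hits else 0.0,
        "marginal_gain": marginal / len(spam),
        "fp_rate": false_pos / len(ham),
        "gain_to_fp_ratio": ratio,
        "use_as": "reject" if ratio >= required_ratio else "score-only",
    }


def constructed_corpus():
    """Constructed sample: 1000 spam and 1000 ham messages, not real data."""
    both = frozenset({"candidate", "baseline"})
    cand = frozenset({"candidate"})
    base = frozenset({"baseline"})
    none = frozenset()
    spam = ([Msg(True, both)] * 90 + [Msg(True, cand)] * 30 +
            [Msg(True, base)] * 600 + [Msg(True, none)] * 280)
    ham = [Msg(False, cand)] * 2 + [Msg(False, none)] * 998
    return spam + ham


if __name__ == "__main__":
    for key, value in evaluate(constructed_corpus(), "candidate", "baseline").items():
        print(f"{key:22} {value}")
```
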

Re: v4bl.org anyone knows this ?

Robert Schetterer-2
Am 12.04.2014 21:19, schrieb Bill Cole:

> On 11 Apr 2014, at 11:07, Robert Schetterer wrote:
>
>> Hi , anyone knows this rbl ?
>>
>> http://v4bl.org/about.html
>
> I've had reason to glance at them a few times in the past year but have
> never seen justification to pay ongoing attention...
>
> http://v4bl.org/results.html was a bit startling when I first saw it. If
> I had a spam-control tool that I wanted people to pay for, I would be
> very reluctant to publish such unflattering metrics for a free subset.
> Based on the source site for the data
> (http://www.intra2net.com/en/support/antispam/index.php) that "Hit Rate"
> appears to be unadjusted for overlap with other lists, but they also
> have a page showing ~3/4 overlap with Spamhaus Zen. So if you are
> already using Zen, the v4bl free list as an absolute rejection criterion
> won't increase how much mail you properly reject by much more than ~3%.
> On the other side, the persistent "False Positive" rate is usually well
> over 0.1%, which I believe is the threshold between tools that are
> "anti-spam" and those more accurately referred to as "career limiters"
> by anyone running mail systems professionally. It is also unsettling
> that the operator seems quite proud of the absolute scale of his "Full"
> list (551M IPs) and of its robust growth (~250K/day). Those might be
> interesting numbers in conjunction with less vague information on
> listing & delisting criteria and evidence of acceptable accuracy, but in
> isolation they imply an unhealthy fascination with size while devaluing
> skill.
>
> More generally, when considering any absolute spam-blocking tactic it is
> wise to find or measure for yourself something like the Intra2net
> metrics. You can't expect to get a perfect match of what some other site
> sees, but what matters is marginal gain relative to FPs. IMHO, anything
> offering less than a consistent *3 orders of magnitude* between the gain
> and the pain has to be relegated to a scoring scheme (such as dnsblog
> and/or SpamAssassin) where it is not individually conclusive but may
> help somewhat to classify borderline spam.
>
>
>> A very extensive list of IPs; which include:
>> » Well known spammer IPs
>> » UBE/UCE abusive IPs
>> » rfc-ignorant IPs
>
> There is so much said in RFCs and so little careful reading of them that
> this criterion can only be deemed a sort of inside joke.
>
>> » IPs with mismatched DNS and RDNS (FCrDNS failure)
>
> That is going to catch a lot of non-spam, including some of the exit
> points for Microsoft's Office365 (outlook.com) services. Back when I was
> handling external mail for US subsidiaries of a major EU manufacturer
> and later a major EU telecom/IT firm, such "failure" was almost as
> common as "success" among the global pieces of those companies and their
> major business partners. That probably has improved in the past 5 years
> (it seems to have, based on the mail seen by smaller systems I run now)
> but it surely has not disappeared. The root causes for DNS mismatch in
> big companies vary, but the defensive accretion of excuses for not
> cleaning it up is a shared feature.
>
>> » IPs with mismatched rDNS and EHLO/HELO (FCrDNS failure)
>
> Worse. It is worth noting that blocking based on a sender's EHLO/HELO
> name fits the label "RFC-ignorant" quite well, which does not mean that
> it can't be done in a useful & safe way. This is not that.
>
>> » IPs of SPAM friendly ESP/HSP/ISP
>
> That could include any or all of the IP space of any or all of the dozen
> largest providers of email sending services, mailboxes, hosting,
> colocation, & connectivity. Probably doesn't, but could. Might do so
> tomorrow.
>
>> » Obfuscated intermediaries / Alias domains / Disposable domains /
>> Email-only domains
>
> Unclear what those mean, especially in the context of a DNSBL, but I
> might be includable in this nefarious group. I don't recall ever having
> sent anything that could be called "spam" and surely have not from my
> "email-only" domains...
>
>> » Intermediaries without easily accessible contact information
>> » botnet IPs
>> » and much, much, more...
>
> That's just another way of saying the list has no defined
> listing/delisting criteria beyond whatever its automated components
> happen to do in their current versions and whatever its owner feels like
> listing or delisting at the moment.
>
> Having worked at MAPS in its early days I can state from experience:
> THAT IS VERY "LAST CENTURY!"
>
>> sounds very strange to me, this might result in massive problems at some
>> sites, especially checking EHLO/HELO mismatch
>
> That one is going to catch a huge number of mail servers that don't send
> any spam or much mail at all but also don't have a lot of technical
> clues nearby. I can't advocate their survival, but on a personal level
> it is routinely painful to get involved in the wetwork of their extinction.

thx for your info, i was contacted by somebody who is in big trouble by
results of this list using a correct but different helo than ptr, and
warned of getting banned from his ip/net by third party ignorants.

I agree an RBL may be created by whatever parameters, but if it is that
strict it leads to too many false positives used at smtp income level, it
may be ok in some scoring system, in every case its results can not be
the base for third party ban warnings.


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Re: v4bl.org anyone knows this ?

lists@rhsoft.net

Am 12.04.2014 21:53, schrieb Robert Schetterer:
> thx for your info, i was contacted by somebody who is in big trouble by
> results of this list using a correct but different helo than ptr, and
> warned of getting banned from his ip/net by third party ignorants

in principle agreed that it is too much

but on the other hand, what is so hard about having HELO/PTR/A matching?

Re: v4bl.org anyone knows this ?

Robert Schetterer-2
Am 12.04.2014 22:03, schrieb [hidden email]:
>
> Am 12.04.2014 21:53, schrieb Robert Schetterer:
>> thx for your info, i was contacted by somebody who is in big trouble by
>> results of this list using a correct but different helo than ptr, and
>> warned of getting banned from his ip/net by third party ignorants
>
> in principle agreed that it is too much
>
> but on the other hand, what is so hard about having HELO/PTR/A matching?

i was not informed why this isn't/wasn't/can't be done

i advised using an additional transport outgoing smtp bind address with
matching HELO/PTR/A with problematic domains as a workaround

But the main problem seems not to be the rbl results themselves, the real
problem seems to be that some ignorant hosting provider does base his
customer warnings on results of this list.



Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Re: v4bl.org anyone knows this ?

Stan Hoeppner
In reply to this post by lists@rhsoft.net
On 4/12/2014 3:03 PM, [hidden email] wrote:

> but on the other hand, what is so hard about having HELO/PTR/A matching?

This has been asked and answered multiple times on this list.  The short
answer is that customers of some ISPs do not have control of rDNS.  For
a more thorough discussion of this topic please see the list archives.

Cheers,

Stan

Re: v4bl.org anyone knows this ?

lists@rhsoft.net


Am 13.04.2014 10:34, schrieb Stan Hoeppner:
> On 4/12/2014 3:03 PM, [hidden email] wrote:
>
>> but on the other hand, what is so hard about having HELO/PTR/A matching?
>
> This has been asked and answered multiple times on this list. The short
> answer is that customers of some ISPs do not have control of rDNS.  For
> a more thorough discussion of this topic please see the list archives

the real answer is that most do if they only would call their ISP but
don't care or lack basic knowledge, look at a recent thread where somebody
even had a web interface to set a PTR and it took 15 messages to explain
to him the relation between IP/PTR and A-record

if the ISP refuses to do that in most cases there are no servers allowed
with the existing contract and then they can't run a mailserver on that IP



Re: v4bl.org anyone knows this ?

Robert Schetterer-2
In reply to this post by Stan Hoeppner
Am 13.04.2014 10:34, schrieb Stan Hoeppner:

> On 4/12/2014 3:03 PM, [hidden email] wrote:
>
>> but on the other hand, what is so hard about having HELO/PTR/A matching?
>
> This has been asked and answered multiple times on this list.  The short
> answer is that customers of some ISPs do not have control of rDNS.  For
> a more thorough discussion of this topic please see the list archives.
>
> Cheers,
>
> Stan
>

Hi Stan, it was not about ptr matching A record, it was about matching
helo to ptr/A, i.e. A/ptr = mail.example.com but helo = smtp.example.com
and it was about this being classified by some hosting provider (using
v4bl.org RBL helo mismatch results) as a customer "ban warning", which
is simply nonsense, but for sure it is best to have all parameters
matching (don't know why this is/was/cannot be done in this case)


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
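
The distinction drawn in the message above (PTR and A agree with each other, only the HELO name differs), as an added example that is not part of the thread. It reports FCrDNS and the HELO checks as separate results; the DNS tables, host names and addresses are constructed, and the lookups are passed in as functions so the example runs offline.

```python
def check_client(ip, helo, ptr_lookup, a_lookup):
    """Report FCrDNS and HELO consistency separately for one SMTP client.

    ptr_lookup(ip) -> list of PTR names, a_lookup(name) -> list of addresses.
    """
    def norm(name):
        return name.rstrip(".").lower()

    ptr_names = [norm(n) for n in ptr_lookup(ip)]
    # FCrDNS: at least one PTR name must resolve forward to the client IP.
    confirmed = [n for n in ptr_names if ip in a_lookup(n)]
    helo_name = norm(helo)
    return {
        "fcrdns": bool(confirmed),
        "helo_resolves_to_client": ip in a_lookup(helo_name),
        "helo_equals_ptr": helo_name in confirmed,
    }


def helo_only_mismatch(result):
    """True for the case in the thread: DNS is consistent and the HELO name
    points at the client, but HELO is not the same name as the PTR."""
    return (result["fcrdns"] and result["helo_resolves_to_client"]
            and not result["helo_equals_ptr"])


# Constructed DNS data (documentation address ranges and example domains).
PTR = {
    "192.0.2.10": ["mail.example.com."],
    "198.51.100.7": ["host-198-51-100-7.dyn.example.net"],  # generic ISP rDNS
    "203.0.113.5": ["mx.example.org"],
}
A = {
    "mail.example.com": ["192.0.2.10"],
    "smtp.example.com": ["192.0.2.10"],
    "host-198-51-100-7.dyn.example.net": ["198.51.100.7"],
    "mail.example.net": ["198.51.100.7"],
    "mx.example.org": ["203.0.113.99"],   # forward record points elsewhere
}


def lookup_ptr(ip):
    return PTR.get(ip, [])


def lookup_a(name):
    return A.get(name, [])


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "smtp.example.com"),    # A/PTR = mail, HELO = smtp
        ("192.0.2.10", "MAIL.example.com."),   # everything matches
        ("198.51.100.7", "mail.example.net"),  # PTR not under sender's control
        ("203.0.113.5", "mx.example.org"),     # real FCrDNS failure
    ]
    for ip, helo in cases:
        res = check_client(ip, helo, lookup_ptr, lookup_a)
        print(ip, helo, res, "helo-only mismatch:", helo_only_mismatch(res))
```
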

Re: v4bl.org anyone knows this ?

Stan Hoeppner
On 4/13/2014 8:38 AM, Robert Schetterer wrote:

> Am 13.04.2014 10:34, schrieb Stan Hoeppner:
>> On 4/12/2014 3:03 PM, [hidden email] wrote:
>>
>>> but on the other hand, what is so hard about having HELO/PTR/A matching?
>>
>> This has been asked and answered multiple times on this list.  The short
>> answer is that customers of some ISPs do not have control of rDNS.  For
>> a more thorough discussion of this topic please see the list archives.
>>
>> Cheers,
>>
>> Stan
>>
>
> Hi Stan, it was not about ptr matching A record, it was about matching
> helo to ptr/A, i.e. A/ptr = mail.example.com but helo = smtp.example.com
> and it was about this being classified by some hosting provider (using
> v4bl.org RBL helo mismatch results) as a customer "ban warning", which
> is simply nonsense, but for sure it is best to have all parameters
> matching (don't know why this is/was/cannot be done in this case)

Clearly I was responding specifically to 'what is hard about making them
match', which is why I snipped the rest.  If one controls PTR it's easy
to make all 3 match.  When one does not control PTR it is 'hard', in
fact impossible, to make them all match.

Our friend from Vienna seemed focused on incompetency of admins, while I
was pointing out that 'incompetency' of some ISPs is a larger problem,
as in the latter case there is often no option to set the PTR, whether
one reads the docs or not.

Cheers,

Stan


Re: v4bl.org anyone knows this ?

Peter Ajamian
In reply to this post by Robert Schetterer-2
On 04/12/2014 03:07 AM, Robert Schetterer wrote:
> Hi , anyone knows this rbl ?
>
> http://v4bl.org/about.html

My experience with them isn't very good.  They brag about the large
number of IPs they have and keep adding to the list, but for a DNSRBL
quality is much more important than quantity.  I have had dealings
trying to get some servers removed from their lists and they refused
with the following reason:

"Those IPs remain listed because the underlying domain lacks the
credibility/responsibility required of any outbound email sending system
(i.e. an ESP)."

Not very clear and basically they're saying that because we're not an
ESP they're going to blacklist us.

Personally I would not recommend that anyone use this DNSRBL unless you
want to be blocking a large portion of legitimate mail.

Fortunately my experience is that hardly anyone actually does use them,
so being on their list is not the end of the world.


Peter

Re: v4bl.org anyone knows this ?

lists@rhsoft.net
In reply to this post by Stan Hoeppner

Am 14.04.2014 05:20, schrieb Stan Hoeppner:
> Clearly I was responding specifically to 'what is hard about making them
> match', which is why I snipped the rest.  If one controls PTR it's easy
> to make all 3 match.  When one does not control PTR it is 'hard', in
> fact impossible, to make them all match.
>
> Our friend from Vienna seemed focused on incompetency of admins, while I
> was pointing out that 'incompetency' of some ISPs is a larger problem,
> as in the latter case there is often no option to set the PTR, whether
> one reads the docs or not

don't get me wrong but that's the same weak excuse as
"i do not spam my customers do" so why blacklist me

in fact a sane PTR is a prerequisite for reliable mail services
and if you are planning a public MTA normally you make sure of
the matching PTR and other things before sending the first message

if you are checking the prerequisites and realize you can't
get a PTR as needed you can't set up the mailserver on that ISP
or need to rent a relay-server - that's part of organizing things
and at the end competence of a sysadmin

Re: v4bl.org anyone knows this ?

Stan Hoeppner
On 4/14/2014 4:01 AM, [hidden email] wrote:

>
> Am 14.04.2014 05:20, schrieb Stan Hoeppner:
>> Clearly I was responding specifically to 'what is hard about making them
>> match', which is why I snipped the rest.  If one controls PTR it's easy
>> to make all 3 match.  When one does not control PTR it is 'hard', in
>> fact impossible, to make them all match.
>>
>> Our friend from Vienna seemed focused on incompetency of admins, while I
>> was pointing out that 'incompetency' of some ISPs is a larger problem,
>> as in the latter case there is often no option to set the PTR, whether
>> one reads the docs or not
>
> don't get me wrong but that's the same weak excuse as
> "i do not spam my customers do" so why blacklist me
>
> in fact a sane PTR is a prerequisite for reliable mail services
> and if you are planning a public MTA normally you make sure of
> the matching PTR and other things before sending the first message
>
> if you are checking the prerequisites and realize you can't
> get a PTR as needed you can't set up the mailserver on that ISP
> or need to rent a relay-server - that's part of organizing things
> and at the end competence of a sysadmin

In a perfect world yes, this is how it should work.  But we live in an
imperfect world, one in which even competent sysadmins are forced to
set up outbound MTAs on IPs with generic rDNS, because there are no
alternatives.

What you fail to understand is that in many parts of the world outside
your sphere of knowledge/experience, people's options are limited or
nonexistent, whether services not offered by the provider, lack of
competition, budget, administrative or policy constraints, etc, etc.

A couple of years ago I started receiving bot spam from multiple IPs in
a Southern California Verizon FIOS subnet.  I did a little research into
the block, polled the rDNS for the /16, and decided it was all
residential.  I added a regex to match the generic rDNS pattern to
fqrdns.pcre and copied it to the upload dir.  Within 12 hours I received
an angry email from a user whose Postfix MX had blocked mail from his
father who worked at a K-12 school.  Correspondence with the
administrator revealed that Verizon did not offer custom rDNS for FIOS
IP addresses.  When I asked why he didn't relay through their servers he
explained that their fee for "business SMTP relay" was ridiculous given
he had no direct delivery problems of any magnitude.

I myself have my SOHO SMTP outbound on an IP with generic rDNS, for the
same reason as the OP above.  In my case the provider is CenturyLink.
While I could use their relays I choose not to for the same reason I run
a mail server in my home office in the first place:  full control of my
email.  Co-locating a box is not an option for me as the nearest
facility is over an hour away.  I could rent a VPS, but many VPS
providers' IP space is widely blocked due to snowshoe spammer
infestations.  But why should I spend money on that when I have no
delivery issues relating to generic rDNS, and my outbound IP has a
Trustworthiness score of HIGH at dnswl.org?

You can call myself, the sysop at the SoCal school, and tens of
thousands of other OPs doing the same thing, incompetent all you like.
Whether RFCs state A/PTR/HELO *MUST* match, or whether *you* say they
must match does not make it so, because a large portion of the world
isn't paying attention to either of you, and the mail gets delivered.

Cheers,

Stan

Re: v4bl.org anyone knows this ?

Germain
This post has NOT been accepted by the mailing list yet.
In reply to this post by Robert Schetterer-2
Thank you Robert ;-)

Re: v4bl.org anyone knows this ?

chimmney
This post has NOT been accepted by the mailing list yet.
In reply to this post by Robert Schetterer-2
Don't worry.

v4bl is a dysfunctional mailing list run by a couple of kids on a power trip and nobody in their right mind uses it.

They list half the Internet, including some major corporates, and make up their own arbitrary rules.

Do a quick Google.