[RPZ] RPZ Findings.

Vernon Schryver vjs at rhyolite.com
Thu Dec 20 22:15:32 UTC 2012


> From: Raymond Dijkxhoorn <raymond at prolocation.net>

> So if I create an RPZ with random IPs on the list and it scores best
> in 'this test' it's good? Doesn't make much sense.

I said nothing about random IP addresses but instead referred to
the domains and IP addresses seen at your site.

> While I do understand your point of view I don't understand that
> you are missing the point of a checked corpus. I do understand this
> is also subject to point of view but without more input I don't
> understand what this scoring tells me at all.

Why do you care about any corpus of IP addresses or any other signs
collected by others in the past?  Your situation differs.  Any fixed
corpus will be from the distant past by the time you hear about it.


> If people do execute tests, setpoints and guidelines should be clear.
> If it's the idea that it doesn't matter at all that's also fine. But then
> forget my first reply and I'll just keep silent here.
>
> Then I post tomorrow things like 'beautiful weather' since that
> tells as much as this test.

I disagree.
I think the other person's message contained interesting information.
It told me that at the unnamed ISP, few DNS requests are hit.  However,
the reference to surbl.org suggests that domain names in URLs are
involved.  0.18% among the DNS requests from a consumer ISP's customers
could be a lot of evil stopped.  If that is what's happening, I would
not expect many details to be discussed in public or with strangers.
I've a guess about the identity of the site, but that is evidently
also non-public information.

The message also told me that if I were considering RPZ with free
policy zones, I might start with Spamhaus.
It also might set a lower bound on a commercial policy zone's hit rate.


By the way, the aborted SMTP transaction from relay10.prolocation.net
2a00:d00:ff:133:94:228:133:100 at 21:13:53 GMT was indistinguishable
from a standard dictionary probe and so was counted negatively by the
defenses at smtp.rhyolite.com.  I hope relay10.prolocation.net is not
using so-called "sender verification" and certainly not against SMTP
From: headers instead of SMTP envelope Mail_From values.  Sender
verification is a bad idea and worse when applied to headers instead
of envelopes.


Vernon Schryver    vjs at rhyolite.com
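The advice above is to judge an RPZ feed by what it rewrites among the queries seen at your own site, not by a corpus collected elsewhere. As an added example, not part of the original message and not code from any RPZ feed or from BIND, here is a Python script that computes that per-site number from BIND 9 query-log and rpz-log lines: total queries, rewrites, the resulting hit rate, and a breakdown by policy zone and action. The sample log lines are constructed, and the exact log layout (the optional `@0x...` client pointer, the `name/type/class via <owner>` form of the rewrite line, the action names) is an assumption to check against the `named` version in use; the regexes are where to adjust it.

```python
"""Per-site RPZ hit rate from BIND 9 query-log and rpz-log lines (added example)."""
import re
from collections import Counter

# Constructed sample lines in the shape BIND 9 writes to its 'queries' and
# 'rpz' logging categories. The layout is an assumption; check it against
# your named version and adjust the regexes below if it differs.
SAMPLE_LOG = """\
client @0x7f1c5c0 192.0.2.10#51234 (www.example.net): query: www.example.net IN A +E(0)K (192.0.2.53)
client @0x7f1c5c0 192.0.2.10#51234 (bad.example.org): query: bad.example.org IN A +E(0)K (192.0.2.53)
client @0x7f1c5c0 192.0.2.10#51234 (bad.example.org): rpz QNAME NXDOMAIN rewrite bad.example.org/A/IN via bad.example.org.rpz.spamhaus.example
client @0x7f1c5c0 192.0.2.10#51234 (mail.example.com): query: mail.example.com IN MX +E(0)K (192.0.2.53)
client @0x7f1c5c0 2001:db8::11#40010 (phish.example.com): query: phish.example.com IN A +E(0)K (192.0.2.53)
client @0x7f1c5c0 2001:db8::11#40010 (phish.example.com): rpz QNAME NODATA rewrite phish.example.com/A/IN via phish.example.com.rpz.local
client @0x7f1c5c0 192.0.2.10#51234 (www.example.net): query: www.example.net IN AAAA +E(0)K (192.0.2.53)
client @0x7f1c5c0 192.0.2.10#51234 (ns1.example.net): query: ns1.example.net IN A +E(0)K (192.0.2.53)
client @0x7f1c5c0 192.0.2.12#6001 (10.2.0.192.in-addr.arpa): query: 10.2.0.192.in-addr.arpa IN PTR +E(0)K (192.0.2.53)
client @0x7f1c5c0 192.0.2.12#6001 (cdn.example.net): query: cdn.example.net IN A +E(0)K (192.0.2.53)
resolver priming query complete
"""

# Common prefix: client address (IPv4 or IPv6) and port, then the qname in parentheses.
CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
QUERY_RE = re.compile(CLIENT + r"query: (?P<name>\S+) IN (?P<qtype>\S+)")
RPZ_RE = re.compile(CLIENT + r"rpz (?P<trigger>[A-Z-]+) (?P<action>\S+) rewrite "
                    r"(?P<name>\S+) via (?P<via>\S+)")


def policy_zone(name, via):
    """Recover the policy zone name from the 'via' owner name.

    The rewrite line is logged as 'name[/type/class] via <trigger-owner>',
    where the owner is the trigger name inside the policy zone. For a QNAME
    trigger the zone is what remains after stripping the query name; other
    trigger types carry a marker label (rpz-ip, rpz-nsdname, ...) that is
    used as the split point.
    """
    qname = name.split("/", 1)[0].rstrip(".")
    owner = via.rstrip(".")
    if owner.startswith(qname + "."):
        return owner[len(qname) + 1:]
    for marker in ("rpz-client-ip.", "rpz-ip.", "rpz-nsdname.", "rpz-nsip."):
        idx = owner.find("." + marker)
        if idx >= 0:
            return owner[idx + 1 + len(marker):]
    return owner  # unknown form: report the whole owner name


def rpz_stats(log_text):
    """Count queries and RPZ rewrites; return the hit rate and breakdowns."""
    queries = 0
    hits = 0
    per_zone = Counter()
    per_action = Counter()
    per_name = Counter()
    hit_clients = set()
    for line in log_text.splitlines():
        m = RPZ_RE.search(line)
        if m:
            hits += 1
            per_zone[policy_zone(m["name"], m["via"])] += 1
            per_action[m["action"]] += 1
            per_name[m["name"].split("/", 1)[0]] += 1
            hit_clients.add(m["client"])
            continue
        if QUERY_RE.search(line):
            queries += 1
    rate = (100.0 * hits / queries) if queries else 0.0
    return {
        "queries": queries,
        "hits": hits,
        "rate_pct": round(rate, 2),
        "per_zone": dict(per_zone),
        "per_action": dict(per_action),
        "top_names": per_name.most_common(5),
        "hit_clients": sorted(hit_clients),
    }


if __name__ == "__main__":
    stats = rpz_stats(SAMPLE_LOG)
    print(f"{stats['hits']} rewrites / {stats['queries']} queries = {stats['rate_pct']}%")
    for zone, n in sorted(stats["per_zone"].items(), key=lambda kv: -kv[1]):
        print(f"  {zone}: {n}")
    print("clients that hit a policy:", ", ".join(stats["hit_clients"]))
```

To use it on a real resolver, replace SAMPLE_LOG with the concatenated contents of the query and rpz log channels for the same period; both categories must be logged, or the denominator will be missing. The per-zone breakdown is what lets you compare feeds loaded side by side on your own traffic, which is the comparison the message argues for; the 0.18% figure quoted above is one site's number and is not reproduced by the constructed sample.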


