Re: db.debian.org (and related infrastructure) updates



On Tue, Jan 02, 2007 at 01:12:56PM +0100, Santiago Vila wrote:
> For those of you who are afraid about reliability of a DNSBL,
> I can highly recommend cbl.abuseat.org as the absolute minimum.
> This list (called CBL for short) has the following properties:
> 
> * Takes its data from very large spamtraps.
> * Only lists IPs which are open-proxy-like.
> * Only lists individual IPs, never lists "IP ranges".
> * It's completely automated to prevent human error.
> * Tries very hard not to list "real" SMTP servers.
> * Everybody can remove any IP from the list without any questions at all.

Well, let's not get too ahead of ourselves praising CBL. I've recently
experienced the situation where the CBL people were way too trigger-happy
in listing IPs in their blacklist.

I happen to have one group of users whose traffic is routed through a server
that I run, and I block their outgoing SMTP traffic and route their outgoing
HTTP traffic transparently through a Squid proxy. At one point, half a dozen
machines (out of around two hundred) contracted some sort of a worm-virus
which wanted to send spam. The problem was the fact that the same worm-virus
was trying to be a bit too shrewd for its own good, and before trying to
actually send spam, it went and preemptively sent an HTTP request to the
CBL web site in order to de-list itself from that blacklist.

The CBL folks experienced a DDoS due to the sheer volume of these requests,
and decided to automatically list all IPs that sent them those HTTP requests
in the blacklist. Unfortunately, they did not check for X-Forwarded-For
headers (or whatsitcalled) to see whether the queries were actually proxied,
nor did they cross-reference the list of those IPs with their actual
spamtraps to see whether they actually sent any spam.

This resulted in my gateway IP address being banned, because of two dozen
HTTP requests of clients behind it. There was no notification to hostmaster,
postmaster, nothing (admin contacts readily available via WHOIS and/or DNS).
Because the same IP also happened to run a (legitimate) mail server, it
caused other mail servers which check on SBL-XBL (which includes CBL) to
reject our (legitimate) mails. (I later separated these two functions to
different IPs in order to avoid this kind of nonsense in the future.)

I had to send several e-mails to CBL people and it took us two days before
we finally cleared up the situation. The first operator that I talked to
didn't really understand what was going on, until I managed to guess what
they were doing and then another person finally started talking in real
technical terms to me and then we wrapped it up nicely (based on information
that that person gave me, I was able to ban rogue HTTP requests and isolate
infected machines).

Hence, I must disagree with the blanket assessment that they "try very hard"
not to list real servers. I know getting DoSed is a pain in the ass, and
I know that my users need to be shot for running Windows^W^W letting viruses
abuse their machines. Yet, reacting to such things with knee-jerk measures
is not really trying very hard.

-- 
     2. That which causes joy or happiness.
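Two checks that follow from the story above, written as an added example that is not code from the post or from CBL: on the gateway side, which hosts behind a transparent Squid proxy sent requests to the blocklist operator's site (the triage the author did to isolate infected machines); on the operator side, how to attribute a request through X-Forwarded-For only when the direct peer is a proxy one trusts, since that header is otherwise attacker-controlled. The Squid log lines, the internal addresses, the trusted-proxy set and the de-listing path are constructed placeholders.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed Squid "native" access.log lines (hypothetical internal hosts;
# the de-listing path is a placeholder, the real CBL URL is not on the page).
SAMPLE_LOG = """\
1167740000.123     45 10.0.0.17 TCP_MISS/200 512 GET http://cbl.abuseat.org/PLACEHOLDER-delist?ip=203.0.113.5 - DIRECT/192.0.2.10 text/html
1167740001.456     30 10.0.0.42 TCP_MISS/200 812 GET http://www.debian.org/ - DIRECT/192.0.2.20 text/html
1167740002.789     41 10.0.0.17 TCP_MISS/200 512 GET http://cbl.abuseat.org/PLACEHOLDER-delist?ip=203.0.113.5 - DIRECT/192.0.2.10 text/html
1167740003.012     39 10.0.0.99 TCP_MISS/200 512 GET http://cbl.abuseat.org/PLACEHOLDER-delist?ip=203.0.113.5 - DIRECT/192.0.2.10 text/html
1167740004.345     44 10.0.0.17 TCP_MISS/200 512 GET http://cbl.abuseat.org/PLACEHOLDER-delist?ip=203.0.113.5 - DIRECT/192.0.2.10 text/html
"""

def delist_probes_by_client(log_text, blocklist_host="cbl.abuseat.org"):
    """Count, per internal client IP, the proxied HTTP requests whose
    target host is the blocklist operator's web site."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated log line
        client, url = fields[2], fields[6]
        if urlsplit(url).hostname == blocklist_host:
            hits[client] += 1
    return hits

def suspect_clients(log_text, threshold=2):
    """Internal hosts whose probe count reaches the threshold: the machines
    to isolate, so that the shared gateway IP is not the one that gets listed."""
    counts = delist_probes_by_client(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def originating_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Operator side: attribute a request to the host behind a proxy only if
    the direct peer is a known proxy; anyone else can forge X-Forwarded-For."""
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    first = x_forwarded_for.split(",")[0].strip()  # leftmost = original client
    try:
        ipaddress.ip_address(first)  # reject non-address junk in the header
    except ValueError:
        return remote_addr
    return first
```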