[EMAIL PROTECTED] wrote on 05/02/2006 12:11:00 PM:

> I tried this. Turns out a shocking number of ISPs and businesses don't
> bother running AV software on their outbound servers and just blindly
> relay their users' mail.

If you run the BL locally and no one knows about it. If it's a publicly available RBL that shows up on some of the RBL lookup tools like DNSStuff.com, etc. then the mail server owner wouldn't take the heat. All you would have to do is point to the RBL and say "Your server has sent viruses, and is therefore blocked for security reasons. Please address the situation with the RBL. And by the way, you might want to install some antivirus software on your server." Maybe that way more ISPs could be encouraged to run AV software and prevent the spread.

> If you blacklist IPs based simply on if they've sent you a worm, then
> you'll likely be blocking a lot of legit mail as well. I was just doing
> this as an input to a greylisting system (send me a worm and get
> greylisted for an hour, send mail to too many bad addresses and get
> greylisted, etc.) and I *still* had a whole pile of complaints from my
> users. :-( I tried maintaining a whitelist, but eventually gave it up
> as a bad job.

Blocking open relays used to block a lot of legitimate mail too until owners started closing them down. There is no reason to relay a virus either. By shaming owners and punishing them for poor behavior, maybe we can have the same effect and get them to clean up their act.

> Sticking with SBL-XBL, at least I can be fairly certain that if an ISP
> or business gets themselves blacklisted, they'll find out in short order
> and get themselves removed. The same isn't really true if you're
> running a local blacklist--I shudder to think what would have happened
> if I'd blacklisted and bounced the mail, rather than just delaying it....

I use SBL-XBL. I'm looking to enhance it by listing anything that sends a virus and another sign of poor server management.

I am not talking about this being a local blacklist, but a public one where anyone can query 1.2.3.4.virusrbl.org and find out whether that address is a known virus source, and www.virusrbl.org will provide information about why the address is blocked. I'm fairly sure that if an ISP or business gets listed for passing a virus, they'll find out in short order and get themselves removed.
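
The greylisting input described in the quoted text (a relay that sends a worm is delayed for an hour, and one that hits too many bad addresses is delayed as well), sketched as an added example that is not code from this thread or from MIMEDefang. The class name, the bad-recipient threshold and window, and applying the same one-hour delay to both triggers are assumptions; the thread gives only the one-hour figure for worms.

```python
import time

WORM_PENALTY = 3600      # one hour, the figure given in the thread
BAD_RCPT_LIMIT = 5       # assumed: the thread only says "too many"
BAD_RCPT_WINDOW = 600    # assumed counting window, in seconds


class PenaltyBox:
    """Tracks relay IPs that get a temporary failure instead of a reject."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.until = {}      # ip -> epoch time at which the delay ends
        self.bad_rcpts = {}  # ip -> timestamps of recent unknown-recipient hits

    def _penalize(self, ip, seconds):
        # Extend an existing penalty, never shorten it.
        self.until[ip] = max(self.until.get(ip, 0), self.clock() + seconds)

    def saw_worm(self, ip):
        """Call when the virus scanner flags a message relayed by ip."""
        self._penalize(ip, WORM_PENALTY)

    def saw_bad_recipient(self, ip):
        """Call on each RCPT TO for a nonexistent local address."""
        now = self.clock()
        hits = [t for t in self.bad_rcpts.get(ip, []) if now - t < BAD_RCPT_WINDOW]
        hits.append(now)
        self.bad_rcpts[ip] = hits
        if len(hits) >= BAD_RCPT_LIMIT:
            self._penalize(ip, WORM_PENALTY)  # assumed: same delay as a worm

    def decide(self, ip):
        """Return the action for a new connection from ip."""
        end = self.until.get(ip)
        if end is None:
            return "accept"
        if self.clock() >= end:
            del self.until[ip]  # penalty expired; forget the relay
            return "accept"
        return "tempfail"       # 4xx reply: a legitimate MTA queues and retries
```

Because the answer is a temporary failure, mail from a listed relay that also carries legitimate traffic is delayed until the penalty expires rather than bounced, which is the distinction the quoted poster draws between delaying and blacklisting.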