Friday, August 1, 2003

Black death for a top blacklist


By Daniel Koffler
The editors at ZATZ would like to welcome Daniel Koffler as our latest, newly-minted Contributing Editor for DominoPower Magazine. With all the insanity this week about email systems, he's managed to keep up with it all and provide us with some of the most timely articles on the topic anywhere. We're proud to add Daniel to our editorial ranks. We're running this article in both OutlookPower and DominoPower because of the importance of the topic. -- DG

It has been a tough few weeks for mail administrators everywhere. Mail worms abound; at least three variations of the SoBig worm have appeared and spread like wildfire. The Bugbear.B, Mimail, and Fizzer mail worms have also caused large scale infections and hit the highest virus alert levels worldwide in the same time period.

To top it all off, many mail administrators realized today that their inbound SMTP servers were not accepting mail from anyone. Was this a new virus or worm? No, it was one of their spam fighting tools turned against them.

DNSBLs (DNS Blacklists) are a hot new weapon in the fight against spam. They allow mail servers to check to see if a system trying to deliver mail is a known spammer or potential source of spam (such as an open SMTP relay). OsiruSoft, publisher of the OsiruSoft and SPEWS blacklists and one of the most pre-eminent blacklist providers, shut down and took the servers configured to use those lists down with them.

Blacklisting the world

Since August 26th, every time a server asks if a connecting server is on the blacklist, the server responds "yes". This means that every connection to a server using these blacklists is rejected. This has left administrators scrambling to remove OsiruSoft blacklists from all their effected servers.

Debates are raging as to why OsiruSoft would bow out in this manner. OsiruSoft had been under a heavy DDoS (Distributed Denial of Service) attack for several days before they shut down, but this does not explain why they would blacklist the world and no official reason has been given by any OsiruSoft official.

Using DNS blacklists to stop spam is a concept still in its infancy and even before this incident there was much debate over its true merits. While blacklists can filter a large percentage of spam, critics argue that relying on a third party for mail delivery is tricky at best; OsiruSoft proved that point. As mail administrators it may be time to re-think how DNS blacklists are used.

Re-thinking policy

Most SMTP servers that support DNS blacklists will also provide more then one way to handle them. Logging or quarantining messages from sources appearing on blacklists is a much safer bet then rejecting messages outright, although it requires more administrative involvement. Logging will tell you how bad your spam problem is without attempting to resolve it. Quarantines require that users or administrators are regularly notified of items in quarantine and take the time to release or delete them.