[SURBL-Discuss] Fwd: Re: Bill Stearns' sa-blacklist available as SURBL: ws.surbl.org

Jeff Chan jeffc at surbl.org
Tue Apr 20 18:27:19 CEST 2004

Here are some good comments from Dave Funk about the
handling/creation of the SURBLs.  Please comment on his
suggestions, several of which we may want to implement as time

Jeff C.

On Tue, 20 Apr 2004, Jeff Chan wrote:

> On Tuesday, April 20, 2004, 1:20:05 PM, Charles Gregory wrote:
> > Would it be possible to have 'surbl.org' run a *combined* blacklist, so
> > that people who want to check both 'ws.surbl.org' *and* 'sc.surbl.org' can
> > do it with ONE dns lookup request, instead of two?
> Good question, which Matt asks also.  Here's my response :-)
> > Because ws is larger and more stable, the zone files for it
> > gets a six hour TTL compared to 10 minutes for sc. Due to the
> > differences between the time scales, sizes, and data sources of
> > ws and sc, we probably won't be offering a combined ws plus sc
> > list. For example it would be difficult to say what TTL a
> > merged list should get, and you probably would not want a
> > megabyte plus BIND zone file refreshing every 10 minutes. For
> > those using rsynced zone files that would probably not be an
> > issue, but for those using BIND, the DNS traffic quite well
> > could be.
> So the quick answer is they'll probably not be combined.
> However we probably will offer a combined version of Bill's
> list and Chris' BigEvil list since they are more similar in
> character.

A few comments.
1) It is possible to set a TTL in a DNS zone on a per-record basis.
   (at least with BIND). So you could combine the two zones and
   have the 'sc' records flagged with a short TTL, and 'ws' with
2) Newer versions of BIND support incremental zone-transfer, and
   so will just push changes.
3) We also secondary the MAPS RBL+ zone; that's a 54 Mbyte zone that updates
   every 3 hours (i.e. 18 Mbyte/hour). A 1 Mbyte zone every 10 minutes would be
   only 6 Mbytes/hour, chicken feed. ;)
4) Over half the size of those zones is in the TXT records. Just
   changing 'Message body contains domain in sa-blacklist. See:
   http://www.stearns.org/sa-blacklist/' to 'Blocked, See:
   http://www.stearns.org/sa-blacklist/' reduced the 'ws' zone size by 33%
5) It's possible to combine the zones but keep the data logically separate
   so people can differentiate and adjust scores/policies accordingly.
   Check out how MAPS does RBL+: the A record returns an "IP address"
   that is effectively a bit-mask flag to indicate which MAPS zone
   the original hit was from (DUL, RSS, RBL, OPS, etc).
   Look at how the 'check_rbl' and 'check_rbl_sub' routines are
   used inside SA to pull apart a single DNS query against RBL+
   (at least in SA 2.6*, haven't looked at 3.0 yet ;)

This is not to imply criticism of your response, just some tech info
to show alternatives.

Regardless, I would recommend using 5) when you combine Bill's list
and Chris' BigEvil so that people can differentiate in case they have
score/policy concerns regarding the two. People who just look for
the existence of the A record won't notice the difference but people
who know and care can utilize the additional info.

Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Jeff Chan
mailto:jeffc at surbl.org-nospam
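An added example (not code from this thread, from SURBL, MAPS or SpamAssassin) of the two mechanisms Dave describes in points 1 and 5: a combined zone whose A record carries a bit-mask in the last octet saying which source list a domain came from, with a per-record TTL taken from the shortest-lived contributing list. The bit values, TTLs, domain names and TXT text are all assumptions chosen for the example; the matching function follows the bit-mask comparison described for check_rbl_sub, not that routine's actual code.

```python
"""Combined blocklist zone with a bit-mask A record (added example, not SURBL's code)."""

# Hypothetical bit assignment for the example; not the real SURBL/MAPS encoding.
LIST_BITS = {"ws": 2, "ob": 4, "sc": 8}

# Per-list TTLs in seconds, following the thread: ws gets six hours, sc ten minutes.
# The 'ob' (BigEvil) value is an assumption.
LIST_TTL = {"ws": 6 * 3600, "ob": 6 * 3600, "sc": 600}

# Constructed sample listings: domain -> set of source lists that flagged it.
SAMPLE_LISTINGS = {
    "spammer.example": {"ws"},
    "evil.example": {"ws", "ob"},
    "fresh.example": {"sc"},
}


def encode_answer(sources):
    """Return the 127.0.0.N A record value whose last octet ORs the source bits."""
    mask = 0
    for name in sources:
        mask |= LIST_BITS[name]
    if not 0 < mask < 256:
        raise ValueError("bit-mask must fit in the last octet and be non-zero")
    return f"127.0.0.{mask}"


def decode_answer(addr):
    """Split a 127.0.0.N answer into (known source lists, leftover unknown bits).

    Unknown bits are reported rather than dropped so a client notices when the
    publisher adds a list it has not been told about.
    """
    octets = addr.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"unexpected blocklist answer {addr!r}")
    mask = int(octets[3])
    hits = {name for name, bit in LIST_BITS.items() if mask & bit}
    known = 0
    for bit in LIST_BITS.values():
        known |= bit
    return hits, mask & ~known


def matches_subrule(addr, rule_mask):
    """Sub-rule test in the style the thread describes: fire when any rule bit is set.

    A client that only checks for the existence of the A record ignores the mask;
    one that cares passes the bits of the list(s) it wants to score separately.
    """
    return int(addr.rsplit(".", 1)[1]) & rule_mask != 0


def zone_records(listings):
    """Build zone file lines for a combined zone: one A and one TXT per domain.

    The per-record TTL is the shortest TTL among the contributing lists, so a
    domain that is also on the fast-moving list is not cached for six hours.
    """
    lines = []
    for domain, sources in sorted(listings.items()):
        ttl = min(LIST_TTL[name] for name in sources)
        addr = encode_answer(sources)
        lines.append(f"{domain}\t{ttl}\tIN\tA\t{addr}")
        # Short TXT, per point 4: the long per-list message doubles the zone size.
        lines.append(f'{domain}\t{ttl}\tIN\tTXT\t"Blocked, see http://www.surbl.org/"')
    return lines


if __name__ == "__main__":
    for line in zone_records(SAMPLE_LISTINGS):
        print(line)
    hits, unknown = decode_answer(encode_answer({"ws", "ob"}))
    print(sorted(hits), unknown)
```

The decode side is the part a scoring client needs: a site that wants to score BigEvil hits differently from sa-blacklist hits checks its own bit, and anything that merely tests for an A record keeps working unchanged, which is exactly the compatibility property Dave points out.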
