[SURBL-Discuss] Fwd: Re: Bill Stearns' sa-blacklist available as SURBL: ws.surbl.org

Justin Mason jm at jmason.org
Tue Apr 20 18:48:15 CEST 2004

Hash: SHA1

Jeff Chan writes:
>Here are some good comments from Dave Funk about the
>handling/creation of the SURBLs.  Please comment on his
>suggestions, several of which we may want to implement as time

FWIW, we support multi-meaning DNSBL results with TXT records
as well as A records; just ensure that the TXT result includes
a short string we can match on (e.g. "ws" results contain
the string "/sa-blacklist" and "sc" results contain
something else similarly well-defined.)

- --j.

>Jeff C.
>On Tue, 20 Apr 2004, Jeff Chan wrote:
>> On Tuesday, April 20, 2004, 1:20:05 PM, Charles Gregory wrote:
>> > Would it be possible to have 'surbl.org' run a *combined* blacklist, so
>> > that people who want to check both 'ws.surbl.org' *and* 'sc.surbl.org' can
>> > do it with ONE dns lookup request, instead of two?
>> Good question, which Matt asks also.  Here's my response :-)
>> > Because ws is larger and more stable, the zone files for it
>> > gets a six hour TTL compared to 10 minutes for sc. Due to the
>> > differences between the time scales, sizes, and data sources of
>> > ws and sc, we probably won't be offering a combined ws plus sc
>> > list. For example it would be difficult to say what TTL a
>> > merged list should get, and you probably would not want a
>> > megabyte plus BIND zone file refreshing every 10 minutes. For
>> > those using rsynced zone files that would probably not be an
>> > issue, but for those using BIND, the DNS traffic quite well
>> > could be.
>> So the quick answer is they'll probably not be combined.
>> However we probably will offer a combined version of Bill's
>> list and Chris' BigEvil list since they are more similar in
>> character.
>A few comments.
>1) It is possible to set a TTL in a DNS zone on a per-record basis.
>   (at least with BIND). So you could combine the two zones and
>   have the 'sc' records flagged with a short TTL, and 'ws' with
>   longer.
>2) Newer versions of BIND support incremental zone-transfer, and
>   so will just push changes.
>3) We also secondary MAPS RBL+ zone, that's a 54Mbyte zone that updates
>   every 3 hours. (IE 18Mbyte/hour). A 1Mbyte x 10 minutes would be
>   only 6Mbytes/hour, chicken feed. ;)
>4) Over half the size of those zones is in the TXT records. Just
>   changing 'Message body contains domain in sa-blacklist. See:
>   http://www.stearns.org/sa-blacklist/' to 'Blocked, See:
>   http://www.stearns.org/sa-blacklist/' reduced the 'ws' zone size by 33%
>5) It's possible to combine the zones but keep the data logically seperate
>   so people can differentiate and adjust scores/policys accordingly.
>   Check out how MAPS does RBL+, the A record returns an "IP address"
>   that is effectivly a bit-mask flag to indicate which MAPS zone
>   the original hit was from (DUL, RSS, RBL, OPS, etc).
>   Look at how the 'check_rbl' and 'check_rbl_sub' routines are
>   used inside SA to pull apart a single DNS query against RBL+
>   (at least in SA 2.6*, havn't looked at 3.0 yet ;)
>This is not to imply criticism if your response, just some tech info
>to show alternatives.
>Regardless, I would recommend using 5) when you combine Bill's list
>and Chris' BigEvil so that people can differentiate in case they have
>score/policy concerns regarding the two. People who just look for
>the existence of the A record won't notice the difference but people
>who know and care can utilize the additional info.
>Dave Funk                                  University of Iowa
><dbfunk (at) engineering.uiowa.edu>        College of Engineering
>319/335-5751   FAX: 319/384-0549           1256 Seamans Center
>Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
>#include <std_disclaimer.h>
>Better is not better, 'standard' is better. B{
>Jeff Chan
>mailto:jeffc at surbl.org-nospam
>Discuss mailing list
>Discuss at lists.surbl.org
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS


More information about the Discuss mailing list