>...
>
>At 09:59 PM 5/8/2005, mouss wrote:
>>rfci lists so many people that one can't rely on (they list yahoo, aol,
>>hotmail, ....) except for a personal site (or a company where you can
>>enforce your rules). A fascist approach might (seem to) work, but it'll
>>never solve the real problems.
>
>/Agree.. I use most of RFCI as an informational indication that the domain
>doesn't handle things the normal or proper way.
>
>The only RFCI list I find to have any chance of usability is bogusmx.
>Although even that is slightly over-picky for real world applicability.
>It's unfortunate that RFCI doesn't differentiate between those with a MX
>record pointing to bogus IP space or is unresolvable, and those which are
>merely misconfigured by a well meaning but undereducated (read: just barely
>got a MCSE) IT staffer and point to a CNAME. While returning a MX record
>that returns a CNAME is a RFC violation, and may cause trouble for mail
>delivery, it's hardly worth blacklisting someone over.
>
>ipwhois performed very well in the SA tests, but it doesn't even have a
>published listing criteria anymore, thus I can't consider it trustworthy
>and wonder if it's maintained or not. (see for yourself:
>http://www.rfc-ignorant.org )
>
>RFCI is not nearly as Fascist as spews, but IMHO its lack of
>differentiation between serious deception and minor misconfiguration limits
>its real-world usability. While some parts of RFCI did very well in the
>pre 3.0 mass-checks, my own experience with them has been substantially
>less impressive. This is probably heavily biased by the number of small
>businesses my company works with. Small companies are the most likely to
>have a single IT guy running the show, and those usually have good
>knowledge of windows, and very poor knowledge of IP networking. They're the
>most prone to have minor mistakes, typos, etc.
>
>(Sorry Paul, I know you work hard to contribute to RFCI, and all the
>information they publish is correct, it's just becoming less and less
>useful in spam fighting for me.)
>
Matt,

I think you'd be surprised how much I do agree with you. I admit I block at the MTA level on both bogusmx and whois lists, and I definitely am one of the major reporters; however I generally won't report an innocent person over an invalid fax number or CNAME in a 'MX' (in fact last month, I called a contributor to a technical list I subscribe to and led him through getting off the list - someone else had reported his MX was a CNAME, another person on the same list - and you thought my rules were strict - this other person's servers refuse mail from my domain for the lack of an 'A' record, which you have pointed out before).

I do admit to occasionally listing large companies who should know better - I had sbc.com nominated three days ago and listed on the whois list yesterday; They should know better! (I would have definitely hesitated if it were "sbcglobal.com", since that would affect customers, not just the corporate operations). I have also nominated people like askjeeves.com (their listed contact number is actually directory assistance - i.e. 555-1212, which is inexcusable in my opinion); that case was unusual in that a spammer was using their technical contact as his own email contacts. Similarly, today I discovered a spammer had registered a pornography domain in the name of and at the address of the founder of CSL/Joker (that took a while to figure out, since this particular spammer "always" lies, but all the data looked good).

I have found (despite the occasional CNAME listing) that bogusmx is the only URI sign in the same class as the SURBLs, and rfci.whois is a little better than the SBL (and I assign it just a slightly higher score for URI rules). Still, I do block at the MTA level on whois. It works well for me, I wouldn't do it for any of my client's sites (who tend to be very large companies).

BTW, I added up the connections from comcast for the past 60 days last night; I had 2874 (not counting two or three from you), of which 2867 were blocked by the XBL and the other 7 were all spam. Clearly I get a very biased set of mail, but you remain the only valid person to have ever sent me valid email from comcast (again, not counting indirect mail through a list).

I push for rfci a lot, not just because I contribute (though that is certainly a factor), but because I strongly believe that 10 small point rules is much better than 2 or 3 "hammer" rules (though the SURBLs seem deserving of the scores they get - and almost any two SURBLs will get a default install to or near 5 points). Also, like the SURBLs, they are RHS lists and catch a spammer even when he "jumps" IP addresses (the AHBL doesn't hit much, but is good for the same reason).

Maybe I'll bring up the CNAME issue on the rfci-discuss list; I tend to agree that there is a distinction between a 'MX' to 127.0.0.1 and a CNAME, and they already make distinctions between TLDs and SLDs (I doubt many people block or even assign points for the TLD listings, but then some people do use both FIVETEN and ???.blackholes.us).

Clearly, there is a huge difference between the types of lists and rules an ISP or large company should/would use and those appropriate for a small company or individual. While I consider my own rules to be extremely strict, on some points I allow mail to pass that either AOL or Hotmail/MSN would refuse or bit-bucket.

One final point, despite the fact that the old ipwhois list at rfci is gone, the people at the completewhois project have taken over the same responsibility and the list from combined-HIB.dnsiplists.completewhois.com performs very well - probably well enough to use even in ISP type environments. You might want to give them and it a look. I find it catches quite a bit of spam, and has an extremely low FP rate. I believe it was run through a SA mass check on Apr. 28.

Paul Shupak [EMAIL PROTECTED]
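
The distinction raised in this thread, between an MX that points at bogus address space or does not resolve and one that merely points at a CNAME, sketched as an added example; it is not part of either poster's message and is not RFCI's listing logic. The record table, verdict names and severity ordering are assumptions made for illustration.

```python
import ipaddress

# Address space an MX should never point at (assumed list for this sketch):
# "this network", RFC 1918, loopback, link-local.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records, not real DNS answers. 192.0.2.0/24 (documentation
# range) stands in for ordinary routable addresses.
SAMPLE_DNS = {
    "ok.example":         {"MX": ["mail.ok.example"]},
    "mail.ok.example":    {"A": ["192.0.2.25"]},
    "alias.example":      {"MX": ["mx.alias.example"]},
    "mx.alias.example":   {"CNAME": ["host.alias.example"]},
    "host.alias.example": {"A": ["192.0.2.40"]},
    "loop.example":       {"MX": ["mx.loop.example"]},
    "mx.loop.example":    {"A": ["127.0.0.1"]},
    "dead.example":       {"MX": ["gone.dead.example"]},
}

# Hypothetical ordering: a CNAME is a minor fault, the other two are serious.
SEVERITY = {"ok": 0, "cname": 1, "unresolvable": 2, "bogus_ip": 2}

def classify_target(host, dns, depth=0):
    """Classify one MX exchange name against the supplied records."""
    rec = dns.get(host, {})
    if "CNAME" in rec and depth < 5:
        # Follow the alias: a CNAME that ends somewhere sane is only "cname",
        # one that ends in bogus space or nowhere keeps the serious verdict.
        final = classify_target(rec["CNAME"][0], dns, depth + 1)
        return "cname" if final == "ok" else final
    addrs = rec.get("A", [])
    if not addrs:
        return "unresolvable"
    if any(ipaddress.ip_address(a) in net for a in addrs for net in BOGUS_NETS):
        return "bogus_ip"
    return "ok"

def classify_domain(domain, dns):
    """Return the most severe verdict across all of a domain's MX targets."""
    targets = dns.get(domain, {}).get("MX", [])
    if not targets:
        return "no_mx"
    verdicts = [classify_target(t, dns) for t in targets]
    return max(verdicts, key=SEVERITY.__getitem__)
```

A scoring rule built on this could give "cname" a small score and reserve blocking for "bogus_ip" and "unresolvable".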