Default DNS blacklists for Antispam plugin?

blueyed
Posted: Fri Dec 9, 2005 01:47

Phoenix will have a DNS blacklist plugin. Using sbl-xbl.spamhaus.org and list.dsbl.org as default lists to check, it would have hit 100% of the last 8 trackback spams I've received and checked against.

I've added list.dsbl.org, because sbl-xbl.spamhaus.org did not catch all (just 80%).

Unfortunately I've not checked if list.dsbl.org would have caught them all.

So, this thread should be about which blacklists to include by default. IMHO it should not be more than two, because it has to do a DNS lookup for each of them.

You can check out the plugin at http://demo.b2evolution.net/post-phoenix/blogs/admin?login=admin&pwd=demopass (install it in Settings / Plugins and use the "Check DNSBL" tab in "Tools" to check an IP against the list). There are easier ways of course to check if an IP is in a list (nslookup), but it's just a demo.. ;)

 
village_idiot
Posted: Fri Dec 9, 2005 07:31

That's a VERY nice addition, if I say so.

 
edb
Posted: Fri Dec 9, 2005 07:58

Personally I'm glad it's a plugin because that means I can delete it.

Here's the deal. Back in the day I used a dialup account. I tried to visit a web from a visitor to these forums. I got blocked because they used the dsbl thing, or more accurately a hack that made the dsbl thing part of their b2evolution blog. Apparently the IP my dialup service put me on is 'spammy' according to that service, which meant that I personally was deemed unacceptable to the person who visited these forums. NEVER will I allow a third party to decide who visits my web and who doesn't, so thanks for making it a plugin (that I can delete)!

 
village_idiot
Posted: Fri Dec 9, 2005 08:17

lol, that's so true .. I even remember only a cpl weeks ago complaining about those sorts of services too (doh).

I think though that it would be nice to have something that checked JUST known proxy ips .. ya know?

 
blueyed
Posted: Thu Dec 15, 2005 22:46

My question was exactly about which lists should be used as default.

And anyway, by default the user can whitelist him/herself by clicking a button that stores it into his session. I'm not sure how easy it may get for the spammers to auto-whitelist themselves, but it's just one part of the whole Antispam thing.

 
edb
Posted: Thu Dec 15, 2005 23:14

blueyed wrote:

My question was exactly about which lists should be used as default.

My apologies! I should read before reacting I guess.

 
kwa
Posted: Sat Dec 17, 2005 01:55

On my blog, I've been using the following DNSBLs (see BlockUntrustedVisitors, http://forums.b2evolution.net/viewtopic.php?p=23293#23293):

  • list.dsbl.org for IP only;
  • opm.blitzed.org for IP only;
  • bsb.empty.us for both IP and referrer domain.

(I wonder if sbl-xbl.spamhaus.org does not include opm.blitzed.org already.)

Those DNSBLs blocked most (all but a few ones) of my blog's referrer and trackback spammers.

The issue with bsb.empty.us is that it's been down for a couple of days, making DNS lookups very long (until the timeout value is reached). To avoid it hanging your page display, it might be interesting to make the code use low-level socket functions to perform the DNS lookups. In the general case, however, those DNS lookups don't exceed 10 ms each. With a caching system implemented, that might make those queries quicker. With new entries kept for 7 days or so, the full list of blacklisted IPs should not exceed a few hundred entries on a very popular blog, while whitelisted IPs depend on the blog's traffic.

To answer the original question, I would recommend:

  • xbl.spamhaus.org
  • list.dsbl.org
  • opm.blitzed.org (if not covered by xbl.spamhaus.org)

as default activated DNSBLs and

  • bsb.empty.us for both IP and referrer domain

as default but deactivated DNSBL.

 
balupton
Posted: Sat Dec 17, 2005 23:34

An idea for blacklists is: why don't you have them auto-update?

So say the admin of the blog goes to backoffice.
If his list is older than 2 weeks, he will get a message asking does he want to update his blacklist?

If this is already done please ignore me.

 
kwa
Posted: Sun Dec 18, 2005 20:04

balupton wrote:

An idea for blacklists is: why don't you have them auto-update?
So say the admin of the blog goes to backoffice.
If his list is older than 2 weeks, he will get a message asking does he want to update his blacklist?

The idea of a DNSBL (Dynamic Name Server Black List) is to make it possible to easily query the DNSBL with a given IP and know whether it has been blacklisted or not.

Those DNSBLs are external blacklists generally updated by large networks (ISPs, server hosting companies, etc.) So, you don't have to update the blacklist, since it is updated in real time by third parties. (Caching such a blacklist makes it generally quicker to query.) Some DNSBLs reference open proxies (often used by spammers and hackers to hide their original IPs) and known spamming IPs. They are mainly used to filter incoming e-mails, but can also be used for other usage. In this case, they would be used to filter incoming visitors to prevent (or at least reduce) referrer, comment and trackback spamming on your blogs.
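
The lookup kwa describes in this post and in the earlier one (a query for the IP against each list, a bounded wait so that a list which is down cannot hang the page, verdicts cached for 7 days), as an added example that is not part of the thread or of the b2evolution plugin. The `DnsblChecker` class, the 0.5 s timeout, the reversed-octet query name and the handling of `127.255.255.x` answers are assumptions of the example; the zone names are the two proposed at the top of the thread.

```python
import ipaddress, socket, time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

ZONES = ("sbl-xbl.spamhaus.org", "list.dsbl.org")   # defaults proposed in the thread (2005)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")      # DNSBL listings answer inside this range
ERRORS = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus error codes, not listings
_pool = ThreadPoolExecutor(max_workers=4)

def dnsbl_name(ip, zone):
    """IPv4 only: 192.0.2.99 in zone Z is queried as 99.2.0.192.Z."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone

class DnsblChecker:
    def __init__(self, zones=ZONES, resolver=socket.gethostbyname,
                 timeout=0.5, ttl=7 * 24 * 3600, clock=time.time):
        self.zones, self.resolver, self.timeout = zones, resolver, timeout
        self.ttl, self.clock, self.cache = ttl, clock, {}   # cache: ip -> (expiry, zone)

    def _query(self, ip, zone):
        """True = listed, False = not listed, None = no usable answer."""
        future = _pool.submit(self.resolver, dnsbl_name(ip, zone))
        try:
            answer = ipaddress.IPv4Address(future.result(timeout=self.timeout))
        except socket.gaierror as exc:
            # Name does not exist: not listed. Temporary failure: unknown.
            return None if exc.errno == socket.EAI_AGAIN else False
        except (FutureTimeout, OSError, ValueError):
            return None                  # dead or slow list: give up, do not block
        if answer in ERRORS:
            return None                  # the list refused the query; not a verdict
        return answer in LOOPBACK        # anything else (wildcarded zone) is ignored

    def listed_in(self, ip):
        """Return the first zone that lists ip, or None; verdicts are cached for ttl."""
        entry = self.cache.get(ip)
        if entry and entry[0] > self.clock():
            return entry[1]
        hit, unknown = None, False
        for zone in self.zones:
            verdict = self._query(ip, zone)
            if verdict:
                hit = zone
                break
            unknown |= verdict is None
        if hit or not unknown:           # never cache "clean" while a list was unreachable
            self.cache[ip] = (self.clock() + self.ttl, hit)
        return hit
```

An unreachable list is treated as "no verdict", so the visitor is let through and the result is not cached; the next request asks again.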

 
balupton
Posted: Sun Dec 18, 2005 20:08

Alright, well I was talking about how if you go into anti-spam in the backoffice there is an option to update that blacklist....

 
kwa
Posted: Sun Dec 18, 2005 20:09

balupton wrote:

Alright, well I was talking about how if you go into anti-spam in the backoffice there is an option to update that blacklist...

There is no update option of a DNS blacklist, since it is updated by third parties elsewhere than in the backoffice.

 
balupton
Posted: Sun Dec 18, 2005 20:11

[Request abuse update from centralized blacklist!]

From: blogroot/admin/antispam.php

You click that and it will update the blacklist....
