On Sat, 16 Feb 2002, furio ercolessi wrote:
On Fri, Feb 15, 2002 at 12:18:41PM +0100, Anne Marcel Roorda wrote:
>
> Educating admins on how to maintain a blacklist if they so choose
> would be a better sollution. Getting them to drop the local blacklist
> and move to one of the several publicly available blacklists would be
> even better.
We are an ISP using publicly available blacklists (a bunch of them)
and subscription-based ones; but we also have our own, at present
containing about 4000 IP numbers or blocks (and also 6000 domains and
4000 single email addresses; but we are discussing IPs now).
The local blacklist is extremely important to us, because it gives
us an easy and fast way to block established spam sources without
going through the effort of submitting nominations to public
blacklists and wait for them to be accepted. We often do that
(Steve knows..), but there are just too many spammers and too
few people reporting, and a day is only 24h.
you block quickly...
how often do you check/recheck/unblock an ip?
Having said that, we do not "maintain"
the local blacklist other than adding spam sources, and removing
IPs _on demand_ (after having determined that those IPs are no
longer a spam source).
I believe that several ISPs work in this way, and I expect anybody
taking on a block previously used by a spammer to do quite a bit
of work to have his block removed from local blacklists, even
if the spammer was there years before.
Bascially ISP are expected by their customers to stop incoming spam
"now" (as Clive knows well when I was a Demon customer myself in 95,
I used to yell at Demon to do something about the spam, then later
when I became an ISP myself I thought "poor Clive!" :) But ISPs can't
spend their time rechecking every blocked IP to see if the reason
they blocked it has been removed. So local blocklists tend to
accumulate IPs which sit there until somebody contacts them about it.