In the case of this particular worm blacklist, only the infected users
and the people with whom they correspond will be affected, ...
....assuming an IP sending viruses actually gets listed _and_ that the
recipient's mail service chooses to block mail from virbl'ed IPs.
... which is
better for non-infected users but puts no pressure on the ISP to more
effectively block worms.
Except, folk on dynamic IPs are likely to be wrongly virbl'ed for 24
hours as they pick up IPs that have been seen posting viruses in the
last 24 hours. This _was not_ such a large problem with spam when
the spam blacklists started as spamming tended to be very static --
sure, they moved servers much faster than anyone else on the planet,
but still at a rate measured in weeks to months. The blacklists
probably helped push that down into the days to weeks range...
But mass-mailing viruses are different, as their distribution points
have always been much more widely dispersed _and_ they tend to be
concentrated in dynamic IP address space (well, originally they were
concentrated in corporate and institutional America, but that has
largely been fixed now).
Note that spammers have noticed and are now building and using "bot
armies" for spam relaying and direct spam sending.
Given recent trends and developments in virus distribution patterns
and in spam techniques, the mid-term usefulness of such lists, for
both spam and virus reduction, is close to nil. This is obvious to
anyone with two functioning brain cells who works closely in either
industry, but I guess running this project is a nice little hobby for
somebody who will pat themselves on the back, happy in the misguided
belief that they are doing something useful and helpful.
I also see that it's possible for Dutch MXes to be whitelisted, so that
their users are never inconvenienced. I don't understand why only
Dutch ISPs can be whitelisted.
You misread that question in the FAQ. Dutch ISPs can get their _mail
servers_ (aka "MX boxes" -- that is, IPs that are listed in the DNS as
having mail delivery responsibility for a domain) whitelisted. I see
nothing on the virbl site suggesting an ISP (Dutch or otherwise) can
have whole IP blocks excepted. The virbl site says that it attempts
to determine the originating IP of the virus-carrying messages that
"inform" its blacklisting, so a customer of a Dutch ISP with a virus
that happens to send its outgoing mail via the ISP's mail server
would still get listed as the client's IP, not the ISP's mail server IP,
should be the one seen as the originating IP.
Of course, this raises one of the problems of non-authentication of
SMTP -- it is trivial to programmatically forge an extra Received:
header into a virus' outgoing Email messages, pointing the finger
somewhere else.
And the virbl page says nothing useful about how it handles messages
with originating IPs in private IP address space...
Think carefully (well, maybe not -- it took me about a microsecond to
realize this the first time I heard a hare-brained suggestion along
much the same lines as what virbl.bit.nl has implemented) about those
last two for a clear and obvious flaw in the whole shebang. Something
that will be trivially exploited to entirely sidestep virbl in future
_IF_, in the _very unlikely_ circumstance, virbl actually does start
to make any noticeable impact on the self-mailing virus problem...
In short, virbl is a solution looking for a problem, because it is
clearly never going to be a useful piece of the solution to the
problem that it is claimed to be a solution for. (In this, it is much
like SPF and all the other non-anti-spam techniques that are being
seriously oversold as anti-spam "solutions" at the moment...)
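
Added illustration, not part of the original post and not virbl's code: one way a receiving site can choose the IP to list is to believe only Received: lines stamped by relays it runs itself, which ignores a forged older header and declines to list private address space. The relay address, hostnames and sample message below are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: relays we run ourselves; only Received lines they stamped are believed.
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.25")}
# RFC 1918 and loopback space: meaningless as a blacklist key.
UNLISTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def peer_ip(received):
    """IP in the 'from' clause of one Received header, or None if absent/invalid."""
    from_clause = " ".join(received.split()).split(" by ", 1)[0]
    match = BRACKETED_IP.search(from_clause)
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        return None

def naive_origin(raw):
    """Trusts the oldest (bottom) Received line, which the sender controls."""
    hops = message_from_string(raw).get_all("Received") or []
    ip = peer_ip(hops[-1]) if hops else None
    return str(ip) if ip else None

def listable_origin(raw):
    """Walk newest to oldest; stop at the first peer that is not our own relay."""
    for hop in message_from_string(raw).get_all("Received") or []:
        ip = peer_ip(hop)
        if ip is None:
            return None
        if ip in TRUSTED_RELAYS:
            continue  # the next line down was stamped by our relay, so keep going
        return None if any(ip in net for net in UNLISTABLE) else str(ip)
    return None

# Constructed sample: a client behind our relay, plus a forged oldest hop.
SAMPLE = (
    "Received: from relay.example.net (relay.example.net [192.0.2.25])\n"
    "\tby mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from pc (dyn-40.example.net [198.51.100.40])\n"
    "\tby relay.example.net with SMTP; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "Received: from innocent (innocent.example.com [203.0.113.9])\n"
    "\tby pc with SMTP; Mon, 1 Jan 2024 09:59:59 +0000\n"
    "Subject: constructed test message\n\nbody\n"
)
```

On the sample, `naive_origin` blames the forged hop while `listable_origin` returns the address the trusted relay actually saw connect.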