What does "SFS_Toxic_BD" mean? – Is Zoho bad?



  • I tried to access zoho.com and I was redirected by pfBlockerNG. I host my own email but my emergency email (if/when Exchange fails) is hosted by Zoho and it's redirected but I still log in from time to time.

    I dug on the web a little and found the list to be located in /var/db/pfblockerng/dnsbl/SFS_Toxic_BD.txt in the firewall, I opened it and it's really long, most of the domains I don't know but they all seem to be email-y.

    Is there something I should watch out with this host? I didn't know it had a bad rep, I've had no problems with it ever, spam or delivery or anything else. :/


  • Galactic Empire

    Have a look at the feeds section of DNSBL.

    SFS_Toxic_BD points to https://www.stopforumspam.com/downloads/toxic_domains_whole.txt

    I'm guessing it's a major source of spam email.
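
As an added illustration (not part of the thread and not pfBlockerNG's own code), this shell function reports which feed file in a DNSBL directory lists a host or one of its parent domains. The name `which_feed`, the sample feeds and their line layouts are assumptions; on the firewall the directory would be the /var/db/pfblockerng/dnsbl/ path mentioned in the first post.

```shell
#!/bin/sh
# Added example: find the DNSBL feed file(s) that list a host or a parent domain.
# Assumption: a feed file carries the domain as a whole token somewhere on a
# line; line layout differs between versions, so nothing else is parsed.

# which_feed HOST DIR
#   prints "feedname<TAB>matched-domain" for every hit, returns 1 if none
which_feed() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dir=$2
    found=1
    while :; do
        # Escape dots so "a.example" cannot match "axexample"
        pat=$(printf '%s' "$host" | sed 's/\./\\./g')
        for f in "$dir"/*.txt; do
            [ -f "$f" ] || continue
            # The domain must not be preceded or followed by a hostname
            # character, so a listed subdomain does not implicate its parent
            if grep -Eiq "(^|[^a-z0-9._-])${pat}([^a-z0-9._-]|\$)" "$f"; then
                printf '%s\t%s\n' "$(basename "$f" .txt)" "$host"
                found=0
            fi
        done
        # Drop the leftmost label; stop before reaching a bare TLD
        case $host in
            *.*.*) host=${host#*.} ;;
            *) break ;;
        esac
    done
    return $found
}

# Constructed sample feeds (not real list contents), in two line layouts
demo=$(mktemp -d)
printf '%s\n' 'spam-mailer.example' 'webmail.example' > "$demo/SFS_Toxic_BD.txt"
printf '%s\n' 'local-data: "ads.tracker.example 60 IN A 10.10.10.1"' \
    > "$demo/Sample_Ads.txt"
which_feed login.webmail.example "$demo" || echo "not listed"
rm -rf "$demo"
```

A hit on a parent domain explains why every host under it is redirected; the feed name in the first column is the one to review or disable.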


  • LAYER 8 Global Moderator

    Yeah just because there is a feed listed in pfblocker, doesn't mean you have to enable it ;) If it doesn't pertain to you.

    That list would be good in say blocking known spam senders from talking to your forum or sending you email, etc.


  • Moderator

    If you want to know why a particular domain was added to a feed, it's best to ask the Feed Maintainer.

    For StopForumSpam:
    https://twitter.com/StopForumSpam
    https://www.stopforumspam.com/contact



  • Thanks!

    I've been reading a lot of these and man!...there are a lot of domains. I manually unblocked Zoho, I just hope not to get into trouble.

    Speaking of, just now I tried logging in to this very forum and discovered that my IP address was banned. It scared the living **** out of me until I remembered I'm using a VPN service and changed the region earlier in the day. :)


  • LAYER 8 Moderator

    Why did you include SFS lists in your blacklists anyway? SFS is mostly targeted to forums and communities that are getting spam/bot posts from certain IPs/IP ranges. If you don't run a forum, community or any services, I see no particular need to block outgoing connections to lists that are primarily focused on stopping bad IPs TO your services instead of connections from your clients?



  • I didn't exactly. I set up the firewall from scratch, restoring selectively from the old one, and I left the defaults; pfBlockerNG is very different now and I haven't got around it. It's fine that it blocks stuff, I usually just block everything out from the servers and only allow them to connect upon request from outside, especially since I have several Windows Server VMs.

    I'm updating federation certificates/HAProxy now, relearning pfBlockerNG is next. :) Thanks for your help. Those links/lists are really interesting--I'm doing what you're not supposed to do and go to them from a phone on cellular to see what happens. 😂


  • Galactic Empire

    @JeGr said in What does "SFS_Toxic_BD" mean? – Is Zoho bad?:

    Why did you include SFS lists in your blacklists anyway? SFS is mostly targeted to forums and communities that are getting spam/bot posts from certain IPs/IP ranges. If you don't run a forum, community or any services, I see no particular need to block outgoing connections to lists that are primarily focused on stopping bad IPs TO your services instead of connections from your clients?

    It's by default enabled.


  • Moderator

    There are also filtered versions of that feed which are available in the Feeds Tab:
    https://www.stopforumspam.com/downloads


  • LAYER 8 Moderator

    @NogBadTheBad said in What does "SFS_Toxic_BD" mean? – Is Zoho bad?:

    It's by default enabled.

    Nope. On pfBNG-devel feeds are only there if you select/enable them. I have it set up with e.g. PRI1 and PRI1v6. If one scrolls through the list there are many different selections available but all of them have an info. E.g. mail/smtp. sfs. etc. etc. -> they serve a different purpose. So I only select the lists that are or may be useful for my case. If I host social apps/forums/etc. SFS would be on my list. If I host some SMTP services, Mail Blacklists/IP blacklists for mails are absolutely useful. If I just run e.g. OpenVPN for my home network -> they don't do anything meaningful for my job at hand, so why select them? ;)

    That's why I asked - if @skilledinept would have said he hosts various webapps/websites, SFS isn't that bad a choice to protect against spam/bots or (sometimes) malware or shell/sql injection attacks. But yeah, coming from the old pfBNG it definitely could be confusing, so just see what you need. :)

    My hint would be: use pfBNG-devel in "alias deny" (or alias xy) mode instead of "alias block/permit" for auto-rule generation. This way, pfBNG-devel only fetches the IP lists and creates the aliases (pfB_PRI1 for example) and you can create and arrange the necessary rules yourself and have finer control about where, what and why you block specific lists/things.

    Greets



  • Just to be clear, I'm not blaming anyone or anything, it's only curiosity, and I did install the developer version. The whole UI change threw me for a loop so I followed the little walkthrough just enough to get filtered DNS and left the rest for later.

    I'm hosting my own email but my server connects only to relay servers, in and out. It makes it easier to create a targeted rule: TCP25 can only flow between that single server and my relay and my server itself doesn't relay. I go to Zoho on the web for the administrative stuff only.

    This new version seems a lot more comprehensive though, maybe I didn't see them before but it seems like it comes with a ton more block lists and might not need to add feeds manually at all. It's awesome. <3


  • Galactic Empire

    @skilledinept said in What does "SFS_Toxic_BD" mean? – Is Zoho bad?:

    Just to be clear, I'm not blaming anyone or anything, it's only curiosity and, I did install the developer version. The whole UI change threw me for a loop so I followed the little walkthrough just enough to get filtered DNS and left the rest for later.

    Those in the know install the developer version ☺

