As we know, the storm malware is responsible for a large number of compromised
computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large
number of storm e-card-advertised URI IP addresses are available from the XS
data source but are not currently being listed on XS. (Those IPs, of course
are all or mostly bot-hosted web sites with malware loaders to further spread
storm by compromising more computers and growing the botnets by infecting
anyone who visits the sites.)
Shall we:
1. Blacklist those on XS
2. Add XS into multi.surbl.org as the 128th bit
In principle #1 and #2 could be separate issues, but to get maximum benefit if
#1 is done then #2 should probably be done also.
XS will likely have much other data added to it in future, including
non-storm domain names and other URI hosts. This would only be a first step.
It's also worth noting that we don't intend XS to be a malware list; we're
still focussed on unsolicited messages and that is the aspect that arguably
makes the storm IPs appropriate for inclusion: their appearance in huge amounts
of bot-sent unsolicited messages. It just happens that the messages are
primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
Also, regarding storm URI IPs, some are currently being added to SC and WS.
Some are probably going onto JP and PH also. But the XS collection would
probably be more comprehensive than the others for now.
Comments?
Jeff C.
http://lists.surbl.org/ seems to be down for me, can anyone else reach it?
--
Kindest regards
Paul Freeman,
NOC4 Limited
+44(0)1844 318 083 (Direct)
+44(0)1844 318 104 (Fax)
How can I tell when a specific URL was entered into SURBL? Is there an
RSS news feed or DNS text record or something that tells this?
My scenario: my tech-savvy user gets an email advertising spammer.com
and says "I did 'host spammer.com.multi.surbl.org' and SURBL's
blocking this domain-- why did it get through?".
I want to answer (accurately) "spammer.com is in SURBL *now*, but it
wasn't when you received the mail-- spammer.com was entered into SURBL
at xxxx, while the email you forwarded came in earlier, at yyy".
Any way to do this? We seem to get a lot of spam that slips by SURBL,
but shows up in multi.surbl.org shortly thereafter (I realize that
someone has to receive the spam before a URL can be added to SURBL...)
Another interesting use would be figuring out how long to quarantine
possible spam-- in most cases, holding suspicious emails for just 12
hours would vastly reduce the amount of spam we get.
--
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.