Jeff,
Unfortunately, I don't see this as very useful. As a person directly affected by the issue, I would very much like to see something done to stop it. However, the chances of hitting proxies and DHCP pools for ISPs just seems too high.
If I used such a list, I would probably want to expire entries in something like 90 minutes. I use IP-based blocking with similar rules and it's quite effective with very minimal FPs. If we could add entries quickly and people could use the list to temporarily block traffic until expired, I think it would be very useful (and out of SURBL's mission).
However, then comes the point of a reverse attack where they start putting an IP address of an innocent 3rd party. Then we start assisting them.
Anyway, I stand ready to help. I just don't see this as a good idea, sorry.
Regards, KAM
As we know, the storm malware is responsible for a large number of compromised computers in botnets, for DDoS, for e-card, PDF, and stock spams, etc. A large number of storm e-card-advertised URI IP addresses are available from the XS data source but are not currently being listed on XS. (Those IPs, of course, are all or mostly bot-hosted web sites with malware loaders to further spread storm by compromising more computers and growing the botnets by infecting anyone who visits the sites.)
Shall we:
1. Blacklist those on XS
2. Add XS into multi.surbl.org as the 128th bit
In principle #1 and #2 could be separate issues, but to get maximum benefit if #1 is done then #2 should probably be done also.
XS will likely have much other data added to it in future, including non-storm domain names and other URI hosts. This would only be a first step. It's also worth noting that we don't intend XS to be a malware list; we're still focussed on unsolicited messages, and that is the aspect that arguably makes the storm IPs appropriate for inclusion: their appearance in huge amounts of bot-sent unsolicited messages. It just happens that the messages are primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
Also, regarding storm URI IPs, some are currently being added to SC and WS. Some are probably going onto JP and PH also. But the XS collection would probably be more comprehensive than the others for now.
Comments?
Jeff C.
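Added example, not code from this thread or from SURBL itself: building the multi.surbl.org lookup name for a URI host (including the literal IP addresses the storm e-cards advertise) and decoding the 127.0.0.X answer into the sub-lists that hit, with XS taken as the 128 bit proposed above. The octet reversal for IP hosts and the bit values for the other sub-lists are assumed from SURBL's published usage, not stated in the thread.

```python
import ipaddress

# Bit values carried in the last octet of a multi.surbl.org answer (127.0.0.<bits>).
# XS = 128 is the value proposed on the list; the other assignments are assumed
# from SURBL's published multi documentation and are not stated in the thread.
MULTI_BITS = {
    2: "SC",
    4: "WS",
    8: "PH",
    64: "JP",
    128: "XS",
}


def multi_query_name(host: str) -> str:
    """Return the DNS name to resolve under multi.surbl.org for a URI host.

    Domain names are appended as-is. Literal IPv4 hosts (as in the storm
    e-card URIs) have their octets reversed first, per SURBL's convention
    (assumed here, see lead-in).
    """
    host = host.strip().lower().rstrip(".")
    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return f"{host}.multi.surbl.org"
    return ".".join(reversed(str(ip).split("."))) + ".multi.surbl.org"


def decode_multi_answer(answer: str) -> set:
    """Map a 127.0.0.X answer to the set of SURBL sub-list names that matched.

    Bits with no known sub-list are reported as 'unknown:<value>' so that a
    newly assigned bit is noticed rather than silently ignored.
    """
    octets = str(ipaddress.IPv4Address(answer)).split(".")
    if octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"not a multi.surbl.org answer: {answer}")
    bits = int(octets[3])
    hits = {name for value, name in MULTI_BITS.items() if bits & value}
    unknown = bits & ~sum(MULTI_BITS)
    if unknown:
        hits.add(f"unknown:{unknown}")
    return hits


def listed_on_xs(answer: str) -> bool:
    """True when the XS (128) bit is set in the answer."""
    return "XS" in decode_multi_answer(answer)
```

A resolver lookup of `multi_query_name(host)` returning 127.0.0.130 would mean both SC and XS listed the host; 192.0.2.10 below is a constructed documentation address.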