Jeff Chan wrote:
As we know, the storm malware is responsible for a large number of compromised computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large number of storm e-card-advertised URI IP addresses are available from the XS data source but are not currently being listed on XS. (Those IPs, of course, are all or mostly bot-hosted web sites with malware loaders to further spread storm by compromising more computers and growing the botnets by infecting anyone who visits the sites.)
Shall we:
- Blacklist those on XS
- Add XS into multi.surbl.org as the 128th bit
Sure, but to prevent any of the F.P. risks mentioned in the thread, checking them with something like: wget -S --spider -T5 -t1 -U"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" [ip] (better through a proxy) and comparing the result with a known positive would make it (near) perfect and keep them listed just as long as they need to be... When they vanish, scanning the /24 would certainly allow recapturing most of them.
Can't wait for that list ... increasing amounts of those spams hitting ...
Eric.
In principle #1 and #2 could be separate issues, but to get maximum benefit if #1 is done then #2 should probably be done also.
XS will likely have much other data added to it in future, including non-storm domain names and other URI hosts. This would only be a first step. It's also worth noting that we don't intend XS to be a malware list; we're still focussed on unsolicited messages and that is the aspect that arguably makes the storm IPs appropriate for inclusion: their appearance in huge amounts of bot-sent unsolicited messages. It just happens that the messages are primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
Also, regarding storm URI IPs, some are currently being added to SC and WS. Some are probably going onto JP and PH also. But the XS collection would probably be more comprehensive than the others for now.
Comments?
Jeff C.
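How a mail filter would consume the proposal to add XS to multi.surbl.org as the 128 bit, as an added example that is not part of the original thread or SURBL's own code. The bit values for the existing lists are assumed from the multi encoding of that period, XS = 128 is the value proposed above, and the sample answers are constructed.

```python
import ipaddress

# Assumed bit values for the existing lists; XS = 128 is the value proposed
# in this thread, not a confirmed assignment.
MULTI_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP", 128: "XS"}


def multi_query_name(uri_host, zone="multi.surbl.org"):
    """Build the lookup name for an IPv4 URI host: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(uri_host)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_multi_answer(a_record):
    """Return the list names encoded in a 127.0.0.N answer, lowest bit first."""
    packed = ipaddress.IPv4Address(a_record).packed
    if packed[:3] != bytes([127, 0, 0]):
        # Anything outside 127.0.0.0/24 is not a bitmask answer (for example a
        # resolver that rewrites NXDOMAIN); treat it as an error, not a listing.
        raise ValueError("not a multi answer: %s" % a_record)
    mask = packed[3]
    return [name for bit, name in sorted(MULTI_BITS.items()) if mask & bit]


def listed_on(a_record, wanted):
    """Intersect the decoded lists with the ones the local policy acts on."""
    return sorted(set(decode_multi_answer(a_record)) & set(wanted))


if __name__ == "__main__":
    # Constructed sample: a documentation-range IP and constructed answers.
    print(multi_query_name("192.0.2.10"))
    for answer in ("127.0.0.128", "127.0.0.130", "127.0.0.70"):
        print(answer, decode_multi_answer(answer), listed_on(answer, {"XS"}))
```

One lookup returns membership in every list at once, so a site that does not want to act on XS can mask out its bit without changing the query.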