Hi Jeff,

At 01:49 18-08-2007, Jeff Chan wrote:
> As we know, the storm malware is responsible for a large number of compromised computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large number of storm e-card-advertised URI IP addresses are available from the XS data source but are not currently being listed on XS. (Those IPs, of course, are all or mostly bot-hosted web sites with malware loaders to further spread storm by compromising more computers and growing the botnets by infecting anyone who visits the sites.)
>
> Shall we:
>
> 1. Blacklist those on XS
> 2. Add XS into multi.surbl.org as the 128th bit
>
> In principle #1 and #2 could be separate issues, but to get maximum benefit if #1 is done then #2 should probably be done also.
That will cause false positives. Some ISPs don't assign long leases. The IP address of an infected host can be assigned to a "good" one in a matter of hours.
Regards,
-sm