I am making this available in the event it is interesting or useful to someone. It is a really rough first effort, and I expect to do something more useful with it as time goes on.
With the caveat that this should be considered "experimental data", I have finally begun to publish some abuse data. This data is presently re-generated hourly.
http://tighturl.com/tighturl-abuse-ips.csv
http://tighturl.com/tighturl-abuse-domains.csv
The IP addresses are those that have submitted URLs that have been banned at tighturl.com within the last 7 days. They are in the format: unixtimestamp,IPv4address
The domains are base domains[1] that have been banned from tighturl.com or have been submitted by currently banned IP addresses within the last 7 days. They are in the format: unixtimestamp,basedomain
I have not found over time that an IP address that submits abuse also submits non-abuse.
I'm interested in comments or suggestions.
- Ron
[1] Based upon http://www.surbl.org/tld/two-level-tlds and http://www.surbl.org/tld/three-level-tlds
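A consumer-side reading of the two feed formats described above, as an added example that is not part of the original message and not TightURL's own code. It assumes the consumer treats the feed as untrusted input and enforces the 7-day window itself; the function names and all sample rows are constructed for illustration.

```python
import csv, io, ipaddress, re

WINDOW = 7 * 24 * 3600   # both feeds cover "the last 7 days"
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$")

def parse_feed(text, kind, now):
    """Parse 'unixtimestamp,value' rows; kind is 'ip' or 'domain'.
    Returns ({value: newest_timestamp}, rejected_row_count)."""
    entries, rejected = {}, 0
    for row in csv.reader(io.StringIO(text)):
        try:
            ts_raw, value = row                      # exactly two fields
            ts = int(ts_raw)
            if not now - WINDOW <= ts <= now:
                raise ValueError("timestamp outside the 7-day window")
            if kind == "ip":
                value = str(ipaddress.IPv4Address(value.strip()))
            else:
                value = value.strip().lower().rstrip(".")
                if not DOMAIN_RE.match(value):
                    raise ValueError("not a plausible domain")
        except ValueError:                           # feed is untrusted input
            rejected += 1
            continue
        entries[value] = max(ts, entries.get(value, 0))
    return entries, rejected

def host_is_listed(host, domains):
    """True if host is a listed base domain or a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

# Constructed sample data (documentation address ranges, not real feed rows).
NOW = 1332500000
IP_FEED = """1332490000,192.0.2.10
1332495000,192.0.2.10
1331000000,198.51.100.7
1332499000,203.0.113.999
not-a-timestamp,203.0.113.5
1332499500,203.0.113.5,extra
1332499900,203.0.113.5
"""
DOMAIN_FEED = """1332498000,bad-example.com
1332498500,Spam.Example.NET
1332498600,<script>
"""

if __name__ == "__main__":
    ips, bad = parse_feed(IP_FEED, "ip", NOW)
    domains, _ = parse_feed(DOMAIN_FEED, "domain", NOW)
    print(sorted(ips), "rejected:", bad)
    print(host_is_listed("www.bad-example.com", domains))
```

Matching on whole labels keeps a listed base domain from also catching unrelated hosts that merely end in the same characters.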
On Thu, Mar 22, 2012 at 6:20 PM, Ron Guerin <ron@vnetworx.net> wrote:
> I am making this available in the event it is interesting or useful to someone. It is a really rough first effort, and I expect to do something more useful with it as time goes on.
> With the caveat that this should be considered "experimental data", I have finally begun to publish some abuse data. This data is presently re-generated hourly.
> http://tighturl.com/tighturl-abuse-ips.csv
> http://tighturl.com/tighturl-abuse-domains.csv
> The IP addresses are those that have submitted URLs that have been banned at tighturl.com within the last 7 days. They are in the format: unixtimestamp,IPv4address
> The domains are base domains[1] that have been banned from tighturl.com or have been submitted by currently banned IP addresses within the last 7 days. They are in the format: unixtimestamp,basedomain
> I have not found over time that an IP address that submits abuse also submits non-abuse.
> I'm interested in comments or suggestions.
> - Ron
Hi Ron,
Thanks for some interesting research. One thing we might caution about is forming an unintentional feedback loop with abusers. If abuse information is provided publicly then it can be used by the attackers to improve their attacks. We don't know that it's happening in this case, but it's something to be aware of.
On 03/23/2012 05:47 AM, SURBL Whitelisters wrote:
> Thanks for some interesting research. One thing we might caution about is forming an unintentional feedback loop with abusers. If abuse information is provided publicly then it can be used by the attackers to improve their attacks. We don't know that it's happening in this case, but it's something to be aware of.
Is the concern that I'm publishing the list as opposed to requiring a specific query to answer? My intent has been to share abuse data among sites running my source code (potentially, after considering reputation issues), since I don't want to run a DNS lookup service for all my code users or be a central point of failure with the abuse data.
I don't feel I'm being particularly revealing here since I'm not disclosing how I end up deciding those IPs and those domains are abusive. But... my code all gets released as Open Source, so that, too, will become publicly available knowledge soon.
Since I started collecting instead of ignoring this data about 20 hours ago, the number of base domains involved in the abuse has only gone up to 246, only a few more than where it had been last night.
The number of IP addresses involved in this (bot) abuse continues to rise. It's at 6932 right now. It will be around 6945 by the time this message gets distributed by the mailing list.
- Ron