As we know, the storm malware is responsible for a large number of compromised computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large number of storm e-card-advertised URI IP addresses are available from the XS data source but are not currently being listed on XS. (Those IPs, of course, are all or mostly bot-hosted web sites with malware loaders to further spread storm by compromising more computers and growing the botnets by infecting anyone who visits the sites.)
Shall we:
1. Blacklist those on XS
2. Add XS into multi.surbl.org as the 128th bit
In principle #1 and #2 could be separate issues, but to get maximum benefit if #1 is done then #2 should probably be done also.
XS will likely have much other data added to it in future, including non-storm domain names and other URI hosts. This would only be a first step. It's also worth noting that we don't intend XS to be a malware list; we're still focussed on unsolicited messages and that is the aspect that arguably makes the storm IPs appropriate for inclusion: their appearance in huge amounts of bot-sent unsolicited messages. It just happens that the messages are primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
Also, regarding storm URI IPs, some are currently being added to SC and WS. Some are probably going onto JP and PH also. But the XS collection would probably be more comprehensive than the others for now.
Comments?
Jeff C.
----- Original Message -----
From: "Jeff Chan" jeffc@surbl.org
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Saturday, August 18, 2007 9:49 AM
Subject: [SURBL-Discuss] RFC: Storm URI IPs to XS list?
As we know, the storm malware is responsible for a large number of compromised computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large number of storm e-card-advertised URI IP addresses are available from the XS data source but are not currently being listed on XS. (Those IPs, of course, are all or mostly bot-hosted web sites with malware loaders to further spread storm by compromising more computers and growing the botnets by infecting anyone who visits the sites.)
Shall we:
- Blacklist those on XS
- Add XS into multi.surbl.org as the 128th bit
If it were put on the 128 bit, would that not mean SA rules would have to be modified to use it?
Many thanks
Phil
_____________________________________________
Website Hosting from only £5.00 per month. www.medwayhosting.com - +44 (0)1634 856965 _____________________________________________
Digital & Traditional Printing, and much more www.medwayprint.com - +44 (0)1634 281199 _____________________________________________
Jeff,
Unfortunately, I don't see this as very useful. As a person directly affected by the issue, I would very much like to see something done to stop it. However, the chances of hitting proxies and DHCP pools for ISPs just seems too high.
If I used such a list, I would probably want to expire entries in something like 90 minutes. I use IP-based blocking with similar rules and it's quite effective with very minimal FPs. If we could add entries quickly and people could use the list to temporarily block traffic until expired, I think it would be very useful (and out of SURBL's mission).
However, then comes the point of a reverse attack where they start putting an IP address of an innocent 3rd party. Then we start assisting them.
Anyway, I stand ready to help. I just don't see this as a good idea, sorry.
Regards, KAM
As we know, the storm malware is responsible for a large number of compromised computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large number of storm e-card-advertised URI IP addresses are available from the XS data source but are not currently being listed on XS. (Those IPs, of course, are all or mostly bot-hosted web sites with malware loaders to further spread storm by compromising more computers and growing the botnets by infecting anyone who visits the sites.)
Shall we:
- Blacklist those on XS
- Add XS into multi.surbl.org as the 128th bit
In principle #1 and #2 could be separate issues, but to get maximum benefit if #1 is done then #2 should probably be done also.
XS will likely have much other data added to it in future, including non-storm domain names and other URI hosts. This would only be a first step. It's also worth noting that we don't intend XS to be a malware list; we're still focussed on unsolicited messages and that is the aspect that arguably makes the storm IPs appropriate for inclusion: their appearance in huge amounts of bot-sent unsolicited messages. It just happens that the messages are primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
Also, regarding storm URI IPs, some are currently being added to SC and WS. Some are probably going onto JP and PH also. But the XS collection would probably be more comprehensive than the others for now.
Comments?
Jeff C.
Hi!
Unfortunately, I don't see this as very useful. As a person directly affected by the issue, I would very much like to see something done to stop it. However, the chances of hitting proxies and DHCP pools for ISPs just seems too high.
And you mail URLs with your IP inside? Possible, but it would surprise me.
However, then comes the point of a reverse attack where they start putting an IP address of an innocent 3rd party. Then we start assisting them.
So what? If you insert my IP, what harm will be done to me? For me, zero. You?
Anyway, I stand ready to help. I just don't see this as a good idea, sorry.
You didn't convince me yet. Examples?
Bye, Raymond.
And you mail URLs with your IP inside? Possible, but it would surprise me.
Never. That's not the point.
However, then comes the point of a reverse attack where they start putting an IP address of an innocent 3rd party. Then we start assisting them.
So what? If you insert my IP, what harm will be done to me? For me, zero. You?
If I, as the storm network, start adding http://<AOL's IP ADDRESSES>/ to my spam solely as a denial of service against AOL, then it ends up in XS, people all over start getting FPs.
Replace AOL with anyone you want to target and we can be turned into a DoS of sorts.
Regards, KAM
Hi!
If I, as the storm network, start adding http://<AOL's IP ADDRESSES>/ to my spam solely as a denial of service against AOL, then it ends up in XS, people all over start getting FPs.
Replace AOL with anyone you want to target and we can be turned into a DoS of sorts.
Uhm, for me it doesn't work like that: we fetch a URL. If there is a webserver running with specific things we match on, THEN it will be listed. Not very likely they only fake an entry and also fake a webserver on it, right?
Bye, Raymond.
Hi Jeff, At 01:49 18-08-2007, Jeff Chan wrote:
As we know, the storm malware is responsible for a large number of compromised computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large number of storm e-card-advertised URI IP addresses are available from the XS data source but are not currently being listed on XS. (Those IPs, of course, are all or mostly bot-hosted web sites with malware loaders to further spread storm by compromising more computers and growing the botnets by infecting anyone who visits the sites.)
Shall we:
- Blacklist those on XS
- Add XS into multi.surbl.org as the 128th bit
In principle #1 and #2 could be separate issues, but to get maximum benefit if #1 is done then #2 should probably be done also.
That will cause false positives. Some ISPs don't assign long leases. The IP address of an infected host can be assigned to a "good" one in a matter of hours.
Regards, -sm
----- Original Message -----
From: "SM" sm@resistor.net
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Saturday, August 18, 2007 4:21 PM
Subject: Re: [SURBL-Discuss] RFC: Storm URI IPs to XS list?
That will cause false positives. Some ISPs don't assign long leases. The IP address of an infected host can be assigned to a "good" one in a matter of hours.
Am I missing something? I thought we were talking about IPs as URLs? How many false positives are there likely to be when hardly anyone on dynamic IPs are going to be running a web server and hand out their IP as a URL? And if there WERE any false positives does anyone really care? If they want to run a reliable web server then get a proper one. My opinion.
All the best
Phil
Am I missing something? I thought we were talking about IPs as URLs? How many false positives are there likely to be when hardly anyone on dynamic IPs are going to be running a web server and hand out their IP as a URL? And if there WERE any false positives does anyone really care? If they want to run a reliable web server then get a proper one. My opinion.
They aren't running it on purpose. It's a bot-network-installed web server that runs to then serve as a landing place for others to get the payload file. Like all those ecard emails with http://123.123.123.123/. This is someone's machine that is infected that is sending out spams and saying, here's a payload file.
Regards, KAM
----- Original Message -----
From: "Kevin A. McGrail" kmcgrail@pccc.com
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Saturday, August 18, 2007 5:11 PM
Subject: Re: [SURBL-Discuss] RFC: Storm URI IPs to XS list?
Am I missing something? I thought we were talking about IPs as URLs? How many false positives are there likely to be when hardly anyone on dynamic IPs are going to be running a web server and hand out their IP as a URL? And if there WERE any false positives does anyone really care? If they want to run a reliable web server then get a proper one. My opinion.
They aren't running it on purpose. It's a bot-network-installed web server that runs to then serve as a landing place for others to get the payload file. Like all those ecard emails with http://123.123.123.123/. This is someone's machine that is infected that is sending out spams and saying, here's a payload file.
Yup I know. I have 000's on file. But where are the false positives going to come from?
All the best
Phil
Hi!
A) From DHCP IPs where one user at an ISP is infected and another isn't.
B) From the Spammers themselves purposefully poisoning the list and using it for DoS.
Nope, an IP doesn't get listed since it's inside a mail. It's getting listed once we see evidence; the scrapers take care of that.
Bye, Raymond.
At 08:51 18-08-2007, Phil (Medway Hosting) wrote:
Am I missing something? I thought we were talking about IPs as URLs? How
Yes, that's what we are talking about.
many false positives are there likely to be when hardly anyone on dynamic IPs are going to be running a web server and hand out their IP as a URL?
There are many people who run a web server on a dynamic IP address.
And if there WERE any false positives does anyone really care? If they want to run a reliable web server then get a proper one. My opinion.
I could say that too but then there are valid reasons for a user to run a web service.
Regards, -sm
----- Original Message -----
From: "SM" sm@resistor.net
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Saturday, August 18, 2007 5:51 PM
Subject: Re: [SURBL-Discuss] RFC: Storm URI IPs to XS list?
At 08:51 18-08-2007, Phil (Medway Hosting) wrote:
Am I missing something? I thought we were talking about IPs as URLs? How
Yes, that's what we are talking about.
many false positives are there likely to be when hardly anyone on dynamic IPs are going to be running a web server and hand out their IP as a URL?
There are many people who run a web server on a dynamic IP address.
And if there WERE any false positives does anyone really care? If they want to run a reliable web server then get a proper one. My opinion.
I could say that too but then there are valid reasons for a user to run a web service.
On a dynamic IP with that short a TTL? If they had a legitimate reason then most likely they would use dyndns or similar. I think the argument about them using IP links is a non-starter. Blacklist 'em.
All the best
Phil
On a dynamic IP with that short a TTL? If they had a legitimate reason then most likely they would use dyndns or similar. I think the argument about them using IP links is a non-starter. Blacklist 'em.
I apologize. I think I am explaining myself very poorly. Let me try one more straightforward example:
You have two customers (A & B) of an ISP that uses DHCP. Customer A gets an IP address, has a storm infection and sends out some emails that list his IP address (or possibly even other machines in the P2P Storm Network).
A few minutes, hours, days, whatever later, Customer B of the same ISP gets the same DHCP address. Customer B will now be a victim of FPs for anyone using the list being discussed.
Regards, KAM
----- Original Message -----
From: "Kevin A. McGrail" kmcgrail@pccc.com
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Saturday, August 18, 2007 6:45 PM
Subject: Re: [SURBL-Discuss] RFC: Storm URI IPs to XS list?
You have two customers (A & B) of an ISP that uses DHCP. Customer A gets an IP address, has a storm infection and sends out some emails that list his IP address (or possibly even other machines in the P2P Storm Network).
A few minutes, hours, days, whatever later, Customer B of the same ISP gets the same DHCP address. Customer B will now be a victim of FPs for anyone using the list being discussed.
Hiya
Yes I understand you completely - and I still say leave it blocked. If someone is running a server on a dynamic IP then they should really be using dyndns or similar, so instead of giving out URLs like http://123.123.12.1 or similar they could give people a URL like http://dynamicexample.dyndns.org, which also would not have the disadvantage of having to tell people a different URL every time their IP changes. Anyone simply using an IP in a link on a dynamic IP needs to learn how to do it properly. I don't see why WE (email admins etc.) should make allowances for the uninformed.
I have a webserver on a dynamic IP myself. Only for testing things, but it's there. I am lucky in that my ISP only changes the IP every 2 years or so, so a normal DNS setup suits me just fine. IF the IP were to change every week however then I would use dyndns.
As far as this issue is concerned however the "false positives" you speak of would be negligible, and as an email admin (amongst other things) the 1 or 2 people worldwide who would be adversely affected by this would be able to get around the problem simply by using google for 5 mins.
Sorry but I really can't see where your argument against them being blacklisted has any validity. It would ONLY be a problem if the IP itself were in the URL and that is a pretty stupid thing to do for any critical uses if it's a dynamic IP.
All the best
Phil
Yes I understand you completely - and I still say leave it blocked. If someone is running a server on a dynamic IP then they should really be using dyndns or similar, so instead of giving out URLs like http://123.123.12.1 or similar they could give people a URL like http://dynamicexample.dyndns.org, which also would not have the disadvantage of having to tell people a different URL every time their IP changes. Anyone simply using an IP in a link on a dynamic IP needs to learn how to do it properly. I don't see why WE (email admins etc.) should make allowances for the uninformed.
If you are saying this, then you don't need a list. Just use the __KAM_IPHTTP rule below as a standalone rule with a score of your choice. No need for an RBL.
#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
body __KAM_CARD1 /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|friend|father|daughter|son|nephew)((.{0,35}))? has (sent you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|e)\s*(e|post)?-?card/i
body __KAM_CARD2 /enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)/i
body __KAM_CARD3 /I['`]m in hurry, but i still love you.../i
# Dots escaped so this matches a dotted quad only, not any run of four digit groups
body __KAM_IPHTTP /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
describe KAM_CARD Trojan or Virus Payload from fake ecard notice
score KAM_CARD 4.5
meta KAM_CARD (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_IPHTTP >= 3)
Regards, KAM
----- Original Message -----
From: "Kevin A. McGrail" kmcgrail@pccc.com
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Saturday, August 18, 2007 7:45 PM
Subject: Re: [SURBL-Discuss] RFC: Storm URI IPs to XS list?
If you are saying this, then you don't need a list. Just use the __KAM_IPHTTP rule below as a standalone rule with a score of your choice. No need for an RBL.
#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD body __KAM_CARD1 /(worshipper|friend|Neighbou?
<SNIPPED EXAMPLE>
Doesn't scale.
Plus - (not being an expert on SA rules) I don't believe that takes into account legitimate servers on fixed IPs where you WOULD expect to find IP URLs? e.g. a new server is set up, new users/owners need to be able to set it up/configure it etc. & DNS not fully filtered through the net yet.
All the best
Phil
Thanks to everyone for the comments so far. To respond to some of the questions:
1. A Spamassassin rule would need to be added to tell it to use the 128th bit if we added XS to multi; for 3.2:
urirhssub URIBL_XS_SURBL multi.surbl.org. A 128
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Contains an URL listed in the XS SURBL blocklist
tflags URIBL_XS_SURBL net
#reuse URIBL_XS_SURBL
(Don't add this yet, the list is not active yet.)
2. Generally IPs are not used in URIs, so the chance of FPs should be small. People hosting web sites on dynamic IPs usually use dynamic DNS to refer to them by domain names instead.
3. Risk of FPs generally increases where SURBLs are incorrectly used as IP blacklists, where domains are resolved and checked against SURBLs, where SURBLs are used to check headers, etc. All of those are arguably misuses. SURBLs should only be used to check message body URIs. Other unintended uses may give unexpected results.
4. Yes, the IPs would be expired. (All SURBL records should be expired.) The optimal expiration time is yet to be determined but would probably be a few days. Does anyone have data on how long a given IP is advertised?
5. Regarding blacklisting AOL's web site IP addresses, given that they are usually referred to by domain name and not IP, it should not have any significant impact. (But see #3.) If they did get added, we could remove or whitelist them.
6. We may put additional filters on the IPs like needing to be on PBL, SBL, XBL, etc. AOL/Google/Yahoo/MSN's IPs probably aren't on any major blacklists, so that would be another way to prevent possible FPs. We may also use internal IP whitelists.
7. Regarding Paul's concern about cracked university servers, #2 should apply. Presumably most universities, etc., refer to their web sites by domain name and not IP. (See #3 again too.)
Comments?
Jeff C.
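The pieces discussed in this thread (the 128th bit of multi.surbl.org, the dotted-quad match behind KAM's __KAM_IPHTTP rule, and the 10.x/192.168.x question) fit together in a short lookup script. This is an added example, not SURBL project code and not the SpamAssassin plugin that URIBL_XS_SURBL uses. It assumes the usual reversed-octet query name and a 127.0.0.X bitmask answer; only XS = 128 comes from the thread, the other values in SURBL_BITS are assumed; the resolver is a constructed in-memory table and 203.0.113.0/24 is documentation space standing in for an ISP pool.

```python
"""Look up IP-literal URIs from a message body against multi.surbl.org.

Added example; not SURBL project code. Query name format and bitmask answer
are assumptions; SURBL_BITS values other than XS=128 are assumed.
"""
import ipaddress
import re

# Dotted-quad URI host. Dots are escaped; the unescaped form in the thread's
# __KAM_IPHTTP rule also matches runs like "http://1234567890123".
IP_URI_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)", re.I)

MULTI_ZONE = "multi.surbl.org"
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 64: "JP", 128: "XS"}  # 128 per the thread; rest assumed

# Ranges that cannot be fetched from the public Internet, so they never get
# listed (the 10.x / 192.168.x case from the thread) and are not worth querying.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]


def extract_ip_uris(body):
    """Return the distinct, syntactically valid dotted-quad hosts found in http(s) URIs."""
    found = []
    for match in IP_URI_RE.finditer(body):
        ip = match.group(1)
        try:
            ipaddress.IPv4Address(ip)  # rejects octets above 255, e.g. 999.1.2.3
        except ValueError:
            continue
        if ip not in found:
            found.append(ip)
    return found


def is_checkable(ip):
    """False for private, loopback, link-local, multicast and reserved space."""
    addr = ipaddress.IPv4Address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def query_name(ip):
    """1.2.3.4 -> 4.3.2.1.multi.surbl.org (reversed octets, as for any IP-keyed DNSBL)."""
    return ".".join(reversed(ip.split("."))) + "." + MULTI_ZONE


def decode_bits(answer):
    """Turn a 127.0.0.X answer into the set of list names whose bit is set."""
    last_octet = int(answer.rsplit(".", 1)[1])
    return {name for bit, name in SURBL_BITS.items() if last_octet & bit}


def check_body(body, resolve):
    """resolve(name) returns the A record text, or None for NXDOMAIN.

    Returns {ip: set_of_list_names} for listed hosts only. Only URI hosts taken
    from the body are queried, never sender or Received: addresses (point 3 above).
    """
    hits = {}
    for ip in extract_ip_uris(body):
        if not is_checkable(ip):
            continue
        answer = resolve(query_name(ip))
        if answer:
            hits[ip] = decode_bits(answer)
    return hits


# Constructed stand-in for a DNS resolver; 203.0.113.0/24 is documentation space.
FAKE_ZONE = {
    "7.113.0.203.multi.surbl.org": "127.0.0.128",  # XS only
    "9.113.0.203.multi.surbl.org": "127.0.0.130",  # SC (2) + XS (128)
}


def fake_resolve(name):
    return FAKE_ZONE.get(name)


# Constructed sample body in the style of the e-card notices discussed.
SAMPLE_BODY = """Your neighbour has sent you a greeting card.
Click here: http://203.0.113.7/ or http://203.0.113.9/ecard.exe
Router admin page: http://192.168.1.1/ (private, never queried)
Not a dotted quad: http://1234567890123/  Bad octet: http://999.1.2.3/
Unlisted: http://203.0.113.200/"""

if __name__ == "__main__":
    for ip, lists in check_body(SAMPLE_BODY, fake_resolve).items():
        print(ip, "listed on", ", ".join(sorted(lists)))
```

Swapping `fake_resolve` for a real DNS lookup is the only change needed to use it against the live zone; the private-range filter and the rule of querying URI hosts only are what keep the FP rate down in the way points 2 and 3 describe.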
----- Original Message -----
From: "Jeff Chan" jeffc@surbl.org
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Saturday, August 18, 2007 10:18 PM
Subject: Re: [SURBL-Discuss] RFC: Storm URI IPs to XS list?
- A Spamassassin rule would need to be added to tell it to use the 128th bit if we added XS to multi; for 3.2:
urirhssub URIBL_XS_SURBL multi.surbl.org. A 128
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Contains an URL listed in the XS SURBL blocklist
tflags URIBL_XS_SURBL net
#reuse URIBL_XS_SURBL
(Don't add this yet, the list is not active yet.)
Any news on this please? An ETA perhaps?
Many thanks
Phil
Hi!
You have two customers (A & B) of an ISP that uses DHCP. Customer A gets an IP address, has a storm infection and sends out some emails that list his IP address (or possibly even other machines in the P2P Storm Network).
A few minutes, hours, days, whatever later, Customer B of the same ISP gets the same DHCP address. Customer B will now be a victim of FPs for anyone using the list being discussed.
I think we do understand. But :)
What does this victim notice? ZERO! Unless he starts out sending mails with http://123.123.123.123 (his IP), and this is not very likely, is it? I don't see anything like it yet that would surprise me, you?
Bye, Raymond.
What does this victim notice? ZERO! Unless he starts out sending mails with http://123.123.123.123 (his IP), and this is not very likely, is it? I don't see anything like it yet that would surprise me, you?
Good point yes, as long as the RBL lookup implementation only checks for URI's as you state.
Regards, KAM
--On Saturday, August 18, 2007 1:45 PM -0400 "Kevin A. McGrail" kmcgrail@pccc.com wrote:
You have two customers (A & B) of an ISP that uses DHCP. Customer A gets an IP address, has a storm infection and sends out some emails that list his IP address (or possibly even other machines in the P2P Storm Network).
The botnet host that sends the mail is never the botnet host mentioned in the message. We analyzed about 10,000 examples.
Data from one day, July 15:
6,511 Storm messages
3,352 hosts sent mail to columbia.edu
2,030 web sites were given
-----
5,381 different IP addresses involved
1 IP address both sent mail (12:42) and was a web site (16:01)
Very roughly, 2 messages per mail host, and 3 references per web site.
It is probably the case that every infected host is both a mail sender and a web server, maybe at different times.
The botnet is believed to be millions. Observers have wondered what the owner is planning, because this well exceeds what is needed for a spam botnet. Yet so far all they have done is send stock pump-n-dump.
All of it could be stopped by one simple regexp, for five weeks or so. On August 14 the entire botnet suddenly changed to a different pattern, in about an hour's time. It could happen again.
Because of the size and volatility of the botnet, I wonder how useful it is to list the URIs. But we could find out. I won't be at work for a week, but after that, if you put this into SURBL, we could report how much of Storm worm it catches.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Hi!
I could say that too but then there are valid reasons for a user to run a web service.
On a dynamic IP with that short a TTL ? If they had a legitimate reason then most likely they would use dyndns or similar. I think the argument about them using IP links is a non starter. Blacklist em.
There are already a lot of abuse IPs on the list as we speak; so far we have yet to see an abuse complaint on the whitelist@ alias. So for now it's a non-discussion. I don't see many collateral damage issues that could arise.
Bye, Raymond.
Hi!
many false positives are there likely to be when hardly anyone on dynamic IP's are going to be running a web server and hand out their IP as a URL ?
There are many people who run a web server on a dynamic IP address.
And then they point a domain to their server. Like bleh.myip.com or www.thisisme.com or the like. Never seen my friends telling me, hey, visit my website, it's http://123.123.123.123
And if there WERE any false positives does anyone really care ? If they want to run a reliable web server then get a proper one. My opinion.
I could say that too but then there are valid reasons for a user to run a web service.
See above. Let's end the discussion. It's silly. Spamcop and the likes do the exact same thing on lists that are used widely to block stuff on mailservers with. It's really not worth the fuss.
Bye, Raymond.
Hi Raymond, At 11:18 18-08-2007, Raymond Dijkxhoorn wrote:
And then they point a domain to their server. Like bleh.myip.com or www.thisisme.com or the like. Never seen my friends telling me, hey, visit my website, it's http://123.123.123.123
I've seen that in use. For example, you may be accessing a web interface for configuring a device.
Regards, -sm
Hi!
And then they point a domain to their server. Like bleh.myip.com or www.thisisme.com or the like. Never seen my friends telling me, hey, visit my website, it's http://123.123.123.123
I've seen that in use. For example, you may be accessing a web interface for configuring a device.
Most likely in your manual, not inside an e-mail. Can we close this thread? It's silly.
Thanks, Raymond.
I've seen that in use. For example, you may be accessing a web interface for configuring a device.
Most likely in your manual, not inside an e-mail. Can we close this thread? It's silly.
It's silly to attack people trying to help. The point of this thread is to brainstorm issues with a new list.
IMO, he makes a good point. I've seen and used http://10.10.10.1 and http://192.168.1.1/, etc. We can probably just whitelist the 10.X and 192.168.X.
Regards KAM
Kevin A. McGrail schrieb:
I've seen that in use. For example, you may be accessing a web interface for configuring a device.
Most likely in your manual, not inside an e-mail. Can we close this thread? It's silly.
It's silly to attack people trying to help. The point of this thread is to brainstorm issues with a new list.
IMO, he makes a good point. I've seen and used http://10.10.10.1 and http://192.168.1.1/, etc. We can probably just whitelist the 10.X and 192.168.X.
Regards KAM
_______________________________________________
Discuss mailing list
Discuss@lists.surbl.org
http://lists.surbl.org/mailman/listinfo/discuss
Those (private) IP ranges are probably whitelisted anyway. I've never seen a device use public IP addresses.
Kevin, I second you on the other point you made.
Dirk
Quoting "Kevin A. McGrail" kmcgrail@pccc.com:
IMO, he makes a good point. I've seen and used http://10.10.10.1 and http://192.168.1.1/, etc. We can probably just whitelist the 10.X and 192.168.X.
Those would probably never get blacklisted since they're useless on the Internet
Jeff C.
Quoting "Kevin A. McGrail" kmcgrail@pccc.com:
IMO, he makes a good point. I've seen and used http://10.10.10.1 and http://192.168.1.1/, etc. We can probably just whitelist the 10.X and 192.168.X.
On 20.08.07 01:50, Jeff Chan wrote:
Those would probably never get blacklisted since they're useless on the Internet
however they can get into mails (that can get to the net) so someone might (want to) list them...
Hi!
IMO, he makes a good point. I've seen and used http://10.10.10.1 and http://192.168.1.1/, etc. We can probably just whitelist the 10.X and 192.168.X.
Those would probably never get blacklisted since they're useless on the Internet
however they can get into mails (that can get to the net) so someone might (want to) list them...
As for the domain names we check, same for the IPs: we also check. Either I am very bad at explaining myself or people are just not reading. We fetch the URLs before feeding in, so if there is a private address, we cannot list it. At least, not with the tooling we are using here.
If we would list anything that's put inside a mail we would end up with massive FPs.
We can talk about this for weeks, but it's happening now; btw, we are already listing, no FP reports yet. So let's close the talks till we see that changing.
Thanks, Raymond.
As for the domain names we check, same for the IPs: we also check. Either I am very bad at explaining myself or people are just not reading. We fetch the URLs before feeding in, so if there is a private address, we cannot list it. At least, not with the tooling we are using here.
I think that is clear now but I was admittedly a bit blinded by your stupid statement.
Regards, KAM
Hi!
Most likely in your manual, not inside an e-mail. Can we close this thread? It's silly.
It's silly to attack people trying to help. The point of this thread is to brainstorm issues with a new list.
IMO, he makes a good point. I've seen and used http://10.10.10.1 and http://192.168.1.1/, etc. We can probably just whitelist the 10.X and 192.168.X.
I think you completely miss the point. How on earth can I fetch a webpage on that machine? My ISP doesn't route private space. Yours? We fetch the webpages before adding; it would be rather difficult to fetch those for me, unless they are on my local LAN ;)
Bye, Raymond.
Hi!
That will cause false positives. Some ISPs don't assign long leases. The IP address of an infected host can be assigned to a "good" one in a matter of hours.
Am I missing something? I thought we were talking about IPs as URLs? How many false positives are there likely to be when hardly anyone on dynamic IPs are going to be running a web server and hand out their IP as a URL? And if there WERE any false positives does anyone really care? If they want to run a reliable web server then get a proper one. My opinion.
No, I don't think you are missing something. And btw, this exact same thing applies to RBL lists like Spamcop and so on ... nothing new here, not worth the fuss. Unless someone can point out with some examples that we are gonna make a huge mistake, I say let's move forward. In fact, they are already getting added.
Bye, Raymond.
Hi!
- Blacklist those on XS
- Add XS into multi.surbl.org as the 128th bit
In principle #1 and #2 could be separate issues, but to get maximum benefit if #1 is done then #2 should probably be done also.
That will cause false positives. Some ISPs don't assign long leases. The IP address of an infected host can be assigned to a "good" one in a matter of hours.
It's a URI-BL, not an RBL!
If the listing moves to another IP that's OK; we will expire the entry anyway. And how likely is it, I asked this before, that the 'other' new user starts out sending mails with http://<ip>?
Highly unlikely.
Hey, on the other hand, you don't need to use the list ;P
Bye, Raymond.
I think that's a really great idea - would love to see it implemented! As long as we're correctly using it as a URIBL rather than RBL, it should work fine.
My 2c, Jeremy
"Jeff Chan" jeffc@surbl.org wrote in message news:1187426940.46c6b27c7a216@mail.supranet.net...
As we know, the storm malware is responsible for a large number of compromised computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large number of storm e-card-advertised URI IP addresses are available from the XS data source but are not currently being listed on XS. (Those IPs, of course, are all or mostly bot-hosted web sites with malware loaders to further spread storm by compromising more computers and growing the botnets by infecting anyone who visits the sites.)
Shall we:
- Blacklist those on XS
- Add XS into multi.surbl.org as the 128th bit
In principle #1 and #2 could be separate issues, but to get maximum benefit if #1 is done then #2 should probably be done also.
XS will likely have much other data added to it in future, including non-storm domain names and other URI hosts. This would only be a first step. It's also worth noting that we don't intend XS to be a malware list; we're still focussed on unsolicited messages and that is the aspect that arguably makes the storm IPs appropriate for inclusion: their appearance in huge amounts of bot-sent unsolicited messages. It just happens that the messages are primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
Also, regarding storm URI IPs, some are currently being added to SC and WS. Some are probably going onto JP and PH also. But the XS collection would probably be more comprehensive than the others for now.
Comments?
Jeff C.
Jeff Chan wrote:
As we know, the storm malware is responsible for a large number of compromised computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large number of storm e-card-advertised URI IP addresses are available from the XS data source but are not currently being listed on XS. (Those IPs, of course, are all or mostly bot-hosted web sites with malware loaders to further spread storm by compromising more computers and growing the botnets by infecting anyone who visits the sites.)
Shall we:
- Blacklist those on XS
- Add XS into multi.surbl.org as the 128th bit
Sure, but to prevent any of the F.P. risks mentioned in the thread, checking them with something like: wget -S --spider -T5 -t1 -U"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" [ip] (better through a proxy) and comparing the result with a known positive would make it (near) perfect and keep them listed just as long as they need to be... When they vanish, scanning the /24 would certainly allow recapturing most of them.
Can't wait for that list ... increasing amounts of those spams hitting ...
Eric.
In principle #1 and #2 could be separate issues, but to get maximum benefit if #1 is done then #2 should probably be done also.
XS will likely have much other data added to it in future, including non-storm domain names and other URI hosts. This would only be a first step. It's also worth noting that we don't intend XS to be a malware list; we're still focussed on unsolicited messages and that is the aspect that arguably makes the storm IPs appropriate for inclusion: their appearance in huge amounts of bot-sent unsolicited messages. It just happens that the messages are primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
Also, regarding storm URI IPs, some are currently being added to SC and WS. Some are probably going onto JP and PH also. But the XS collection would probably be more comprehensive than the others for now.
Comments?
Jeff C.
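Three points made in the thread describe one listing policy: Raymond's (an IP is only listed once the scrapers fetch it and find evidence, so a private address or an innocent host merely named in spam cannot be listed), Eric's (compare the fetched page against a known positive), and Jeff's (every entry expires after a few days, which bounds KAM's DHCP-reassignment case). The following is an added example that models that policy; it is not the XS/SURBL tooling and not Eric's wget check. The fetch interface, the status-plus-hash fingerprint, the 3-day TTL and all addresses (203.0.113.0/24 is documentation space) are assumptions or constructed sample data.

```python
"""Evidence-gated, expiring list of IP-literal URI hosts.

Added example; not the XS/SURBL tooling. Fetch interface, fingerprint
comparison, TTL and sample addresses are assumptions/constructed data.
"""
import hashlib
from datetime import datetime, timedelta

EXPIRE_AFTER = timedelta(days=3)  # "a few days" in the thread; exact value assumed


def fingerprint(status, body):
    """Compare fetched pages by status code plus body hash rather than raw bytes."""
    return (status, hashlib.sha256(body.encode()).hexdigest())


class UriIpList:
    def __init__(self, fetch, known_positives, ttl=EXPIRE_AFTER):
        self.fetch = fetch                      # fetch(ip) -> (status, body) or None if nothing answers
        self.known_positives = known_positives  # set of fingerprints of confirmed payload pages
        self.ttl = ttl
        self.entries = {}                       # ip -> time of last confirmed evidence

    def observe(self, ip, now):
        """Called for each IP-literal URI seen in spam. Returns True if (re)listed.

        Being named in spam is not enough: without a page matching a known
        positive the host is never listed, which blunts the poisoning concern.
        """
        result = self.fetch(ip)
        if result is None or fingerprint(*result) not in self.known_positives:
            return False
        self.entries[ip] = now  # a re-sighting refreshes the expiry clock
        return True

    def is_listed(self, ip, now):
        seen = self.entries.get(ip)
        return seen is not None and now - seen < self.ttl

    def expire(self, now):
        """Drop stale entries; bounds the window in which a reassigned lease could be hit."""
        stale = sorted(ip for ip, seen in self.entries.items() if now - seen >= self.ttl)
        for ip in stale:
            del self.entries[ip]
        return stale


# Constructed sample web: 203.0.113.0/24 stands in for an ISP's DHCP pool.
PAYLOAD_PAGE = '<html><a href="ecard.exe">Click to view your greeting card</a></html>'
FAKE_WEB = {
    "203.0.113.7": (200, PAYLOAD_PAGE),                       # infected customer A's bot web server
    "203.0.113.9": (200, "<html>Family photo album</html>"),  # legitimate home server
    # 203.0.113.50: nothing listening; it was only written into a spam
}


def fake_fetch(ip):
    return FAKE_WEB.get(ip)


def run_scenario():
    """Walk through the DHCP-reassignment case from the thread with the 3-day TTL."""
    t0 = datetime(2007, 8, 18, 9, 49)  # time of the original RFC mail, used as a constructed start
    lst = UriIpList(fake_fetch, {fingerprint(200, PAYLOAD_PAGE)})
    out = {}
    out["infected_listed"] = lst.observe("203.0.113.7", t0)
    out["innocent_named_in_spam"] = lst.observe("203.0.113.50", t0)
    out["benign_server"] = lst.observe("203.0.113.9", t0)
    out["still_listed_day2"] = lst.is_listed("203.0.113.7", t0 + timedelta(days=2))
    # customer A's lease ends; by day 3 the address may belong to customer B
    out["expired"] = lst.expire(t0 + timedelta(days=3))
    out["listed_day3"] = lst.is_listed("203.0.113.7", t0 + timedelta(days=3))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The evidence gate is what answers KAM's poisoning scenario, and the TTL is what limits the DHCP scenario; the data Joseph asks for (how long a given IP is advertised) is exactly what would set the TTL in practice.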