[SURBL-Discuss] RFC: Storm URI IPs to XS list?

Jeff Chan jeffc at surbl.org
Sat Aug 18 10:49:00 CEST 2007

As we know, the storm malware is responsible for a large number of compromised
computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc.  A large
number of storm e-card-advertised URI IP addresses are available from the XS
data source but are not currently being listed on XS.  (Those IPs, of course,
are all or mostly bot-hosted web sites with malware loaders to further spread
storm by compromising more computers and growing the botnets by infecting
anyone who visits the sites.)

Shall we:

1.  Blacklist those on XS
2.  Add XS into multi.surbl.org as the 128th bit

In principle #1 and #2 could be separate issues, but to get maximum benefit if
#1 is done then #2 should probably be done also.

XS will likely have much other data added to it in future, including
non-storm domain names and other URI hosts.  This would only be a first step. 
It's also worth noting that we don't intend XS to be a malware list; we're
still focussed on unsolicited messages and that is the aspect that arguably
makes the storm IPs appropriate for inclusion: their appearance in huge amounts
of bot-sent unsolicited messages.  It just happens that the messages are
primarily meant to propagate storm, but they're still unsolicited, bulk, etc.

Also, regarding storm URI IPs, some are currently being added to SC and WS. 
Some are probably going onto JP and PH also.  But the XS collection would
probably be more comprehensive than the others for now.


Jeff C.
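
What option 2 in the message above would mean for a client of the combined list, as an added example that is not part of the original message or SURBL's own code: it builds the lookup name for a URI IP and decodes the answer's last octet as a bitmask. XS = 128 is the value proposed in the message; the other bit values, the reversed-octet query form and the 127.0.0.x answer format are assumptions about the combined list of that period, and the sample addresses are constructed.

```python
import ipaddress

# XS = 128 is the bit proposed in the message. The remaining values are
# assumed here for illustration and should be checked against SURBL's docs.
MULTI_BITS = {"SC": 2, "WS": 4, "PH": 8, "OB": 16, "AB": 32, "JP": 64, "XS": 128}


def query_name(uri_ip, zone="multi.surbl.org"):
    """Build the DNS name to look up for an IPv4 address found in a URI.

    Assumption: IP hosts are queried with their octets reversed, the usual
    DNSBL convention. Raises ValueError if uri_ip is not an IPv4 literal.
    """
    ip = ipaddress.IPv4Address(uri_ip)
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def decode_answer(a_record):
    """Return the list names encoded in a 127.0.0.x answer, lowest bit first.

    Anything outside 127.0.0.0/24 is rejected instead of decoded: a resolver
    that rewrites NXDOMAIN or hijacks the zone would otherwise be read as
    a listing and cause false positives.
    """
    octets = ipaddress.IPv4Address(a_record).packed
    if octets[:3] != b"\x7f\x00\x00":
        raise ValueError(f"not a list answer: {a_record}")
    mask = octets[3]
    return [name for name, bit in sorted(MULTI_BITS.items(), key=lambda kv: kv[1])
            if mask & bit]


if __name__ == "__main__":
    # Constructed sample: a documentation-range IP and a made-up answer.
    print(query_name("192.0.2.45"))
    print(decode_answer("127.0.0.134"))
```

A client that tests only the bits it already knows keeps working unchanged when a 128 bit appears; it starts acting on XS data only once it checks that bit.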

