[SURBL-Discuss] RFC: Storm URI IPs to XS list?

Kevin A. McGrail kmcgrail at pccc.com
Sat Aug 18 16:44:19 CEST 2007


Jeff,

Unfortunately, I don't see this as very useful.  As a person directly 
affected by the issue, I would very much like to see something done to stop 
it.  However, the chances of hitting proxies and DHCP pools for ISPs just 
seem too high.

If I used such a list, I would probably want to expire entries in something 
like 90 minutes.  I use IP-based blocking with similar rules and it's quite 
effective with very minimal FPs.   If we could add entries quickly and 
people could use the list to temporarily block traffic until expired, I 
think it would be very useful (and out of SURBL's mission).

However, then comes the point of a reverse attack where they start putting 
an IP address of an innocent 3rd party.  Then we start assisting them.

Anyway, I stand ready to help.  I just don't see this as a good idea, sorry.

Regards,
KAM

> As we know, the storm malware is responsible for a large number of compromised
> computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc.  A large
> number of storm e-card-advertised URI IP addresses are available from the XS
> data source but are not currently being listed on XS.  (Those IPs, of course,
> are all or mostly bot-hosted web sites with malware loaders to further spread
> storm by compromising more computers and growing the botnets by infecting
> anyone who visits the sites.)
>
> Shall we:
>
> 1.  Blacklist those on XS
> 2.  Add XS into multi.surbl.org as the 128th bit
>
> In principle #1 and #2 could be separate issues, but to get maximum benefit if
> #1 is done then #2 should probably be done also.
>
> XS will likely have much other data added to it in future, including
> non-storm domain names and other URI hosts.  This would only be a first step.
> It's also worth noting that we don't intend XS to be a malware list; we're
> still focussed on unsolicited messages and that is the aspect that arguably
> makes the storm IPs appropriate for inclusion: their appearance in huge amounts
> of bot-sent unsolicited messages.  It just happens that the messages are
> primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
>
> Also, regarding storm URI IPs, some are currently being added to SC and WS.
> Some are probably going onto JP and PH also.  But the XS collection would
> probably be more comprehensive than the others for now.
>
> Comments?
>
> Jeff C.
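
The two mechanisms discussed in this exchange, as an added example that is not
part of either message or of SURBL's own code: building the multi.surbl.org query
name for a URI host (an IP address is queried with its octets reversed), decoding
the 127.0.0.X answer as a bitmask with XS on the 128 bit as Jeff proposes, and a
local block list that expires IP entries after the 90 minutes Kevin suggests.
Only the XS = 128 assignment comes from the thread; the other bit values, the
query-name convention for domain names, the host names and the DNS answers are
assumptions made here, and the resolver is a constructed offline stand-in rather
than a real DNS lookup.

```python
from __future__ import annotations

import ipaddress
import time

# Bits of the 127.0.0.X answer from multi.surbl.org. XS = 128 is the value
# proposed in the thread; the others are ASSUMED here for illustration and
# should be checked against SURBL's current documentation before use.
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP", 128: "XS"}


def _as_ipv4(host: str) -> ipaddress.IPv4Address | None:
    """Return the host as an IPv4Address, or None if it is a domain name."""
    try:
        return ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return None


def query_name(host: str, zone: str = "multi.surbl.org") -> str:
    """Build the DNS name to look up for a URI host.

    An IP address is queried with its octets reversed; a domain name is
    queried as-is (no registrar-boundary trimming is done in this example).
    """
    ip = _as_ipv4(host)
    if ip is None:
        return f"{host.rstrip('.').lower()}.{zone}"
    return ".".join(reversed(ip.exploded.split("."))) + "." + zone


def decode_answer(answer: str) -> set[str]:
    """Translate a 127.0.0.X answer into the set of list names that hit."""
    octets = answer.split(".")
    if octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"unexpected answer {answer!r}")
    mask = int(octets[3])
    return {name for bit, name in SURBL_BITS.items() if mask & bit}


class ExpiringBlocklist:
    """IP block list whose entries lapse after `ttl` seconds (default 90 min).

    Short expiry limits the damage when a listed address turns out to be a
    proxy or a DHCP-pool member. `clock` is injectable so expiry can be
    exercised without waiting.
    """

    def __init__(self, ttl: float = 90 * 60, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._entries: dict[str, float] = {}

    def add(self, ip: str) -> None:
        self._entries[str(ipaddress.IPv4Address(ip))] = self.clock()

    def is_blocked(self, ip: str) -> bool:
        self._prune()
        return str(ipaddress.IPv4Address(ip)) in self._entries

    def _prune(self) -> None:
        # Keep an entry only while it is strictly younger than ttl seconds.
        cutoff = self.clock() - self.ttl
        self._entries = {ip: t for ip, t in self._entries.items() if t > cutoff}


def check_uri_host(host: str, resolve, blocklist: ExpiringBlocklist) -> set[str]:
    """Look up `host`; record IP hosts that hit XS in the short-lived block list."""
    answer = resolve(query_name(host))
    lists = decode_answer(answer) if answer else set()
    if "XS" in lists and _as_ipv4(host) is not None:
        blocklist.add(host)
    return lists


# Constructed offline stand-in for DNS: made-up hosts and made-up answers.
FAKE_DNS = {
    "4.3.2.1.multi.surbl.org": "127.0.0.130",    # 128 (XS) + 2 (SC)
    "example.test.multi.surbl.org": "127.0.0.4",  # 4 (WS) only
}


def fake_resolve(name: str) -> str | None:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    bl = ExpiringBlocklist()
    for host in ("1.2.3.4", "example.test", "10.0.0.1"):
        print(host, query_name(host), sorted(check_uri_host(host, fake_resolve, bl)))
    print("1.2.3.4 blocked:", bl.is_blocked("1.2.3.4"))
```

Swap `fake_resolve` for a real A-record lookup to use this against the live zone;
the bitmask decode and the expiry logic do not change.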

