[SURBL-Discuss] RFC: Storm URI IPs to XS list?
sm at resistor.net
Sat Aug 18 17:21:48 CEST 2007
At 01:49 18-08-2007, Jeff Chan wrote:
>As we know, the storm malware is responsible for a large number of compromised
>computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large
>number of storm e-card-advertised URI IP addresses are available from the XS
>data source but are not currently being listed on XS. (Those IPs, of course,
>are all or mostly bot-hosted web sites with malware loaders to further spread
>storm by compromising more computers and growing the botnets by infecting
>anyone who visits the sites.)
>1. Blacklist those on XS
>2. Add XS into multi.surbl.org as the 128th bit
>In principle #1 and #2 could be separate issues, but to get maximum benefit if
>#1 is done then #2 should probably be done also.
That will cause false positives. Some ISPs don't assign long
leases. The IP address of an infected host can be assigned to a
"good" one in a matter of hours.