[SURBL-Discuss] RFC: Storm URI IPs to XS list?

SM sm at resistor.net
Sat Aug 18 17:21:48 CEST 2007

Hi Jeff,
At 01:49 18-08-2007, Jeff Chan wrote:
>As we know, the storm malware is responsible for a large number of compromised
>computers in botnets, for DDOS, for e-card, PDF, and stock spams, 
>etc.  A large
>number of storm e-card-advertised URI IP addresses are available from the XS
>data source but are not currently being listed on XS.  (Those IPs, of course
>are all or mostly bot-hosted web sites with malware loaders to further spread
>storm by compromising more computers and growing the botnets by infecting
>anyone who visits the sites.)
>Shall we:
>1.  Blacklist those on XS
>2.  Add XS into multi.surbl.org as the 128th bit
>In principle #1 and #2 could be separate issues, but to get maximum benefit if
>#1 is done then #2 should probably be done also.

That will cause false positives.  Some ISPs don't assign long 
leases.  The IP address of an infected host can be assigned to a 
"good" one in a matter of hours.


More information about the Discuss mailing list