[SURBL-Discuss] Re: Storm URI IPs to XS list?

Jeremy Fairbrass jfairbrass at hotmail.com
Sun Aug 19 02:43:17 CEST 2007


I think that's a really great idea - would love to see it implemented! As long as we're correctly using it as a URIBL rather than 
RBL, it should work fine.

My 2c,
Jeremy



"Jeff Chan" <jeffc at surbl.org> wrote in message news:1187426940.46c6b27c7a216 at mail.supranet.net...
>
>
> As we know, the storm malware is responsible for a large number of compromised
> computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc.  A large
> number of storm e-card-advertised URI IP addresses are available from the XS
> data source but are not currently being listed on XS.  (Those IPs, of course
> are all or mostly bot-hosted web sites with malware loaders to further spread
> storm by compromising more computers and growing the botnets by infecting
> anyone who visits the sites.)
>
> Shall we:
>
> 1.  Blacklist those on XS
> 2.  Add XS into multi.surbl.org as the 128th bit
>
> In principle #1 and #2 could be separate issues, but to get maximum benefit if
> #1 is done then #2 should probably be done also.
>
> XS will have likely have much other data added to it in future, including
> non-storm domain names and other URI hosts.  This would only be a first step.
> It's also worth noting that we don't intend XS to be a malware list; we're
> still focussed on unsolicited messages and that is the aspect that arguably
> makes the storm IPs appropriate for inclusion: their appearance in huge amounts
> of bot-sent unsolicited messages.  It just happens that the messages are
> primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
>
> Also, regarding storm URI IPs, some are currently being added to SC and WS.
> Some are probably going onto JP and PH also.  But the XS collection would
> probably be more comprehensive than the others for now.
>
> Comments?
>
> Jeff C. 





More information about the Discuss mailing list