[SURBL-Discuss] RFC: Storm URI IPs to XS list?
erv at mailpeers.net
Wed Aug 22 19:18:25 CEST 2007
Jeff Chan wrote:
> As we know, the storm malware is responsible for a large number of compromised
> computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc. A large
> number of storm e-card-advertised URI IP addresses are available from the XS
> data source but are not currently being listed on XS. (Those IPs, of course,
> are all or mostly bot-hosted web sites with malware loaders to further spread
> storm by compromising more computers and growing the botnets by infecting
> anyone who visits the sites.)
> Shall we:
> 1. Blacklist those on XS
> 2. Add XS into multi.surbl.org as the 128th bit
Sure, but to prevent any of the F.P. risks mentioned in the thread,
checking them with something like:
wget -S --spider -T5 -t1 -U"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" [ip]
(better through proxy) and comparing the result with a known positive
would make it (near) perfect
and keep them listed just as long as they need to be...
When they vanish, scanning the /24 would certainly allow recapturing
most of them.
Can't wait for that list ... increasing amounts of those spams hitting ...
> In principle #1 and #2 could be separate issues, but to get maximum benefit if
> #1 is done then #2 should probably be done also.
> XS will likely have much other data added to it in future, including
> non-storm domain names and other URI hosts. This would only be a first step.
> It's also worth noting that we don't intend XS to be a malware list; we're
> still focussed on unsolicited messages and that is the aspect that arguably
> makes the storm IPs appropriate for inclusion: their appearance in huge amounts
> of bot-sent unsolicited messages. It just happens that the messages are
> primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
> Also, regarding storm URI IPs, some are currently being added to SC and WS.
> Some are probably going onto JP and PH also. But the XS collection would
> probably be more comprehensive than the others for now.
> Jeff C.
> Discuss mailing list
> Discuss at lists.surbl.org
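Added example (not part of the original post and not SURBL code): one way to do the "compare with a known positive" check suggested in the reply, by fingerprinting the headers that wget -S prints and listing only on an exact match. The captures, the server name "exampled/0.1" and the function names are constructed for illustration, and the two-space header indent is assumed from wget's usual -S output.

```python
import re

# Headers that change per request; they say nothing about which software answered.
VOLATILE = {"date", "last-modified", "etag", "expires", "set-cookie", "age"}

def fingerprint(wget_output):
    """Return {field: value} for the final response block in `wget -S` output,
    or {} when no HTTP response was received (timeout, refused, host gone)."""
    fields = {}
    for line in wget_output.splitlines():
        if not line.startswith("  "):        # wget indents server headers
            continue
        line = line.strip()
        m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", line)
        if m:
            fields = {"status": m.group(1)}  # restart on each response (redirects)
        elif fields and ":" in line:
            name, _, value = line.partition(":")
            if name.strip().lower() not in VOLATILE:
                fields[name.strip().lower()] = value.strip()
    return fields

def differing_fields(known, candidate):
    """Names of fields whose value differs or that exist on only one side."""
    return sorted(k for k in known.keys() | candidate.keys()
                  if known.get(k) != candidate.get(k))

def should_list(known_output, candidate_output):
    """List (or keep listed) only on an exact fingerprint match; a host that no
    longer answers, or answers differently, is not listed."""
    known, cand = fingerprint(known_output), fingerprint(candidate_output)
    return bool(known) and bool(cand) and not differing_fields(known, cand)

# Constructed captures (not real Storm data); addresses are RFC 5737 test ranges.
KNOWN_POSITIVE = """\
Connecting to 192.0.2.10:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: exampled/0.1
  Date: Wed, 22 Aug 2007 17:00:00 GMT
  Content-Type: text/html
  Content-Length: 1234
  Connection: close
Length: 1234 (1.2K) [text/html]
"""
SAME_KIT = KNOWN_POSITIVE.replace("17:00:00", "17:05:42")   # only Date differs
SHARED_HOST = KNOWN_POSITIVE.replace("exampled/0.1", "Apache").replace("1234", "5120")
GONE = "Connecting to 203.0.113.9:80... failed: Connection timed out.\n"
```

Re-running the same check on already listed IPs gives the expiry behaviour the reply asks for: an entry whose fingerprint stops matching drops off the list.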