[SURBL-Discuss] RFC: Storm URI IPs to XS list?

Eric Montréal erv at mailpeers.net
Wed Aug 22 19:18:25 CEST 2007

Jeff Chan wrote:
> As we know, the storm malware is responsible for a large number of compromised
> computers in botnets, for DDOS, for e-card, PDF, and stock spams, etc.  A large
> number of storm e-card-advertised URI IP addresses are available from the XS
> data source but are not currently being listed on XS.  (Those IPs, of course
> are all or mostly bot-hosted web sites with malware loaders to further spread
> storm by compromising more computers and growing the botnets by infecting
> anyone who visits the sites.)
> Shall we:
> 1.  Blacklist those on XS
> 2.  Add XS into multi.surbl.org as the 128th bit
Sure, but to prevent any of the F.P. risks mentionned in the thread, 
checking them with something like :
wget -S --spider -T5 -t1  -U"Mozilla/4.0 (compatible; MSIE 6.0; Windows 
NT 5.1; SV1; .NET CLR 1.1.4322)" [ip]
(better through proxy) and comparing the result with a known positive 
would make it (near) perfect
and keep them listed just as long as they need to be...
When they vanish, scanning the /24 would certainly allow to recapture 
most of them.

Can't wait for that list ... increasing amounts of those spams hitting  ...


> In principle #1 and #2 could be separate issues, but to get maximum benefit if
> #1 is done then #2 should probably be done also.
> XS will have likely have much other data added to it in future, including
> non-storm domain names and other URI hosts.  This would only be a first step. 
> It's also worth noting that we don't intend XS to be a malware list; we're
> still focussed on unsolicited messages and that is the aspect that arguably
> makes the storm IPs appropriate for inclusion: their appearance in huge amounts
> of bot-sent unsolicited messages.  It just happens that the messages are
> primarily meant to propagate storm, but they're still unsolicited, bulk, etc.
> Also, regarding storm URI IPs, some are currently being added to SC and WS. 
> Some are probably going onto JP and PH also.  But the XS collection would
> probably be more comprehensive than the others for now.
> Comments?
> Jeff C.
> _______________________________________________
> Discuss mailing list
> Discuss at lists.surbl.org
> http://lists.surbl.org/mailman/listinfo/discuss

More information about the Discuss mailing list