Domain: abuseat.org
Stories and comments across the archive that link to abuseat.org.
Comments · 14
-
Tell you what: THESE *may* help... apk
They CAN function as decent indicators (provided this isn't some "brand new" site they haven't tested):
http://safeweb.norton.com/buzz
http://www.siteadvisor.com/
http://wepawet.iseclab.org/
http://www.mywot.com/en/commun...
http://www.virustotal.com/
http://www.mcafee.com/us/mcafe...
http://www.malwareurl.com/list...
http://cbl.abuseat.org/lookup....
http://www.threatstop.com/chec...
http://www.avgthreatlabs.com/s...* You can run sites OR IP Addresses thru them to check *ANY* sites you wish that you're unsure of... enjoy!
APK
P.S.=> In fact, I built hooks into those into this application of mine (in its "Site Checkers" menu, pictured below) that allows users of my APK Hosts File Engine 9.0++ 32/84-bit-> http://start64.com/index.php?o... to answer the SAME basic question you have - in case they wish to remove any sites blocked in the hosts file data imported, these sites give them a FAR MORE DECENT INDICATOR than mere "word-of-mouth"... apk
-
This conflicts with what I see (I do anti-spam)
I only see one publicly visible spam volume graph supporting this claim: SpamHaus CBL (look at the "Last quarter" graph).
SpamCop and SenderBase suggest the overall trend is still down, though I'm not convinced this is related to Grum -- it appears Grum just wasn't as major a player as people thought.
The other graphs I have bookmarked, from McAfee (click the "Historic Data" tab) and Symantec, are inconclusive.
-
Re:Request
-
CBL - Composite Block List
I can highly recommend the Composite Block List (CBL), cbl.abuseat.org. They seem to have an extremely good handle on trojanned zombie/bot machines. I started using the CBL when the massive pump-and-dump stock spam runs started several months ago, and it's been very effective.
As an aside, if you're being flooded with the stock spams, implement a filter to silently drop mails with a message-ID containing "6c822ecf" ... -
Re:Neuter the zombies
We already know where the zombies are. Hard working volunteers collect and publish (among other things) zombies, an ever growing list of the nodes used to carry out spam runs, DoS attacks, and other mischief.
cbl, sorbs, uceprotect, wpbl, and others all publish this info in near realtime
That's where the info is. A responsible ISP has to search the lists for their hosts and then go from there.
-
Re:GMAIL FTW!
Not really. A lot of spam these days comes from zombied/trojaned machines, which are already well covered by other blocklists, like CBL. Were spamhaus to go away, chances are spam levels would remain about the same for people not using the tools. Spammers just don't care if they're blocked or not, all things considered.
-
Detect infection and shut down service
A quick way to handle the situation you describe is to detect the infection from outside and then shut down (or limit) service to the affected hosts. Sniffing network traffic to assess infections is the most accurate way, but here's another technique. Most viruses are involved with spamming in one way or another, and as such, infected hosts are detected out on the Internet.
What you should do is routinely grab (rsync) a full listing of blacklisted hosts from CBL, DSBL and elsewhere... and then use the grepcidr program to hunt for IP addresses from your network inside those huge lists.
This can be totally scripted. If you locate infected hosts, you can then revoke or cripple service to them one way or another. Examples of crippling would be to reduce available bandwidth (tarpit on a linux router), blocking all but the most essential outbound ports at the firewall. Or you could be more brutal and just revoke their IP connectivity. -
Sympathy
I can understand the plight of being blacklisted. I work as an intern for a non-proft company (I swap every three months with another guy, who recently left, because of college. I just started again this week.) We've had our e-mail server blacklisted by the CBL twice in the last month.
From what I can tell, the current sysadmin (our IT department consists of the sysadmin and the intern) went through their automated faith-based removal. That worked for a month, but we got listed again yesterday. I've spent the last two days running all sorts of virus/*-ware tools on the servers themselves to see what, if anything, they have (nothing found.) Using tools like the Open Relay Database, I can't find any open ports. CBL supposedly only lists servers that are being used to send spam by proxy or virus/trojan. I went ahead and removed us from the list again today, and will be spending the rest of the week checking outgoing mail stats to see if anyone is sending an unusually high volume of mail, indicating that they have a virus/trojan.
It's unfortunate that we have a lot of troubles because the last-last boss, who was there for three years, was a total idiot. Unfortunatly, my counter-part wasn't exactly pro-active, either. To those who don't know this: (how could you not?)
No one gets administrative rights.
No one. -
We have this already.
It is called a blacklist. There are many blacklists out there from the free like http://cbl.abuseat.org/ to the non-free http://www.spamhaus.org/. Wonder how much time IBM wasted on figuring out how to send a 500 error message based on IP.
-
We'll see how effective this is
Sounds like a great plan to me! I don't like the idea of outright port blocking (customers are paying for IP access, right) but it's very easy to locate the suspicious hosts, which means that once the automated systems are in place they can easily add port restrictions.
We can watch to see how effective this is by seeing how many of comcast's IPs show up in real time spam blocklists. Take CBL and WPBL for instance, two of my favourite lists...
% grepcidr -c -e 68.80.0.0/13 1501
% grepcidr -c -e 68.80.0.0/13 351
Now we see if those numbers go down over time :) Easy. -
Re:Step One: Follow the money.
Congratulations, you've re-invented the CBL.
-
Re:Blocking IP addresses? Only a matter of time...
Err, exactly this is why the OPL exists, albiet originally for IRC. There is also the CBL, which lists about a million open proxies and compromised machines.
I suggest you check up on how a DNSBL works and find out about them. They publish a constantly updated list of such proxies and other things, mainly for filtering out spam but can be used to filter out anything you don't want from an open proxy using DNS protocols.
As you can appriciate, having a constantly updated list is preferable to a static list of 1000.
There's no reason why Sprint couldn't use the OPL, Sorbs, NJABL, CBL or any of the other open proxy DNSBL's out there. -
Re:dont forget ...
You can make it even simpler. Don't accept mail from likely abuse sources, from dynamic IP addresses, or from known abusers. Those three blocklists get rid of an enormous amount of my spam.
Taken along with a few select country blocklists (I use China, Taiwan, Hong Kong, Korea, Brazil, and Argentina), you can go from a flood to a trickle in no time. China is a Very Special Case -- they're completely filtered at the borders now. If they ever clean up their act, they may get to pass packets again, but I'm not holding my breath. In the meantime, they can enjoy their shrinking view of the Internet.
-
Re:Problem...
Once all/most/many of the relays that they can use without *overtly* breaking the law close up, spammers will simply turn to *overtly* breaking the law, as in creating zombie networks. And as soon as those poorly maintained computers are cleaned up, they will simply use the same virus/worm/exploit to 0wn more poorly maintained computers (These computers will coincedently tend to be crawling with malware already).
You're behind the curve. Spammers have actually already run out of machines they can use without *overtly* breaking the law, and starting about TWO YEARS ago, began exploiting security vulnerabilitys and employing professional virus-writers in Russia and the Ukraine.There have now been four or five generations of proxy-trojan backdoor worms, with features such as randomized port listening, making them next to impossible to detect until the spam begins.
Several dozen "zombie networks" already exist, along with hijacked netblocks of companies which went under during the "dot-bomb" in 2001.
In fact, there are places on the web where you can buy lists of exploited machines. As someone who investigates spam for a living, it's been nearly two years since I've seen spam through an open relay mailserver. Almost everything now comes from infected home PCs on cable or DSL lines.
Though any such move would doubtlessly be controversial, I suggest writing a "white hat" virus what would:
This "white-hat" in particular disagrees with your use of the word "controversial" and suggests you substitute "liable to land one in prison for 10 years". Recommendations of "hacking the hackers" and "spamming the spammers" are sophmorish, unprofessional, and when implemented, tend to attract the attention of law enforcement onto your ass rather like sticking a lightning rod up it.Happily, spammers still don't know how to write a proper SMTP client. Most spamware only approximates a real SMTP transaction (usually well enough to work). Without going into detail (for obvious reasons), this can be detected.
See the Composite Block List as an example of the practical application of passive detection of spammer malware.
Here's a hint for those running their own mailservers: Spamware tends to time out very quickly. Add a short delay before your MTA presents an SMTP banner (oh, 30 seconds is fine). Most spamware will start behaving as if you don't even exist. The SMTP RFCs say clients should wait for the initial banner for five minutes before timing out .
4.5.3.2 Timeouts
There are a few places which set their timeouts ridiculously short, like Yahoo, and UUNet, and if you do a lot of business with them you'll need to whitelist. Otherwise, go to town.Initial 220 Message: 5 minutes
An SMTP client process needs to distinguish between a failed TCP connection and a delay in receiving the initial 220 greeting message. Many SMTP servers accept a TCP connection but delay delivery of the 220 message until their system load permits more mail to be processed
--Og