Reputation Lookup for IPs
xzap writes "ZDNet is running an article about TrustedSource.org which is a new portal that provides reputation information for IP addresses. It can be used to configure your spam filters or when deciding whether to add an unknown host to your blacklist. Dmitri Alperovitch, a research engineer at CipherTrust said "Often companies don't realize that they have zombie machines on their network that have been sending e-mail. It may be more helpful for organizations to identify which systems on their networks are sending e-mail." Users can drill down to find more information on each domain. The portal is an initiative of CipherTrust who have previously been covered on Slashdot."
This is a great idea, now if they had this for politions.
...domain whoring!
whois: Reputation?
a reputation system for sites who don't try to slam you with a ginormous Flash advertisement the minute you load their site? Good Lord, and thank goodness for FlashBlock...
The World Wide Web is dying. Soon, we shall have only the Internet.
It showed my IP blocks as having raised concern, despite the fact that they're not on any black lists and I can't see why it has drawn that conclusion. Also, using the domain checker, it has no knowledge of non-TLDs, meaning it will treat xxx.org.uk and yyy.org.uk as the same domain - org.uk.
Tim Brown
It may be more helpful for organizations to identify which systems on their networks are sending e-mail.
If an organization wakes up to this problem, why would it not simply block port 25 outgoing except to its mailservers?
Ydco co
You can bet that the spammers will look for ways to improve their standing. Being able to use a compromised computer to rank a page with positive points/karma/rating etc seems like a significant problem. If it's a negative-only system then those same compromised computers can blacklist IPs that aren't compromised, effectively reducing the 'average' past their own, leading to their own standing out as relatively whiter.
Hopefully CipherTrust will have a look at (for example) things Google has done with pagerank, and be able to address a problem that is significantly tied in with the problem it is trying to help with.
Browsing with +2 to insightful posts and a higher threshold makes the average post seen seem a lot more ingenious
Hmm. According to that database, my current IP has two traits: one, it has never been used to send spam etc. (as far as they know); and two, it is "suspicious".
Makes you wonder. If nothing ever came from this IP, then shouldn't it be "unsuspicious" or something like that (or at least "unknown")?
That being said, I wouldn't really trust a company, whose prime motivation is to make money, with things like this anyway. There's already DShield, which is a community effort, so what do we need this for?
quidquid latine dictum sit altum videtur.
Why on earth should lots of machines be able to send email from inside a corporation? Surely some smarthosts and block port 25 at the border routers is the way to go. Then a check of the logs can give you clues as to which machines are compromised.
Next we'll have slashdotters writing a firefox extension to mine the IP database for porny IPs...
Procrastination -- because good things come to those who wait.
Don't most spam zombies use dynamic IP addresses? Then this is useless... Even worse, you can get an IP which has been used by a zombie and this system will think you're one too.
A similar site already exists: http://www.senderbase.org/
This is no better than any of a number of other existing RBLs as far as I can see. So why does it get a front page write-up?
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
A list of Tor server IP's:
http://proxy.org/tor.shtml
Some people are bound to abuse TOR by simply being dickheads over it, comment spamming, flaming, trolling, etc.
But the benefits of a system that protects your right to free speech totally outweighs the negative.
If those dickheads negatively tarnish the Tor servers such that they become less valuable due to being second class citizens on the internet... then it is a really really bad idea.
Protect firstly that which you have, then see what you need to do to stop spammers, dickheads in general, etc.
Yes, we DO want to talk about reputation lookup for IPs.
The hurricane is horrible, for sure. It is very tragic that so many people are losing so much. I would pray for them. However, slashdot is NOT the place to discuss a hurricane.
Slashdot is technology news, not general news. If you want to submit a story about the hurricane, and it gets posted, I would gladly "get some priorities" and discuss that instead. Until then, such a discussion is flagrantly off topic.
Just because there's a disaster doesn't mean the rest of the world stands still. Life goes on, and hopefully gets better.
News for Nerds is news for nerds, not news for the south.
to accept the praise of personal wisdom is an affront to the very ideal i hold dear.
Being from a country that is considered a hotspot for spam, I naturally appreciate any effort to eradicate spam, BUT blacklists take things too far. They don't seem very effective and only serve to irritate and inconvenience people who have done nothing wrong and are using their IPs for only legitimate purposes.
This especially affects smaller ISPs and hosting providers, who get slammed despite in a lot of cases being able to prove that no spam was originating from their network and that they have secure servers. These blacklist operators have automated systems checking the "vulnerability" of networks and adding IPs willy-nilly. This has a negligible effect on actual spammers, since they will just hop to another network when a network they are using gets blacklisted. It's almost like the gun control system in Canada, only worse since it is automated in addition to being highly inaccurate and ineffective. This new system smells too much like a hyped-up, buzzword-added blacklist for my liking.
Liberal Ontarians and French Quebecers are draining Western Canada's wealth. Stop them now! Support Western separatism.
... you should use reputation of the AS (autonomous system). An AS is a group of IP addresses that are owned (generally) by the same entity.
There may be billions of IP addresses, but not that many ASes.
I started to write a spamassassin plugin that would track the spamminess of email by AS - haven't finished yet.
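Added example (not the poster's unfinished SpamAssassin plugin, which is not on the page): reputation tallied per AS rather than per IP, so a sender address never seen before still inherits the history of the AS it belongs to. The prefix table, ASNs (reserved documentation range) and verdict log are constructed.

```python
"""Reputation keyed by autonomous system instead of single IP address."""
import ipaddress
from collections import defaultdict

# Constructed routing table (assumption): prefix -> origin ASN.
PREFIX_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): 64496,
    ipaddress.ip_network("198.51.100.128/25"): 64497,  # more specific carve-out
    ipaddress.ip_network("203.0.113.0/24"): 64498,
}


def asn_for(ip):
    """Longest-prefix match, the way a BGP table lookup resolves an address.
    Returns None when no prefix in the table covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


class AsReputation:
    """Tallies spam/ham verdicts per AS and scores an AS on that history.
    The score is a Laplace-smoothed spam ratio, so an AS with little
    history sits near the prior instead of jumping to 0 or 1."""

    def __init__(self, prior_spam=0.5, prior_weight=2.0):
        self.counts = defaultdict(lambda: [0, 0])  # asn -> [spam, ham]
        self.prior_spam = prior_spam
        self.prior_weight = prior_weight

    def record(self, ip, is_spam):
        asn = asn_for(ip)
        if asn is None:
            return  # no AS known: nothing to attribute the verdict to
        self.counts[asn][0 if is_spam else 1] += 1

    def spam_ratio(self, asn):
        spam, ham = self.counts.get(asn, [0, 0])
        return (spam + self.prior_spam * self.prior_weight) / (spam + ham + self.prior_weight)

    def classify(self, ip, block_at=0.8, trust_at=0.2):
        """Policy for a new connection: decided by the AS, not the IP."""
        asn = asn_for(ip)
        if asn is None:
            return "UNKNOWN"
        ratio = self.spam_ratio(asn)
        if ratio >= block_at:
            return "BLOCK"
        if ratio <= trust_at:
            return "TRUST"
        return "GREYLIST"


# Constructed verdict log (assumption): (sender IP, classified as spam upstream).
SAMPLE_VERDICTS = [
    ("198.51.100.10", True), ("198.51.100.11", True), ("198.51.100.12", True),
    ("198.51.100.13", True), ("198.51.100.14", True), ("198.51.100.15", True),
    ("198.51.100.200", False), ("198.51.100.201", False), ("198.51.100.202", False),
    ("198.51.100.203", False), ("198.51.100.204", False), ("198.51.100.205", False),
    ("203.0.113.7", True), ("203.0.113.9", False),
]


def build_reputation(verdicts=SAMPLE_VERDICTS):
    rep = AsReputation()
    for ip, is_spam in verdicts:
        rep.record(ip, is_spam)
    return rep


if __name__ == "__main__":
    rep = build_reputation()
    # 198.51.100.99 was never seen, but its AS (64496) sent only spam.
    for probe in ("198.51.100.99", "198.51.100.150", "203.0.113.99", "192.0.2.1"):
        print(probe, asn_for(probe), rep.classify(probe))
```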
Excellent box fast response would deal with again! A++++++++++
Neat. www.slashdot.org, www.spamhaus.org and www.mcafee.com are classified as "Raised Concern"
They need to work on their rating system.
This is pretty horrible. Spamisp will trash an ip's reputation, get it blacklisted everywhere, then just reassign it. Not to mention what happens with temp abuse of service (say, run a shell server and have someone spam from it for a day before you notice and catch them)
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
``Why on earth should lots of machines be able to send email from inside a corporation? Surely some smarthosts and block port 25 at the border routers is the way to go.''
Hmm, I don't like that idea. It basically forces you to send your mail through an SMTP server on the same network. Most machines I use use the sendmail command, which, AFAIK, connects directly to the MX for the receiving domains. I like this behavior, because (1) it doesn't put unnecessary load on any outgoing SMTP server, (2) doesn't have a single point of failure, and (3) doesn't allow the administrator of the outgoing server to inspect/filter/modify/reject the mail I send.
How do other people feel about this?
BTW: I am aware that using an outgoing SMTP server is standard practice on Windows, that traffic that leaves the network can still be inspected/filtered/modified/rejected at the gateway, and that a gateway is also a single point of failure. The point is that having an outgoing SMTP server _adds_ a piece of infrastructure where these problems occur. Also, it's usually easier to do any kind of content processing on an SMTP server than on a router. So, considering all this, how do people feel about having or not having to use an outgoing SMTP server?
Please correct me if I got my facts wrong.
Spamcop.net could tell you this. Come on, we know that rr.com (roach runner) is a cockroach heaven. If only somebody could give the navy the co-ordinates to the HR dept of rr, and then fire a missile at them, then that might be deemed 'progress'. Or do what we do: block *.rr.com
Send Peter Clifford Francis Macrae comdoms to 23 Bedford St, St.Neots, PE19 1AX, England
China has surpassed the US in the zombie race. According to this page: http://www.trustedsource.org/zombiemeter.php China has taken the lead. Still, the US zombies are more effective since almost all spam originates from the US. You just wait until the Chinese get the Dragon CPU up and running.
HTTP/1.1 400
I got the same "suspicious" for the same reasons (which is plain stupid) so for fun I tried the "Are you cracked?"-thingy at DShield but it's even worse as it logs failed torrent connections as "attacks" originating from my IP.
Do we need either? Are there anyone out there who actually uses this stuff for serious purposes?
this comment is provided "as is" and without any express or implied legibility or congruity [...]
For example, on the "IP" page, it said that 255.255.255.255 is sending spam, and that 224.1.2.3 "raised concern".
:-)
Of course, those are not valid unicast IP addresses.
On the other hand, 192.168.10.12 is "inoffensive". Phew!
It would seem that Cliff has a different opinion than you on this topic...
____
~ |rip/\/\aster /\/\onkey
What might be interesting would be if Google (or another search engine) used the same information as part of its ranking, so if a site that has a low reputation hosts a page with your keywords, the likelihood is you're probably not interested.
Is there a system for removing an IP address from the list?
What happens if you are on a server with a dodgy site, but you share the IP address?
Wow, this is almost an exact copy of Ironport's Senderbase Reputation Score!
It's better to burn out than to fade away
This could be extended to usefulness in a firewall's configuration for blocked hosts. Networks or individual IP's that are known to have poor security and have scans frequently emanate from them should be on a temporary list like spam blacklists.
You are about to give someone a piece of your mind, something which you can ill afford...
255.255.255.255
First seen: 2005-07-29
Country: UNITED STATES
What is somewhat frustrating in my opinion is the nature of IP's--they are just used for certain lengths of time and then passed on when they are no longer needed. By judging an IP address on its history, how many reputable sites are blamed for the actions of those that held the IP first? Could you imagine moving into a new home, getting your phone number, and then not being able to call out because the person before you abused others using that number?
That having been said, I really don't know of a better way but it just makes me a little uneasy to think about the practice... just my $0.02.
Finance tutorials and more! Understandfinance
POLITRON: 1) The quantum of dishonesty, commonly misspelled POLITION. 2) An inhabitant of Washingtron. 3) a variant of POLYTRON, the particle that allows the creation of multiply nucleated elements. See UNOBTAINIUM.
Hic iacet Arthurus, rex quondam rexque futurus.
I found that my IP is marked as "Raised Concern".
What the heck does this mean? There is no legend that explains what this category means.
Add to the insult, I was away from this machine most of the month and it was shut down. How did they come to the conclusion that my IP is problematic? There is no way to complain these guys - no form, no email id.
I know I should not get upset with this, but with such visibility, they should be more professional. What if one of my potential clients looks up this IP and comes to a conclusion that I might be a spammer? This is irresponsible.
I'm interested in understanding that. Could someone enlighten me?
My domain and IPs are listed as "Inoffensive", but it does show an increase of mail volume in one of my IPs, and the decrease on another yesterday (I've changed my sendmail outgoing IP; it was using the wrong eth0 aliases).
I know I'm not sending emails to 'spam trap' addresses (we do not send unsolicited mail), my linux server is not an open relay nor a zombie, and I block outgoing smtp coming from the intranet (so there couldn't be a windows zombie inside).
So how did it 'notice' the shift of my email traffic from one IP to the other, in just one day, especially with the low volume of emails we send (there were about 200 outgoing emails from our server yesterday)? Creepy.
Having a look at the list of domain keys very nicely points out that all the dodgy looking names have got their domain keys well in order to continue the barrage of crap email, but at least you know it is from them...
It also shows a nice, test key when inspecting the spf records for such high quality domains...
http://www.trustedsource.org/dkim.php
37 - what does it stand for really...
Often companies don't realize that they have zombie machines on their network that have been sending e-mail.
Well, you could sign up with some sort of reputation service. Or you could just start with those machines which are spewing port 25 all day, every day. Those are either zombies or people with a LOT of friends.
So?
Life goes on. The world does not stop just because New Orleans is under water. In fact we've known for decades this would happen, WHEN New Orleans got hit. It's kinda like the tornadoes that went through downtown Fort Worth or Oklahoma City; it happens. Clean up your mess and move on to the next project.
heh. good job there. i guess i'm almost as good at ignoring previous stories as the editors. :)
posting AC so i don't lose offtopic karma.
--drrobin_
Not nearly as bad as I'd have thought.
Any net vigilantes out there want to "infect" these machines with patches?
ISP Active Hosts Yesterday
yahoo.com 4110
comcast.net 4017
hotmail.com 1567
aol.com 358
rr.com 5256
http://www.trustedsource.org/
"raised concern" is a perfectly reasonable rating.
Established email servers are not usually used to send UCE; a result of RBLs is that most are now secure.
Most UCE is sent from zombies, and these are typically unknown as email servers.
Therefore the default status of an email server that is unknown to TrustedSource can reasonably be expected to be "raised concern".
0.0.0.0
Current reputation: Spam First seen: 2005-08-03
This is the last straw; the "IANA" postmaster is getting a letter from me. I've been having a problem with another one of their IPs as well (127.0.0.1).
I recently tested appliances from CipherTrust and IronPort that use TrustedSource and SenderBase respectively. The CipherTrust unit yielded an unacceptably high number of false positives (0.8%), partially due to bad data from TrustedSource. The IronPort unit performed much better, but I have concerns about the Bonded Sender program (and if you are using SenderBase, it seems that you have no choice but to honor Bonded Senders). Since implementing Exim/SpamAssassin/ClamAV, I've noticed that 10-20% of our incoming email coming from Bonded Senders is identified as spam, and nobody is complaining about false positives. YMMV.
Nope, the ISP should police its own network professionally.
If they fail to do so the responsible customers should move to a more responsible ISP.
I agree, and while there are probably many legitimate mail servers still unknown to TrustedSource, a "raised concern" for this reason alone should not be enough to reject mail from that source. Maybe if a number of other tests simultaneously flash yellow warning lights, the fact that the IP address has no history of past mail may be enough to trigger a rejection.
My problem with the TrustedSource site, however, is that they don't seem to provide any documentation explaining how their ratings are calculated, or how they are supposed to be used. My mail server certainly won't access their website to look up the IP address of each incoming message. Do they provide their ratings also via DNS, or is that a service limited to paying customers only? If they want to sell that service, they should either show or explain what I will get by paying, not merely provide free interactive lookups that will be boring after two minutes.
I like the concept of reputation-based mail processing, but it's just a generalization of blacklists, which have been around for nearly a decade. Anything new here? I'm afraid they just lost my attention, and I regard myself as patient.
I just looked up one of my IP addresses. Thanks to "TrustedSource" I have gained the following insight:
1. My daily average message volume is represented by a single shaded envelope icon (out of a possible 10). I can't find anything that translates this to an actual number of emails sent.
2. Yesterday my average volume was up 1,400%! Sounds serious. What does this mean? Well, I can't tell. Again it shows a single shaded envelope icon, with no hint of what this actually means.
3. Even more worrisome, the little graph in the corner shows that all of my email has "Raised Concern". Again, it does not explain what this means.
So, I see that my email volume increased 1,400% yesterday and that my email has "Raised Concern". Either there is a serious problem occurring on my mail server (taken over by a spambot?), or else these figures are bogus. Without further information, which does not seem to be available, I am leaning towards the second option.
look it up before you accept it.
Senderbase has been providing this information for quite some time. Senderbase gives numerical scores for e-mail volume and makes it easy to see when an address or domain is on spam blacklists.
Folks with an IronPort e-mail security appliance are granted access to the actual reputation scores as opposed to just a volume score. The reputation scores control the flow of e-mail through IronPort security appliances. IPs with a negative score are either known spammers or have insufficient reputation history. IPs with a positive score have a good sending history.
The whole concept of reputation scores is to determine whether you will accept an e-mail message or SMTP connection. Basing that judgment merely on sending volume would block Comcast, Yahoo, and AOL gateways (I'm referring to the ISP's e-mail systems, not their customer DSL and dial-up connections). Dynamic reputation scores are most useful in restricting the flow of e-mail from the bad guys while letting trustworthy e-mail flow through quickly. Folks with an IronPort e-mail security appliance also get actual reputation scores as opposed to just a sending volume rating. IPs with a negative score are either known spammers or have insufficient reputation. IPs with a positive score have a good sending history.
signature pending slashdot approval
TrustedSource ? Concerns raised: What is their definition of concern, raising, and how does an IP get to be labelled "Raised Concern"?
http://stephan.sugarmotor.org
The smart host goes in your DMZ.
Your regular mail server goes in your secure network.
You block all outgoing smtp connections from your secure network, except those going from your regular mail server to your smart host.
Any machine sending email from your secure network is configured to use your regular mail server as a smart host. This will prevent all but the most intelligent of viruses from spamming from your machines.
It also allows you to have different levels of filters on your boxes. Anything that's internal to internal can have very minimal filtering (if any) applied to it. Anything coming in from the outside can be subject to a LOT of scanning.
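Added example (not code from any of the posts): the outbound-SMTP policy described in the post above (only the regular mail server may reach the smart host; all other SMTP leaving the secure network is dropped), applied to a flow log to rank the internal hosts that keep trying port 25 directly, which is the log check earlier posts suggest for spotting zombies. Network ranges, host addresses and the log format are constructed.

```python
"""Egress SMTP policy model plus triage of the hosts it blocks."""
import ipaddress
import re
from collections import Counter

# Constructed topology (assumption): secure LAN, DMZ, internal relay, smart host.
SECURE_NET = ipaddress.ip_network("10.20.0.0/16")
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
MAIL_SERVER = ipaddress.ip_address("10.20.1.25")  # regular mail server, secure net
SMART_HOST = ipaddress.ip_address("192.0.2.25")   # smart host in the DMZ
SMTP_PORTS = {25, 465, 587}


def egress_verdict(src, dst, dport):
    """Return 'ALLOW' or 'DROP' for one outbound TCP flow from the border firewall.

    Rules exactly as the post lists them: the only SMTP flow permitted out of
    the secure network is mail server -> smart host.  Non-SMTP traffic and
    traffic that does not originate in the secure network are outside this
    policy and pass."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport not in SMTP_PORTS or src not in SECURE_NET:
        return "ALLOW"
    if src == MAIL_SERVER and dst == SMART_HOST:
        return "ALLOW"
    return "DROP"


# Constructed flow-log syntax (assumption): one outbound connection attempt per line.
FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+)")


def suspicious_senders(log_text, threshold=3):
    """Apply the policy to every logged attempt and count drops per internal host.

    Hosts at or above the threshold are the ones 'spewing port 25' that the
    thread says to look at first: zombies, or clients misconfigured to bypass
    the relay.  Returned most active first."""
    drops = Counter()
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if egress_verdict(src, dst, dport) == "DROP":
            drops[src] += 1
    return [(host, n) for host, n in drops.most_common() if n >= threshold]


# Constructed sample log (assumption).  10.20.7.14 fans out to many MXs, the
# pattern of a zombie; 10.20.1.25 once bypasses the smart host, also a drop.
SAMPLE_FLOWS = """\
Aug 30 10:00:01 fw SRC=10.20.1.25 DST=192.0.2.25 DPT=25
Aug 30 10:00:02 fw SRC=10.20.7.14 DST=198.51.100.9 DPT=25
Aug 30 10:00:02 fw SRC=10.20.7.14 DST=198.51.100.77 DPT=25
Aug 30 10:00:03 fw SRC=10.20.7.14 DST=203.0.113.5 DPT=25
Aug 30 10:00:03 fw SRC=10.20.7.14 DST=203.0.113.6 DPT=587
Aug 30 10:00:04 fw SRC=10.20.3.8 DST=198.51.100.9 DPT=25
Aug 30 10:00:05 fw SRC=10.20.3.8 DST=203.0.113.80 DPT=443
Aug 30 10:00:06 fw SRC=10.20.1.25 DST=198.51.100.9 DPT=25
Aug 30 10:00:07 fw SRC=192.0.2.25 DST=198.51.100.9 DPT=25
"""

if __name__ == "__main__":
    for host, n in suspicious_senders(SAMPLE_FLOWS, threshold=1):
        print(f"{host}: {n} blocked SMTP attempts")
```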
Sure it can get worse; it may eventually be impossible for you to do anything at all, regardless of your willingness to jump through hoops, as long as you share subnet with those kiddies (or whatever issue people have with your IP address). If I were in your situation, I'd be grateful to be provided with any service at all, even in a manner inconvenient to me.
If you live in a rough neighbourhood, where kids throw stones at passing cars, chances are that the icecream salesman will never stop outside your house. Nobody is blaming you for the vandalism, but having you as a customer simply doesn't outweigh the costs and risks associated with visiting your street in the first place. If you want to do business at home, either teach your neighbours to play nice, or move to a better neighbourhood. You probably won't like buying icecream via mail order.
This analogy fails only when you consider the realities of moving; it's far easier to switch ISP than to switch residential quarters. So why cling on to a tainted IP address? The more people are willing to switch ISP because of poor network abuse ratings, the more eager providers will be to keep those kiddies at bay without relying on third parties to identify them (I stopped reporting abuse several years ago, because I couldn't find a single ISP willing to pay me for doing so).
(a) It wasn't "an attack"
(b) It wasn't the worst hurricane in history, or even the history of the U.S.
(c) This is a tech news site
Also, let me twist this around on you, Mr. Concerned. "What the hell is wrong with you? 1000 people died in a stampede in Iraq today, and you want to talk about a hurricane that killed a few hundred people? GET SOME PRIORITIES!"
Ironically, the word ironically is often used incorrectly.
They need to work on their rating system.
You must be new here.
On a funny note (as opposed to my serious comment), the "confirm you're not a script" image in this post was "disagree."
In general I think any blacklisting method is not useful because the possession of those IP addresses is either questionable for 0wn3rship reasons or for the fact that people change IP addresses all the time. Blacklisting seems to hurt legitimate mail servers more than it serves to punish illegitimate ones.
BTW since I started using SA and ClamAV I've never looked back.
http://www.bondedsender.com/
And send unlimited messages without fear of being blocked for only $10k a year! (Remember from past Slashdot stories that spammers make millions and can easily afford this).
They have a special pricing for "Bulk" senders. "Legitimate commercial senders can apply today."
http://www.bondedsender.com/fees.html
If people spoof other people's IP addresses, the people that those IP addresses belong to would get a bad reputation. The same thing goes for spoofing email addresses. And I'm not just talking about spam. DoS attacks generally come from spoofed IP addresses. And there is apparently no way to prove repudiation in these cases.
It is my understanding that many IPs are owned in blocks, and are distributed to MACs by protocols like DHCP in a random or dynamic sort of way. With this in mind, it seems that denying communications to IPs based on some sort of history is analogous to discriminating against any group of people, e.g. a country, based on the history of any individual within that group. Thoughts?
If companies have mail zombies on their networks spam is the least of their problems, they should be more worried about the possibility that someone on the outside has complete control over internal machines... (trade secrets, contracts, customer lists...)
Get your torrents...
This is just another example of how Ciphertrust is failing/flailing in the anti-spam market. They are using inferior technology on an unstable platform. Scary stuff. This is just a blatant attempt to copy Ironport's Senderbase.org, which isn't that great either. Who wants to trust a company that's been selling "spam cannons" for the last 3+ years? They only recently changed their business model to focus on inbound messaging; up until now their A series appliance was a spammer's dream. It sends out a million messages per hour, and has tons of features to hide what you're doing. Some examples are spreading different mail traffic to different IP addresses to disguise that it's all coming from one source. Why would any legitimate sender need that?
*sigh*...
It's the clueless ones.
So they gain the reputation they deserve, a poor one.
The "simple economic forces" that you wish for
Strawman tilting at windmills.
consumers typically do not make ideal decisions,
Which is why a reputation based system is so much better. It's simple enough for any moron^Wconsumer to understand.
and therefore cannot police themselves
The responsible netizens that do police themselves get a reputation they deserve, a good one.