Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reputation Lookup for IPs

Posted by ScuttleMonkey on from the you-can-never-have-too-many-statistics dept.

xzap writes "ZDNet is running an article about TrustedSource.org which is a new portal that provides reputation information for IP addresses. It can be used to configure your spam filters or when deciding whether to add an unknown host to your blacklist. Dmitri Alperovitch, a research engineer at CipherTrust said "Often companies don't realize that they have zombie machines on their network that have been sending e-mail. It may be more helpful for organizations to identify which systems on their networks are sending e-mail." Users can drill down to find more information on each domain. The portal is an initiative of CipherTrust who have previously been covered on Slashdot."

15 of 143 comments (clear)

  1. Not that impressed by timbrown · · Score: 5, Interesting

    It showed my IP blocks as having raised concern, despite the fact that they're not on any black lists and I can't why it has drawn that conclusion. Also, using the domain checker, it has no knowledge of non-TLDs meaning it will treat xxx.org.uk and yyy.org.uk as the same domain - org.uk.

    --
    Tim Brown
    1. Re:Not that impressed by TripMaster+Monkey · · Score: 4, Funny


      I haven't found an IP yet that tests at less than 'Raised Concern'. Seems that 'Raised Concern' is to TrustedSource as 'Elevated' is to the Department of Homeland Security...

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:Not that impressed by Zocalo · · Score: 4, Interesting

      It seems that the system needs some data to establish a baseline and before that happens the default rating is "raised concern". My personal mailserver is in this category, while my work server which has been seen is "Inoffensive" and a healthy shade of green. There are a few other glitches to be ironed out, but all in all this looks like it will be very useful anti-spam resource once a decent amount of data has been collated.

      --
      UNIX? They're not even circumcised! Savages!
  2. Nice idea by FirienFirien · · Score: 4, Interesting

    You can bet that the spammers will look for ways to improve their standing. Being able to use a compromised computer to rank a page with positive points/karma/rating etc seems like a significant problem. If it's a negative-only system then those same compromised computers can blacklist IPs that aren't compromised, effectively reducing the 'average' past their own, leading to their own standing out as relatively whiter.

    Hopefully CipherTrust will have a look at (for example) things Google has done with pagerank, and be able to address a problem that is significantly tied in with the problem it is trying to help with.

    --
    Browsing with +2 to insightful posts and a higher threshold makes the average post seen seem a lot more ingenious
  3. Hmm... by slavemowgli · · Score: 5, Informative

    Hmm. According to that database, my current IP has two traits: one, it has never been used to send spam etc. (as far as they know); and two, it is "suspicious".

    Makes you wonder. If nothing ever came from this IP, then shouldn't it be "unsuspicious" or something like that (or at least "unknown")?

    That being said, I wouldn't really trust a company, whose prime motivation is to make money, with things like this anyway. There's already DShield, which is a community effort, so what do we need this for?

    --
    quidquid latine dictum sit altum videtur.
  4. Block them at the routers by jabuzz · · Score: 3, Insightful

    Why on earth should lots of machines be able to send email from inside a corporation? Surely some smarthosts and block port 25 at the border routers is the way to go. Then a check of the logs can give you clues as to which machines are compromised.

  5. Re:Great Idea by Chaotic+Spyder · · Score: 3, Insightful

    wow I thought my spelling was bad...



    I don't get it....if a system admin is active enough to look at this page and cross reference with his/her network. Do you think it's likely that it's the same people who actually are also active enough to carefully monitor their traffic to notice a spam bot?

    of course this page would be more useful especially for everybody else... but at first glance at the summary I started to scratch my head and wonder why exactly somebody would make this.

    --
    Losers whine about their best, Winners go home to fuck the prom queen
  6. Dynamic ip address.. by mancontr · · Score: 3, Insightful

    Doesn't most of spam zombies use dynamic ip address? Then this is useless... Even worse, you can get an ip wich have been used by a zombie and this system will think you're too.

  7. A similar email validation site by bluepuddle · · Score: 5, Informative

    A similar site already exists: http://www.senderbase.org/

  8. Appalling idea, what about TOR? by buro9 · · Score: 3, Insightful

    A list of Tor server IP's:
    http://proxy.org/tor.shtml

    Some people are bound to abuse TOR by simply being dickheads over it, comment spamming, flaming, trolling, etc.

    But the benefits of a system that protects your right to free speech totally outweighs the negative.

    If those dickheads negatively tarnish the Tor servers such that they become less valuable due to being second class citizens on the internet... then it is a really really bad idea.

    Protect firstly that which you have, then see what you need to do to stop spammers, dickheads in general, etc.

  9. Re:WHAT by drrobin_ · · Score: 4, Insightful

    Yes, we DO want to talk about reputation lookup for IPs.

    The hurricane is horrible, for sure. It is very tragic that so many people are losing so much. I would pray for them. However, slashdot is NOT the place to discuss a hurricane.

    Slashdot is technology news, not general news. If you want to submit a story about the hurricane, and it gets posted, I would gladly "get some priorities" and discuss that instead. Until then, such a discussion is flagrantly off topic.

    Just because there's a disaster doesn't mean the rest of the world stands still. Life goes on, and hopefully gets better.

    News for Nerds is news for nerds, not news for the south.

    --
    to accept the praise of personal wisdom is an affront to the very ideal i hold dear.
  10. Reputation for 207.51.38.1 by Anonymous Coward · · Score: 3, Funny

    Excellent box fast responce would deal with again! A++++++++++

  11. Some of their data is bogus by dskoll · · Score: 3, Interesting

    For example, on the "IP" page, it said that 255.255.255.255 is sending spam, and that 224.1.2.3 "raised concern".

    Of course, those are not valid unicast IP addresses.

    On the other hand, 192.168.10.12 is "inoffensive". Phew! :-)

  12. Ironport? by Sandman1971 · · Score: 3, Informative

    Wow, this is almost an exact copy of Ironport's Senderbase Reputation Score!

    --
    It's better to burn out than to fade away
  13. Re:Please, no outgoing SMTP server! by abulafia · · Score: 4, Interesting
    Most machines I use use the sendmail command, which, AFAIK, connects directly to the MX for the receiving domains. I like this behavior, because (1) it doesn't put unnecessary load on any outgoing SMTP server, (2) doesn't have a single point of failure, and (3) doesn't allow the administrator of the outgoing server to inspect/filter/modify/reject the mail I send.

    (0) Depends on how your boxes are configured. Once you have a smarthost, configing sendmail/postfix/whatever to use it is trivial.

    (1) The incremental load of an email message is trivial. If you're smarhost is overloaded... beef it up - this is like any other capacity issue.

    (2) Mail is robust. (spam is causing people to break some of the things that make is robust, but it is still pretty good.) Having a failover/backup MX host/backup smarthost is easy enough that organizations who do enough volume for it to matter should have a plan for that. Hell, my company does less than 1000 outgoing messages a day, and we do.

    (3) Possibly legitimate, probably futile. If someone wants to read your mail and you're on their network, use PGP, or you're doomed. Transparent proxies are only the easiest way to grab it. Personally, I'm a big fan of companies/orgs running their own SMTP servers, and using them. Every-box-sends, especially today, is a real issue, and the win of not configuring sendmail to use a smarthost is balanced by the fact that if you want to get through spam filters, you need to configure DNS for every machine, and monitor them to make sure they're not doing something bad. Choose your poison.

    I don't like taking this to the extreme that some seem to favor, requiring everyone to use the ISP's smarthost. That does become a real chokepoint where potential monitoring takes on a different tone, where I can't control the TLS, incoming authentication or spam filtering, and where someone else's actions can stop my mail delivery. But for companies, one (or sometimes more) outbound SMTP server(s) per site makes a lot of sense.

    Again, a personal anecdote - If we didn't do it this way, it probably would have taken me much longer to realize the Windows installation I built under VMware a while back had been zombified before I could patch it. As it happened, while it was patching, I checked my mail and my firewall was screaming about it trying to send mail (and connect to IRC, but that's not the question at hand.)

    I realize not everyone has the skill or takes the time to run a tight network, but mail isn't hard for the vast majority of sites to get right - there's almost nothing to it these days.

    --
    I forget what 8 was for.