
discuss - Re: [opennic-discuss] [SHAME] Spam Rats

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] [SHAME] Spam Rats
  • Date: Thu, 10 Jan 2013 16:06:16 -0700

For what it's worth, my servers already generate a bunch of files daily based on the quantity of queries made to the servers each day. Of course a business IP could generate 1000x the traffic of a home IP, so that data is probably not a reliable source for blacklisting on.

This data can be found in the various folders at http://opennic.oss/filters/.  The number specifies the minimum number of queries (daily) before an IP gets put on each list, and there are lists for averages based on certain numbers of days.

On the other hand, I still receive a HUGE amount of DNS query traffic directed at my old T2 IP address, which was taken out of service three or four years ago, and has not answered any queries since then. These IPs I can only assume must be bots using extremely old data. So I generate a bind9 ACL file on a daily basis and post this file in the same folder (http://opennic.oss/filters/acl.blacklist). The comments in the file give the number of queries received by that IP yesterday. I do trust the data in this file for legitimate blacklisting, but of course if I were to blacklist them myself, then I couldn't generate the daily files.

Any of the lists containing the hit count will be sorted by number of hits.  All other lists are sorted by IP address.  These lists are IPv4-only.  Let me know if they are of any use to anyone.


On 01/10/2013 12:00 PM, Jamyn Shanley wrote:
I actually think there would be some benefit to running an ossec client on the T2 nodes that reports abusive behavior to a controller, so we could block abusive traffic preemptively on the other nodes. That way if they abuse node 1, node 2 already has a dynamic filter in place when they switch nodes after they're ratelimited.

It would not be too hard to parse spammer IPs from the reliable RBLs and share them across the network, but I don't know if there's any interest/demand.


On Thu, Jan 10, 2013 at 11:46 AM, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
I've been using sbl-xbl.spamhaus.org and zombie.dnsbl.sorbs.net for the last couple years with good success, although checking my logs just now it appears the sorbs list has not actually had any hits recently...

I've been wondering if there's a way to correlate the abusive traffic we see on the T2 servers with spammers, but I've never taken the time to really do any digging.



On 01/10/2013 08:23 AM, Jamyn Shanley wrote:
Yep, this sounds like the same business model the old SORBS list had.
http://en.wikipedia.org/wiki/Spam_and_Open_Relay_Blocking_System

They would block entire ranges they considered dynamic (they'd get that wrong half the time), and then only de-list you if you gave them a non-negotiable minimum "donation". SORBS was eventually bought out, and they may be legitimate now - but back then they were the most illogical and childish list administrators out there. 

I'll agree, Spamhaus is pretty good. They have automated delisting processes and their listing criteria are clear and consistent. I've been really happy with their Zen list.





On Thu, Jan 10, 2013 at 4:17 AM, Simon <simon AT hacknix.net> wrote:
On 01/10/13 03:16, Julian DeMarchi wrote:

> This is the first RBL I have seen list a /24 for lack of PTRs. Not for
> sending spam, but just PTRs alone. How do you explain this to your
> customer?

This sounds like they're just after some fast cash by blacklisting loads
of ranges and then charging for them to be de-listed. The only RBL I
have ever felt happy using is Spamhaus.

Simon
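
Added example, not part of any message in this thread and not the script used to build the published lists: one way to turn a day's query log into a bind9 ACL of IPv4 clients that queried a retired address, sorted by hit count with the count as a comment, as described for acl.blacklist above. The log line layout, the `RETIRED_IP` placeholder, the ACL name and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

RETIRED_IP = "192.0.2.53"  # placeholder for the out-of-service address

# Assumed BIND 9 query-log layout; the trailing "(addr)" is the local
# address the query arrived on.
LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+[^:]*: query: .*"
    r"\((?P<dst>[0-9A-Fa-f.:]+)\)\s*$")

def _lines(src, dst, n):
    """Build n constructed log lines for one client/destination pair."""
    return [f"10-Jan-2013 03:12:{i:02d}.000 client {src}#4{i:04d}: "
            f"query: example.org IN A + ({dst})" for i in range(n)]

# Constructed sample input (documentation address ranges only).
SAMPLE_LOG = "\n".join(
    _lines("198.51.100.7", RETIRED_IP, 3)
    + _lines("203.0.113.9", RETIRED_IP, 2)
    + _lines("198.51.100.200", RETIRED_IP, 1)
    + _lines("203.0.113.50", "192.0.2.1", 5)   # live address: ignored
    + _lines("2001:db8::1", RETIRED_IP, 2))    # IPv6: lists are IPv4-only

def count_hits(log_text, retired_ip):
    """Count queries per IPv4 client that targeted the retired address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dst") != retired_ip:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed client field
        if src.version == 4:
            hits[str(src)] += 1
    return hits

def render_acl(hits, min_queries, name="blacklist"):
    """Render a bind9 ACL, highest hit count first, count as a comment."""
    rows = sorted(((ip, n) for ip, n in hits.items() if n >= min_queries),
                  key=lambda r: (-r[1], ipaddress.ip_address(r[0])))
    body = "".join(f"    {ip};  // {n} queries\n" for ip, n in rows)
    if not body:
        body = "    none;\n"  # built-in ACL that matches no address
    return f'acl "{name}" {{\n{body}}};\n'
```

A file rendered this way can be pulled into named.conf with `include` and the ACL referenced from an address match list such as `blackhole`.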



