Discuss mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

    Hmm... Actually that would be pretty simple to implement, just run
    quick tests a few times a day to see if a server returns the true IP
    of one item from each blocklist and populate the servers page with
    that info.  We would need some well-defined categories to work
    within, but that shouldn't be difficult.
    
    One other thing I thought of, which was actually the original intent
    of the blacklist... People can clearly see abuse on their own
    servers and many people have written scripts over the years to try
    and block that abuse.  One thing we noticed was that it was common
    for the same bot to be hitting multiple opennic servers with the
    same queries.  Of course we can't block someone's IP from a spoofed
    packet, but we CAN block specific queries that are common... And
    wouldn't it be great if server administrators could share that data
    between themselves?  For example, right now in my logs, despite not
    answering these queries because my server uses whitelisting, I am
    getting a constant stream of requests (multiple lookups from unique
    IPs every second) for tehnomix.bit, botex.bit, and kaspersky.bit. 
    Considering what we've been hearing about the .bit domains, I would
    quickly assume that each of these domains are being used by bots for
    illicit content because if I compare this to typical user queries I
    can see an obvious difference.  Also the fact that not a single one
    of these lookups are actually coming from a known user IP in the
    whitelist table.  It's easy enough to write a script looking for
    lookups of a single domain by a large number of IPs over a short
    period of time, and that sort of information could automatically
    popular our own blacklist category.  In fact I could even keep track
    of how many different opennic admins report the same domain name,
    and someone could set up their own filtering to only block a domain
    after a certain number of people have reported it.
    
    Taking that one step further, I can also assign multiple categories
    to a given domain.  For example, we could see if a domain was
    reported by both opennic members AND spamhaus.  This would give us a
    nice set of cross-reference data and add to the possibilities for
    custom filters to suit each individual.
    
    OK, gotta do a few code updates now...

On 08/05/2017 02:40 AM, Amunak wrote:

I think you are spot on, Jeff. And good work on the tools.

I think that for transparency it should be enough to provide a page listing (or at least publicly allowing look up) of blocked domains. And/or perhaps even a page that would allow you to compare unfiltered and filtered results.

We could even add a special, "known in advance" blocked domains (like <category>.example.free and such), automatically test all servers for what they return for those domains and display the status of what server blocks which category of domains without the need of anyone managing this information manually. The results of this test should be displayed on the server list page.

Amunak

Dne 04.08.2017 v 23:33 Jeff Taylor napsal(a):

> Another
>         update on the filter code, I'm essentially done.  It works the
>         same as other API pages in that you need to specify your
>         username and authentication code in the URL.  I'm building up
>         some test entries now, feel free to submit bogus data since this
>         is currently not being used by anyone. 
>         
>         To submit an entry:
>         https://api.opennicproject.org/ip/blacklist/?user=<user>&auth=<auth>&cat=<category>&<domain>
>         Here <domain> must be a valid domain with an IP address. 
>         Note that <category> will be a simple code.  At the moment
>         I have SBL and ADULT entries.  Return values will confirm the
>         domain names accepted with + (added) or # (updated) in front of
>         them. 
>         
>         To delete an entry, add a hyphen (-) before the domain name.  So
>         something like -grep.geek would work.  Return value will be the
>         domain name with a hyphen in front of it. 
>         
>         To retrieve named.conf file entries, go to
>         https://api.opennicproject.org/acl/filter/?user=<user>&auth=<auth>&cat=<category>+<category>&path=<path/to/db.file>&ext=<0|1|false|true>
>         Categories should match known values.  You can include multiple
>         categories by separating them with a plus (+) mark. 
>         <path> is where you put the zone file that returns
>         127.0.0.1 (I called it db.blacklisted in my earlier email). 
>         <ext> determines if an extension is included on the file
>         names.  The extension would match the category, and the default
>         is to include these. 
>         
>         As an example, if I used this criteria:
>         &cat=sbl+adult&path=rbl 
>         I would get these results: 
>         
>         zone "grep.geek" {type master; file
>         "rbl/db.opennic_filter.adult";}; 
>         zone "letit2.bit" {type master; file
>         "rbl/db.opennic_filter.sbl";}; 
>         zone "tehnomix.bit" {type master; file
>         "rbl/db.opennic_filter.sbl";}; 
>         
>         Note that in this case the path is relative to my BIND9 zone
>         files, and you can see the category type echoed in the file
>         extension. This would allow you to have different results for
>         the different categories. 
>         
>         So the tool is essentially working now.  Whether or not it gets
>         used remains to be seen but at least the capability is there. 
>         
>         
>         
> --------
> You are a member of the OpenNIC Discuss list. 
> You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
>       
      
      
      
      

--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org