discuss - Re: [opennic-discuss] letit2 [.] bit blacklist

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

Re: [opennic-discuss] letit2 [.] bit blacklist


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] letit2 [.] bit blacklist
  • Date: Sat, 5 Aug 2017 20:36:33 -0600
  • Authentication-results: mx2.computerrehab.us; dmarc=none header.from=sourpuss.net
  • Dmarc-filter: OpenDMARC Filter v1.3.0 mx2.computerrehab.us E46F62D707

Hmm... Actually that would be pretty simple to implement, just run quick tests a few times a day to see if a server returns the true IP of one item from each blocklist and populate the servers page with that info.  We would need some well-defined categories to work within, but that shouldn't be difficult.

One other thing I thought of, which was actually the original intent of the blacklist... People can clearly see abuse on their own servers and many people have written scripts over the years to try and block that abuse.  One thing we noticed was that it was common for the same bot to be hitting multiple opennic servers with the same queries.  Of course we can't block someone's IP from a spoofed packet, but we CAN block specific queries that are common... And wouldn't it be great if server administrators could share that data between themselves?  For example, right now in my logs, despite not answering these queries because my server uses whitelisting, I am getting a constant stream of requests (multiple lookups from unique IPs every second) for tehnomix.bit, botex.bit, and kaspersky.bit.  Considering what we've been hearing about the .bit domains, I would quickly assume that each of these domains is being used by bots for illicit content because if I compare this to typical user queries I can see an obvious difference.  Also the fact that not a single one of these lookups is actually coming from a known user IP in the whitelist table.  It's easy enough to write a script looking for lookups of a single domain by a large number of IPs over a short period of time, and that sort of information could automatically populate our own blacklist category.  In fact I could even keep track of how many different opennic admins report the same domain name, and someone could set up their own filtering to only block a domain after a certain number of people have reported it.

Taking that one step further, I can also assign multiple categories to a given domain.  For example, we could see if a domain was reported by both opennic members AND spamhaus.  This would give us a nice set of cross-reference data and add to the possibilities for custom filters to suit each individual.

OK, gotta do a few code updates now...

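A detection script of the kind the message above describes, added here as an example; it is not part of the original post and not one of OpenNIC's tools. It assumes BIND9 query-log lines in the layout shown in the constructed sample, a 60-second sliding window and a threshold of five distinct non-whitelisted source IPs; the log lines, addresses, whitelist and the per-admin report merge are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of a BIND9 query-log line (assumed for this example); the optional
# "@0x..." client handle is tolerated because newer BIND versions print it.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (timestamp, source_ip, qname) for each line that is a query."""
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue  # zone loads, notices and other categories are ignored
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group("ip"), m.group("qname").lower().rstrip(".")


def flag_widely_queried(lines, window=timedelta(seconds=60), min_ips=5,
                        whitelist=frozenset()):
    """Return {qname: peak number of distinct source IPs within `window`}
    for every name whose peak reaches `min_ips`. Known-user (whitelisted)
    IPs are dropped first, so a burst from many unknown sources stands out."""
    by_name = defaultdict(list)
    for ts, ip, qname in parse_query_log(lines):
        if ip in whitelist:
            continue
        by_name[qname].append((ts, ip))

    flagged = {}
    for qname, events in by_name.items():
        events.sort()               # the sliding window needs time order
        active = deque()            # (ts, ip) pairs currently inside the window
        per_ip = defaultdict(int)   # ip -> number of its queries in the window
        peak = 0
        for ts, ip in events:
            active.append((ts, ip))
            per_ip[ip] += 1
            while ts - active[0][0] > window:   # expire old events
                _, old_ip = active.popleft()
                per_ip[old_ip] -= 1
                if per_ip[old_ip] == 0:
                    del per_ip[old_ip]
            peak = max(peak, len(per_ip))
        if peak >= min_ips:
            flagged[qname] = peak
    return flagged


def consensus_blocklist(reports, min_reporters=2):
    """Merge per-admin reports ({admin: domains}) and keep only the domains
    that at least `min_reporters` different admins reported."""
    counts = defaultdict(int)
    for domains in reports.values():
        for d in {d.lower().rstrip(".") for d in domains}:
            counts[d] += 1
    return {d: n for d, n in counts.items() if n >= min_reporters}


# Constructed sample: one name hit by six sources within five seconds (one of
# them a whitelisted user), one queried slowly over minutes, one queried by
# only two sources. Addresses are from documentation ranges.
WHITELIST = frozenset({"198.51.100.7"})
SAMPLE_LOG = [
    "05-Aug-2017 20:30:00.000 client 203.0.113.1#44001 (botex.bit): query: botex.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:31:30.000 client 203.0.113.2#44002 (botex.bit): query: botex.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:33:00.000 client 203.0.113.3#44003 (botex.bit): query: botex.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:34:30.000 client 203.0.113.4#44004 (botex.bit): query: botex.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:36:01.000 client 192.0.2.1#51234 (tehnomix.bit): query: tehnomix.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:36:02.000 client 192.0.2.2#51235 (tehnomix.bit): query: tehnomix.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:36:02.500 client @0x7f3a1c004e60 192.0.2.3#40001 (tehnomix.bit): query: tehnomix.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:36:03.000 client 192.0.2.4#51236 (tehnomix.bit): query: tehnomix.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:36:04.000 client 198.51.100.7#51237 (tehnomix.bit): query: tehnomix.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:36:05.000 client 192.0.2.5#51238 (tehnomix.bit): query: tehnomix.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:36:06.000 client 192.0.2.1#51239 (tehnomix.bit): query: tehnomix.bit IN A + (10.0.0.1)",
    "05-Aug-2017 20:36:07.000 general: info: zone grep.geek/IN: loaded serial 1",
    "05-Aug-2017 20:36:10.000 client 192.0.2.9#51240 (grep.geek): query: grep.geek IN A + (10.0.0.1)",
    "05-Aug-2017 20:36:11.000 client 192.0.2.10#51241 (grep.geek): query: grep.geek IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    print(flag_widely_queried(SAMPLE_LOG, whitelist=WHITELIST))
    print(consensus_blocklist({"admin1": ["tehnomix.bit", "botex.bit"],
                               "admin2": ["Tehnomix.bit"],
                               "admin3": ["botex.bit", "other.bit"]}))
```

On the sample, only tehnomix.bit is flagged (five distinct unknown sources inside the window); botex.bit has four sources in total but never more than one inside any 60-second window, which is what separates a bot fleet from ordinary slow traffic. The window and threshold are the knobs an operator would tune against their own baseline.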

On 08/05/2017 02:40 AM, Amunak wrote:

I think you are spot on, Jeff. And good work on the tools.

I think that for transparency it should be enough to provide a page listing (or at least publicly allowing look up) of blocked domains. And/or perhaps even a page that would allow you to compare unfiltered and filtered results.

We could even add special, "known in advance" blocked domains (like <category>.example.free and such), automatically test all servers for what they return for those domains and display the status of what server blocks which category of domains without the need of anyone managing this information manually. The results of this test should be displayed on the server list page.

Amunak


Dne 04.08.2017 v 23:33 Jeff Taylor napsal(a):
Another update on the filter code, I'm essentially done.  It works the same as other API pages in that you need to specify your username and authentication code in the URL.  I'm building up some test entries now, feel free to submit bogus data since this is currently not being used by anyone.

To submit an entry: https://api.opennicproject.org/ip/blacklist/?user=<user>&auth=<auth>&cat=<category>&<domain>
Here <domain> must be a valid domain with an IP address.  Note that <category> will be a simple code.  At the moment I have SBL and ADULT entries.  Return values will confirm the domain names accepted with + (added) or # (updated) in front of them.

To delete an entry, add a hyphen (-) before the domain name.  So something like -grep.geek would work.  Return value will be the domain name with a hyphen in front of it.

To retrieve named.conf file entries, go to https://api.opennicproject.org/acl/filter/?user=<user>&auth=<auth>&cat=<category>+<category>&path=<path/to/db.file>&ext=<0|1|false|true>
Categories should match known values.  You can include multiple categories by separating them with a plus (+) mark.  <path> is where you put the zone file that returns 127.0.0.1 (I called it db.blacklisted in my earlier email).  <ext> determines if an extension is included on the file names.  The extension would match the category, and the default is to include these.

As an example, if I used this criteria: &cat=sbl+adult&path=rbl
I would get these results:

zone "grep.geek" {type master; file "rbl/db.opennic_filter.adult";};
zone "letit2.bit" {type master; file "rbl/db.opennic_filter.sbl";};
zone "tehnomix.bit" {type master; file "rbl/db.opennic_filter.sbl";};

Note that in this case the path is relative to my BIND9 zone files, and you can see the category type echoed in the file extension. This would allow you to have different results for the different categories.

So the tool is essentially working now.  Whether or not it gets used remains to be seen but at least the capability is there.


--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
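A worked version of the submit and retrieve logic the quoted message describes, added here as an example; it is not the api.opennicproject.org code. It keeps entries in a plain dict instead of the API's storage, uses the status markers from the message (+ added, # updated, - deleted) plus a constructed ! marker for rejected names, and validates submitted names against a conservative hostname syntax so that nothing a submitter sends can carry quotes, semicolons or braces into the generated named.conf zone statements. The sample entries and the "malware" category are constructed; only sbl and adult appear in the message.

```python
import re

# Category codes: SBL and ADULT come from the message; "malware" is a
# constructed extra used only to show that unrequested categories are skipped.
ENTRIES = {
    "grep.geek": "adult",
    "letit2.bit": "sbl",
    "tehnomix.bit": "sbl",
    "test.geek": "malware",
}

# Conservative hostname syntax: letters, digits and hyphens per label, at
# least two labels. Anything else is rejected before it can reach named.conf.
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$"
)


def normalize(name):
    """Lower-case, trim, and drop a trailing dot so lookups are consistent."""
    return name.strip().lower().rstrip(".")


def apply_submission(entries, category, names):
    """Apply one submit call to `entries` (a dict domain -> category).
    Returns one status string per name in the message's convention:
    '+name' added, '#name' updated, '-name' deleted; '!name' is a constructed
    marker for names that fail validation."""
    results = []
    cat = category.strip().lower()
    for raw in names:
        if raw.startswith("-"):                 # deletion request
            name = normalize(raw[1:])
            entries.pop(name, None)
            results.append("-" + name)
            continue
        name = normalize(raw)
        if not DOMAIN_RE.match(name):
            results.append("!" + name)          # never store an unsafe name
            continue
        results.append(("#" if name in entries else "+") + name)
        entries[name] = cat
    return results


def filter_zones(entries, cat_param, path, ext=True):
    """Render named.conf zone lines for the categories in cat_param
    (e.g. "sbl+adult"), each pointing at the shared blackhole zone file
    under `path`; with ext=True the category is appended as the extension."""
    wanted = {c.strip().lower() for c in cat_param.split("+") if c.strip()}
    lines = []
    for domain in sorted(entries):
        cat = entries[domain]
        if cat not in wanted:
            continue
        fname = f"{path.rstrip('/')}/db.opennic_filter"
        if ext:
            fname += "." + cat
        lines.append(f'zone "{domain}" {{type master; file "{fname}";}};')
    return lines


if __name__ == "__main__":
    store = dict(ENTRIES)
    print(apply_submission(store, "SBL", ["grep.geek", "new.bit", "-tehnomix.bit", 'evil";.bit']))
    print("\n".join(filter_zones(ENTRIES, "sbl+adult", "rbl")))
```

With the three entries from the message and `cat=sbl+adult&path=rbl`, `filter_zones` reproduces the three zone lines shown above exactly; the per-category file extension is what lets an operator point each category at a different zone file if the categories should resolve differently.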
