
Re: [Asrg] 7. Best Practices - DNSBLs - Article



On Tue, Aug 12, 2003 at 12:32:08AM +0200, Brad Knowles wrote:
> 	How do you determine if you get a "spam" from a particular IP 
> address?  Is this done in any automated way, or just any time a user 
> complains?

It's mainly done on spam email we receive ourselves. It's done
semiautomatically from logfiles, catching addresses like
    hostmasteraaun@space.net
    hostmasterakwh@space.net
    hostmasteranki@space.net
    hostmasterbfmn@space.net
    [ ... ]

> >  Strategy: Do port scans for hosts listening on port 25. Make a list of
> >     all those IP Addresses.
> >     Now use a tool that abuses 0wned hosts and do distributed submissions
> >     of these IP's to the various DNSBLs for testing.
> 
> 	You mean like <http://www.ordb.org/faq/#test_no_list> or 
> <http://dsbl.org/programs>?

Not exactly. I think most DNSBLs check submissions and if there are
some 100 submissions for the same subnet from the same IP they might
block it. So use a proxy on 0wned hosts and distribute the submissions
over a wider range of hosts.

> 	Here's another idea.  Take the list of the sort you mention 
> above, then front that with a DNS-based load-balancing program.  When 
> a spammer looks up the address to spam through, they get re-directed 
> to one of millions of vulnerable machines, then drop that connection 
> after sending a small number of messages, and start the process all 
> over again.

I have the impression if they start to abuse a host they stick to it
as long as possible, because after they start to abuse the host chances are
high that the server might get fixed and they have to go for a new one.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
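
The semiautomatic logfile step described in the reply above, sketched as an added example that is not part of the original post and is not SpaceNet's tooling. It assumes Postfix-style log lines, a trap pattern inferred from the four sample addresses, and a hypothetical `min_traps` threshold; the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumption: trap addresses follow the shape of the four samples in the post
# ("hostmaster" + four lowercase letters); the real naming scheme is not given.
TRAP_RE = re.compile(r"^hostmaster[a-z]{4}@space\.net$", re.IGNORECASE)

# Assumption: Postfix-style lines keyed by queue ID; the post names no MTA.
CLIENT_RE = re.compile(r"\b([0-9A-F]{6,}): client=\S*\[([0-9a-fA-F.:]+)\]")
RCPT_RE = re.compile(r"\b([0-9A-F]{6,}): to=<([^>]+)>")

def trap_hits(lines):
    """Map each client IP to the set of trap addresses it sent mail to."""
    client_by_qid = {}
    hits = defaultdict(set)
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            client_by_qid[m.group(1)] = m.group(2)
            continue
        m = RCPT_RE.search(line)
        if m and TRAP_RE.match(m.group(2)):
            ip = client_by_qid.get(m.group(1))
            if ip is not None:  # skip recipients with no known client line
                hits[ip].add(m.group(2).lower())
    return dict(hits)

def candidates(lines, min_traps=2):
    """IPs that hit at least min_traps distinct traps, for a human to review."""
    found = trap_hits(lines)
    return sorted(ip for ip, addrs in found.items() if len(addrs) >= min_traps)

# Constructed sample log (documentation IP ranges, made-up queue IDs).
SAMPLE_LOG = [
    "Aug 12 00:40:01 mx postfix/smtpd[101]: 4A1B2C3D4E: client=unknown[192.0.2.10]",
    "Aug 12 00:40:02 mx postfix/local[102]: 4A1B2C3D4E: to=<hostmasteraaun@space.net>, relay=local, status=sent",
    "Aug 12 00:41:10 mx postfix/smtpd[101]: 5B2C3D4E5F: client=unknown[192.0.2.10]",
    "Aug 12 00:41:11 mx postfix/local[102]: 5B2C3D4E5F: to=<hostmasterakwh@space.net>, relay=local, status=sent",
    "Aug 12 00:42:30 mx postfix/smtpd[103]: 6C3D4E5F60: client=mail.example.org[198.51.100.7]",
    "Aug 12 00:42:31 mx postfix/local[102]: 6C3D4E5F60: to=<hostmaster@space.net>, relay=local, status=sent",
    "Aug 12 00:43:50 mx postfix/smtpd[104]: 7D4E5F6071: client=unknown[203.0.113.5]",
    "Aug 12 00:43:51 mx postfix/local[102]: 7D4E5F6071: to=<hostmasteranki@space.net>, relay=local, status=sent",
]

if __name__ == "__main__":
    for ip in candidates(SAMPLE_LOG):
        print(ip, sorted(trap_hits(SAMPLE_LOG)[ip]))
```

Mail to the plain `hostmaster@space.net` address is not counted, and the output is a review list rather than an automatic listing.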