On 16-08-30 12:43 PM, Michael Wise via mailop wrote:
We could use one to call out the location of colo servers that should never be 
connecting on port 443, for instance.

Um, I can think of a reason why that might not be perfect.. For instance cloud services which monitor your email box for you..

But we get what you mean, having just helped a client that was undergoing a 'dictionary attack' from one.. (Was actually trying POP/IMAP/POPSSL/IMAPSSL) Shoutout to VolumeDrive. <sic>

And of course, most people already have a 'local' way of blacklisting them, methods similar to fail2ban etc..

However, it is funny you mention this.. launching a new DNSBL data collection method just for these types of 'hack' sources..

But not sure if DNSBL is the way to use this data.. And the moment we do, of course they just move back to BOTs on DYNA.. and of course you can't block access to 443 from the dynamic IP Address space, because that is where the legitimate users of 443 are..

Which is why we are pushing for changes to the protocols themselves..
Pushing for demanding better public listing of the operators of colo servers (rwhois/SWIP) ..

But, sometimes.. (and back to Michelle and the early days of SORBS) sometimes, aggressive DNSBL listings do force REAL change among operators, to actually do something about their business models of allowing that type of activity on their networks..

But given the recent spikes in activity of 'cloud' providers ..

(eg, you might like to block anything from www-data@ that comes from cloudapp.net, especially if it was generated from a PHP Script)

Return-Path: <www-d...@mail.live.com>
Received: from weifuh-ff12.cloudapp.net (HELO mail.live.com) (40.74.120.249)
Received: by mail.live.com (Postfix, from userid 33)
Subject: Nota Fiscal Eletrônica Nacional de serie/número [2/709460] - [ 935453087 ]
X-PHP-Originating-Script: 0:d3jcfdmypm7hett.php

.. you can expect that another round of controversy surrounding reputation providers is coming nigh.. there is more and more talk around making the providers responsible for activity on their networks.. in that vein, DNSBL's are the least of their worries.

The Digital Oceans and Amazons might have started this new opportunity for spammers and hackers (eg anonymous clouds) but now everyone is building one.. $1 VPSs.. anonymous clouds..

Not surprising everyone is building a DNSBL ;)

PS, while we might thank Microsoft for making the information on AZURE space available, maybe Microsoft could do a couple of things..

* Make the information available in a DNSBL format
* SWIP the space as being used for AZURE

NetRange:       40.74.0.0 - 40.125.127.255
CIDR: 40.125.0.0/17, 40.74.0.0/15, 40.76.0.0/14, 40.124.0.0/16, 40.120.0.0/14, 40.112.0.0/13, 40.80.0.0/12, 40.96.0.0/12

Even better..
* Block traffic to Port 25 et al on Egress from the space (they can use Port 587 Submissions and relays)

Oh, yeah.. but you mentioned they were attacking Port 443 ;)
Umm... we could do that from a script on Azure I assume as well.


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
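Added example, not code from the thread, mailop or LinuxMagic: a small Python filter that applies the checks Michael sketches above (a Received hop from a *.cloudapp.net host, a sending IP inside the Azure CIDRs he lists, Postfix "from userid 33" meaning www-data, a www-data@ Return-Path, and an X-PHP-Originating-Script header). The cloud suffix list, the placeholder Return-Path domain and the script name are assumptions.

```python
"""Flag mail matching the pattern discussed in the thread: a PHP script running
as the web-server user on a cloud host inside a published cloud IP range."""
import ipaddress
import re
from email import message_from_string

# Azure CIDR list exactly as quoted in the thread.
AZURE_CIDRS = [ipaddress.ip_network(c) for c in (
    "40.125.0.0/17", "40.74.0.0/15", "40.76.0.0/14", "40.124.0.0/16",
    "40.120.0.0/14", "40.112.0.0/13", "40.80.0.0/12", "40.96.0.0/12")]
# Hostname suffixes of cloud providers named in the thread (assumed list).
CLOUD_SUFFIXES = (".cloudapp.net",)
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
FROM_HOST_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

def in_listed_range(ip_text, networks=AZURE_CIDRS):
    """True if ip_text parses as an address inside any listed CIDR."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # octet out of range etc.; not a usable address
        return False
    return any(ip in n for n in networks)

def classify(raw):
    """Return sorted reasons the message matches the pattern, [] if none."""
    msg = message_from_string(raw)
    reasons = set()
    for hop in msg.get_all("Received", []):
        m = FROM_HOST_RE.match(hop)
        if m and m.group(1).lower().endswith(CLOUD_SUFFIXES):
            reasons.add("received-from-cloud-host")
        if any(in_listed_range(ip) for ip in IP_RE.findall(hop)):
            reasons.add("ip-in-azure-range")
        # Postfix "from userid 33": uid 33 is www-data on Debian/Ubuntu.
        if re.search(r"from userid 33\b", hop):
            reasons.add("submitted-by-www-data")
    if msg.get("Return-Path", "").lstrip("<").startswith("www-data@"):
        reasons.add("www-data-return-path")
    if msg.get("X-PHP-Originating-Script"):
        reasons.add("php-originating-script")
    return sorted(reasons)

# Constructed sample: the two Received lines are the ones quoted in the
# thread; the Return-Path domain and the script name are placeholders.
SAMPLE = """Return-Path: <www-data@example.invalid>
Received: from weifuh-ff12.cloudapp.net (HELO mail.live.com) (40.74.120.249)
Received: by mail.live.com (Postfix, from userid 33)
X-PHP-Originating-Script: 0:constructed.php

body
"""
```

Feeding a message that has only one of these signals (say, a legitimate monitoring service on Azure) yields a single reason, so the list is meant to feed a score or a log line rather than an outright reject.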
