It was mentioned that several people are getting hammered by world-wide
robot attacks. I see from the little spam I get that there is a new spam
sending tool for robots that is running a stock spam. I suspect the traffic
is a combination of distributing the new spam tool and sending out the new
spam.
With all this traffic from robots, lots of people here must be getting quite
a lot of information in their logs about connections from robots. I wonder
if there would be value in a central database that attempts to enumerate
the robots?
Most of them are probably on dynamic IP. But if the sending IP and
attempted connect time could be logged at many sites and combined, there
would be fairly conclusive evidence that a given IP had been sending spam at
a particular time. Perhaps that could be submitted to at least some of the
more responsible service providers, and they could do something to track it
back to a customer and send them an email that their machine is infected.
(Or possibly be even more proactive, I suppose.)
The database might also be usable in front door spam blocking. Most people
probably shouldn't be accepting direct connections from dynamic IPs on
someone else's network, especially if that IP has a recent history of
sending spam (say in the last 6 hours or so). It might be possible to make
a server that could provide yes/no answers on whether the IP has sent spam
in the last minute/hour/6 hours/day or so.
I'd think that such a database could be built almost automatically. For
instance, if you log the IPs of connection attempts that you reject for
various problems, you could just harvest those IPs once an hour or so to
some central site, no human judgement calls required. If the mail is
accepted and gets a high SA score, and you can still determine the sending
IP, then that might be automatically harvested also.
Thoughts? Does something like this have any value?
Loren
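The harvest-and-lookup scheme sketched in the post, as an added example that is not part of the original message: each site's rejected-connection log is parsed, sightings are pooled per IP at a central store, and a front door asks whether that IP was seen in the last minute/hour/6 hours/day. The Postfix-style reject lines, the site names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed (RFC 5737 documentation ranges); the log format is assumed, and requiring corroboration from more than one site (`min_sites`) plus expiring stale sightings (`prune`) are my additions to handle the dynamic-IP concern raised above.

```python
"""Added example: multi-site 'has this IP been seen spamming recently?' store."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Time windows the post suggests answering yes/no for.
WINDOWS = {"minute": timedelta(minutes=1), "hour": timedelta(hours=1),
           "6h": timedelta(hours=6), "day": timedelta(days=1)}

# Postfix-style smtpd reject line with an RFC 3339 timestamp (assumed
# format for this example; real syslog output varies by configuration).
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z))\s+"
    r"\S+\s+postfix/smtpd\[\d+\]:\s+NOQUEUE:\s+reject:\s+"
    r"RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_reject_line(line):
    """Return (utc_timestamp, client_ip) for a reject line, else None
    (accepted mail, connects and disconnects are not sightings)."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc), m.group("ip")


class SightingStore:
    """Central store: ip -> [(timestamp, reporting_site), ...]."""

    def __init__(self):
        self._sightings = defaultdict(list)

    def ingest(self, site, lines):
        """Harvest one site's rejected connections; returns sightings added."""
        added = 0
        for line in lines:
            parsed = parse_reject_line(line)
            if parsed:
                ts, ip = parsed
                self._sightings[ip].append((ts, site))
                added += 1
        return added

    def sites_reporting(self, ip, window, now):
        """Distinct sites that rejected `ip` within `window` before `now`."""
        cutoff = now - window
        return {site for ts, site in self._sightings.get(ip, ()) if ts >= cutoff}

    def seen_within(self, ip, window_name, now, min_sites=1):
        """Front-door yes/no. min_sites > 1 demands corroboration so one
        site's misconfigured filter cannot list an address on its own."""
        return len(self.sites_reporting(ip, WINDOWS[window_name], now)) >= min_sites

    def prune(self, now, keep=WINDOWS["day"]):
        """Expire sightings older than the longest window: dynamic IPs change
        hands, so stale evidence must not follow the address. Returns count dropped."""
        cutoff, dropped = now - keep, 0
        for ip in list(self._sightings):
            kept = [s for s in self._sightings[ip] if s[0] >= cutoff]
            dropped += len(self._sightings[ip]) - len(kept)
            if kept:
                self._sightings[ip] = kept
            else:
                del self._sightings[ip]
        return dropped


# Constructed sample logs from two sites (RFC 5737 documentation addresses).
SITE_A_LOG = [
    "2024-03-12T10:15:01+00:00 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 Service unavailable",
    "2024-03-12T10:16:30+00:00 mx1 postfix/smtpd[1240]: connect from mail.example.net[198.51.100.7]",
    "2024-03-12T03:00:00+00:00 mx1 postfix/smtpd[1101]: NOQUEUE: reject: RCPT from unknown[198.51.100.200]: 450 4.7.1 Client host rejected",
]
SITE_B_LOG = [
    "2024-03-12T10:20:12Z mx-b postfix/smtpd[777]: NOQUEUE: reject: RCPT from 45.113.0.203.dsl.example[203.0.113.45]: 554 5.7.1 Service unavailable",
]


def demo():
    """Harvest both sites, then answer the lookups a front door would ask."""
    store = SightingStore()
    store.ingest("site-a", SITE_A_LOG)
    store.ingest("site-b", SITE_B_LOG)
    now = datetime(2024, 3, 12, 10, 30, tzinfo=timezone.utc)
    return {
        "corroborated_6h": store.seen_within("203.0.113.45", "6h", now, min_sites=2),
        "same_ip_last_minute": store.seen_within("203.0.113.45", "minute", now),
        "old_reject_6h": store.seen_within("198.51.100.200", "6h", now),
        "old_reject_day": store.seen_within("198.51.100.200", "day", now),
        "accepted_peer": store.seen_within("198.51.100.7", "day", now),
        "pruned_now": store.prune(now),
        "pruned_two_days_on": store.prune(now + timedelta(days=2)),
    }


if __name__ == "__main__":
    for name, answer in demo().items():
        print(f"{name}: {answer}")
```

Running the file prints the answers for each lookup. The point the post makes about dynamic addresses is carried by two things here: a lookup only counts sightings inside the requested window, and `prune` discards anything older than the longest window the service advertises, so an address that changes hands is not burdened by its previous holder's spam run. A real deployment would put `seen_within` behind a query interface and would want to rate-limit or authenticate the hourly harvest uploads, since anyone able to submit reject lines could otherwise list arbitrary addresses.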