DAve writes:
> jdow wrote:
> > From: "DAve" <[EMAIL PROTECTED]>
> >
> >> Loren Wilton wrote:
> >>> It was mentioned that several people are getting hammered by
> >>> world-wide robot attacks. I see from the little spam I get that
> >>> there is a new spam sending tool for robots that is running a stock
> >>> spam. I suspect the traffic is a combination of distributing the new
> >>> spam tool and sending out the new spam.
> >>>
> >>> With all this traffic from robots, lots of people here must be
> >>> getting quite a lot of information in their logs about connections
> >>> from robots. I wonder if there would be value in a central database
> >>> that attempts to enumerate the robots?
> >>>
> >>> Most of them are probably on dynamic IP. But if the sending IP and
> >>> attempted connect time could be logged at many sites and combined,
> >>> there would be fairly conclusive evidence that a given IP had been
> >>> sending spam at a particular time. Perhaps that could be submitted
> >>> to at least some of the more responsible service providers, and they
> >>> could do something to track it back to a customer and send them an
> >>> email that their machine is infected. (Or possibly be even more
> >>> proactive, I suppose.)
> >>>
> >>> The database might also be usable in front door spam blocking. Most
> >>> people probably shouldn't be accepting direct connections from
> >>> dynamic IPs on someone else's network, especially if that IP has a
> >>> recent history of sending spam (say in the last 6 hours or so). It
> >>> might be possible to make a server that could provide yes/no answers
> >>> on whether the IP has sent spam in the last minute/hour/6 hours/day
> >>> or so.
> >>>
> >>> I'd think that such a database could be built almost automatically.
> >>> For instance, if you log the IPs of connection attempts that you
> >>> reject for various problems, you could just harvest those IPs once an
> >>> hour or so to some central site, no human judgement calls required.
> >>> If the mail is accepted and gets a high SA score, and you can still
> >>> determine the sending IP, then that might be automatically harvested
> >>> also.
> >>>
> >>> Thoughts? Does something like this have any value?
> >>>
> >>> Loren
> >>
> >> Something like http://dhsield.org, but limited to email instead of all
> >> ports?
> >
> > Don't know. (Not going to click on THAT link. It looks like it might
> > lead to a typo squatter potentially with malware. {^_-}) But I suspect
> > the answer is yes.
>
> Hmmm, dsheild, dhsield, dshield, six of one half dozen of the other ;^)
Anyway, it certainly would have value -- that's one of the input methods used to populate many of the DNSBLs. --j.
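As an added illustration of the scheme Loren sketches (sites harvest the IPs they rejected or that scored high in SpamAssassin, a central service answers "seen sending spam in the last minute / hour / 6 hours / day?"), here is a small Python aggregator. It is example code written for this page, not anything from the thread, DShield or SpamAssassin; the upload line format, the hostnames and IPs in the constructed sample, and the two-site corroboration threshold are all assumptions. The one thing it adds beyond the thread's yes/no answer is a count of distinct reporting sites, since a single site's reject may just be its own misconfiguration, and a short-window view, since a dynamic IP changes hands.

```python
"""Toy central "robot sighting" aggregator (example code, not from the thread).

Each participating site uploads one text line per rejected connection or
high-scoring message; the aggregator answers, per IP, whether it was seen in
the last minute / hour / 6 hours / day and by how many distinct sites.
Line format, names and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Query windows named in the thread: last minute / hour / 6 hours / day.
WINDOWS = {
    "minute": timedelta(minutes=1),
    "hour": timedelta(hours=1),
    "6h": timedelta(hours=6),
    "day": timedelta(days=1),
}

# Constructed sample harvest upload: "<site> <ip> <utc-timestamp> <reason>".
# Two sites independently saw 198.51.100.7; only one site saw 203.0.113.9.
SAMPLE_HARVEST = """\
mx1.example.net 198.51.100.7 2007-03-01T10:05:00Z reject-rbl
mx.example.org  198.51.100.7 2007-03-01T10:40:00Z sa-score-high
mx1.example.net 203.0.113.9  2007-03-01T06:00:00Z reject-helo
this line is malformed and must be skipped
"""

# Fixed "now" for the demo so results are reproducible (constructed).
DEMO_NOW = datetime(2007, 3, 1, 11, 0, tzinfo=timezone.utc)


def parse_harvest_line(line):
    """Parse one harvested event; return None for blank or malformed lines.

    No human judges the uploads, so the aggregator must tolerate junk
    rather than trust every line it receives.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    site, ip, stamp, reason = parts
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return site, ip, when, reason


class SpamSightingDB:
    """In-memory store of (site, time, reason) sightings keyed by IP."""

    def __init__(self, min_sites=2):
        self.min_sites = min_sites            # distinct reporters for "corroborated"
        self._sightings = defaultdict(list)   # ip -> [(site, when, reason)]

    def ingest_harvest(self, text):
        """Ingest one uploaded harvest file; returns the number of accepted lines."""
        accepted = 0
        for line in text.splitlines():
            parsed = parse_harvest_line(line)
            if parsed is None:
                continue
            site, ip, when, reason = parsed
            self._sightings[ip].append((site, when, reason))
            accepted += 1
        return accepted

    def sites_within(self, ip, window, now):
        """Distinct reporting sites that saw `ip` within `window` before `now`."""
        cutoff = now - window
        return {site for site, when, _ in self._sightings.get(ip, [])
                if cutoff <= when <= now}

    def seen_within(self, ip, window, now):
        """The yes/no answer the thread asks for, for one window."""
        return bool(self.sites_within(ip, window, now))

    def verdict(self, ip, now):
        """Yes/no per window, plus whether the day-window evidence is corroborated."""
        result = {name: self.seen_within(ip, win, now) for name, win in WINDOWS.items()}
        result["corroborated"] = (
            len(self.sites_within(ip, WINDOWS["day"], now)) >= self.min_sites
        )
        return result

    def prune(self, now, retention=WINDOWS["day"]):
        """Drop sightings older than `retention`; returns how many remain.

        Dynamic IPs change hands, so old evidence says little about the
        current holder of the address.
        """
        cutoff = now - retention
        for ip in list(self._sightings):
            kept = [s for s in self._sightings[ip] if s[1] >= cutoff]
            if kept:
                self._sightings[ip] = kept
            else:
                del self._sightings[ip]
        return sum(len(v) for v in self._sightings.values())


def demo(now=DEMO_NOW):
    """Load the constructed sample and query both IPs at DEMO_NOW."""
    db = SpamSightingDB(min_sites=2)
    db.ingest_harvest(SAMPLE_HARVEST)
    return db.verdict("198.51.100.7", now), db.verdict("203.0.113.9", now)


if __name__ == "__main__":
    for v in demo():
        print(v)
```

A front-door policy built on this would consult `seen_within` with the short windows for connection-time decisions and reserve the `corroborated` flag, which needs more than one independent site, for anything reported upstream to a provider.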