On Aug 7, 2014, at 11:14 AM, Axb <axb.li...@gmail.com> wrote:

> On 08/07/2014 07:06 PM, Philip Prindeville wrote:
>>
>> On Aug 7, 2014, at 11:00 AM, Axb <axb.li...@gmail.com> wrote:
>>
>>> On 08/07/2014 06:55 PM, Philip Prindeville wrote:
>>>>
>>>> On Aug 6, 2014, at 11:20 PM, Axb <axb.li...@gmail.com> wrote:
>>>>
>>>>> On 08/07/2014 07:01 AM, Philip Prindeville wrote:
>>>>>>
>>>>>> On Aug 6, 2014, at 1:23 PM, Paul Stead <paul.st...@zeninternet.co.uk> wrote:
>>>>>>
>>>>>>>
>>>>>>> On 06/08/14 20:00, John Hardin wrote:
>>>>>>>> Can some fresh samples be posted to pastebin?
>>>>>>>>
>>>>>>> http://pastebin.com/yHiT2s3t
>>>>>>> http://pastebin.com/DpxpJhtA
>>>>>>> http://pastebin.com/DYx1ap31
>>>>>>>
>>>>>>> :)
>>>>>>
>>>>>>
>>>>>> Uh… the hostname in all of these URLs always resolves to 98.124.199.1.
>>>>>>
>>>>>> I just use:
>>>>>>
>>>>>> uri_block_cidr L_BLOCK_CIDR 98.124.199.1
>>>>>> body L_BLOCK_CIDR eval:check_uri_local_bl()
>>>>>> describe L_BLOCK_CIDR Block URI's pointing to bad CIDR's
>>>>>> score L_BLOCK_CIDR 7.5
>>>>>>
>>>>>> and this nails it. See:
>>>>>>
>>>>>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060
>>>>>
>>>>> Suggesting to list any IP in the 98.124.192.0/18 net with a score of 7 is
>>>>> not very wise advice.
>>>>
>>>>
>>>> I’m listing a /32. Where do you get a /18 prefix?
>>>
>>> listing *anything* in that /18 will hit a zillion of legit sites...
>>> including your /32
>>>
>>> For a man and his dog setup it may be ok, but I wouldn't advise ppl to do
>>> this without a *warning*
>>
>>
>> What is your basis for saying this? This example filters a SINGLE (/32) IP.
>
> that single IP has way more than 10k domains hosted on it (my passive DNS
> query is limited to 10k) and there's a huge number of legitimate ones.
Okay, I thought you were saying that the posted configuration would block the entire CIDR range. It won’t.

So they have a lot of VirtualHost definitions: a couple of comments on that.

(1) putting that many domains on a single host is just begging for that host to have a catastrophic failure (as opposed to putting that many domains on a local (re)director which serves as a proxy, a la mod_proxy_html mode…)

(2) it further means that if the host is compromised, then all the domains on that host are compromised.

(3) if that IP is being blocked for whatever reason, then that will motivate the other users on that same host to either pressure eNom to flush that bad actor ASAP, or they will move to another host… possibly with another provider.

This is a reckless practice, and eNom will likely suffer consequences when their users start to catch on to all of the ill effects of it, some of which I listed above. No one wants their business reputation being sullied by association with phishers, spammers, and hacked websites…

-Philip

>
>> Please don’t propagate misinformation.
>
> I can assure that it is not misinformation... do your research..
>
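The two points argued above (a bare IP in uri_block_cidr is a /32 and does not cover the /18 it sits in, yet that one /32 still catches every domain hosted on the same address) can be checked on constructed data. The following is an added example, not code from the thread or from SpamAssassin's URILocalBL plugin; it is a minimal emulation of what a `uri_block_cidr` + `check_uri_local_bl()` rule does, with DNS replaced by an inline hostname-to-address table (constructed, not real passive-DNS data) so it runs offline. Hostnames ending in `.test` and the function names are assumptions for the illustration.

```python
"""Emulation of a uri_block_cidr / check_uri_local_bl() style check.

Added example (not the SpamAssassin plugin's own code). DNS lookups are
replaced by FAKE_DNS, a constructed table, so the script runs offline.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed hostname -> A-record table standing in for DNS.  Three
# hostnames share 98.124.199.1, as a shared-hosting box would; one sits
# elsewhere in 98.124.192.0/18; one is unrelated (RFC 5737 test range).
FAKE_DNS: Dict[str, str] = {
    "phish-example.test": "98.124.199.1",   # the address from the thread
    "shop-example.test": "98.124.199.1",    # innocent co-tenant, same IP
    "blog-example.test": "98.124.199.1",    # innocent co-tenant, same IP
    "other-example.test": "98.124.200.7",   # same /18, different host
    "unrelated.test": "203.0.113.10",
}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_hosts(body: str) -> List[str]:
    """Pull hostnames out of http(s) URLs in a message body."""
    return [m.group(1).lower() for m in URL_RE.finditer(body)]


def parse_cidrs(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse a whitespace-separated list of IPs/CIDRs.

    A bare address such as 98.124.199.1 becomes a /32; an explicit
    prefix such as 98.124.192.0/18 is kept as written.
    """
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]


def resolve(host: str, dns: Dict[str, str]) -> Set[ipaddress.IPv4Address]:
    """Offline stand-in for an A lookup against the constructed table."""
    ip = dns.get(host)
    return {ipaddress.ip_address(ip)} if ip else set()


def check_uri_local_bl(body: str, blocklist: str,
                       dns: Dict[str, str] = FAKE_DNS) -> List[str]:
    """Return the hostnames in body whose address falls in a listed network."""
    nets = parse_cidrs(blocklist)
    hits: List[str] = []
    for host in extract_hosts(body):
        for ip in resolve(host, dns):
            if any(ip in net for net in nets):
                hits.append(host)
                break
    return hits


def domains_sharing_ip(ip: str, dns: Dict[str, str] = FAKE_DNS) -> List[str]:
    """Collateral check: every hostname in the table that resolves to ip."""
    target = ipaddress.ip_address(ip)
    return sorted(h for h, a in dns.items() if ipaddress.ip_address(a) == target)


if __name__ == "__main__":
    sample = "Click http://phish-example.test/login and http://other-example.test/"
    print("/32 listing hits:", check_uri_local_bl(sample, "98.124.199.1"))
    print("/18 listing hits:", check_uri_local_bl(sample, "98.124.192.0/18"))
    print("co-tenants of 98.124.199.1:", domains_sharing_ip("98.124.199.1"))
```

Running it shows the /32 listing matching only the host on 98.124.199.1 while the /18 also catches the host on 98.124.200.7, and `domains_sharing_ip` is the offline version of the passive-DNS query Axb describes: before scoring a /32 at 7.5, list what else resolves there.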