[Dshield] Spamhouse now listing exploited IPs in new blocklist

Johannes B. Ullrich jullrich at sans.org
Wed Jan 14 13:41:37 GMT 2004


> Anyone got feelings about this ?

"Blacklists" sometimes think that the bigger the blacklist, the more
effective it is. However, there is a very small number of hosts that is
causing most of the problems. As blacklists increase in size, they very
quickly diminish in value.

Vinod Yegneswaran from the Univ. of Wisconsin wrote a nice paper that
uses DShield data and shows some of this effect:
http://www.cs.wisc.edu/~pb/dshield_paper.pdf

Overall, I have been reluctant in the past to offer large block lists
based on DShield data. The false-positive issue is very hard to solve,
and we do see "attacks" against our data collection system (teaser:
There is a slide about a recent one in today's webcast ;-) ) that attempt
to inject invalid reports.

However, I think it was said here before a few times: You have to
carefully pick whatever spam filter correlates best with your business
objectives. Deleting mail is cheap/simple. Missing a 'real' e-mail can
be very expensive.

BTW: we do offer a short blocklist, http://feeds.dshield.org/block.txt
(I actually just changed a small bug in it yesterday). It is updated
several times a day, and if a listed ISP contacts me, they are
removed from it immediately (they don't even have to prove they did
anything. All I need is that they know they have a problem).


-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm