[Dshield] Spamhouse now listing exploited IPs in new blocklist

Johannes B. Ullrich jullrich at sans.org
Wed Jan 14 17:35:46 GMT 2004


> Doesn't a black list just affect servers trying to send
> mail? 

correct.

> If a home user's machine gets compromised and is being used to
> send spam, it gets blacklisted. Once the person fixes their machine,
> their IP is no longer going to be the source of the email, correct? 

You assume that the blacklist will only include users that send mail
because they are infected. The quoted news article isn't specific
enough, but it looks like they include "infected" hosts even if they
don't send mail. So you have two issues:

(*) why do you call a host infected? 
   for example for DShield, we list many mail servers as port 113
scanners. This is just a normal side effect of being a mail server,
and there is nothing wrong with these mail servers. Now this particular
issue is easy to clean up. But there are others, less clear cut cases.

(*) what about dynamic IPs?
   this was mentioned before. It looks like they keep IPs in their list
for 6 months. ..


> When
> an average home user sends mail they aren't using their own personal
> SMTP server, they're using their ISP's mail server which (hopefully)
> isn't blacklisted.

well, not everyone uses their ISPs mail server. Some users send
directly. I don't think they should, but well, they do. Also, given
false positives, a perfectly healthy ISP mail server may get on the
list.

I think a useful blacklist has to be "fresh" and there has to be a fast
"cleanup" process. It looks like they bounce mail with appropriate
headers... maybe that will help, but it could hurt as well (where do
they bounce to? Can this be used as a traffic amplifier/obfuscator in a
DOS attack).




-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
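An added illustration, not part of the thread and not DShield's or Spamhaus's actual listing logic: a Python sketch of the two problems raised above, treating a port 113 connection that closely follows an SMTP connect in the other direction as an ident callback rather than a scan, and expiring entries that have gone quiet so a dynamic address does not stay listed for months. The sensor records, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor records (not real DShield data): (time, src, dst, dport).
# 198.51.100.7 is a mail relay that answers our outbound SMTP with ident lookups;
# 203.0.113.9 probes port 113 on several hosts without any prior SMTP contact.
EVENTS = [
    ("2004-01-14T10:00:00", "192.0.2.10", "198.51.100.7", 25),
    ("2004-01-14T10:00:01", "198.51.100.7", "192.0.2.10", 113),
    ("2004-01-14T10:05:00", "192.0.2.11", "198.51.100.7", 25),
    ("2004-01-14T10:05:02", "198.51.100.7", "192.0.2.11", 113),
    ("2004-01-14T11:00:00", "203.0.113.9", "192.0.2.10", 113),
    ("2004-01-14T11:00:01", "203.0.113.9", "192.0.2.11", 113),
    ("2004-01-14T11:00:02", "203.0.113.9", "192.0.2.12", 113),
]

IDENT_WINDOW = timedelta(seconds=30)  # an ident callback follows the SMTP connect
MIN_TARGETS = 3                       # distinct targets before we call it scanning
MAX_AGE = timedelta(days=7)           # forget sources that have gone quiet

def is_ident_callback(event, smtp_connects):
    """True if this port 113 connect answers a recent SMTP connect from dst to src."""
    t, src, dst, dport = event
    if dport != 113:
        return False
    for t_smtp in smtp_connects.get((dst, src), []):
        if timedelta(0) <= t - t_smtp <= IDENT_WINDOW:
            return True
    return False

def build_blocklist(events, now_iso):
    """Return the set of sources that look like scanners as of now_iso."""
    now = datetime.fromisoformat(now_iso)
    parsed = [(datetime.fromisoformat(t), s, d, p) for t, s, d, p in events]
    smtp_connects = defaultdict(list)
    for t, src, dst, dport in parsed:
        if dport == 25:
            smtp_connects[(src, dst)].append(t)
    targets = defaultdict(set)   # src -> distinct hosts it touched
    last_seen = {}               # src -> most recent non-benign event
    for ev in parsed:
        t, src, dst, dport = ev
        if is_ident_callback(ev, smtp_connects):
            continue             # normal mail-server behaviour, not evidence
        targets[src].add(dst)
        last_seen[src] = max(t, last_seen.get(src, t))
    return {src for src, hosts in targets.items()
            if len(hosts) >= MIN_TARGETS and now - last_seen[src] <= MAX_AGE}
```

With the constructed records, only 203.0.113.9 is listed the next day, and the entry drops out once it has been quiet for longer than MAX_AGE.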