[Dshield] Spamhouse now listing exploited IPs in new blocklist
Johannes B. Ullrich
jullrich at sans.org
Wed Jan 14 17:35:46 GMT 2004
> Doesn't a black list just affect servers trying to send
> If a home user's machine gets compromised and is being used to
> send spam, it gets blacklisted. Once the person fixes their machine,
> their IP is no longer going to be the source of the email, correct?
You assume that the blacklist will only include users that send mail
because they are infected. The quoted news article isn't specific
enough, but it looks like they include "infected" hosts even if they
don't send mail. So you have two issues:
(*) why do you call a host infected?
for example for DShield, we list many mail servers as port 113
scanners. This is just a normal side effect of being a mail server,
and there is nothing wrong with these mail servers. Now this particular
issue is easy to clean up. But there are others, less clear cut cases.
(*) what about dynamic IPs?
this was mentioned before. It looks like they keep IPs in their list
for 6 months...
> an average home user sends mail they aren't using their own personal
> SMTP server, they're using their ISP's mail server which (hopefully)
> isn't blacklisted.
well, not everyone uses their ISPs mail server. Some users send
directly. I don't think they should, but well, they do. Also, given
false positives, a perfectly healthy ISP mail server may get on the
I think a useful blacklist has to be "fresh" and there has to be a fast
"cleanup" process. It looks like they bounce mail with appropriate
headers... maybe that will help, but it could hurt as well (where do
they bounce too? Can this be used as a traffic amplifier/obfuscater in a
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
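As an added illustration of the port 113 false positive described in the post above (example code, not from the original message or from DShield): a mail server that receives an SMTP connection normally makes an ident query back to the client on port 113, so a listing process can separate those "lookbacks" from unexplained port-113 probes by correlating them with the inbound SMTP connection that triggered them. The log format and the 30-second correlation window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample connection records: "timestamp src dst dport".
# 203.0.113.25 is a mail server doing ident lookbacks; 198.51.100.200
# probes port 113 on several hosts with no SMTP traffic to explain it.
SAMPLE_LOG = """\
2004-01-14T17:00:00 198.51.100.7 203.0.113.25 25
2004-01-14T17:00:01 203.0.113.25 198.51.100.7 113
2004-01-14T17:05:00 192.0.2.9 203.0.113.25 25
2004-01-14T17:05:00 203.0.113.25 192.0.2.9 113
2004-01-14T17:30:00 198.51.100.200 192.0.2.40 113
2004-01-14T17:30:01 198.51.100.200 192.0.2.41 113
2004-01-14T17:30:02 198.51.100.200 192.0.2.42 113
"""

# Assumed window within which an ident query follows its SMTP connection.
IDENT_WINDOW = timedelta(seconds=30)


def parse_log(text):
    """Parse the simplified log into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def classify_port113(events):
    """Split port-113 connections into ident lookbacks and unexplained ones.

    An outbound 113 connection from A to B counts as an ident lookback when
    B connected to A's port 25 no more than IDENT_WINDOW earlier."""
    smtp_inbound = {}  # (server, client) -> latest client->server:25 time
    lookbacks, unexplained = [], []
    for ts, src, dst, dport in sorted(events):
        if dport == 25:
            smtp_inbound[(dst, src)] = ts
        elif dport == 113:
            seen = smtp_inbound.get((src, dst))
            if seen is not None and timedelta(0) <= ts - seen <= IDENT_WINDOW:
                lookbacks.append((ts, src, dst))
            else:
                unexplained.append((ts, src, dst))
    return lookbacks, unexplained


def scanner_candidates(unexplained, min_targets=3):
    """Sources whose unexplained port-113 hits reach min_targets distinct hosts."""
    targets = {}
    for _, src, dst in unexplained:
        targets.setdefault(src, set()).add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)
```

With the sample data the mail server's two port-113 connections are explained by preceding SMTP sessions and only 198.51.100.200 remains as a scanner candidate.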