[Dshield] dshield-based RBLs?
ed.truitt at etee2k.net
Mon Jun 7 20:26:21 GMT 2004
Quoting John Hardin <johnh at aproposretail.com>:
> I'm pretty sure I've suggested this in the past, but I'm going to
> suggest it again just for discussion.
> I would like to see some DNS RBLs based on dshield scanner data. One
> possibly proactive way to block spam from the hordes of compromised
> windows boxen would be to have my MTA reject anything originating from
> an IP address that's spewing NetBIOS traffic or known vulnerability
> scanning traffic at the world...
Why would an IP address that is spewing NetBIOS traffic (I thought NetBIOS
traffic was supposed to be spewed ;-) be a spammer? Now, what might be
interesting is a BL based on DShield scanner data indicating the box is
infected with one of the worms that turns the host into a spam-zombie (open
proxy). In fact, that is something worth thinking about. Now, just need a
list of all those nasty wormy things, and which ports they use when
Johannes is right -- this seems to be a lot of work. Maybe I'll try it on a
"local" level first.