[Dshield] dshield-based RBLs?

ed.truitt@etee2k.net ed.truitt at etee2k.net
Mon Jun 7 20:26:21 GMT 2004


Quoting John Hardin <johnh at aproposretail.com>:

> Johannes:
> 
> I'm pretty sure I've suggested this in the past, but I'm going to
> suggest it again just for discussion.
> 
> I would like to see some DNS RBLs based on dshield scanner data. One
> possibly proactive way to block spam from the hordes of compromised
> windows boxen would be to have my MTA reject anything originating from
> an IP address that's spewing NetBIOS traffic or known vulnerability
> scanning traffic at the world...
> 
> Comments?

Why would an IP address that is spewing NetBIOS traffic (I thought NetBIOS
traffic was supposed to be spewed ;-) be a spammer?  Now, what might be
interesting is a BL based on DShield scanner data indicating the box is
infected with one of the worms that turns the host into a spam-zombie (open
proxy).  In fact, that is something worth thinking about.  Now, just need a
list of all those nasty wormy things, and which ports they use when
scanning...

Johannes is right -- this seems to be a lot of work.  Maybe I'll try it on a
"local" level first.

Regards,
-EdT.
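
The "local" list floated above could be prototyped along these lines. This is an added example, not part of the original message and not DShield code: the report line format, the port numbers (placeholders, since the worm-to-port list is exactly what the message says is still missing), the zone name and the distinct-target threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample reports, "source_ip target_ip target_port" (not real DShield output).
SAMPLE_REPORTS = """\
192.0.2.10 198.51.100.1 11111
192.0.2.10 198.51.100.2 11111
192.0.2.10 198.51.100.3 11111
192.0.2.77 198.51.100.1 11111
203.0.113.5 198.51.100.9 22222
203.0.113.5 198.51.100.8 137
not-an-ip 198.51.100.1 11111
"""

# Placeholder ports standing in for "ports the spam-zombie worms scan on" (assumption).
WORM_SCAN_PORTS = {11111, 22222}

def dnsbl_name(ip, zone):
    """DNSBL query name: reversed IPv4 octets plus the zone (192.0.2.10 -> 10.2.0.192.<zone>)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def build_zone(reports, ports, zone, min_targets=3):
    """List sources seen probing at least min_targets distinct hosts on a listed port."""
    targets = defaultdict(set)
    for line in reports.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        src, dst, port = fields
        try:
            src = str(ipaddress.IPv4Address(src))
            dst = str(ipaddress.IPv4Address(dst))
            port = int(port)
        except ValueError:
            continue  # malformed report line: never list on bad data
        if port in ports:
            targets[src].add(dst)
    listed = sorted((s for s, t in targets.items() if len(t) >= min_targets),
                    key=ipaddress.IPv4Address)
    # 127.0.0.2 is the conventional "listed" answer for a DNSBL A record.
    return [f"{dnsbl_name(s, zone)} IN A 127.0.0.2" for s in listed]

if __name__ == "__main__":
    print("\n".join(build_zone(SAMPLE_REPORTS, WORM_SCAN_PORTS, "zombies.dnsbl.example")))
```

The distinct-target threshold keeps a single stray probe from listing a host, and ordinary NetBIOS traffic (port 137 in the sample) is ignored unless that port is deliberately added to the set.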




