At 10:44 PM +0200 2003/08/11, Markus Stumpf wrote:
> Don't know if this qualifies for a BCP ...
> We use our own DNSBL. We do also use other DNSBLs but the messages are
> tagged only. This tagging is used as a decision aid:
> if we get spam and the IP is listed in other DNSBLs as well, we add
> it to our own DNSBL right away.
> This saves some work.
How do you determine if you get a "spam" from a particular IP
address? Is this done in any automated way, or just any time a user
complains?
> I have the impression DNSBLs get abused for finding open relays.
Some do. However, I suspect that it's mostly the ones that are
oriented towards open relays anyway, and for them would it really be
"abuse" in that sense?
> Motivation: checking IP ranges for open relay mailservers or open
> proxies is a time consuming task and you need email addresses to
> receive the relayed messages at.
> Strategy: Do port scans for hosts listening on port 25. Make a list of
> all those IP addresses.
> Now use a tool that abuses 0wned hosts and do distributed submissions
> of these IPs to the various DNSBLs for testing.
You mean like <http://www.ordb.org/faq/#test_no_list> or
<http://dsbl.org/programs>?
> Result: After some hours/days do DNS lookups and see if the IP got
> blocked. If it is blocked the IP is vulnerable, add it to your list
> of vulnerable hosts and quickly start abusing it.
Already being done, I'm sure. I figure there are also a lot of
people out there who are querying the various black lists with
relatively random selections of IP address ranges (and using various
open caching/recursive nameservers), to fill in their list of
potential servers to abuse.
> Downside: they use a blacklisted IP for spamming. However from my
> personal observation most DNSBLs are used for informational purposes
> and not for hard blocks, so the amount of spam they get through is
> large enough and pays off the gain of having others do the dirty work
> (with a white hat on).
Here's another idea. Take the list of the sort you mention
above, then front that with a DNS-based load-balancing program. When
a spammer looks up the address to spam through, they get re-directed
to one of millions of vulnerable machines, then drop that connection
after sending a small number of messages, and start the process all
over again.
--
Brad Knowles, <brad(_dot_)knowles(_at_)skynet(_dot_)be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
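The mechanics discussed in this exchange (a DNSBL lookup, using external lists as tag-only decision aids, and the "spam reported and listed elsewhere too, so add it to our own list" rule) as an added, self-contained example. This is not code from the thread or from any of the participants; the zone names, the addresses, the fake DNS answers and the header name `X-DNSBL-Listed` are all constructed for illustration, and a dictionary stands in for real DNS so it runs offline.

```python
"""
Added example, not from the ASRG thread: DNSBL query construction,
tag-only use of external lists, and an auto-add rule for a local list.
Every zone name, address and DNS answer below is constructed.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver maps a query name to its A records; [] means NXDOMAIN / not listed.
Resolver = Callable[[str], List[str]]

# Hypothetical external lists and a hypothetical local one.
EXTERNAL_ZONES = ["bl.example-one.test", "relays.example-two.test"]
OWN_ZONE = "bl.ours.test"

# Constructed DNS data standing in for live lookups.
FAKE_DNS: Dict[str, List[str]] = {
    "4.3.2.1.bl.example-one.test": ["127.0.0.2"],
    "4.3.2.1.relays.example-two.test": ["127.0.0.4"],
    "8.7.6.5.bl.example-one.test": ["127.0.0.2"],
    # A dead or wildcarded zone that answers every query with a non-127 address.
    "9.9.9.9.relays.example-two.test": ["10.0.0.1"],
}


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in for a DNS A lookup (constructed data)."""
    return FAKE_DNS.get(name, [])


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on bad input
    return ".".join(reversed(octets)) + "." + zone


def listing(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.0.0.x answer if ip is listed in zone, else None.

    Answers outside 127.0.0.0/8 are ignored: a zone that returns them is
    almost always dead or wildcarded, not a genuine listing, and trusting
    it would block everything.
    """
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            return answer
    return None


def tag_message(ip: str, resolve: Resolver) -> List[str]:
    """Tag-only use of external lists: produce header lines, never a reject."""
    hits = [z for z in EXTERNAL_ZONES if listing(ip, z, resolve)]
    return [f"X-DNSBL-Listed: {ip} in {z}" for z in hits]


class OwnDnsbl:
    """Local list where external listings act as a decision aid on spam reports."""

    def __init__(self, min_external_hits: int = 1) -> None:
        self.entries: Dict[str, str] = {}
        self.min_external_hits = min_external_hits

    def report_spam(self, ip: str, resolve: Resolver) -> bool:
        """Spam was received from ip; auto-add if enough external lists agree."""
        if ip in self.entries:
            return True
        hits = [z for z in EXTERNAL_ZONES if listing(ip, z, resolve)]
        if len(hits) >= self.min_external_hits:
            self.entries[ip] = "spam reported; also listed in " + ", ".join(hits)
            return True
        return False  # not enough corroboration: leave for manual review

    def lookup(self, ip: str) -> bool:
        return ip in self.entries


if __name__ == "__main__":
    own = OwnDnsbl(min_external_hits=2)
    for line in tag_message("1.2.3.4", fake_resolve):
        print(line)
    print("auto-added 1.2.3.4:", own.report_spam("1.2.3.4", fake_resolve))
    print("auto-added 5.6.7.8:", own.report_spam("5.6.7.8", fake_resolve))
```

The `min_external_hits` threshold is the knob that decides how much the "listed elsewhere" signal is trusted; the non-127 check is the caveat worth keeping whatever the policy, since a DNSBL that has been shut down and wildcarded looks, to naive code, like a list that has every address on it.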