Block maps from dshield ip's

  • Thomas Domingo Dahlmann
    Message 1 of 13, Jul 28, 2006
      Hi

      I've tried brewing a script together that picks up the IP addresses from
      DShield and puts them into a mapfile.
      I would like some feedback (if anyone cares ;ø) ) on the script and on the
      idea of using the DShield list as a blackhole list for mail.

      http://wiki.lnxgeek.org/doku.php/howtos:dshield_postfix_map_script

      Thx.

      /Domingo
      Registered Linux user number 411788
      http://wiki.lnxgeek.org
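An added example, not the script behind the wiki link (which is not reproduced on this page): a POSIX shell conversion of a DShield block.txt feed into a Postfix cidr: table. The feed layout it assumes (tab-separated, start address in column 1, prefix length in column 3, '#' comment lines) is stated as an assumption, and the sample feed lines are constructed.

```shell
#!/bin/sh
# Added example, not the script behind the wiki link: convert a DShield
# block.txt feed into a Postfix cidr: table. Assumed layout (an assumption,
# not verified here): tab-separated, start address in column 1, prefix
# length in column 3, comment lines starting with '#'.

# Constructed sample in that layout using RFC 5737 documentation ranges,
# not real feed data. The last two lines are deliberately malformed.
sample_block_txt() {
    printf '# constructed header line\n'
    printf '203.0.113.0\t203.0.113.255\t24\t1234\tEXAMPLE-NET\tXX\tabuse@example.net\n'
    printf '198.51.100.0\t198.51.100.255\t24\t987\tEXAMPLE-NET2\tXX\tabuse@example.org\n'
    printf '192.0.2.0\t192.0.2.255\t24\t5\tDUP-NET\tXX\tabuse@example.com\n'
    printf '192.0.2.0\t192.0.2.255\t24\t5\tDUP-NET\tXX\tabuse@example.com\n'
    printf 'garbage\tline\t24\n'
    printf '10.0.0.0\t10.255.255.255\t99\tbad-prefix\n'
}

# Read block.txt on stdin, write cidr: table lines on stdout. Anything that is
# not a dotted quad with a plausible prefix is dropped rather than written into
# a file Postfix will parse, and duplicate netblocks are collapsed.
dshield_to_cidr() {
    awk -F'\t' '
        { sub(/\r$/, "") }                                   # tolerate CRLF feeds
        /^#/ || NF < 3 { next }                              # comments, blanks
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }    # not an IPv4 address
        { split($1, o, "."); for (i = 1; i <= 4; i++) if (o[i] > 255) next }
        $3 !~ /^[0-9]+$/ || $3 < 8 || $3 > 32 { next }       # implausible prefix
        !seen[$1 "/" $3]++ {
            printf "%s/%s\tREJECT Listed on DShield block list\n", $1, $3
        }
    '
}

# Build the table atomically so Postfix never reads a half-written file, and
# keep the previous table when the feed came back empty or unusable.
build_dshield_table() {   # $1 = downloaded block.txt, $2 = destination table
    tmp="$2.tmp.$$"
    dshield_to_cidr < "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$2"
}

# Postfix reads cidr: tables directly (no postmap needed). Reference the
# result from main.cf, for example:
#   smtpd_client_restrictions = ... check_client_access cidr:/etc/postfix/dshield.cidr
# (the path is a placeholder; pick one that suits the installation).
```

Placing the check after the usual RBL lookups and counting how many rejections it adds is the easiest way to measure whether the list earns its place.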
    • David Cary Hart
      Message 2 of 13, Jul 29, 2006
        On Sat, 29 Jul 2006 01:36:25 +0200 (CEST), "Thomas Domingo Dahlmann"
        <domingo@...> opined:
        > Hi
        >
        > I've tried brewing a script together that picks up the ip addresses
        > from Dshield and put them into a mapfile.
        > I would like some feedback (if anyone cares ;ø) ) on the script and
        > on the idea of using the Dshield list as a blackhole list for mail.
        >
        > http://wiki.lnxgeek.org/doku.php/howtos:dshield_postfix_map_script
        >
        I actually discussed this on the DShield list last week with the idea
        of creating a DShield zone for the BL. Johannes said that he would
        provide the feed. I need to finalize some administrative issues.

        --
        Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
        Don't Subsidize Criminals: http://boulderpledge.org
      • Greg Hackney
        Message 3 of 13, Jul 29, 2006
          Thomas Domingo Dahlmann wrote:

          >Hi
          >
          >I've tried brewing a script together that picks up the ip addresses from
          >Dshield and put them into a mapfile.
          >I would like some feedback
          >

          Feedback: DShield is intended for firewall blocks, such as iptables.
          Its listed sites and reporting mechanisms appear to be geared for
          port scans, hacker login attempts, etc.

          Ref: http://feeds.dshield.org/block.txt.asc

          IMHO it doesn't seem like much value would be added as an SMTP
          access block (especially if you're already using DShield in iptables).
          --
          Greg
        • Greg Hackney
          Message 4 of 13, Jul 29, 2006
            Correction: http://feeds.dshield.org/block.txt
          • David Cary Hart
            Message 5 of 13, Jul 29, 2006
              On Sat, 29 Jul 2006 10:19:25 -0500, Greg Hackney <hackney@...>
              opined:
              > Thomas Domingo Dahlmann wrote:
              >
              > >Hi
              > >
              > >I've tried brewing a script together that picks up the ip
              > >addresses from Dshield and put them into a mapfile.
              > >I would like some feedback
              > >
              >
              > Feedback: DShield is intended for firewall blocks, such as
              > iptables. It's listed sites and reporting mechanisms appear to be
              > geared for port scans, hacker login attempts, etc.
              >
              There is a direct correlation. Furthermore, many people cannot - and
              should not - use IPTables to filter email.

              If a machine is making port scans or engaged in other abusive
              activity, it is either infected or doing so intentionally. Either
              way, you probably do not want their email. These days, many - if not
              most - security issues relate to relaying spam.

              --
              Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
              Don't Subsidize Criminals: http://boulderpledge.org
            • Greg Hackney
              Message 6 of 13, Jul 29, 2006
                David Cary Hart wrote:

                >should not - use IPTables to filter email.
                >
                >
                Thank you. That's my point exactly.

                DShield's content is not for email blocking. If it were,
                there would be a lot more sites than the mere 20
                networks that are currently listed.

                Yes of course the data could also be used for Postfix blocking.
                My point is that it's probably not going to do much blocking,
                especially if already using DShield data in firewalling.

                I'm skeptical that people who possess the knowledge to
                configure Postfix, munge shell scripts, extract DShield data,
                and auto-build access maps, wouldn't also be capable of typing
                a repetitive-style fill-in-the-blank command such as:

                /sbin/iptables -I RH-Firewall-1-INPUT -s 218.10.43.255/24 -j LOCALBLOCK

                --
                Greg
              • Greg Hackney
                Message 7 of 13, Jul 29, 2006
                  Thomas Domingo Dahlmann wrote:

                  >I've tried brewing a script together that picks up the ip addresses from
                  >Dshield and put them into a mapfile.
                  >
                  >
                  Hi Thomas. If you are in the mode to do scripting, an interesting
                  one would be to periodically merge the data from these 2 URLs:

                  http://spamvertised.abusebutler.com/spamvertised.php?rep=last24
                  http://www.spamcop.net/w3m?action=inprogress&type=www

                  and install it in a body_checks regexp file, something like:

                  if /http:/
                  /good_domain.com/ OK
                  /medzname.com/ REJECT
                  /medstair.com/ REJECT
                  /ccmedz.com/ REJECT
                  /medsource2006.org/ REJECT
                  /medveds.com/ REJECT
                  endif

                  (I recall that Wietse suggested using this if/endif format a while back).

                  I've been doing it for about a year, and it does make a lot of new blocks
                  that other methods miss. (But alas I don't have decent scripts due to
                  my Perl ignorance).

                  --
                  Greg
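An added example, not Greg's own script (he says he has none): a POSIX shell generator for the if /http:/ ... endif body_checks table above, fed from two domain lists (allow list, then reject list) as a merge of the two feeds would produce. The sample lists are constructed and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not Greg's own script: build a body_checks regexp table in
# the if /http:/ ... endif layout from two domain lists. Feed content is
# untrusted input to a Postfix config file, so every entry is validated before
# it is written: a '/' would end the pattern early and an unescaped '.' would
# match any character.

# Constructed sample lists, not real feed data.
sample_allow_list()  { printf 'example.com\nEXAMPLE.ORG\n'; }
sample_reject_list() {
    printf '# constructed comment line\n'
    printf 'medz.example.net\nmedz.example.net\n'   # duplicate, kept once
    printf '/etc/passwd\nbad/domain.test\n'          # dropped by the validator
    printf 'meds.example\n'
}

# Emit one regexp-table line per valid, deduplicated domain read on stdin.
# $1 is the action (OK or REJECT). Dots are escaped so they match literally.
domains_to_rules() {
    awk -v action="$1" '
        { sub(/\r$/, ""); $0 = tolower($0) }
        /^#/ || NF == 0 { next }                               # comments, blanks
        !/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/ { next }
        !seen[$0]++ { d = $0; gsub(/\./, "\\\\.", d); printf "/%s/ %s\n", d, action }
    '
}

# Allow list first: the first matching pattern wins, so an OK domain never
# falls through to a REJECT. The if /http:/ wrapper keeps lines without a URL
# from being tried against every domain pattern at all.
build_body_checks() {   # $1 = allow-list file, $2 = reject-list file
    echo 'if /http:/'
    domains_to_rules OK     < "$1"
    domains_to_rules REJECT < "$2"
    echo 'endif'
}

# Produce the table from the constructed samples on stdout. Install the result
# as, for example, /etc/postfix/body_checks (placeholder path) and set
#   body_checks = regexp:/etc/postfix/body_checks
# in main.cf; regexp tables are read directly and need no postmap.
demo_body_checks() {
    d=$(mktemp -d) || return 1
    sample_allow_list  > "$d/allow"
    sample_reject_list > "$d/reject"
    build_body_checks "$d/allow" "$d/reject"
    rm -rf "$d"
}
```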
                • David Cary Hart
                  Message 8 of 13, Jul 29, 2006
                    On Sat, 29 Jul 2006 11:33:23 -0500, Greg Hackney <hackney@...>
                    opined:
                    > David Cary Hart wrote:
                    >
                    > >should not - use IPTables to filter email.
                    > >
                    > >
                    > Thank you. That's my point exactly.
                    >
                    > DShield's content is not for email blocking. If it were,
                    > there would be a lot more sites than the mere 20
                    > networks that are currently listed.
                    >
                    Just to be clear, this would be comprised of the many thousands of
                    DShield client reports and limited to /32s. This would be port
                    restricted to eliminate the IWF factor, require two separate sources
                    and have a volume threshold. Presumably, I would employ
                    auto-expiration.

                    Of course many of these are coming from dynamic and other sources
                    that are already listed.
                    --
                    Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
                    Don't Subsidize Criminals: http://boulderpledge.org
                  • Thomas Domingo Dahlmann
                    Message 9 of 13, Jul 29, 2006
                      On Sat, July 29, 2006 18:33, Greg Hackney wrote:
                      > David Cary Hart wrote:
                      >
                      >
                      >> should not - use IPTables to filter email.
                      >>
                      >>
                      > Thank you. That's my point exactly.
                      >
                      >
                      > DShield's content is not for email blocking. If it were,
                      > there would be a lot more sites than the mere 20 networks that are
                      > currently listed.
                      >
                      > Yes of course the data could also be used for Postfix blocking.
                      > My point is that it's probably not going to do much blocking,
                      > especially if already using DShield data in firewalling.
                      >
                      > I'm skeptical that people who possess the knowledge to
                      > configure Postfix, munge shell scripts, extract DShield data, and
                      > auto-build access maps, wouldn't also be capable of typing a
                      > repetitive-style fill-in-the-blank command such as:

                      Well I had too much time last night I guess ;ø)

                      >
                      > /sbin/iptables -I RH-Firewall-1-INPUT -s 218.10.43.255/24 -j
                      > LOCALBLOCK

                      You're right that the data should be used like that. I just thought that
                      maybe the email admins do not always have control over the firewall and this
                      would give some more to check against (those IPs are serious bad guys). I
                      also thought that this list could help sum up the defense, combined with
                      other resources of course (you never can get too many of them).

                      /Domingo
                      Registered Linux user number 411788
                      http://wiki.lnxgeek.org
                    • Greg Hackney
                      Message 10 of 13, Jul 29, 2006
                        David Cary Hart wrote:

                        >Just to be clear, this would be comprised of the many thousands of
                        >DShield client reports and limited to /32s.
                        >
                        >
                        Is this that list? http://feeds.dshield.org/top10-2.txt

                        It's not a bad idea. I had thought of it too a couple of weeks
                        ago when I installed DShield. And I also implemented it in my
                        Postfix CIDR table.

                        But I implemented it in both iptables and Postfix for a special reason:
                        On my system, various ISP-fetchmail email is injected into Postfix
                        using the XCLIENT feature, which emulates a direct SMTP connection from
                        the X-Originating-IP.

                        I'd suggest your running your DShield idea a while and then
                        doing a study on the results. If you position the check after
                        all the traditional RBL checks such as Spamhaus, I predict
                        a negligible percentage blocked by DShield.

                        But please do post the results in either case.

                        --
                        Greg
                      • Thomas Domingo Dahlmann
                        Message 11 of 13, Jul 30, 2006
                          /Domingo
                          Registered Linux user number 411788
                          http://wiki.lnxgeek.org

                          On Sat, July 29, 2006 22:35, Greg Hackney wrote:
                          > David Cary Hart wrote:
                          >
                          >
                          >> Just to be clear, this would be comprised of the many thousands of
                          >> DShield client reports and limited to /32s.
                          >>
                          >>
                          >>
                          > Is this that list? http://feeds.dshield.org/top10-2.txt

                          No it's http://feeds.dshield.org/block.txt

                          What are those ip addresses you mention?
                          >
                          >
                          > It's not a bad idea. I had thought of it too a couple of weeks
                          > ago when I installed DShield. And I also implemented it in my Postfix CIDR
                          > table.
                          >
                          > But I implemented it in both iptables and Postfix for a special reason:
                          > On my system, various ISP-fetchmail email is injected into Postfix
                          > using the XCLIENT feature, which emulates a direct SMTP connection from the
                          > X-Originating-IP.
                          >
                          >
                          > I'd suggest your running your DShield idea a while and then
                          > doing a study on the results. If you position the check after all the
                          > traditional RBL checks such as Spamhaus, I predict a negligible percentage
                          > blocked by DShield.
                          >
                          > But please do post the results in either case.
                        • Thomas Domingo Dahlmann
                          Message 12 of 13, Jul 30, 2006
                            On Sat, July 29, 2006 19:39, Greg Hackney wrote:
                            > Thomas Domingo Dahlmann wrote:
                            >
                            >
                            >> I've tried brewing a script together that picks up the ip addresses
                            >> from Dshield and put them into a mapfile.
                            >>
                            >>
                            >>
                            > Hi Thomas. If you are in the mode to do scripting, an interesting
                            > one would be to periodically merge the data from these 2 URL's:
                            >
                            > http://spamvertised.abusebutler.com/spamvertised.php?rep=last24
                            > http://www.spamcop.net/w3m?action=inprogress&type=www

                            Wouldn't it create a serious penalty in throughput, having a large
                            body_check??

                            /Domingo

                            >
                            >
                            > and install it in a body_checks regexp file, something like:
                            >
                            > if /http:/
                            > /good_domain.com/ OK
                            > /medzname.com/ REJECT
                            > /medstair.com/ REJECT
                            > /ccmedz.com/ REJECT
                            > /medsource2006.org/ REJECT
                            > /medveds.com/ REJECT
                            > endif
                            >
                            > (I recall that Wietse suggested using this if/endif format a while back).
                            >
                            >
                            > I've been doing it for about a year, and it does make a lot of new blocks
                            > that other methods miss. (But alas I don't have decent scripts due to my
                            > Perl ignorance).
                          • Thomas Domingo Dahlmann
                            Message 13 of 13, Aug 1, 2006
                              On Sat, July 29, 2006 19:39, Greg Hackney wrote:
                              > Thomas Domingo Dahlmann wrote:
                              >
                              >
                              >> I've tried brewing a script together that picks up the ip addresses
                              >> from Dshield and put them into a mapfile.
                              >>
                              >>
                              >>
                              > Hi Thomas. If you are in the mode to do scripting, an interesting
                              > one would be to periodically merge the data from these 2 URL's:
                              >
                              > http://spamvertised.abusebutler.com/spamvertised.php?rep=last24
                              > http://www.spamcop.net/w3m?action=inprogress&type=www
                              >
                              >
                              > and install it in a body_checks regexp file, something like:
                              >
                              > if /http:/
                              > /good_domain.com/ OK
                              > /medzname.com/ REJECT
                              > /medstair.com/ REJECT
                              > /ccmedz.com/ REJECT
                              > /medsource2006.org/ REJECT
                              > /medveds.com/ REJECT
                              > endif
                              >
                              > (I recall that Wietse suggested using this if/endif format a while back).
                              >
                              >
                              > I've been doing it for about a year, and it does make a lot of new blocks
                              > that other methods miss. (But alas I don't have decent scripts due to my
                              > Perl ignorance).

                              Munging time over. Here you go:

                              http://wiki.lnxgeek.org/doku.php/indexes:howtos

                              /Domingo
                              Registered Linux user number 411788
                              http://wiki.lnxgeek.org