Maintaining a Publicly Available Blacklist - Mechanisms and Principles
badger.foo writes "When you publicly assert that somebody sent spam, you need to ensure that your data is accurate. Your process needs to be simple and verifiable, and to compensate for any errors, you want your process to be transparent to the public with clear points of contact and line of responsibility. Here are some pointers from the operator of the bsdly.net greytrap-based blacklist."
Re:Greylist instead (Score:4, Informative)
and all mails you get will be delayed by an hour or more, pretty unacceptable when you get an urgent complaint that something is down.
In a correctly configured greylist, only the first e-mail ever received from a particular IP address will be delayed. Once you know an IP address follows the RFC and retries, then you know that even if they do send you spam, delaying it won't change that. In order to allow for the actual machine behind an IP address changing, instead of a permanent whitelist, you pick a timeout that is long enough but not too long. I use 40 days, which allows a once-monthly mailing list to not be delayed (since the timeout is reset each time you receive an e-mail from an IP). You also pre-load the database with whitelists for Google, Amazon, Yahoo, etc.
I also set just a 4 minute delay, which means that the one e-mail is rarely even delayed by 10 minutes. I could probably get by with as short as one minute, since that would still handle the spambots that try all MX records but never try again.
Last, since I already have a database, it makes it really easy to build my own "IP address reputation" based on the incoming e-mail, which allows me to do things like temporarily blacklist an IP that has sent a lot of spam recently, etc.
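The greylisting scheme in the comment above, written out as an added example in Python (this is not the commenter's code): one entry per sending IP, a 451 temporary failure on first contact, acceptance once the sender retries after the 4-minute delay, a 40-day known-sender timeout that is refreshed on every delivery, a pre-loaded whitelist, and a temporary block for IPs with many recent spam reports. The pending-entry lifetime, the reputation window and threshold, and the addresses used in the walk-through are assumptions, not values from the page.

```python
# Added example (not the commenter's code): per-IP greylisting with a 4-minute
# retry delay, a 40-day known-sender timeout refreshed on every delivery, a
# pre-loaded whitelist and a small reputation counter. PENDING_TTL, SPAM_WINDOW
# and SPAM_THRESHOLD are assumptions, not values from the page.
import time
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MIN_DELAY = 4 * 60            # retry accepted only after 4 minutes (from the comment)
KNOWN_TTL = 40 * 24 * 3600    # forget a known sender after 40 days of silence (from the comment)
PENDING_TTL = 24 * 3600       # assumed: drop entries that never retried after one day
SPAM_WINDOW = 3600            # assumed: reputation window in seconds
SPAM_THRESHOLD = 5            # assumed: spam reports within the window that trigger a block


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    passed: bool = False                              # sender retried after MIN_DELAY
    spam_hits: list = field(default_factory=list)     # timestamps of spam reports


class Greylist:
    def __init__(self, whitelist=()):
        # Pre-loaded networks (e.g. big webmail providers) bypass greylisting entirely.
        self.whitelist = [ip_network(n) for n in whitelist]
        self.db = {}

    def _whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def _blacklisted(self, entry, now):
        recent = [t for t in entry.spam_hits if now - t < SPAM_WINDOW]
        return len(recent) >= SPAM_THRESHOLD

    def check(self, ip, now=None):
        """Verdict for a connecting IP: ('accept' | 'tempfail' | 'reject', reason)."""
        now = time.time() if now is None else now
        if self._whitelisted(ip):
            return "accept", "whitelisted"
        entry = self.db.get(ip)
        if entry is None:
            # First contact ever: 451 and remember when we saw it.
            self.db[ip] = Entry(first_seen=now, last_seen=now)
            return "tempfail", "451 new sender, try again later"
        if self._blacklisted(entry, now):
            return "reject", "too much recent spam from this IP"
        if entry.passed:
            if now - entry.last_seen > KNOWN_TTL:
                # Silent for over 40 days: the machine behind the IP may have
                # changed, so start over rather than trusting the old verdict.
                self.db[ip] = Entry(first_seen=now, last_seen=now)
                return "tempfail", "451 known-sender entry expired, try again later"
            entry.last_seen = now            # refresh the 40-day timeout
            return "accept", "known sender"
        if now - entry.first_seen < MIN_DELAY:
            entry.last_seen = now
            return "tempfail", "451 retry too early, try again later"
        # An RFC-compliant MTA that came back after the delay; spambots rarely do.
        entry.passed = True
        entry.last_seen = now
        return "accept", "retried after delay, sender now known"

    def report_spam(self, ip, now=None):
        """Record that a message accepted from ip was spam (feeds the reputation check)."""
        now = time.time() if now is None else now
        entry = self.db.get(ip)
        if entry is not None:
            entry.spam_hits.append(now)

    def purge(self, now=None):
        """Drop stale entries so the table does not grow with every spambot probe."""
        now = time.time() if now is None else now
        stale = [ip for ip, e in self.db.items()
                 if (e.passed and now - e.last_seen > KNOWN_TTL)
                 or (not e.passed and now - e.last_seen > PENDING_TTL)]
        for ip in stale:
            del self.db[ip]
        return len(stale)


def demo():
    """Constructed walk-through on documentation-range addresses; returns the verdicts."""
    g = Greylist(whitelist=["198.51.100.0/24"])       # assumed: a trusted provider's range
    t0 = 1_700_000_000.0
    return [
        g.check("198.51.100.7", t0)[0],               # whitelisted: accept
        g.check("203.0.113.5", t0)[0],                # first contact: tempfail
        g.check("203.0.113.5", t0 + 60)[0],           # retry after 1 min: tempfail
        g.check("203.0.113.5", t0 + 300)[0],          # retry after 5 min: accept, now known
        g.check("203.0.113.5", t0 + 30 * 86400)[0],   # 30 days later: accept, timeout refreshed
        g.check("203.0.113.5", t0 + 71 * 86400)[0],   # 41 days of silence: greylisted again
    ]
```

The table is keyed on the IP alone, as the comment describes; a classic greylist keys on the (sender IP, envelope from, envelope to) triplet, which delays more first contacts but is harder for a sender to pre-warm. Either way the `purge` step matters, since every spambot that never retries still leaves a row behind.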
Agreed, 110% (unfortunately)... apk (Score:0, Informative)
The reason I state this is that I've been building up a successful blacklist (albeit NOT vs. "spam" or phishers only, but more vs. online threats in maliciously scripted sites &/or servers known to serve up malware etc.):
Yes, thus - I'd have to say, based on 15++ yrs. of experience doing it (based on reputable & reliable sites listed below) that yes, MOST of it comes from those nations (& that's why I said "unfortunately" in my subject-line - since I know their people are NOT "all bad", just that they have a lot of what you state going on).
I base this not only on "opinion" but HARD DATA too!
From a list of over 1,967,147 such bogus sites/servers that I apply in custom hosts files, and which grows by approximately 200 - 2,000 such sites each day (that *might* strike some of you as "fantastic", but it's real)... I get my data from the following sites:
http://hosts-file.net/?s=Download [hosts-file.net]
http://www.malwaredomainlist.com/hostslist/hosts.txt [malwaredomainlist.com]
http://www.malware.com.br/cgi/submit?action=list_hosts_win_0000 [malware.com.br]
http://winhelp2002.mvps.org/hosts.htm [mvps.org]
https://spyeyetracker.abuse.ch/monitor.php?filter=lastupdated [abuse.ch]
http://safeweb.norton.com/noscript/ [norton.com]
http://mirror1.malwaredomains.com/files/ [malwaredomains.com]
http://hostsfile.org/hosts.html [hostsfile.org]
http://www.malwareurl.com/ [malwareurl.com]
http://sysctl.org/cameleon/hosts [sysctl.org]
http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext [yoyo.org]
http://www.safer-networking.org/dl/ [safer-networking.org]
http://amada.abuse.ch/palevotracker.php [abuse.ch]
AND, then I import, consolidate, sort, & deduplicate that data using this application I wrote to do so:
---
APK Hosts File Engine 5.0++ 32/64-bit:
http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]
---
Why? Simple - it works, & on the SIMPLEST PRINCIPLE OF ALL: What you can't touch, can't hurt you... & I never was the type of person to just "sit around & take it" - I do something about it, IF possible. The above IS my possible, and it is possible & works (in combination with all I put into this security guide I authored from 1997-2007, here -> http://www.google.com/search?hl=en&output=search&sclient=psy-ab&q=%22How+to+SECURE+Windows+2000/XP%22&btnG=Submit&gbv=1&sei=PjNrUcDVGpSz4AOJuIHQDQ [google.com] that works on the BEST THING WE HAVE GOING: "Layered-Security"/"Defense-in-Depth"... & yes, it works! )
APK
P.S.=> Any questions?
... apk
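The import, consolidate, sort and de-duplicate step described in the post above, as an added example in Python; it is not the APK Hosts File Engine or any of the listed projects' code. The two sample lists, the exclusion list and the documentation-range addresses are constructed for the example. Beyond what the post states, it also refuses lines whose address is not a blackhole sink, since a list that maps a name to some other address is a redirect, not a block.

```python
# Added example (not the APK Hosts File Engine): merge several hosts-format
# blocklists into one sorted, de-duplicated hosts file. Sample lists are constructed.
import re

# RFC 1123 hostname: labels of 1-63 [a-z0-9-], no leading/trailing hyphen, 253 chars max.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")
SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}           # addresses blocklists point names at
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
               "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}


def parse_hosts(text):
    """Return the set of blocked hostnames in one hosts-format list."""
    names = set()
    for raw in text.lstrip("\ufeff").splitlines():          # tolerate a UTF-8 BOM and CRLF
        line = raw.split("#", 1)[0].strip()                   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            # Not hosts format, or a real address mapping: importing the latter
            # would let a list author redirect names on your machine.
            continue
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host in LOCAL_NAMES or not HOST_RE.match(host):
                continue
            names.add(host)
    return names


def merge(sources, exclude=()):
    """Consolidate, de-duplicate and sort; `exclude` removes known false positives."""
    names = set()
    for text in sources:
        names |= parse_hosts(text)
    names -= {e.lower() for e in exclude}
    # Sort by reversed labels so that a domain and its subdomains sit together.
    return sorted(names, key=lambda h: h.split(".")[::-1])


def render(names, sink="0.0.0.0"):
    """Emit a hosts file; blocklists use 0.0.0.0 or 127.0.0.1 as the sink."""
    body = "\n".join(f"{sink} {h}" for h in names)
    return f"# {len(names)} blocked hosts\n{body}\n"


# Constructed sample lists in hosts format, using documentation domains only.
LIST_A = """\
# constructed list A
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # mixed case, trailing comment
127.0.0.1 malware.example.org www.malware.example.org
"""
LIST_B = """\
0.0.0.0 tracker.example.net
0.0.0.0 ads.example.com
0.0.0.0 bad_host.example        # underscore: not a valid hostname, dropped
::1 localhost ip6-localhost
203.0.113.10 www.example.com    # real mapping, not a block entry: dropped
0.0.0.0 phish.example.com.
"""


def demo():
    """Merge the two constructed lists into one sorted, de-duplicated name list."""
    return merge([LIST_A, LIST_B])
```

Two caveats worth keeping in mind with this approach: a hosts file matches exact names only, so every subdomain needs its own line (one reason such lists grow by thousands of entries a day) and anything reached by raw IP is not covered at all; and the `exclude` list is where the transparency point from the summary applies, since a wrongly listed host has to be removable quickly and visibly.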