This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] Re: update on netsecdb project
Frank Gadegast
phade at www.powerweb.de
Tue Apr 6 15:57:30 CEST 2010
Hi,

> IMHO just having blacklists based on IP addresses is not enough:
> * rapidly increasing mobile internet (which has dynamic IPs unless
>   one keeps a connection open indefinitely - hardly ever the case)
> * tendency to reuse one bot for an ever decreasing number of spam messages
> - so blacklists are and always getting to be less helpful.

Most blacklists do not care to block a person, they block IPs.
If those IPs are dynamic, it's up to the provider how to deal with that.

> We did an analysis of a common DNSBL and found that only 3% of
> active bots could be found there at the timepoint when they were
> active. Roughly the same number (6%) can be got when comparing with
> originating IPs from incoming spam. If spam volume is sinking - and it

Hm, I doubt the result, we block every bot that sends spam to our
customers easily. Any dynamic IP is just sending as ONE spam and
then never again until the provider starts to do something.

I doubt your results. They are probably based only on open blacklists.

> definitely does at least for me - this has nothing to do with any
> countermeasures but is probably just a delayed effect from the economic
> crisis. Let's not delude ourselves here.
>
> Actually, our paper on automating botnet tracking was downloaded
> quite often (we got a mail from Computers & Security / Elsevier that
> it was among the top 25 downloaded papers in Q4/2009 - whatever that
> means ;-) so there seems to be a lot of interest in tracking bots
> with more intelligent techniques. My opinion was and still is that we
> need to automate detection and tracking techniques and not necessarily

You seem to be too scientific here. It's that easy to track every
bot, especially for the access providers, if their own IPs get abused.

> rely on old obsolete filtering techniques (although they can be
> helpful in some cases).
> But I see the limits of RIPE to make such an
> approach happen and frankly I don't see any other supranational
> organization that can pull that off.
>
> So here's to hoping the spammers die out from the current crisis and
> we can switch off all our spamfilters...

I disagree here. Access providers somehow have to be forced to
block customers with infected PCs. This should be done via
the community rather than countries' governments. It will only
end in useless methods if governments get involved.

I still do not get how RIPE can accept criminal or even ignorant members.
Criminality can't be part of the "free internet".

Kind regards, Frank
--
PHADE Software - PowerWeb                http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast        mailto:frank at powerweb.de
Schinkelstrasse 17                       fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany    fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

>
> Best,
> Alex
> --
> Dr. Alexander K. Seewald
>
> Seewald Solutions
> www.seewald.at
> Tel. +43(664)1106886
> Fax. +43(1)2533033/2764
>