[79316] in North American Network Operators' Group
Re: botted hosts
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Sun Apr 3 12:33:53 2005
Date: Sun, 3 Apr 2005 22:02:25 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
Reply-To: Suresh Ramasubramanian <ops.lists@gmail.com>
To: Petri Helenius <pete@he.iki.fi>
Cc: Nanog Mailing list <nanog@nanog.org>
In-Reply-To: <42501630.7020400@he.iki.fi>
Errors-To: owner-nanog@merit.edu
Not all bots
On Apr 3, 2005 9:43 PM, Petri Helenius <pete@he.iki.fi> wrote:
> Conclusion is that blocking 25 inbound from a handful of prefixes would
> stop >10% of spam.
Using two or three carefully chosen DNSBLs would be a superset of your
conclusion
> +--------+------------------+
> | 2.0754 | 207.182.144.0/20 |
and from later down in your list
> | 1.0963 | 207.182.136.0/21 |
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL9198 - 207.182.128.0/19
in ROKSO as a potentially hijacked netblock
> | 1.7184 | 4.0.0.0/8 |
That's old BBN netspace, now Level 3. Level 3 provides dialups to a
whole lot of providers, and .. hell, I don't need to tell you about
Level 3. Anyway, a good dialup list (DUHL, or maybe the DUL if you
want to license it) should help.
> | 1.3054 | 82.224.0.0/11 |
Proxad in France - dialup / broadband dynamic IP space I expect
> | 1.1116 | 221.144.0.0/12 |
Korea. Likely to be a good mix of direct spam sources and botted
hosts. Spamhaus SBL and XBL, plus a dynamic IP list just might help
> | 0.9943 | 61.78.37.0/24 |
> | 0.9586 | 218.144.0.0/12 |
> | 0.9484 | 222.96.0.0/12 |
> | 0.7394 | 222.65.0.0/16 |
> | 0.7343 | 211.200.0.0/13 |
SBL + XBL + Dynamic IPs
Then, surbl.org catches a few more for you (I can recommend
ob.surbl.org on the principle of eating our own dogfood, we use it ..)
--
Suresh Ramasubramanian (ops.lists@gmail.com)
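
Added example, not part of the original message: a Python sketch that totals the quoted per-prefix spam shares, checks which quoted prefixes already sit inside the cited SBL9198 /19, and builds the reversed-octet DNSBL query names an MTA would look up. The sample address and the function names are constructed for illustration; the 127.255.255.0/24 handling reflects Spamhaus error return codes, which must not be read as listings.

```python
import ipaddress

# (share of spam in %, prefix) rows exactly as quoted in the message above.
QUOTED = [
    (2.0754, "207.182.144.0/20"), (1.0963, "207.182.136.0/21"),
    (1.7184, "4.0.0.0/8"), (1.3054, "82.224.0.0/11"),
    (1.1116, "221.144.0.0/12"), (0.9943, "61.78.37.0/24"),
    (0.9586, "218.144.0.0/12"), (0.9484, "222.96.0.0/12"),
    (0.7394, "222.65.0.0/16"), (0.7343, "211.200.0.0/13"),
]
SBL9198 = ipaddress.ip_network("207.182.128.0/19")  # listing cited in the reply
LISTED = ipaddress.ip_network("127.0.0.0/8")        # DNSBL "listed" answers
ERRORS = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus error codes, not listings

def total_share(rows):
    """Sum of the quoted percentages."""
    return round(sum(share for share, _ in rows), 4)

def covered_by(rows, listing):
    """Quoted prefixes that fall entirely inside one blocklist entry."""
    return [p for _, p in rows if ipaddress.ip_network(p).subnet_of(listing)]

def dnsbl_qname(ip, zone):
    """IPv4 DNSBL query name: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(answers):
    """answers: A records returned for the query name ([] for NXDOMAIN)."""
    ips = [ipaddress.ip_address(a) for a in answers]
    return any(a in LISTED and a not in ERRORS for a in ips)

if __name__ == "__main__":
    print(total_share(QUOTED), covered_by(QUOTED, SBL9198))
    sample = "207.182.150.10"  # constructed address inside 207.182.144.0/20
    for zone in ("sbl.spamhaus.org", "xbl.spamhaus.org"):
        print(dnsbl_qname(sample, zone))
```

The DNS resolution itself is left out so the block runs offline; pass the A records your resolver returns for the query name to `is_listed`.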