[geeks] .hk, .cn, .info considered harmful

Mike Meredith very at zonky.org
Thu Jun 5 13:55:16 CDT 2008


On Thu, 5 Jun 2008 14:05:37 -0400, Rich Kulawiec wrote:
> I've been gradually arriving at the viewpoint that systemic blocking
> of what I'll call (for lack of a better term) "bad actors" is
> necessary. For most purposes, spammers and phishers and spyware
> authors and botnet operators and so on *are the same people*, so once
> they're identified, there's no point in allowing any further traffic
> to or from them -- thus I'm shifting more and more measures from
> application protocol servers to the firewall.

In the case of mail and even to some extent malware distribution, most
'distribution servers' are in fact infected consumer machines that are
only owned by the spammers/phishers/etc because they've been stolen
(despite being resident in the 'victims'' home). I'd personally like to
null route all traffic going between my client machines and the 'bad
actors', but permit traffic to web servers (at least).

On the web servers redirect all requests from 'bad actors' to a page
saying "No web for you ... you are or have been infected". If enough
web server operators started doing that, it might get the message
across.

> Of course, that leaves the small problem of identification, but that
> is left as an exercise for the reader. ;-)

It would be nice to use application level inspection to 'feed' bad
addresses to the firewall to block. Detect 'bad actors' from the proxy
cache logs/web server logs/mail server logs, extract the IP address
(with a DNS lookup if necessary), populate a MySQL table with date, and
regularly pull addresses from the MySQL table (no older than x days) to
put into the firewall.

Hmm ... I smell an interesting script or two.


-- 
Mike Meredith (http://zonky.org/)
 By the way, you DON'T want to see what a meat layer buffer overrun
 looks like.... (mjr on fw-wiz)
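
As an added illustration of the log-to-firewall feed sketched above (not code from the post or from zonky.org): a Python script that pulls 'bad actor' addresses out of web server log lines, records them with the date seen, and periodically emits block rules for only those seen within the last x days. It assumes Apache combined-log format, an in-memory SQLite table standing in for the MySQL table, and hypothetical scanner-request signatures; the sample log lines are constructed.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample log lines (Apache combined-log style), not taken from any real server.
SAMPLE_LOGS = [
    '203.0.113.7 - - [20/May/2008:10:00:00 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 210',
    '198.51.100.9 - - [04/Jun/2008:11:30:00 +0000] "GET /phpMyAdmin/main.php HTTP/1.1" 404 210',
    '192.0.2.44 - - [05/Jun/2008:09:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# Hypothetical 'bad actor' signatures: requests for scripts this site never served.
BAD_PATTERNS = ("formmail.pl", "phpMyAdmin")


def open_db():
    db = sqlite3.connect(":memory:")  # assumed stand-in for the MySQL table in the post
    db.execute("CREATE TABLE bad_actors (ip TEXT NOT NULL, seen TEXT NOT NULL)")
    return db


def record_bad_actors(db, lines):
    """Parse log lines and store (ip, timestamp) for every request matching a bad signature."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not any(p in m["req"] for p in BAD_PATTERNS):
            continue
        seen = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        db.execute("INSERT INTO bad_actors VALUES (?, ?)", (m["ip"], seen.isoformat()))


def recent_bad_ips(db, now, max_age_days):
    """Addresses seen no older than max_age_days before `now`, so stale entries age out."""
    cutoff = (now - timedelta(days=max_age_days)).isoformat()  # ISO strings sort chronologically
    rows = db.execute("SELECT DISTINCT ip FROM bad_actors WHERE seen >= ? ORDER BY ip", (cutoff,))
    return [r[0] for r in rows]


def build_blocklist(lines, now_iso, max_age_days):
    """Full pipeline: logs -> table -> firewall rules (returned as strings, not executed)."""
    db = open_db()
    record_bad_actors(db, lines)
    ips = recent_bad_ips(db, datetime.fromisoformat(now_iso), max_age_days)
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in build_blocklist(SAMPLE_LOGS, "2008-06-05T12:00:00", 7):
        print(rule)
```

Review the generated rules before loading them; a shared proxy or NAT address in the table blocks every host behind it.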