funsec mailing list archives

Re: 95% of User Generated Content is spam or malicious


From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Mon, 15 Feb 2010 09:28:08 -0800

DROP and Country blocks are part, but only part, of the ThreatSTOP
feeds.

If you're not using Bogons, DShield, Shadowserver, and the SRI MTC,
you're missing the recon bots, new malware drive-by seeds, and the C&Cs.

We've got those, and more, including some of our own developed using
cross-correlation and user log submission.

ThreatSTOP is pretty much about aggregating the best practices blocks
such as you have listed, and constantly tracking which ones stay
current, and making them easy to use and dynamically updated across
multiple platforms.

Sounds like you're doing what I was doing when I came up with the
underlying idea, and was having to write a new script for each new type
of firewall or new list I wanted to use, and said "There has to be a
better way", looked for one, didn't find it, and so decided to build it!

Stay safe!



-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Rich Kulawiec
Sent: Monday, February 15, 2010 8:46 AM
To: funsec () linuxbox org
Subject: Re: [funsec] 95% of User Generated Content is spam or
malicious

On Sun, Feb 14, 2010 at 03:41:16PM -0800, Tomas L. Byrnes wrote:
> ThreatSTOP users running the default TS blocklists on their firewalls
> before the anti-spam systems see, typically, 15% to 25% reduction in
> average SMTP traffic, and a reduction of peak SMTP traffic to 1/4 of
> what it is without ThreatSTOP.

<chuckle> I'm waaaay past that.  I've cut down the number of incoming
connections by about 90% via judicious use of the DROP list, country
blocks (see ipdeny.com), spammer-allocated blocks, etc. at the
firewall.

In one installation, I've gone the other way: all SMTP connections
are blocked except those originating in North America (less those on
the DROP list or in spammer-allocated blocks).

The default-permit model for SMTP is on its way out, and it makes
progressively less sense to spend ever-increasing resources to
sustain it.  But judicious study of inbound/outbound mail traffic
is very necessary before trying something like this.  (Then again:
how could any postmaster possibly know how well they're doing unless
they measure it?  Sadly, very, very few actually do.)

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

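The policy Rich describes (default-deny SMTP, allow only a region, minus DROP-listed and spammer-allocated space) and his point that a postmaster has to measure before trying it can be put together in a small script. The following is an added illustration, not code from the thread, from ThreatSTOP or from either poster. Every CIDR and log line in it is a constructed placeholder (TEST-NET and shared-address ranges); a real deployment would load the Spamhaus DROP list, its own spammer-allocated blocks and the ipdeny.com zone files mentioned above instead.

```python
"""Measure what a geo/DROP-style SMTP firewall policy would block.

Added illustration for the thread above; not code from ThreatSTOP or from
either poster. All CIDRs and log lines are constructed placeholders.
"""
import ipaddress
from collections import Counter

# Constructed stand-in for "North America" allocations (TEST-NET-1 and -2).
ALLOWED_REGION_CIDRS = ["192.0.2.0/24", "198.51.100.0/24"]
# Constructed stand-in for the DROP list. It deliberately overlaps the
# allowed region so the deny-before-allow ordering gets exercised.
DROP_CIDRS = ["198.51.100.128/25"]
# Constructed stand-in for spammer-allocated blocks (TEST-NET-3).
SPAMMER_CIDRS = ["203.0.113.0/24"]

# Constructed connection log: "<timestamp> <src_ip> <dst_port>", one per line.
# Addresses in 100.64.0.0/10 play "outside the allowed region".
SAMPLE_LOG = """\
# constructed sample, not a real firewall log
2010-02-15T08:00:01 192.0.2.10 25
2010-02-15T08:00:02 192.0.2.11 25
2010-02-15T08:00:03 198.51.100.5 25
2010-02-15T08:00:04 198.51.100.200 25
2010-02-15T08:00:05 203.0.113.7 25
2010-02-15T08:00:06 203.0.113.8 25
2010-02-15T08:00:07 100.64.0.9 25
2010-02-15T08:00:08 100.64.1.9 25
2010-02-15T08:00:09 100.64.2.9 25
2010-02-15T08:00:10 100.64.3.9 25
2010-02-15T08:00:11 192.0.2.12 443
"""


class SmtpPolicy:
    """Default-deny SMTP policy: deny-lists first, then the allowed region only."""

    def __init__(self, allowed, drop, spammer):
        self.allowed = [ipaddress.ip_network(c) for c in allowed]
        self.drop = [ipaddress.ip_network(c) for c in drop]
        self.spammer = [ipaddress.ip_network(c) for c in spammer]

    def decision(self, ip):
        """Classify one source address; anything but "allow" is dropped."""
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self.drop):
            return "drop-list"
        if any(addr in n for n in self.spammer):
            return "spammer-block"
        if not any(addr in n for n in self.allowed):
            return "outside-region"
        return "allow"

    def iptables_rules(self, chain="SMTP_IN"):
        """Render the policy as iptables rule lines (strings only; nothing is applied)."""
        rules = [f"-N {chain}", f"-A INPUT -p tcp --dport 25 -j {chain}"]
        # Deny-lists go first so DROP-listed space inside the region still loses.
        rules += [f"-A {chain} -s {n} -j DROP" for n in self.drop + self.spammer]
        # Allowed region returns to INPUT for normal processing.
        rules += [f"-A {chain} -s {n} -j RETURN" for n in self.allowed]
        rules.append(f"-A {chain} -j DROP")  # default deny for everyone else
        return rules


def smtp_sources(log_text):
    """Yield source IPs of port-25 connections from the constructed log format."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dport = line.split()
        if dport == "25":
            yield src


def measure(policy, log_text):
    """Count connections per verdict and the share the policy would drop."""
    counts = Counter(policy.decision(ip) for ip in smtp_sources(log_text))
    total = sum(counts.values())
    blocked = total - counts["allow"]
    pct = round(100.0 * blocked / total, 1) if total else 0.0
    return {"total": total, "blocked": blocked,
            "reduction_pct": pct, "by_reason": dict(counts)}


def default_policy():
    return SmtpPolicy(ALLOWED_REGION_CIDRS, DROP_CIDRS, SPAMMER_CIDRS)


if __name__ == "__main__":
    pol = default_policy()
    print(measure(pol, SAMPLE_LOG))
    print("\n".join(pol.iptables_rules()))
```

Run against a real connection log before touching the firewall, the number to watch is `by_reason["outside-region"]`: that is the legitimate-looking traffic the region cut would silence, and it is the part that needs the inbound/outbound study Rich insists on. For lists of real size the per-CIDR `-s` rules would be replaced by ipset sets matched with `-m set --match-set`, but the chain layout (deny-lists, then region allow, then default DROP) stays the same.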