On 12/13/11 7:44 AM, Kevin A. McGrail wrote:
> Blocking seems to be the only thing that really achieves the goal
> they want beyond conversion to paying customers which is not SA's issue.
I agree with Kevin.
A while back, I published an 'example' blocking list,
'blocked.secnap.net' (wildcard entry for IPv4 :-). Guess what? It was
added to a couple of perl DNSBL modules and used by people who never
looked at what it was!
Two things happened:
#1, lots of queries (hundreds of thousands per day) from one or two
unnamed large ISPs.
#2, calls from 'internet lawyers' demanding that we remove them from the
list. (We emailed them the BIND zone and told them to identify their IP
address and we would gladly remove it.)
Also, emailing or calling 'abusers' doesn't work.
Kevin and I both run two of three sa-update mirror servers, and we have
seen several 'ill configured' servers that try to pull the same
sa-update every 5 mins forever.
I had our night shift guys track down and send the admins a friendly
note, mentioning that they aren't getting the updates anyway, so why not
No response, no change in activity. (Note: this might be due to one of
the distros not being able to store and check PGP keys if they are in
the /tmp directory; a proposed SA bugzilla starts to address this, but
these queries are for older versions of SA.)
And/or full /tmp filesystems, etc. We never did figure it out, but if
anyone wants a list of the top 10 IPs, they can email me offlist.
Now, I disagree TOTALLY on setting the abusers' DNS queries to return
FP on DNSWL_HIGH; this serves no purpose. Blocking the IP address by
firewall will save bandwidth and CPU cycles. Returning FP on HIGH won't
ever get Google's attention, will it? And you still get the bandwidth
and CPU cycles from the largest abusers.

Regards,
Michael Scheidell, CTO
d: 561-948-2259 | SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator
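The post mentions two measurements a mirror or DNSBL operator would want before deciding what to block by firewall: which IPs generate the most requests overall, and which ones re-fetch the same thing far more often than any update cadence justifies (the "every 5 mins forever" clients). The following is an added example, not code from the original post or from the SpamAssassin project: it parses constructed web-server access log lines in Apache "combined" format (an assumption about how a mirror is logged), ranks clients by total fetches, and flags any client whose peak rate inside a sliding one-hour window exceeds a threshold. The IP addresses, timestamps, paths and thresholds are all made up for the demonstration.

```python
"""Rank sa-update mirror clients by fetch volume and flag repeat fetchers.

Added example, not part of the original mailing-list post. The log format
(Apache/nginx "combined") and the sample lines below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "combined" access-log layout: client, ident, user, [timestamp],
# "METHOD path proto", status, bytes, referer, user-agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
EST = timezone(timedelta(hours=-5))


def _line(ip, minute_offset, path="/updates/MIRRORED.BY", status=200):
    """Build one constructed log line, minute_offset minutes after 07:00."""
    ts = datetime(2011, 12, 13, 7, 0, tzinfo=EST) + timedelta(minutes=minute_offset)
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "sa-update/3.3.1"')


# Constructed sample: one client polling every 5 minutes for an hour, one
# well-behaved client fetching once, one fetching twice 90 minutes apart,
# and a junk line the parser must skip.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", m) for m in range(0, 60, 5)]
    + [_line("198.51.100.20", 10)]
    + [_line("192.0.2.9", 0), _line("192.0.2.9", 90)]
    + ["this line is not in access-log format"]
)


def parse_log(text):
    """Return a list of dicts (ip, ts, path, status); unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return records


def fetches_per_ip(records):
    """Total fetches per client address."""
    return Counter(r["ip"] for r in records)


def top_talkers(records, n=10):
    """The n clients with the most fetches, highest first."""
    return fetches_per_ip(records).most_common(n)


def peak_rate(records, window=timedelta(hours=1)):
    """Largest number of fetches each client made inside any window-long span.

    Two-pointer sweep over each client's sorted timestamps: the left edge
    advances until the span [left, right] is shorter than the window.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    peaks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best = left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] >= window:
                left += 1
            best = max(best, right - left + 1)
        peaks[ip] = best
    return peaks


def block_candidates(records, window=timedelta(hours=1), max_fetches=2):
    """Clients whose peak in-window fetch count exceeds max_fetches (sorted)."""
    return sorted(ip for ip, n in peak_rate(records, window).items() if n > max_fetches)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top talkers:", top_talkers(recs, 3))
    print("peak fetches per hour:", peak_rate(recs))
    print("firewall block candidates:", block_candidates(recs))
```

The threshold of two fetches per hour is deliberately generous: sa-update clients that are working correctly have no reason to re-fetch the same file more than once between rule releases, so anything well above it is a misconfigured poller rather than a busy but legitimate site. Running the rate check separately from the total-volume ranking matters because a large ISP can legitimately be a top talker without ever exceeding a sane per-client rate.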