Yep, I really am. From now on, any system that relays a virus-laden email to my system is going into a DNS blackhole list serving all of the systems I administer. In a fit of "had it up to here"-ness, I've written the following programs today:

dnsbl: Adds authorized users to a PostgreSQL database. Allows authed users to add virus/worm/trojan categories. Allows authed users to add a specified host to the PostgreSQL database, along with the offending category that it falls into and an expiration time. Also pushes updates to a BIND 9 server supporting dynamic updates via TSIG authentication. Supports a "cleanup" mechanism (run via cron) that deletes expired entries from the PostgreSQL database and the BIND 9 server.

searchreceived: Scans a mail on STDIN for the first Received: header that isn't a machine on my network or one of my relays.

slurpworms: Calls "fetchmail" to grab all new messages from my "viruses" folder, pipes them through "searchreceived", and dumps the results into "dnsbl".

Really, I can't take it anymore. I've received over 40,000 emails from infected machines, and I'm fighting back. Once I've verified correct functionality, I'll start allowing zone ixfrs from anyone who wants to chip in, and I'm setting up a web form to accept new submissions from authorized users (see the "authed users" entries under "dnsbl").

This is ridiculous. I'm about "this close" to setting Sendmail to bouncing all blackholed emails to "abuse@microsoft.com".

-- 
Kirk Strauser
"94 outdated ports on the box, 94 outdated ports. Portupgrade one, an hour 'til done, 82 outdated ports on the box."
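The two pieces of the post's pipeline that can be shown in code are the "searchreceived" step (walk the Received: headers newest-first and stop at the first hop that is not one of our own machines) and the "dnsbl" step (turn that address into a reversed-octet record and a BIND 9 dynamic update). The following Python is an added example written for this page; it is not Kirk's searchreceived or dnsbl code, which is not on the page. The sample messages, the trusted networks (192.0.2.0/24 and 198.51.100.7), the zone dnsbl.example.net and the server ns1.example.net are all constructed for the example. The security point it encodes is why the scan stops at the first untrusted hop: every Received: line below that one was written by, or could have been forged by, the machine that handed the message to us, so it is never consulted.

```python
import email
import ipaddress
import re
from typing import Iterable, Optional

# Constructed sample: four hops, most recent first. 192.0.2.0/24 is "our
# network" and 198.51.100.7 our trusted relay; 203.0.113.55 is the first hop
# we did not run ourselves. The bottom header (10.9.8.7) was supplied by that
# untrusted host and must not be believed. All addresses are documentation ranges.
SAMPLE_MAIL = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP id A1; Wed, 24 Sep 2003 17:00:00 -0500\n"
    "Received: from relay.example.org (relay.example.org [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP id B2; Wed, 24 Sep 2003 16:59:00 -0500\n"
    "Received: from pc (unknown [203.0.113.55])\n"
    "\tby relay.example.org with SMTP id C3; Wed, 24 Sep 2003 16:58:00 -0500\n"
    "Received: from forged.example (forged.example [10.9.8.7])\n"
    "\tby pc with SMTP; Wed, 24 Sep 2003 16:57:00 -0500\n"
    "From: someone@example.com\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

# Constructed sample in which every hop is one of our own machines.
SAMPLE_INTERNAL = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP id D4; Wed, 24 Sep 2003 17:00:00 -0500\n"
    "From: admin@example.net\n"
    "Subject: constructed internal message\n"
    "\n"
    "body\n"
)

# Assumed for the example: our own network plus one relay we trust.
TRUSTED = ["192.0.2.0/24", "198.51.100.7"]

# The client address is the bracketed IPv4 literal in the "from" clause.
# DOTALL because a folded header still contains its line breaks.
RECEIVED_FROM_IP = re.compile(
    r"\bfrom\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.IGNORECASE | re.DOTALL
)


def first_untrusted_relay(raw_mail: str, trusted: Iterable[str]) -> Optional[str]:
    """Return the client IP of the first Received: hop that is not ours.

    Received: headers are prepended, so get_all() yields them newest-first.
    Headers written by hosts we control are trustworthy; the first header whose
    client lies outside our networks names the machine that handed the message
    to us. Everything below it is untrusted input, so we stop there.
    """
    nets = [ipaddress.ip_network(t) for t in trusted]
    msg = email.message_from_string(raw_mail)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM_IP.search(str(hdr))
        if not m:
            return None  # unparseable hop: refuse to guess rather than misattribute
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            return None  # malformed literal such as 999.1.1.1
        if any(addr in n for n in nets):
            continue  # our own machine or a trusted relay; look at the next hop
        return str(addr)
    return None  # every hop was ours: nothing to list


def dnsbl_record_name(ip: str, zone: str) -> str:
    """Map a client IP to its DNSBL name: octets reversed under the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def nsupdate_script(ip: str, zone: str, server: str, ttl: int, remove: bool = False) -> str:
    """Build nsupdate(8) input that adds (or, for expiry cleanup, deletes) the
    listing through a BIND 9 dynamic update. The TSIG key is passed out of band
    with `nsupdate -k <keyfile>`; no key file is assumed here. 127.0.0.2 is the
    conventional "listed" answer returned by a DNSBL."""
    name = dnsbl_record_name(ip, zone)
    update = f"update delete {name} A" if remove else f"update add {name} {ttl} A 127.0.0.2"
    return "\n".join([f"server {server}", f"zone {zone.rstrip('.')}.", update, "send", ""])


if __name__ == "__main__":
    offender = first_untrusted_relay(SAMPLE_MAIL, TRUSTED)
    print("first untrusted hop:", offender)
    if offender:
        print(nsupdate_script(offender, "dnsbl.example.net", "ns1.example.net", 86400))
```

Feeding the output to `nsupdate -k <tsig-key-file>` performs the authenticated update; the same function with `remove=True` produces the delete that a cron-driven cleanup would send once the stored expiration time has passed.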
Seems like a lot of work with way too much room for false positives. Why aren't you running a content filter on executable attachments so they get bounced and you never see them? BTW -- Shouldn't that be hunnypot.net?
Greg 'groggy' Lehey
2003-Sep-24 21:05 UTC
Mail blocking (was: I've had enough. I'm starting a DNS blackhole list.)
On Wednesday, 24 September 2003 at 17:15:27 -0500, Kirk Strauser wrote:
> Yep, I really am. From now on, any system that relays a virus-laden email
> to my system is going into a DNS blackhole list serving all of the systems I
> administer. In a fit of "had it up to here"-ness, I've written the
> following programs today:
>
> ...

On Wednesday, 24 September 2003 at 21:17:26 -0400, Drew Derbyshire wrote:
>> [missing context]
>
> Seems like a lot of work with way too much room for false positives.
>
> Why aren't you running a content filter on executable attachments so they
> get bounced and you never see them?

One reason would be that the traffic is expensive. I'm on a 2 GB/month plan, after which I pay significantly higher charges. I'm currently getting 50 to 60 MB a day just of this mail crap. Yes, it all gets dropped (just dropping .exe attachments does it), but that doesn't stop the traffic.

Greg
-- 
See complete headers for address and phone numbers
On Wed, Sep 24, 2003 at 05:15:27PM -0500, Kirk Strauser wrote:
> Yep, I really am. From now on, any system that relays a virus-laden email
> to my system is going into a DNS blackhole list serving all of the systems I
> administer.

Sounds remarkably like the DNSBL described at http://vbl.messagelabs.com/

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK