Hi there,
On Thu, 11 Mar 2021, Paul Smith via clamav-users wrote:
On 10/03/2021 22:29, Joel Esler (jesler) via clamav-users wrote:
... in the past 24 hours has created 22.17M file downloads
/all by themselves/ from a single IP. (The main.cvd btw)
... internal release cycle or something ... or something
... NAT will innocently cause strange results.
The (for want of a better word) history of the Internet is littered
with parallels to the Tacoma Narrows Bridge incident, or as those of
us in the engineering professions often say [****].
Large networks can seem to take on a life and character all of their
own, but in the end it's all susceptible to reason. Every IP address
should have a working abuse reporting address which can be found by a
'whois' query. For example for clamav.net:
$ whois `dig +short clamav.net` | grep -i abuse
OrgAbuseHandle: TALOS-ARIN
OrgAbuseName: Talos Operations
OrgAbusePhone: +1-727-540-3152
OrgAbuseEmail: talos....@cisco.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/TALOS-ARIN
$
It _should_ be trivial to report the abuse to the address given by the
whois query and that should get the abuse stopped fairly promptly. If
it doesn't, then it's not a working abuse reporting address. Large
sections of the Internet address space either don't have working abuse
addresses, or their operators are in league with criminals and make a
token response which is ineffective, or they're just plain incompetent
and do nothing that's effective. To me that all means 'not working'.
If an IP doesn't have a working abuse reporting address, in my view
prima facie there's a case that it should be permanently firewalled.
Joel, have you tried reporting to abuse addresses at least for some of
the worst offenders? Do you have a large body of low-grade offenders
which make you feel you don't want to go to the office in the morning?
Like many system administrators I also have that tee-shirt.
Less than 5% of the mail that my mail systems see is genuine. More
than 95% is in some way abusive. It's almost overwhelming, and it's
impractical to deal with it all manually, so over the last few years
I've developed an automatic abuse reporting system (of which clamd is
an integral part) which not only sends reports to the abuse addresses
from 'whois', but also uses other ways to find them, and, depending on
the kind of abuse, can report to ClamAV, Sanesecurity, Securiteinfo,
and for example abuse clearing houses run by various government and
law enforcement agencies for what that's worth. Of course it blocks
the abusive messages too - that's almost a side-effect. I tend to use
TEMPFAIL rather than REJECT and/or firewall - it's configurable - so
exceedingly spammy providers like Gm@il and M1cro$oft use up more of
their resources but the option simply to firewall the IP is available.
Unfortunately, automatic systems have sometimes had a reputation for
making the problem worse, not better [****]. It's important to avoid
that, which I think I've managed. Very little of what I see is what
you would call malware, and even less is automatically identified as
such, so only about 1% of reports go to the ClamaAV signature team at
present but at least it gives automatic feedback. Perhaps the guys at
Sanesecurity and Securiteinfo can chip in with an opinion? You get a
sizeable fraction of the reports and any feedback that you can give me
will be very valuable. It seems not easy to get. It's been a lot of
work, and there's a lot left to do, but it's been worth it to be able
to return serve thousands of times every day with little extra effort.
Joel, I'm sure it wouldn't be hard to adapt the ideas to other systems
if you'd be interested in exploring that.
[***] Roughly translated, "I never thought of that".
--
73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
