Some very good ideas here.  Thanks, Pete.

Darin.


----- Original Message ----- 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 22, 2004 1:49 PM
Subject: Re: [Declude.JunkMail] Nameserver issues and Spam fighting


At 12:16 PM 4/22/2004, you wrote:
>With the increase in people trying to fight spam, nameservers are getting
>bombarded with lookup requests.  Recently I understand that AT&T has taken
>steps to not allow lookups of most of the blacklists using their network.
>It seems that we are seeing more and more DNS timeouts which result in more
>spam getting through.  Anyone else perceive this as a problem that will
>only get worse?  Anyone have any suggestions to make the DNS lookup process
>more efficient?

We are working on an add-on to Message Sniffer called IPDB which will
collaborate to generate statistics on IPs from multiple research points. In
addition to collaborative data, local data for IPs can be added through
alternate processes. One of those will be to scan a user defined list of
DNS BLs to produce a local IPDB entry based on the combined results. With
this arrangement local queries will always be very quick (sub-200ms
including the heuristics scan).

If an IP is unknown by the local group then the first query to IPDB may be
indeterminate - but subsequent queries will have good statistics available
based on the local rules and those results will be pushed to the local peer
group as well. IPDB can afford to be patient with its queries - and will
make fewer of them since each IPDB node collaborates with a number of
trusted peers. If the system catches on then IPDB protocols may provide an
alternative publication method for black lists - but that's thinking too
far ahead at this point.

IPDB will also rank both negative and positive going IP data so that IPs
not producing spam can be scored negatively to mitigate false positives.

IPDB will also be able to make an "educated guess" on network blocks based
on the data available at the time of the query - so that if 50% of the IPs
in a network block are 100% spam and none of the others have been heard
from, a new query to that block _may_ result in a strong spam probability.
This will help to mitigate any delays in pending DNS queries.

Finally a "wave-front detection" mechanism that can be built into IPDB will
be able to detect new sources of spam/malware by aggregating announcements
of new IP sources from local peers. In theory if a new machine gets zombied
by spammers or a virus then that IP source will be new to a great number of
servers in a short period. Each IPDB peer detecting the new IP source will
announce the hit to its neighbors. If enough neighbors pick up on the new
source within a given threshold then they will begin weighting the source
negatively - if the source is very aggressive then it _may_ be blacklisted
on a number of systems in the group - and that event also will be
published. The result is that a newly infected machine or new spam source
can be detected and effectively shut down before any ordinary BL process or
even virus protection mechanism can respond.

Tools can be added to alert researchers and system admins of new threats
detected by the wave-front detection mechanism so that new viruses & worms
might be researched more quickly - and in the case of a false positive an
admin can intervene quickly (even before the end users are aware) to
whitelist the source... This event would also be propagated through the peer groups.

Tools will be available to drive ACLs from the IPDB as well so that
consistently bad sources might be blocked at gateway routers and/or servers.

Those are some of the plans anyway...

_M
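The two points above about DNS timeouts letting spam through and about scanning a user-defined list of DNSBLs into one local IPDB entry can be illustrated in code. What follows is an added example written for this page, not Message Sniffer or IPDB code: it builds the reversed-octet DNSBL query name, treats a list that times out as "unknown" rather than "clean", sums the weights of the lists that answered, and caches the combined verdict so the second message from the same IP never touches DNS. The zone names, weights and the offline resolver are all constructed for the demo; the real product's lists, scoring and cache policy are not described on this page.

```python
"""Added example: scanning a user-defined DNSBL list into one local entry.

Not Message Sniffer or IPDB code.  The zone names, weights and the resolver
are constructed for the demo; the real product's formats are not on this page.
"""
import ipaddress
import time
from dataclasses import dataclass, field


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL is asked for: reversed octets under the zone.

    192.0.2.10 checked against zen.spamhaus.org becomes
    10.2.0.192.zen.spamhaus.org; an A answer means "listed", NXDOMAIN means
    "not listed".  Raises ValueError on anything but an IPv4 address.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class DnsblTimeout(Exception):
    """Raised by the resolver when a list does not answer in time."""


@dataclass
class IpdbEntry:
    ip: str
    listed_on: list = field(default_factory=list)   # zones that listed the IP
    timed_out: list = field(default_factory=list)   # zones that never answered
    score: float = 0.0                               # sum of weights of hits
    expires: float = 0.0                             # cache expiry (epoch secs)


class LocalIpdb:
    """Query every configured DNSBL once per IP and cache the combined result.

    resolver(name) must return True if the name resolves (IP listed), False
    for NXDOMAIN, or raise DnsblTimeout.  It is injected so the demo runs
    offline; in production it would wrap a DNS client with a hard timeout.
    """

    def __init__(self, zones, resolver, weights=None, ttl=3600.0,
                 retry_after=60.0, clock=time.time):
        self.zones = list(zones)
        self.resolver = resolver
        self.weights = weights or {z: 1.0 for z in self.zones}
        self.ttl = ttl                  # how long a definite answer is cached
        self.retry_after = retry_after  # how long an all-timeout answer is cached
        self.clock = clock
        self.cache = {}

    def lookup(self, ip):
        entry = self.cache.get(ip)
        if entry is not None and entry.expires > self.clock():
            return entry                # local hit: no DNS traffic at all
        entry = IpdbEntry(ip=ip)
        for zone in self.zones:
            try:
                listed = self.resolver(dnsbl_query_name(ip, zone))
            except DnsblTimeout:
                entry.timed_out.append(zone)   # unknown, not "clean"
                continue
            if listed:
                entry.listed_on.append(zone)
                entry.score += self.weights[zone]
        # If no list answered, the verdict is indeterminate: keep it only
        # briefly so the next message from that IP triggers a fresh scan.
        indeterminate = len(entry.timed_out) == len(self.zones)
        entry.expires = self.clock() + (self.retry_after if indeterminate else self.ttl)
        self.cache[ip] = entry
        return entry


# Constructed offline resolver: 192.0.2.10 is listed on two zones and the
# zone "slow.example" times out for every query.  CALLS counts DNS lookups.
LISTED = {"10.2.0.192.bl-a.example", "10.2.0.192.bl-b.example"}
CALLS = []


def fake_resolver(name):
    CALLS.append(name)
    if name.endswith(".slow.example"):
        raise DnsblTimeout(name)
    return name in LISTED


ZONES = ["bl-a.example", "bl-b.example", "slow.example"]
WEIGHTS = {"bl-a.example": 2.0, "bl-b.example": 1.0, "slow.example": 1.5}


def demo(clock=lambda: 1000.0):
    """Two lookups for a listed IP (second one from cache), one for a clean IP."""
    CALLS.clear()
    db = LocalIpdb(ZONES, fake_resolver, WEIGHTS, clock=clock)
    first = db.lookup("192.0.2.10")
    second = db.lookup("192.0.2.10")     # cached: CALLS does not grow
    clean = db.lookup("198.51.100.7")
    return first, second, clean, len(CALLS)


def indeterminate_demo(clock=lambda: 1000.0):
    """Every configured list times out: the entry is cached for retry_after only."""
    db = LocalIpdb(["slow.example"], fake_resolver, clock=clock)
    return db.lookup("198.51.100.7")
```

The design choice worth noting is that a timeout is recorded separately from a miss: a list that did not answer contributes nothing to the score, but it also does not let the entry be cached for the full TTL when every list was silent, which is exactly the case in the question where slow or blocked resolvers were letting spam through.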

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
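Two of the mechanisms sketched in Pete's message, the "educated guess" on a network block and the wave-front detection across peers, can be shown as small scoring routines. This is an added example written for this page, not Message Sniffer or IPDB code: the first class extrapolates a never-seen IP from what is known about the rest of its /24 only once enough of the block has data (the 50% case in the text), and the second counts how many distinct trusted peers announced a new source inside a time window before weighting it. The peer names, addresses, coverage fraction, threshold and window are constructed for the demo; the real system's rules and protocol are not described on this page.

```python
"""Added example: two IPDB-style inferences over local reputation data.

Not Message Sniffer or IPDB code; peer names, addresses and thresholds are
constructed for the demo and the real system's rules are not on this page.
(1) NetblockGuesser: an "educated guess" for a never-seen IP from what is
    known about the rest of its /24.
(2) WaveFront: a source becomes suspect once enough distinct trusted peers
    announce it inside a short time window.
"""
import ipaddress
from collections import defaultdict


class NetblockGuesser:
    """Stores a spam probability per IP (0.0 = clean .. 1.0 = always spam)."""

    def __init__(self, prefixlen=24, min_coverage=0.5):
        self.prefixlen = prefixlen
        self.min_coverage = min_coverage   # fraction of the block that must be known
        self.scores = {}                   # IPv4Address -> probability

    def record(self, ip, spam_probability):
        self.scores[ipaddress.IPv4Address(ip)] = float(spam_probability)

    def guess(self, ip):
        """Return (probability, basis); basis is 'known', 'block' or 'unknown'.

        An IP never seen directly inherits the mean of its block only when at
        least min_coverage of the block's addresses have data, so a single
        bad neighbour cannot condemn a whole /24.
        """
        addr = ipaddress.IPv4Address(ip)
        if addr in self.scores:
            return self.scores[addr], "known"
        net = ipaddress.IPv4Network((int(addr), self.prefixlen), strict=False)
        known = [p for a, p in self.scores.items() if a in net]
        if len(known) / net.num_addresses < self.min_coverage:
            return None, "unknown"      # not enough data: fall back to DNS
        return sum(known) / len(known), "block"


class WaveFront:
    """Counts distinct trusted peers reporting a new IP inside a window."""

    def __init__(self, trusted_peers, threshold=3, window=300.0):
        self.trusted = set(trusted_peers)
        self.threshold = threshold      # peers needed before the IP is weighted
        self.window = window            # seconds within which sightings count
        self.sightings = defaultdict(dict)   # ip -> {peer: last announce time}

    def announce(self, peer, ip, when):
        """Record one peer's announcement; return True once the source is hot."""
        if peer not in self.trusted:
            return False                # only trusted peers influence scoring
        self.sightings[ip][peer] = when
        return self.is_hot(ip, when)

    def is_hot(self, ip, now):
        recent = [t for t in self.sightings.get(ip, {}).values()
                  if now - t <= self.window]
        return len(recent) >= self.threshold


def block_demo():
    g = NetblockGuesser(prefixlen=24, min_coverage=0.5)
    # Constructed data: 128 of the 256 addresses in 192.0.2.0/24 are pure
    # spam and the other 128 were never heard from (the text's 50% case).
    for host in range(1, 129):
        g.record(f"192.0.2.{host}", 1.0)
    # Only 10 addresses of 198.51.100.0/24 are known: too little to extrapolate.
    for host in range(1, 11):
        g.record(f"198.51.100.{host}", 1.0)
    return g.guess("192.0.2.200"), g.guess("198.51.100.200"), g.guess("192.0.2.5")


def wave_demo():
    peers = ["peer-a", "peer-b", "peer-c", "peer-d"]   # constructed peer names
    wf = WaveFront(peers, threshold=3, window=300.0)
    burst = [
        wf.announce("peer-a", "203.0.113.9", when=1000.0),
        wf.announce("peer-b", "203.0.113.9", when=1010.0),
        wf.announce("stranger", "203.0.113.9", when=1020.0),  # untrusted: ignored
        wf.announce("peer-c", "203.0.113.9", when=1030.0),    # third trusted peer
    ]
    # Same three peers, but the third report arrives 15 minutes later: the
    # first two have aged out of the window, so this is not a wave.
    wf.announce("peer-a", "203.0.113.50", when=0.0)
    wf.announce("peer-b", "203.0.113.50", when=10.0)
    late = wf.announce("peer-c", "203.0.113.50", when=900.0)
    return burst, late
```

The two guards are the part a practitioner would want: the block guess refuses to extrapolate from a thinly populated /24, and the wave-front counter ignores announcements from peers outside the trusted set, so a single hostile or misconfigured node cannot push an IP onto everyone's blacklist by itself.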