You can track widespread virii breakouts without running manual blacklists. We're working on a streamlined (machine-automated) blackhole list server at http://www.nuclearelephant.com/projects/sbl/. It is originally designed to identify spammer IPs within minutes of a new distribution based on how widespread the reports are across networks (rather than the total number of reports) and works rather well in preliminary testing. A tool like this could easily be adapted to track, in real time, which hosts were infected based on the same spread principle. By using machine automation combined with a real-time, short-term blackhole server such as the SBL project, you can zero in accurately on the individuals infected without worrying about blackholing entire dialup lists, etc.
For tracking dynamic accounts for virii, you may consider tweaking the blacklist life from 24 hours to maybe 2-3 hours - that should be all you need to notify the host anyway. DSL lines don't change but every couple of days, and dialup users are usually on for a couple of hours unless they're traveling. What I think would be a better idea though, as far as notifying the end users, would be to code a little tray applet that would tell the user whenever there were several port 25 connections to different hosts. Include it with a standard "You're running Windows so you're going to get 0wned" suite of tools.

> >If major sites like Google, MSN etc. would query rapid DSL and dialup
> >blacklists, they could visually inform the visitor that their PC is
> >listed (+ inform them what to do, direct them to online AV etc).
>
> Bad idea! Think about all those hosts listed in a RBL and the users can't
> do anything about it? Especially dialup/dsl users with dynamic IP's.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
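The "spread principle" the post describes (list an address on how many distinct networks report it, not on the raw report count, and expire the entry after a short TTL so dynamic dialup/DSL addresses are not blackholed long after the infected user has gone offline) as an added illustration. This is my own sketch, not the SBL project's code; the choice of a reporter's /24 as the unit of "network", a threshold of 3 networks, and a 3-hour report window and listing TTL are all assumptions, and the report events in `run_sample()` are constructed.

```python
"""Spread-based, short-lived blackhole list (illustration only, not SBL code).

Assumptions (not from the post): a reporting "network" is the reporter's /24,
3 distinct networks list an address, and both the report window and the
listing TTL are 3 hours, matching the 2-3 hour lifetime the post suggests.
"""
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 3 * 3600       # how long a report counts toward the spread
LISTING_TTL_SECONDS = 3 * 3600  # how long a listed address stays listed
SPREAD_THRESHOLD = 3            # distinct reporter networks needed to list


def reporter_network(reporter_ip: str) -> str:
    """Collapse a reporter address to its /24 (assumed unit of 'network')."""
    return str(ipaddress.ip_network(f"{reporter_ip}/24", strict=False))


class SpreadBlackhole:
    def __init__(self):
        # reported_ip -> {reporter network -> time of its most recent report}
        self._reports = defaultdict(dict)
        # reported_ip -> absolute time at which the listing expires
        self._listed_until = {}

    def report(self, reporter_ip: str, reported_ip: str, now: float) -> None:
        """Record one report; a network reporting twice still counts once."""
        self._reports[reported_ip][reporter_network(reporter_ip)] = now
        if self.spread(reported_ip, now) >= SPREAD_THRESHOLD:
            # (Re)arm the short TTL from the latest qualifying report.
            self._listed_until[reported_ip] = now + LISTING_TTL_SECONDS

    def spread(self, reported_ip: str, now: float) -> int:
        """Distinct reporter networks with a report inside the window."""
        seen = self._reports.get(reported_ip, {})
        return sum(1 for t in seen.values() if now - t <= WINDOW_SECONDS)

    def is_listed(self, reported_ip: str, now: float) -> bool:
        """Listed only while the TTL is live; stale entries drop out lazily."""
        until = self._listed_until.get(reported_ip)
        if until is None:
            return False
        if now >= until:
            del self._listed_until[reported_ip]
            return False
        return True


def run_sample() -> dict:
    """Constructed report stream showing 'spread beats volume' and expiry."""
    bl = SpreadBlackhole()
    # Four reports about 203.0.113.7, all from the same /24: loud, but one
    # network, so it must NOT be listed however many reports arrive.
    for host in ("198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"):
        bl.report(host, "203.0.113.7", now=0)
    # Three reports about 192.0.2.5 from three unrelated networks within a
    # minute: that is the spread signature of a spewing infected host.
    bl.report("198.51.100.1", "192.0.2.5", now=0)
    bl.report("10.1.2.3", "192.0.2.5", now=30)
    bl.report("172.16.5.9", "192.0.2.5", now=60)
    return {
        "loud_single_network_spread": bl.spread("203.0.113.7", now=60),
        "loud_single_network_listed": bl.is_listed("203.0.113.7", now=60),
        "spread_three_listed": bl.is_listed("192.0.2.5", now=60),
        "still_listed_after_2h": bl.is_listed("192.0.2.5", now=60 + 2 * 3600),
        "expired_after_3h": bl.is_listed("192.0.2.5", now=60 + 3 * 3600),
    }


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(f"{name}: {value}")
```

The point of keying on distinct networks is that a single disgruntled or misconfigured reporter cannot get an address listed alone, while the short TTL means a dynamic address reassigned to the next dialup customer falls off the list on its own rather than needing a manual delisting request.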
