Re: [botnets] URL formats -blacklist=censorship
Tell me how this works for a large site that has one piece of malware! badhost.com contains every wiki ever written and cause badguys.com slipped on SQL trick in and redirect then we should block everything in badhost.com. Does not work this way in an edu domain, somebody will cry academic freedom and heads will roll. blacklists have never been a solution! Censorship is just Censorship. foot. From: Dan Drinnon [EMAIL PROTECTED] To: 'Chris Lee' [EMAIL PROTECTED], botnets@whitestar.linuxbox.org Date: 08/29/08 2:03 AM Subject:Re: [botnets] URL formats Hello Everyone! First, my apologies for not doing my Lurk Time here - I only started subscribing to this list today. Unfortunately, I do not have any lists to share as I have none, but I do have some ideas... We all know there have long been RBL's for spam sources on the net and as an SMTP admin for a major ISP, they are invaluable at keeping the spam out by preventing tcp/25 connections from blacklisted IP addresses. Well, I am also a DNS admin, and in the past, I have had to block queries to certain domains (mostly dealing with child porno) by court order from various states in the U.S. I have one suggestion on format of the data which is shared. It should include the domain, the host, and the actual URL at a minimum, in CSV format. For example: Badhost.com, www.badhost.com, http://www.badhost.com/badfile.exe Then, with Rsync, this data could be shared in near- real time and handled by administrators to suite their needs. By parsing the data, A DNS administrator could create scripts and choose to set badhost.com to something like this in their named.conf: zone badhost.com { type master; file empty.zone; allow- update { none; }; }; And empty.zone would look something like this: @ 10800 IN SOA ns1.mydomain.com. root.mydomain.com. ( 1 3600 1200 604800 10800 ) @ 10800 IN NS ns1.mydomain.com. The end result is that a DNS query for any host in the list would return nothing. If the data were vast enough, and if enough administrators subscribed and used this 'blacklist', it would have a real effect against end users hitting bad URL's. I have no problems blocking bad domains, just as maintainers of spam RBL's have no problems blocking bad IP's. It is up to the ISP of the bad host to take care of the problem to become unblocked. As far as http or hxxp, it doesn't matter to me, I would only handle this information on the backend. - Original Message- From: botnets- [EMAIL PROTECTED] [mailto:botnets- [EMAIL PROTECTED] On Behalf Of Chris Lee Sent: Thursday, August 28, 2008 5:54 PM To: botnets@whitestar.linuxbox.org Subject: Re: [botnets] URL formats hxxp seems to be advantageous for a few reasons: 1. you can still cut and paste the url 2. the protocol handlers won't load it up if you accidently click on it 3. you can add a protocol handler for hxxp for whatever you want 4. easier to recognize domains and patterns (rather than rotted urls) 5. already widely accepted in spam fighting groups 6. trivial to do and undo with no exception cases I figured I'd put down my thoughts to try to help a standard to move forward. On Aug 28, 2008, at 7:07 PM, silky wrote: On Fri, Aug 29, 2008 at 3:32 AM, Chris Burton [EMAIL PROTECTED] wrote: Hi, I was wondering if it would be more helpful if we could propose a standard for posting broken URLs with some form of start/end indicator to allow easier automated processing from the listings? I was thinking that it would be nice to post them just rot13'd. Still trivially decoded (i use leetkey add- in in ff) but not picked up by indexers/etc. Advantage is that it can still be searched for common patterns. ChrisB. -- noon silky http://www.themonkeynet.com/armada/ ___ botnets@, the public's dumping ground for maliciousness All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets ___ botnets@, the public's dumping ground for maliciousness All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets ___ botnets@, the public's dumping ground for maliciousness All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets ___ botnets@, the public's dumping ground for maliciousness All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
Re: [botnets] URL formats -blacklist=censorship
May I remind everybody that the purpose of this list is to share information. What you do with this information is up to you (more or less). If you use it as a blacklist: fine, I hope you know what you are doing... On Fri, Aug 29, 2008 at 10:09 AM, [EMAIL PROTECTED] wrote: Tell me how this works for a large site that has one piece of malware! badhost.com contains every wiki ever written and cause badguys.com slipped on SQL trick in and redirect then we should block everything in badhost.com. Does not work this way in an edu domain, somebody will cry academic freedom and heads will roll. blacklists have never been a solution! Censorship is just Censorship. All depends on your situation. Makes sense that blacklisting isn't a good option for .edu but in the business environment it works quite well. I have an obligation to block malicious crap from users in my environment. If you want to call that censoring knock yourself out. I call it protecting. The example you give is also an extreme which, fortunately, doesn't happen a lot. I would definitely handle that one differently. I don't have to use blacklisting for everything - just where it makes sense. Extremes have to be handled on a case by case basis. If you're only going to use a solution that works for everything then you're going to be looking for awhile cause despite endless vendor claims I've yet to see a one-stop solution ___ botnets@, the public's dumping ground for maliciousness All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets ___ botnets@, the public's dumping ground for maliciousness All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
Re: [botnets] URL formats -blacklist=censorship
I work in an edu (for a couple more weeks at least), we'll block hacked wikis. Why? Because we understand that giving people a platform for attack just isn't good policy. We need not have the internet controlled by the bottom-feeders out of some ridiculous fear of censorship or hindering academic freedom. We still arrest people for inciting riots and making death threats, that doesn't mean we are infringing free speech either. On Fri, Aug 29, 2008 at 6:53 AM, Dave Ellingsberg [EMAIL PROTECTED] wrote: Tell me how this works for a large site that has one piece of malware! badhost.com contains every wiki ever written and cause badguys.com slipped on SQL trick in and redirect then we should block everything in badhost.com. Does not work this way in an edu domain, somebody will cry academic freedom and heads will roll. blacklists have never been a solution! Censorship is just Censorship. foot. From: Dan Drinnon [EMAIL PROTECTED] To: 'Chris Lee' [EMAIL PROTECTED], botnets@whitestar.linuxbox.org Date: 08/29/08 2:03 AM Subject:Re: [botnets] URL formats Hello Everyone! First, my apologies for not doing my Lurk Time here - I only started subscribing to this list today. Unfortunately, I do not have any lists to share as I have none, but I do have some ideas... We all know there have long been RBL's for spam sources on the net and as an SMTP admin for a major ISP, they are invaluable at keeping the spam out by preventing tcp/25 connections from blacklisted IP addresses. Well, I am also a DNS admin, and in the past, I have had to block queries to certain domains (mostly dealing with child porno) by court order from various states in the U.S. I have one suggestion on format of the data which is shared. It should include the domain, the host, and the actual URL at a minimum, in CSV format. For example: Badhost.com, www.badhost.com, http://www.badhost.com/badfile.exe Then, with Rsync, this data could be shared in near- real time and handled by administrators to suite their needs. By parsing the data, A DNS administrator could create scripts and choose to set badhost.com to something like this in their named.conf: zone badhost.com { type master; file empty.zone; allow- update { none; }; }; And empty.zone would look something like this: @ 10800 IN SOA ns1.mydomain.com. root.mydomain.com. ( 1 3600 1200 604800 10800 ) @ 10800 IN NS ns1.mydomain.com. The end result is that a DNS query for any host in the list would return nothing. If the data were vast enough, and if enough administrators subscribed and used this 'blacklist', it would have a real effect against end users hitting bad URL's. I have no problems blocking bad domains, just as maintainers of spam RBL's have no problems blocking bad IP's. It is up to the ISP of the bad host to take care of the problem to become unblocked. As far as http or hxxp, it doesn't matter to me, I would only handle this information on the backend. - Original Message- From: botnets- [EMAIL PROTECTED] [mailto:botnets- [EMAIL PROTECTED] On Behalf Of Chris Lee Sent: Thursday, August 28, 2008 5:54 PM To: botnets@whitestar.linuxbox.org Subject: Re: [botnets] URL formats hxxp seems to be advantageous for a few reasons: 1. you can still cut and paste the url 2. the protocol handlers won't load it up if you accidently click on it 3. you can add a protocol handler for hxxp for whatever you want 4. easier to recognize domains and patterns (rather than rotted urls) 5. already widely accepted in spam fighting groups 6. trivial to do and undo with no exception cases I figured I'd put down my thoughts to try to help a standard to move forward. On Aug 28, 2008, at 7:07 PM, silky wrote: On Fri, Aug 29, 2008 at 3:32 AM, Chris Burton [EMAIL PROTECTED] wrote: Hi, I was wondering if it would be more helpful if we could propose a standard for posting broken URLs with some form of start/end indicator to allow easier automated processing from the listings? I was thinking that it would be nice to post them just rot13'd. Still trivially decoded (i use leetkey add- in in ff) but not picked up by indexers/etc. Advantage is that it can still be searched for common patterns. ChrisB. -- noon silky http://www.themonkeynet.com/armada/ ___ botnets@, the public's dumping ground for maliciousness All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets ___ botnets@, the public's dumping ground for maliciousness All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets ___ botnets@, the