DROP and Country blocks are part, but only part, of the ThreatSTOP
feeds.

If you're not using Bogons, DShield, Shadowserver, and the SRI MTC,
you're missing the recon bots, new malware drive-by seeds, and the C&Cs.

We've got those, and more, including some of our own developed using
cross-correlation and user log submission.

ThreatSTOP is pretty much about aggregating the best practices blocks
such as you have listed, and constantly tracking which ones stay
current, and making them easy to use and dynamically updated across
multiple platforms.

Sounds like you're doing what I was doing when I came up with the
underlying idea, and was having to write a new script for each new type
of firewall or new list I wanted to use, and said "There has to be a
better way", looked for one, didn't find it, and so decided to build it!

Stay safe!



> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Rich Kulawiec
> Sent: Monday, February 15, 2010 8:46 AM
> To: [email protected]
> Subject: Re: [funsec] 95% of User Generated Content is spam or
> malicious
> 
> On Sun, Feb 14, 2010 at 03:41:16PM -0800, Tomas L. Byrnes wrote:
> > Threatstop users running the default TS blocklists on their firewalls
> > before the anti-spam systems see, typically, 15% to 25% reduction in
> > average SMTP traffic, and a reduction of peak SMTP traffic to 1/4 of
> > what it is without ThreatSTOP.
> 
> <chuckle> I'm waaaay past that.  I've cut down the number of incoming
> connections by about 90% via judicious use of the DROP list, country
> blocks (see ipdeny.com), spammer-allocated blocks, etc. at the
> firewall.
> 
> In one installation, I've gone the other way: all SMTP connections
> are blocked except those originating in North America (less those on
> the DROP list or in spammer-allocated blocks).
> 
> The default-permit model for SMTP is on its way out, and it makes
> progressively less sense to spend ever-increasing resources to
> sustain it.  But judicious study of inbound/outbound mail traffic
> is very necessary before trying something like this.  (Then again:
> how could any postmaster possibly know how well they're doing unless
> they measure it?  Sadly, very, very few actually do.)
> 
> ---Rsk
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
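The default-deny SMTP policy Rich describes (allow one region, less the DROP list and spammer-allocated blocks), together with the measurement step he says should come first, as an added example that is not part of this thread and not ThreatSTOP's code; the feed contents, the "CIDR ; comment" feed format, the smtpd log lines and the nftables set name are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample feeds (documentation ranges only, not real DROP or spammer data).
ALLOWED_REGION = ["192.0.2.0/24 ; constructed regional allocation",
                  "198.51.100.0/24 ; constructed regional allocation"]
DROP_LIST = ["# constructed DROP-style feed", "192.0.2.128/25 ; hijacked"]
SPAMMER_BLOCKS = ["198.51.100.200/29 ; constructed spammer-allocated block"]

# Constructed smtpd log lines in 'connect from host[IP]' form.
SMTP_LOG = [
    "Feb 15 08:46:01 mx smtpd[101]: connect from mail.example.net[198.51.100.10]",
    "Feb 15 08:46:05 mx smtpd[101]: connect from unknown[192.0.2.200]",
    "Feb 15 08:46:09 mx smtpd[101]: connect from unknown[203.0.113.7]",
    "Feb 15 08:46:12 mx smtpd[101]: connect from unknown[198.51.100.201]",
    "Feb 15 08:46:20 mx smtpd[101]: connect from relay.example.org[192.0.2.5]",
]

def parse_prefixes(lines):
    """Parse 'CIDR ; comment' lines into networks, skipping comments and blanks."""
    nets = []
    for line in lines:
        entry = line.split(";", 1)[0].strip()
        if entry and not entry.startswith("#"):
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def smtp_allowed(src, allow_nets, deny_nets):
    """Default-deny policy from the thread: the source must fall inside the
    allowed region and outside every DROP / spammer-allocated block."""
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in allow_nets) and not any(ip in n for n in deny_nets)

def measure(log_lines, allow_nets, deny_nets):
    """Count logged inbound connections the policy would have refused, so the
    effect is measured against real traffic before the rules go live."""
    blocked = []
    for line in log_lines:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]$", line)
        if m and not smtp_allowed(m.group(1), allow_nets, deny_nets):
            blocked.append(m.group(1))
    return {"total": len(log_lines), "blocked": len(blocked), "sources": blocked}

def nft_set(name, nets):
    """Render a prefix list as an nftables interval set for a tcp dport 25 rule."""
    elems = ", ".join(str(n) for n in nets)
    return f"set {name} {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}"
```

Run `measure(SMTP_LOG, parse_prefixes(ALLOWED_REGION), parse_prefixes(DROP_LIST) + parse_prefixes(SPAMMER_BLOCKS))` over a real day of smtpd logs to get the reduction figure before enforcing anything.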
