Re: List of 600,000 IP addresses of virus infected computers

2007-09-13 Thread Marc Perkel

Yeah - 127.0.0.1 means white listed. :)

Rick Cooper wrote:

My bad, I had 127.0.0.1 in the blacklist on that host instead of 127.0.0.2


  


RE: List of 600,000 IP addresses of virus infected computers

2007-09-13 Thread Rick Cooper
My bad, I had 127.0.0.1 in the blacklist on that host instead of 127.0.0.2

Sorry 

 > -Original Message-
 > From: Rick Cooper [mailto:[EMAIL PROTECTED] 
 > Sent: Thursday, September 13, 2007 9:03 AM
 > To: 'Marc Perkel'; 'SpamAssassin Users List'
 > Subject: RE: List of 600,000 IP addresses of virus infected computers
 > 
 > I have noted one FP so far, lists.sophos.com and it was 
 > sending the latest
 > new viruses, I get this list a couple times per day on average
 > 
 > Rick 
 > 
 >  > -Original Message-
 >  > From: Marc Perkel [mailto:[EMAIL PROTECTED] 
 >  > Sent: Monday, September 10, 2007 1:26 PM
 >  > To: SpamAssassin Users List
 >  > Subject: List of 600,000 IP addresses of virus infected computers
 >  > 
 >  > I've developed an extremely accurate way of detecting virus 
 >  > infected spam zombies. I think it's 100% accurate and 
 >  > catches them on the first try. Here are 600,000 IP addresses 
 >  > I've detected in the last 3 days.
 >  > 
 >  > Enjoy
 >  > 
 >  > http://iplist.junkemailfilter.com/virus.txt
 >  > 
 >  > 
 > 
 > 
 > --
 > This message has been scanned for viruses and
 > dangerous content by MailScanner, and is
 > believed to be clean.
 > 
 > 






RE: List of 600,000 IP addresses of virus infected computers

2007-09-13 Thread Rick Cooper
I have noted one FP so far, lists.sophos.com and it was sending the latest
new viruses, I get this list a couple times per day on average

Rick 

 > -Original Message-
 > From: Marc Perkel [mailto:[EMAIL PROTECTED] 
 > Sent: Monday, September 10, 2007 1:26 PM
 > To: SpamAssassin Users List
 > Subject: List of 600,000 IP addresses of virus infected computers
 > 
 > I've developed an extremely accurate way of detecting virus 
 > infected spam zombies. I think it's 100% accurate and 
 > catches them on the first try. Here are 600,000 IP addresses 
 > I've detected in the last 3 days.
 > 
 > Enjoy
 > 
 > http://iplist.junkemailfilter.com/virus.txt
 > 
 > 






Re: List of 600,000 IP addresses of virus infected computers

2007-09-12 Thread John Rudd





Per Jessen wrote:




Perhaps someone can turn this into a rule for SA to add some points. 
The mail-server that detects the missing QUIT could easily add a header
which SA would then pick up on.  But it might depend on what
those "other factors" are.





Part of the problem here is that a "QUIT" is a session oriented issue, 
where a single SMTP session may have multiple messages.  Consider a 
session where the spambot generates 10 messages in one SMTP connection. 
 If you want to track "this message didn't have an SMTP-QUIT", then 
your MTA can't release the message UNTIL all 10 of the messages have 
been submitted.  That could dramatically increase the number of open 
files for an MTA, which could in turn lead to a denial of service 
vulnerability.


This entirely prevents being able to do Spam filtering _during_ the SMTP 
session, as well (ie. have a milter which runs the message through spam 
assassin at the DATA phase of the SMTP session, and gives an 
accept/temp-fail/reject response based upon the content of the DATA). 
Since the rule depends upon the QUIT, but the QUIT can't happen before 
SA has to be finished scanning the message, that means that _every_ 
message will have the "lack of SMTP-QUIT" rule trigger.



I can see it being part of a hosts reputation score (what percentage of 
connections does it generate a quit?), or part of a blacklist, but I 
think it would break too many receiver-sites if you tried to do it as a 
direct SA rule.
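
Added example (not part of the original thread): one way to express the per-host reputation idea from the message above, scoring hosts by the share of completed SMTP sessions that ended without QUIT. The log format, event names and thresholds are assumptions made for this example, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample in a hypothetical "<ip> <session-id> <event>" log format.
# Session s6 is still open, so a QUIT could still arrive for it.
SAMPLE_LOG = """\
192.0.2.10 s1 MESSAGE
192.0.2.10 s1 MESSAGE
192.0.2.10 s1 DISCONNECT
192.0.2.10 s2 MESSAGE
192.0.2.10 s2 DISCONNECT
192.0.2.10 s3 MESSAGE
192.0.2.10 s3 DISCONNECT
198.51.100.7 s4 MESSAGE
198.51.100.7 s4 QUIT
198.51.100.7 s4 DISCONNECT
203.0.113.5 s5 MESSAGE
203.0.113.5 s5 DISCONNECT
192.0.2.10 s6 MESSAGE
"""

def quit_stats(log):
    """Per-host counts over closed sessions only (QUIT is a session property)."""
    sessions = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ip, sid, event = parts
        s = sessions.setdefault((ip, sid), {"msgs": 0, "quit": False, "closed": False})
        if event == "MESSAGE":
            s["msgs"] += 1
        elif event == "QUIT":
            s["quit"] = True
        elif event == "DISCONNECT":
            s["closed"] = True
    hosts = defaultdict(lambda: {"sessions": 0, "no_quit": 0, "messages": 0})
    for (ip, _sid), s in sessions.items():
        if s["closed"]:
            hosts[ip]["sessions"] += 1
            hosts[ip]["messages"] += s["msgs"]
            hosts[ip]["no_quit"] += 0 if s["quit"] else 1
    return dict(hosts)

def suspects(stats, min_sessions=3, threshold=0.9):
    """Hosts with enough closed sessions and a high share of them without QUIT."""
    return sorted(ip for ip, h in stats.items()
                  if h["sessions"] >= min_sessions
                  and h["no_quit"] / h["sessions"] >= threshold)
```

Because only closed sessions are counted, the result is available after the connection ends and applies to the host, not to any single message in the session.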


Re: List of 600,000 IP addresses of virus infected computers

2007-09-12 Thread Marc Perkel



Per Jessen wrote:

Marc Perkel wrote:

  

If you're keen to share your development, why don't you explain to us
how it works?

/Per Jessen, Zürich

  

The details are a little too complex for this forum but the new trick
is mostly based on the fact that spam bots generally don't issue the
QUIT command and when combined with other factors allows me to catch
spam bots on the first try.



Perhaps someone can turn this into a rule for SA to add some points. 
The mail-server that detects the missing QUIT could easily add a header
which SA would then pick up on.  But it might depend on what
those "other factors" are.




/Per Jessen, Zürich


  


It might be a good rule for SA except for one problem. SA doesn't have 
any way to detect the lack of the QUIT. Even in Exim the message being 
received is done after the last period is sent. So you can't attach any 
kind of information about quit to the message.


What I'm doing is using Exim's ACL variables in the NOTQUIT acl to feed 
information into my blacklist database so that my servers and anyone 
using my blacklists know to just drop the connection the next time. 
Generally I have already detected the message as possible spam by that 
point but when I combine it with the lack of a quit then it gets 
promoted to blacklist status.




Re: List of 600,000 IP addresses of virus infected computers

2007-09-12 Thread Per Jessen
Marc Perkel wrote:

>> If you're keen to share your development, why don't you explain to us
>> how it works?
>>
>> /Per Jessen, Zürich
>>
> 
> The details are a little too complex for this forum but the new trick
> is mostly based on the fact that spam bots generally don't issue the
> QUIT command and when combined with other factors allows me to catch
> spam bots on the first try.

Perhaps someone can turn this into a rule for SA to add some points. 
The mail-server that detects the missing QUIT could easily add a header
which SA would then pick up on.  But it might depend on what
those "other factors" are. 



/Per Jessen, Zürich



Re: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread Kenneth Porter
On Tuesday, September 11, 2007 12:30 PM -0700 Marc Perkel <[EMAIL PROTECTED]> 
wrote:



The details are a little too complex for this forum but the new trick is
mostly based on the fact that spam bots generally don't issue the QUIT
command and when combined with other factors allows me to catch spam bots
on the first try.


At last we get some technical details. Please post the methodology on a web 
page for review. For example, how do you know you don't get a QUIT command?





Re: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread Matthias Haeker

Marc Perkel wrote:

I've added you to my blackhole list.


Dear Marc

I really start to think that you don't know about netetiquette

maybe you should have a look at

http://www.atra-tr.org/netetiquette.htm

especially the paragraph

* Don't send large amounts of unsolicited information to people.

could be helpful for your education

Matthias










[Fwd: Re: List of 600,000 IP addresses of virus infected computers]

2007-09-11 Thread Matthias Haeker

 Original Message 
Subject:    Re: List of 600,000 IP addresses of virus infected computers
Date:       Tue, 11 Sep 2007 12:31:20 -0700
From:       Marc Perkel <[EMAIL PROTECTED]>
To:         Matthias Häker <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>




I've added you to my blackhole list.

Matthias Häker wrote:



Per Jessen wrote:

Marc Perkel wrote:

  

I've developed an extremely accurate way of detecting virus infected spam
zombies. I think it's 100% accurate and catches them on the first try.
Here are 600,000 IP addresses I've detected in the last 3 days.



If you're keen to share your development, why don't you explain to us
how it works? 



/Per Jessen, Zürich


  



please not again

I didn't subscribe to this list for Marc Perkel's thoughts about spam

Matthias


--

IT Service Häker
Matthias Häker
Fettstr. 3
20357 Hamburg
Tel: +49 (0)40 98238807
Fax: +49 (0)40 52596583
Mob: +49 (0)176 65571482


Re: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread Marc Perkel



Per Jessen wrote:

Marc Perkel wrote:

  

I've developed an extremely accurate way of detecting virus infected spam
zombies. I think it's 100% accurate and catches them on the first try.
Here are 600,000 IP addresses I've detected in the last 3 days.



If you're keen to share your development, why don't you explain to us
how it works? 



/Per Jessen, Zürich

  


The details are a little too complex for this forum but the new trick is 
mostly based on the fact that spam bots generally don't issue the QUIT 
command and when combined with other factors allows me to catch spam 
bots on the first try.


List has grown to over 700k spam bots now. If anyone wants to take 
advantage of this then just use these rules:


header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
tflags __RCVD_IN_JMF net

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5

header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 3.0

header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
tflags RCVD_IN_JMF_BR net
score RCVD_IN_JMF_BR 1.0
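
Added example (not part of the original thread): how the three return codes in the rules above map to rule names and scores, and why configuring 127.0.0.1 as the blacklist code, as described in the 2007-09-13 messages at the top of the thread, hits whitelisted senders. The function names are hypothetical and the DNS answers are constructed; `lookup()` shows the live query but is not called.

```python
import ipaddress
import socket

ZONE = "hostkarma.junkemailfilter.com"  # zone used by the rules in the post
# A-record value -> (rule name, score), copied from the rules in the post.
RULES = {
    "127.0.0.1": ("RCVD_IN_JMF_W", -5.0),   # JMF-WHITE
    "127.0.0.2": ("RCVD_IN_JMF_BL", 3.0),   # JMF-BLACK
    "127.0.0.4": ("RCVD_IN_JMF_BR", 1.0),   # JMF-BROWN
}

def query_name(ip, zone=ZONE):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup(ip):
    """Live query (needs network, not called below); no record means not listed."""
    try:
        return socket.gethostbyname_ex(query_name(ip))[2]
    except socket.gaierror:
        return []

def score(answers):
    """Sum the scores of every rule whose return code is among the answers."""
    hits = [RULES[a] for a in sorted(answers) if a in RULES]
    return sum(s for _, s in hits), [name for name, _ in hits]

def is_blacklisted(answers, black_code="127.0.0.2"):
    """Treat a host as blacklisted only when the blacklist code is returned."""
    return black_code in answers

# Constructed answers for a whitelisted and a blacklisted sender.
WHITE_ANSWER = ["127.0.0.1"]
BLACK_ANSWER = ["127.0.0.2"]

if __name__ == "__main__":
    print(query_name("192.0.2.10"))
    print(score(WHITE_ANSWER), score(BLACK_ANSWER))
    # Correct code: the whitelisted sender passes, the blacklisted one does not.
    print(is_blacklisted(WHITE_ANSWER), is_blacklisted(BLACK_ANSWER))
    # 127.0.0.1 configured as the blacklist code: the whitelisted sender is hit.
    print(is_blacklisted(WHITE_ANSWER, black_code="127.0.0.1"))
```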




Re: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread Matthias Häker



Per Jessen wrote:

Marc Perkel wrote:

  

I've developed an extremely accurate way of detecting virus infected spam
zombies. I think it's 100% accurate and catches them on the first try.
Here are 600,000 IP addresses I've detected in the last 3 days.



If you're keen to share your development, why don't you explain to us
how it works? 



/Per Jessen, Zürich


  



please not again

I didn't subscribe to this list for Marc Perkel's thoughts about spam

Matthias


Re: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread Per Jessen
Marc Perkel wrote:

> I've developed an extremely accurate way of detecting virus infected spam
> zombies. I think it's 100% accurate and catches them on the first try.
> Here are 600,000 IP addresses I've detected in the last 3 days.

If you're keen to share your development, why don't you explain to us
how it works? 


/Per Jessen, Zürich



[Fwd: Re: List of 600,000 IP addresses of virus infected computers]

2007-09-11 Thread Adam Lanier
 Forwarded Message 
> From: Marc Perkel <[EMAIL PROTECTED]>
> To: Adam Lanier <[EMAIL PROTECTED]>
> Subject: Re: List of 600,000 IP addresses of virus infected computers
> Date: Tue, 11 Sep 2007 09:04:09 -0700
> 
> And I've put you on my blackhole list.
> 
> Adam Lanier wrote: 
> > On Tue, 2007-09-11 at 08:30 -0700, Marc Perkel wrote:
> >   
> > > Screw you.
> > > 
> > 
> > Congratulations, you have been permanently added to my kill file.

And now we know the source of Marc's blackhole list.



Re: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread Adam Lanier
On Tue, 2007-09-11 at 08:30 -0700, Marc Perkel wrote:
> Screw you.

Congratulations, you have been permanently added to my kill file.



RE: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread James E. Pratt
I think I speak for many when I ask you that you please take your
remarks off-list. I definitely don't want or need this type of garbage
in my inbox.

Thanks,
jamie

-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 11, 2007 11:30 AM
To: users@spamassassin.apache.org
Subject: Re: List of 600,000 IP addresses of virus infected computers

Screw you.



Re: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread Marc Perkel

Screw you.

Kai Schaetzl wrote:
Marc, I'm getting tired of this. If you want to distribute blacklist data, 
please set up RBL and rsync and stop spamming here.


Kai

  


RE: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread Michael Scheidell
www.mynetwatchman.com

Lists the ip addresses and date/timestamps.

I'll bet most of those ip's are on that list.

Also, look at dshield.org

So, once more, more idiot noise and more useless self important
blathering by someone who obviously has no clue as to what is happening
in the world.

-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts:
http://www.secnap.com/news
 
_
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_


Re: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread Kai Schaetzl
Marc, I'm getting tired of this. If you want to distribute blacklist data, 
please set up RBL and rsync and stop spamming here.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: List of 600,000 IP addresses of virus infected computers

2007-09-10 Thread Rick Macdougall

Marc Perkel wrote:



Duane Hill wrote:

On Mon, 10 Sep 2007 at 10:26 -0700, [EMAIL PROTECTED] confabulated:

I've developed an extremely accurate way of detecting virus infected spam 
zombies. I think it's 100% accurate and catches them on the first 
try. Here


You think it's 100% accurate? What about the systems that have been 
cleaned up?



The data lives for 3 days. If someone is on a dynamic IP then it could 
also be wrong. It's a list of IP addresses that were infected at the 
time the virus tried to spam me.


With a list like this if ISPs were to download it and send out notices 
to their customers they could clean up a lot of viruses.


We'd need a time stamp of when it happened.  All of our IP's in the list 
(5 or 6) belong to DSL or dialup clients.  I have no idea which users 
they are since I don't know when your system detected them.


Regards,

Rick



Re: List of 600,000 IP addresses of virus infected computers

2007-09-10 Thread Michael Parker
The users list is not really an appropriate place to advertise your
spam/virus filtering business.

Please do not feed the trolls.


Thanks
Michael


Re: List of 600,000 IP addresses of virus infected computers

2007-09-10 Thread Marc Perkel



Duane Hill wrote:

On Mon, 10 Sep 2007 at 10:26 -0700, [EMAIL PROTECTED] confabulated:

I've developed an extremely accurate way of detecting virus infected spam 
zombies. I think it's 100% accurate and catches them on the first 
try. Here


You think it's 100% accurate? What about the systems that have been 
cleaned up?



The data lives for 3 days. If someone is on a dynamic IP then it could 
also be wrong. It's a list of IP addresses that were infected at the 
time the virus tried to spam me.


With a list like this if ISPs were to download it and send out notices 
to their customers they could clean up a lot of viruses.


Re: List of 600,000 IP addresses of virus infected computers

2007-09-10 Thread Duane Hill

On Mon, 10 Sep 2007 at 10:26 -0700, [EMAIL PROTECTED] confabulated:

I've developed an extremely accurate way of detecting virus infected spam 
zombies. I think it's 100% accurate and catches them on the first try. Here


You think it's 100% accurate? What about the systems that have been 
cleaned up?



are 600,000 IP addresses I've detected in the last 3 days.

Enjoy

http://iplist.junkemailfilter.com/virus.txt

