On 08/07/2014 07:28 PM, Philip Prindeville wrote:

On Aug 7, 2014, at 11:14 AM, Axb <axb.li...@gmail.com> wrote:

On 08/07/2014 07:06 PM, Philip Prindeville wrote:

On Aug 7, 2014, at 11:00 AM, Axb <axb.li...@gmail.com> wrote:

On 08/07/2014 06:55 PM, Philip Prindeville wrote:

On Aug 6, 2014, at 11:20 PM, Axb <axb.li...@gmail.com> wrote:

On 08/07/2014 07:01 AM, Philip Prindeville wrote:

On Aug 6, 2014, at 1:23 PM, Paul Stead <paul.st...@zeninternet.co.uk> wrote:


On 06/08/14 20:00, John Hardin wrote:
Can some fresh samples be posted to pastebin?

http://pastebin.com/yHiT2s3t
http://pastebin.com/DpxpJhtA
http://pastebin.com/DYx1ap31

:)


Uh… the hostname in all of these URLs always resolves to
98.124.199.1.

I just use:

uri_block_cidr L_BLOCK_CIDR     98.124.199.1
body L_BLOCK_CIDR               eval:check_uri_local_bl()
describe L_BLOCK_CIDR           Block URI's pointing to bad CIDR's
score L_BLOCK_CIDR              7.5

and this nails it.  See:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060



Suggesting to list any IP in the 98.124.192.0/18 net with a score of 7 is not very wise advice.


I’m listing a /32.  Where do you get a /18 prefix?

listing *anything* in that /18 will hit a zillion of legit
sites... including your /32

For a man and his dog setup it may be ok, but I wouldn't advise
ppl to do this without a *warning*


What is your basis for saying this?  This example filters a
SINGLE (/32) IP.

that single IP has way more than 10k domains hosted on it (my
passive DNS query is limited to 10k) and there's a huge number of
legitimate ones.


Okay, I thought you were saying that the posted configuration would
block the entire CIDR range.  It won’t.

So they have a lot of VirtualHost definitions: a couple of comments
on that.

(1) putting that many domains on a single host is just begging for
that host to have a catastrophic failure (as opposed to putting that
many domains on a local (re)director which serves as a proxy, a la
mod_proxy_html mode…)

(2) it further means that if the host is compromised, then all the
domains on that host are compromised.

(3) if that IP is being blocked for whatever reason, then that will
motivate the other users on that same host to either pressure eNom to
flush that bad actor ASAP, or they will move to another host…
possibly with another provider.

This is a reckless practice, and eNom will likely suffer consequences
when their users start to catch on to all of the ill effects of it,
some of which I listed above.

No one wants their business reputation being sullied by association
with phishers, spammers, and hacked websites…

your theories are all nicely idealistic, the real world is not so friendly... Follow domain activity on DailyChanges and after many nights of playing Sherlock you'll get the feeling of what's going on between the real world, snowshoers, domainers and cheap registrars.
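Added illustration of the point argued in this thread (not code from the thread, nor SpamAssassin's URILocalBL plugin): a small Python model of what a uri_block_cidr rule does, with a stubbed DNS table instead of real resolution. The hostnames in FAKE_DNS are constructed for the example; the address 98.124.199.1 and the /18 are the ones discussed above. It shows that a /32 entry matches only that one address, that the /32 sits inside 98.124.192.0/18, and why Axb's warning holds: any legitimate domain sharing that host's address hits the same rule and the same 7.5 score.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS (hostname -> A record). A real implementation
# would resolve through a resolver; these names are made up for this example.
FAKE_DNS: Dict[str, str] = {
    "badphish.example": "98.124.199.1",    # the site a blocklist entry is aimed at
    "legit-shop.example": "98.124.199.1",  # a legitimate site on the same shared host
    "unrelated.example": "203.0.113.10",   # documentation-range address, not listed
}

# Simple http(s) URI host extractor; enough for the demonstration.
URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_hosts(body: str) -> List[str]:
    """Return the hostnames of all http(s) URIs found in a message body."""
    return [m.group(1).lower() for m in URI_RE.finditer(body)]


def resolve(host: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """Look a hostname up in the constructed DNS table (None if unknown)."""
    return dns.get(host)


def check_uri_local_bl(body: str, blocked: List[str],
                       dns: Dict[str, str] = FAKE_DNS) -> List[Tuple[str, str, str]]:
    """Model of a uri_block_cidr check: flag every URI host in the body whose
    resolved address falls inside one of the listed CIDRs.
    Returns (host, ip, matching_network) for each hit."""
    # strict=False lets a bare address such as "98.124.199.1" become a /32.
    nets = [ipaddress.ip_network(c, strict=False) for c in blocked]
    hits: List[Tuple[str, str, str]] = []
    for host in extract_hosts(body):
        ip = resolve(host, dns)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                hits.append((host, ip, str(net)))
                break
    return hits


def hosts_sharing_address(ip: str, dns: Dict[str, str] = FAKE_DNS) -> List[str]:
    """Every hostname in the table that resolves to the given address, i.e. the
    collateral a /32 listing of that address would also catch."""
    return sorted(h for h, a in dns.items() if a == ip)


def score_for(hits: List[Tuple[str, str, str]], rule_score: float = 7.5) -> float:
    """The rule fires once per message regardless of how many URIs matched."""
    return rule_score if hits else 0.0


# Constructed sample messages.
SPAM_BODY = "Your account is locked, click http://badphish.example/login now"
LEGIT_BODY = ("Thanks for your order: https://legit-shop.example/orders/42 "
              "and see http://unrelated.example/ for shipping")

if __name__ == "__main__":
    rule = ["98.124.199.1"]  # the /32 from the thread
    print("spam  :", check_uri_local_bl(SPAM_BODY, rule), score_for(check_uri_local_bl(SPAM_BODY, rule)))
    print("legit :", check_uri_local_bl(LEGIT_BODY, rule), score_for(check_uri_local_bl(LEGIT_BODY, rule)))
    print("shared:", hosts_sharing_address("98.124.199.1"))
    print("/32 inside /18:",
          ipaddress.ip_address("98.124.199.1") in ipaddress.ip_network("98.124.192.0/18"))
```

Running it shows the phishing message scoring 7.5 as intended, but the legitimate order confirmation scoring the same 7.5, because legit-shop.example resolves to the listed address too; hosts_sharing_address lists both names. That is the trade-off the thread is about: a /32 is far narrower than the /18 it lives in, yet on a host carrying thousands of virtual hosts it still blocks every one of them.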