Hi,

> (2) the fact that the IP is in reverse order.

How do you then enter ranges? For example, one of the rbldnsd zone
examples I've seen has entries such as:

1.168.160.0-255

That does not look to be in reverse order, as the host octet is still last.

> foo.example.com:127.0.0.2:Blocked System
>
> in my experience, I haven't been able to get this to work unless I put a
> space just before the first colon, as follows
>
> foo.example.com :127.0.0.2:Blocked System

That was my exact problem that caused me to write this post. It was
frustrating that ip4set worked fine, but dnset always failed because
of that.

> But sometimes you don't need that and can simply use just the domain or IP
> on each line, since much of that can be accomplished with a single line
> at/near the top of the file, such as this one that I use for the invaluement
> URI list:
>
> :127.0.0.2:Blocked by ivmURI - see http://www.invaluement.com/lookup/?item=$

Yes, this is what I've settled on for now.

> of course, the most difficult part is not collecting spammy IPs and
> domains... that part is easy. The most difficult part is knowing when NOT to
> blacklist a domain--which would be a decoy domain found in a spam, that
> wasn't the actual "payload" for the spam and is instead an innocent
> bystander's domain -- and/or generally keeping FPs super low. THAT is the
> hard part.

Yeah, absolutely. That's a large part of what's been delaying my
progress with my honeypots. It's still in progress, but one thing I've
been doing is checking my entries against existing whitelists, and
other ways such as seeing how long they've been around, etc.

> But try this and blacklist:
>
> .blogspot.com
>
> ...and trigger massive FPs... when you should have listed:
>
> .somehorrificspammerfromhell.blogspot.com

Yes, exactly. I've just been doing specific hostnames.

I appreciate that this is slightly off-topic, but it's an extension of
SA. Thanks so much for your help. Your service is great, btw.

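As an added example, not code from this thread or from rbldnsd itself, here is a small Python model of the two zone conventions discussed above, so the behaviour of the quoted lines can be checked offline. It assumes the entry shape `key[:A[:TXT]]`, that a line with an empty key (starting with `:`) sets the default A/TXT for the entries after it, that `$` in a TXT is expanded to the queried item, that `name` in a dnset lists only that exact name while `.name` lists it and every subdomain, and that `a.b.c.d-e` in an ip4set is a range over the last octet; the default A of 127.0.0.2 and the sample zone text are assumptions too. It also shows where the octet reversal belongs for an ip4set: the zone entries are written in natural order, and it is the DNS query name a client sends that is reversed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

DEFAULT_A = "127.0.0.2"  # assumption: the usual "listed" answer of a DNSBL


@dataclass(frozen=True)
class Listing:
    a: str    # A record answered for a hit
    txt: str  # TXT answered for a hit; "$" stands for the queried item


def _render(listing: Listing, item: str) -> Listing:
    """Expand "$" in the TXT template to the item that was looked up."""
    return Listing(listing.a, listing.txt.replace("$", item))


def _entries(zone_text: str) -> Iterator[Tuple[str, Listing]]:
    """Yield (key, Listing) per data line, applying the running ":A:TXT" defaults.

    Assumed line shape: key[:A[:TXT]]. An empty key (line starts with ":",
    possibly after whitespace) only changes the defaults. Whitespace around the
    key is ignored, so "foo.example.com:..." and "foo.example.com :..." parse alike.
    """
    default = Listing(DEFAULT_A, "")
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # split at most twice: the TXT part may itself contain ":" (a URL, say)
        key, *fields = [p.strip() for p in line.split(":", 2)]
        listing = Listing(
            fields[0] if len(fields) > 0 and fields[0] else default.a,
            fields[1] if len(fields) > 1 and fields[1] else default.txt,
        )
        if key == "":
            default = listing
        else:
            yield key, listing


class Dnset:
    """Domain-name set: "name" lists that exact name, ".name" lists name and all subdomains."""

    def __init__(self, zone_text: str) -> None:
        self.exact: Dict[str, Listing] = {}
        self.subtree: Dict[str, Listing] = {}
        for key, listing in _entries(zone_text):
            if key.startswith("."):
                self.subtree[key[1:].lower()] = listing
            else:
                self.exact[key.lower()] = listing

    def lookup(self, name: str) -> Optional[Listing]:
        name = name.lower().rstrip(".")
        if name in self.exact:
            return _render(self.exact[name], name)
        labels = name.split(".")
        for i in range(len(labels)):  # the name itself, then each parent domain
            hit = self.subtree.get(".".join(labels[i:]))
            if hit is not None:
                return _render(hit, name)
        return None


def _ip_range(key: str) -> Tuple[int, int]:
    """"a.b.c.d" -> one host; "a.b.c.d-e" -> a.b.c.d .. a.b.c.e (assumption: last octet only)."""
    start, sep, end = key.partition("-")
    lo = int(ipaddress.IPv4Address(start))
    if not sep:
        return lo, lo
    last = int(end)
    if not 0 <= last <= 255:
        raise ValueError(f"bad range end in {key!r}")
    hi = (lo & ~0xFF) | last
    if hi < lo:
        raise ValueError(f"range runs backwards in {key!r}")
    return lo, hi


class Ip4set:
    """IPv4 set: entries are written in natural order, never reversed."""

    def __init__(self, zone_text: str) -> None:
        self.ranges: List[Tuple[int, int, Listing]] = [
            (*_ip_range(key), listing) for key, listing in _entries(zone_text)
        ]

    def lookup(self, ip: str) -> Optional[Listing]:
        n = int(ipaddress.IPv4Address(ip))
        for lo, hi, listing in self.ranges:
            if lo <= n <= hi:
                return _render(listing, ip)
        return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """The name a DNSBL client actually queries: octets reversed, zone appended."""
    ipaddress.IPv4Address(ip)  # validate before reversing
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed sample zones, modelled on the lines quoted in the thread.
DNSET_ZONE = """\
:127.0.0.2:Blocked by ivmURI - see http://www.invaluement.com/lookup/?item=$
foo.example.com:127.0.0.2:Blocked System
.somehorrificspammerfromhell.blogspot.com
"""
IP4SET_ZONE = """\
:127.0.0.2:Blocked System $
1.168.160.0-255
192.0.2.7
"""

if __name__ == "__main__":
    dn, ip4 = Dnset(DNSET_ZONE), Ip4set(IP4SET_ZONE)
    print(dn.lookup("www.somehorrificspammerfromhell.blogspot.com"))
    print(dn.lookup("innocent.blogspot.com"))  # None: only the one subtree is listed
    print(Dnset(".blogspot.com\n").lookup("innocent.blogspot.com"))  # the FP case
    print(ip4.lookup("1.168.160.200"), dnsbl_query_name("1.168.160.200", "bl.example"))
```

Running the script shows the false-positive trap from the thread directly: a zone containing `.blogspot.com` answers for `innocent.blogspot.com`, while the sample zone that lists only `.somehorrificspammerfromhell.blogspot.com` does not.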