Message Board

http:BL Use/Development

Older Posts ]   [ Newer Posts ]
 netfilter / iptables / linux / gateway / appliance
Author: M.Marrotte   (6 Sep 07 8:20am)
Has anyone considered implementing http:BL at the Linux kernel level, e.g. using netfilter iptables and packet filtering? I think this could be an interesting project and be expanded into full-blown http:BL gateways and a new breed of anti-spam (comment & harvester) appliances...

Any thoughts?
 
 Re: netfilter / iptables / linux / gateway / appliance
Author: M.Prince   (22 Sep 07 2:22pm)
Not that I really understand what it would entail, but my initial reaction is: That'd be pretty cool!
 
 Re: netfilter / iptables / linux / gateway / appliance - scary!
Author: B.Spade   (24 Sep 07 6:51pm)
So an IP address should be filtered out because the user's computer was once in the past infected with a virus that drafted it into the 'global internet of anonymous proxy servers'? Even though the system has been cleaned/disinfected recently? Even though the infected computer might have belonged to some other user of the ISP and the computer you are banning at the moment is not the one earned the bad mark in the first place?

Seems a little harsh to me. I've found that http:BL provides valuable information which, when combined with other information I collect about the message being posted, produces a 'spammer score' upon which I base my decisions. There are too many false-positives and false negatives from http:BL to use it as the only deciding factor.
 
 Re: netfilter / iptables / linux / gateway / appliance
Author: M.Prince   (25 Sep 07 7:08pm)
That's why we provide information in the responses like the Threat Score and the time since the last activity. I'd recommend that you make decisions weighted based on what those scores are. If the Threat is low or the length of time since last hit is long then I'd let them through, maybe just turning off some features of your site (e.g., hiding email addresses). As the Threat Score goes up, or the length of time since last hit goes down, I'd crank up the consequences. First I'd CAPTCHA a visitor to make them prove their human before being let on. Then, at some level, I'd outright ban them.

If you see false positives where the Threat Score is very high and the length of time since last hit is low, please let us know.

Matthew.
 
 Re: netfilter / iptables / linux / gateway / appliance
Author: B.Spade   (27 Sep 07 3:21am)
OK, one example of a false positive, the threat score isn't terribly high, but high enough for my spamkiller to ask for a second opinion.
The IP address is 196.29.120.255
The http:BL return is 127.12.41.3
Country of origin (from whois -h whois.afrinic.net 196.29.120.70) - Ghana

another:
IP address=41.204.224.25
http:BL score=127.3.49.3 (at the time of posting, Aug 9, 2007)
http:BL score=127.5.47.3(on Aug 11,2007)
Country of origin (from whois -h whois.afrinic.net 41.204.224.25) - Nigeria

My forum is for discussing Spanish soap operas (telenovelas) in languages other than Spanish, there are a few of these telenovelas being aired in Africa now, and it appears that the people who post from there are not very experienced with computers. My guess is that they are all dial-up users, some of them have been infected with viruses that have drafted them into the 'global network of anonymous proxy servers', and as they swap around the addresses as they dial in, the reputation score gets shared.

On the other hand, real spam might score like these:
IP address=209.47.94.52
httpBL score=127.1.78.5
Country of origin (from http://ws.arin.net/cgi-bin/whois.pl) USA

Also, so far this month, we have received 3926 comment spam messages where http:BL helped to catch the spam, and 1978 comment spam messages where http:BL didn't help at all. But then one major class of spam we get comes from IP addresses that have only contributed spam, and another major class of spam comes from IP addresses we have never seen before. And most of the http:BL false negatives are in this second class.
 
 Re: netfilter / iptables / linux / gateway / appliance
Author: M.Marrotte   (4 Oct 07 8:17pm)
Dear M. Prince:

We could probaby build these anti-spam appliances for under a grand and sell them for 3K to 5K. It would probably take about 3 months of full-time effort to get a solid working prototype, but I'm pretty optimistic that it can be done a would be a highly sought after appliance.

Please let me know if you'd be interested in partnering or funding such a project.

Thanks,

Mike M.

marrotte@gmail.com
 
 Re: netfilter / iptables / linux / gateway / appliance
Author: B.Curtis4   (10 Jun 14 2:11pm)
I know this is outdated, but if anyone's interested, I just wrote a bash script that runs in a daily cron and checks any IP that accessed your machine on the previous day via apache or postfix, checks against httpbl and against myip.ms, and blocks using iptables based off thresholds. Happy to distribute. Certainly didn't take 3 months.. Just a few hours.



You may browse the discussion topics, but you must sign in to post. If you do not have an account, you can create one for free.

do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email