Reputation Lookup for IPs 143
xzap writes "ZDNet is running an article about TrustedSource.org which is a new portal that provides reputation information for IP addresses. It can be used to configure your spam filters or when deciding whether to add an unknown host to your blacklist. Dmitri Alperovitch, a research engineer at CipherTrust said "Often companies don't realize that they have zombie machines on their network that have been sending e-mail. It may be more helpful for organizations to identify which systems on their networks are sending e-mail." Users can drill down to find more information on each domain. The portal is an initiative of CipherTrust who have previously been covered on Slashdot."
Great Idea (Score:2, Funny)
Re:Great Idea (Score:3, Insightful)
I don't get it....if a system admin is active enough to look at this page and cross reference with his/her network. Do you think it's likely that it's the same people who actually are also active enough to carefully monitor their traffic to notice a spam bot?
of course this page would be more useful especially for everybody else... but at first glance at the summary I started to scratch my head and wonder why exactly somebody would make this.
Re:Great Idea (Score:3, Interesting)
Add to that admins who lease IP addresses for servers. You really don't need the IP address on your new dedicated server to have been recently held by a spam group.
__
Funny video clips for adults [laughdaily.com]
So ... (Score:2)
look it up before you accept it.
Appalling idea, what about TOR? (Score:4, Insightful)
http://proxy.org/tor.shtml [proxy.org]
Some people are bound to abuse TOR by simply being dickheads over it, comment spamming, flaming, trolling, etc.
But the benefits of a system that protects your right to free speech totally outweighs the negative.
If those dickheads negatively tarnish the Tor servers such that they become less valuable due to being second class citizens on the internet... then it is a really really bad idea.
Protect firstly that which you have, then see what you need to do to stop spammers, dickheads in general, etc.
Re:Appalling idea, what about TOR? (Score:1)
Re:Great Idea (Score:1, Funny)
Politrons (Score:2)
Re:Great Idea (Score:3, Informative)
My university is blocking me from checking my email on the engineering network. Why? Because in february someone living in this dorm tried to log in as root. Now, after a new semester has started, *I'm* getting blocked, becuase I now have that IP. Why do people never clean out these lists?
Re:Great Idea (Score:2)
Re:Great Idea (Score:2)
It's interesting to me that license plate numbers are publically visible but publishing this data in any way would probably be illegal.
Re:Great Idea (Score:2)
Welcome to the brave new world of... (Score:1, Funny)
Yeah, but do they have... (Score:3, Interesting)
Not that impressed (Score:5, Interesting)
Re:Not that impressed (Score:1)
Re:Not that impressed (Score:5, Funny)
I haven't found an IP yet that tests at less than 'Raised Concern'. Seems that 'Raised Concern' is to TrustedSource as 'Elevated' is to the Department of Homeland Security...
Re:Not that impressed (Score:2)
Re:Not that impressed (Score:2)
Re:Not that impressed (Score:2, Funny)
Re:Not that impressed (Score:2)
Re:Not that impressed (Score:3, Informative)
Re:Not that impressed (Score:1)
Re:Not that impressed (Score:1)
Re:Not that impressed (Score:5, Interesting)
Re:Not that impressed (Score:2)
Silly. One of the many reasons alot of people are going to URIBLs.
In summary- Just another RBL that no one can use because they block to much legitimate traffic.
"raised concern" (Score:2)
"raised concern" is a perfectly reasonable rating.
Established email servers are not usually used to sent UCE, a result of RBL's is that most are now secure.
Most UCE is sent from zombies and these are typically unknown as email servers.
Therefore the default status of an email server that is unknown to TrustedSource can reasonable be expected to be "raised concern".
What are they selling? (Score:2)
I agree, and while there are probably many legitimate mail servers still unknown to TrustedSource, a "raised concern" for this reason alone should not be enough to reject mail from that source. Maybe if a number of other tests simultaneously flash yellow warning lights, the fact that the IP address has no history of past mail may be enough to trigger a rejection.
My problem with the TrustedSource site, however, is that they don't seem to provide any documentation explaining how their ratings are calculated,
Re:Not that impressed (Score:2)
Reasonable discrimination (Score:2)
Sure it can get worse; it may eventually be impossible for you to do anything at all, regardless of your willingness to jump through hoops, as long as you share subnet with those kiddies (or whatever issue people have with your IP address). If I were in your situation, I'd be gratefu
Re:Reasonable discrimination (Score:2)
Well, it is slightly complicated by the fact that there is a duopoly on broadband in my area, so technically I cannot switch ISPs without moving as well (the other ISP just can't offer a package that I'm interested in). That of course is really just another downfall of my already poor situation and speaks nothing to your arguement: your point is very well made. I'm basically SOL. I can attempt to contact my ISP, but there is a very low chance that they will actually do anything about it. (Somewhat simila
Re:Reasonable discrimination (Score:2)
I appreciate that we agree on where to place the blame here. That said, I don't see why even a broadband provider lock-in would be too difficult to circumvent. Couldn't you get a Unix account with some other ISP, and route your traffic through a proxy on their network? After all, this is what spammers do to work around various blacklists, except that they steal such services instead of paying for them.
I don't know whether there are proxy configurations suitable for this task already, but I see no reason wh
huh? (Score:2)
It may be more helpful for organizations to identify which systems on their networks are sending e-mail.
If an organization wakes up to this problem, why would it not simply block port 25 outgoing except to its mailservers?
Nice idea (Score:5, Interesting)
Hopefully CipherTrust will have a look at (for example) things Google has done with pagerank, and be able to address a problem that is significantly tied in with the problem it is trying to help with.
Re:Nice idea (Score:1)
Hmm... (Score:5, Informative)
Makes you wonder. If nothing ever came from this IP, then shouldn't it be "unsuspicious" or something like that (or at least "unknown")?
That being said, I wouldn't really trust a company, whose prime motivation is to make money, with things like this anyway. There's already DShield [dshield.org], which is a community effort, so what do we need this for?
Re:Hmm... (Score:1)
Simple: any IP address that looks itself up is suspicious. YOU COULD BE A TERRORIST! Sorry, wrong meme. YOU COULD BE A SPAMMER checking his IP before spamming!
BS (Business Solutions) (Score:2)
Do we need either? Are there anyone out there who actually uses this stuff for serious purposes?
Re:Hmm... (Score:2)
I have to disagree. If an address has never sent mail before, it is slightly suspicious for it to start sending mail. It'll either turn out to be a spam zombie (resulting in a decreasing reputation), or it'll turn out to be a new, legitimate mail server (resulting in an increasing reputation).
I think the way the current spam situation is, a previously unseen IP addr
Re:Hmm... (Score:1)
Block them at the routers (Score:4, Insightful)
Please, no outgoing SMTP server! (Score:3, Interesting)
Hmm, I don't like that idea. It basically forces you to send your mail through an SMTP server on the same network. Most machines I use use the sendmail command, which, AFAIK, connects directly to the MX for the receiving domains. I like this behavior, because (1) it doesn't put unnecessary load on any outgoing SMTP server, (2) doesn't have
Re:Please, no outgoing SMTP server! (Score:5, Interesting)
(0) Depends on how your boxes are configured. Once you have a smarthost, configing sendmail/postfix/whatever to use it is trivial.
(1) The incremental load of an email message is trivial. If you're smarhost is overloaded... beef it up - this is like any other capacity issue.
(2) Mail is robust. (spam is causing people to break some of the things that make is robust, but it is still pretty good.) Having a failover/backup MX host/backup smarthost is easy enough that organizations who do enough volume for it to matter should have a plan for that. Hell, my company does less than 1000 outgoing messages a day, and we do.
(3) Possibly legitimate, probably futile. If someone wants to read your mail and you're on their network, use PGP, or you're doomed. Transparent proxies are only the easiest way to grab it. Personally, I'm a big fan of companies/orgs running their own SMTP servers, and using them. Every-box-sends, especially today, is a real issue, and the win of not configuring sendmail to use a smarthost is balanced by the fact that if you want to get through spam filters, you need to configure DNS for every machine, and monitor them to make sure they're not doing something bad. Choose your poison.
I don't like taking this to the extreme that some seem to favor, requiring everyone to use the ISP's smarthost. That does become a real chokepoint where potential monitoring takes on a different tone, where I can't control the TLS, incoming authentication or spam filtering, and where someone else's actions can stop my mail delivery. But for companies, one (or sometimes more) outbound SMTP server(s) per site makes a lot of sense.
Again, a personal anecdote - If we didn't do it this way, it probably would have taken me much longer to realize the Windows installation I built under VMware a while back had been zombified before I could patch it. As it happened, while it was patching, I checked my mail and my firewall was screaming about it trying to send mail (and connect to IRC, but that's not the question at hand.)
I realize not everyone has the skill or takes the time to run a tight network, but mail isn't hard for the vast majority of sites to get right - there's almost nothing to it these days.
I'd say to use a smart host. (Score:2)
Your regular mail server goes in your secure network.
You block all outgoing smtp connections from your secure network, except those going from your regular mail server to your smart host.
Any machine sending email from your secure network is configured to use your regular mail server as a smart host. This will prevent all but the most intelligent of viruses from spamming from your machines.
It also allows you to have different levels of filters on your boxes. Anything that's in
Re:Please, no outgoing SMTP server! (Score:2)
I rather do.
I have all my servers sendmail (or rather Postfix) installations to relay through the server we use as a mail server (also using Postfix). It greatly simplifies administration - each server has a very simple Postfix
Re:Block them at the routers (Score:2)
Most large corporations use Exchange, Groupwise, or Notes Servers. The network admins most likley don't even think of bothering to block port 25 because they don't use SMTP.
Out of sight. Out of mind.
The big slashdot question...pr0n? (Score:1)
Dynamic ip address.. (Score:3, Insightful)
Re:Dynamic ip address.. (Score:3, Insightful)
The way I understand it, that's exactly why this is a good system. When spam is received from an IP, it isn't outright blocked, just it's reputation is worsened. When good mail is received, the reputation is improved. If a network has many spam zombies on it which keep changing IPs, all these IPs will get a bad reputation, resulting in the network as a whole having a bad reputation. A network with few or no spam zombies on it will have a good reputatio
Re:Dynamic ip address.. (Score:1)
Simple economic forces. (Score:2)
Nope the ISP should police its own network proffessionally.
If they fail to do so the responsible customers should move to a more responsible ISP.
Re:Simple economic forces. (Score:2)
Exactly (Score:2)
So they gain the reputation they deserve, a poor one.
The "simple economic forces" that you wish for
Strawman tilting at windmills.
consumers typically do not make ideal decisions,
Which is why a reputation based system is so much better. It simple enough for any moron^Wconsumer to understand.
and therefore cannot police themselves
The responsible netizens that do police themselves get a reputation they deserve, a good one.
Re:Dynamic ip address.. (Score:1)
Some ISPs even charge you EXTRA to get a static address.
This isn't even a troll, the idiots that thought this up should be repeatedly kicked in the groin.
A similar email validation site (Score:5, Informative)
BFD (Score:1, Offtopic)
Well... (Score:2, Insightful)
Being from a country that is considered a hotspot for spam, I naturally appreciate any effort to eradicate spam, BUT blacklists take things too far. They don't seem very effective and only serve to irritate and inconvenience people who have done nothing wrong and are using their IPs for only legitimate purposes.
This especially effects smaller ISPs and hosting providers, who get slammed despite in al ot of cases being able to prove that no spam was originating from their network and that htey have secure s
Re:Well... (Score:2)
Re:Well... (Score:1)
There are tons of things wrong with it, unfortunately. The main things wrong with it being the budget problem (something to the tune of $2-billion dollars over budget), the fact that it doesn't look like it will ever stop draining resources, and the fact that the Royal Canadian Mounted Police have admitted that it is still impossible to track where weapons used for crimes came from (that is, whether they were smuggled in from the US or whether they wer
Don't use IP addresses... (Score:2, Insightful)
There may be billions of IP addresses, but not that many ASes.
I started to write a spamassassin plugin that would track the spamminess of email by AS - haven't finished yet.
Re:Don't use IP addresses... (Score:2)
IPv4 # is 32 bits.
IPV6 # is 128 bits.
There is an AS# based DNSBL available.
Reputation for 207.51.38.1 (Score:3, Funny)
Reassignment? (Score:2)
All we need now - less dummies at rr.com (Score:1)
Fun facts (Score:3, Interesting)
Some of their data is bogus (Score:4, Interesting)
Of course, those are not valid unicast IP addresses.
On the other hand, 192.168.10.12 is "inoffensive". Phew!
Re:Some of their data is bogus (Score:2)
(low) Blue/Purple/Red......... Orange
Not sure why exactly you'd want 3 color changes for the low end of the scale, but only 1 long drawn out color change for the high end.
Re:Some of their data is bogus (Score:1)
Re:Some of their data is bogus (Score:2)
That would be because spammers ARE spoofing those IP addresses to send mail
Uh.... I don't think so. None of the examples I gave (255.255.255.255, 224.1.2.3 or 192.168.10.12) is a public unicast IP address.
Now if you can document a case of a spammer successfully completing an SMTP session from one of those addresses, I'd be mighty impressed.
Will Google use this information? (Score:1)
Is there a system for removing an IP address from the list?
What happens if you are on a server with a dodgy site, but you share the IP address?
Ironport? (Score:4, Informative)
Re:Ironport? (Score:1)
IronMail.. IronPort.. funny. Sounds like CipherTrust needs some original ideas. I'm surprised they didn't call this new service "SenderSource".
(that domain will be registered by 4PM, watch)
Re:Ironport? (Score:2)
That was exactly my point. Ciphertrust is not doing anything new or original. I'ts just a ripoff of Senderbase.
Re:Ironport? (Score:1)
Proof -
Ciphertrust earliest press release Sept 2001 - mentions IronMail - http://www.ciphertrust.com/company/press_and_event s/article.php?id=0000137 [ciphertrust.com]
Ironport earliest press release in June 2002 that mentions IronPort
http://www.ironport.com/pdf/ironport_2002-06-25b.p df [ironport.com]
Re:Ironport? (Score:3, Insightful)
Ironport is a fine company that makes a GREAT product.
Senderbase is *not* pay to play (prove to me otherwise), and it's widely used by their C-series appliances.
And it characterizes a lot more than just quantity of mail; there are other factors that go into an SBRS (Senderbase Reputation Score) as well.
Here's proof (Score:1)
And send unlimited messages without fear of being blocked for only $10k a year! (Remember from past Slashdot stories that spammers make millions and can easily afford this).
They have a special pricing for "Bulk" senders. "Legitimate commercial senders can apply today."
http://www.bondedsender.com/fees.html [bondedsender.com]
Other uses. (Score:1)
I found an IP which was rated as SPAM .. (Score:1)
255.255.255.255
First seen: 2005-07-29
Country: UNITED STATES
The nature of IP's (Score:2)
That having been said, I really don't know of a bett
How do they collect that data? (Score:1)
My domain and IPs are listed as "Inoffensive", but it does show an increase of mail volume in one of my IPs, and the decrease on another yesterday (I've changed my sendmail outgoing IP; it was using the wrong eth0 aliases).
I know I'm not sending emails to 'spam trap' addresses (we do not send unsolicited mail), my linux server is not an open relay nor a zombie, and I block outgoing smtp coming from the intranet (so there couldn't be a windows
Re:How do they collect that data? (Score:2)
Somebody on that linux-driven network got zombied.
Re:How do they collect that data? (Score:1)
>Somebody on that linux-driven network got zombied.
Not all spam comes from zombies. If the ISP is spam-tolerant, you may just have their subscribers sending spam.
Also, just because of the name of the ISP, I suppose it doesn't mean all their subscribers run linux, so you could have zombies there too.
Finally, I did not imply linux cannot be zombied, but if my smtp server is a zombie, it's a very lazy one, or I'm also rooted, because tethereal showed about 200 outgoing smtp connections yesterd
At least the page confirms domain keys are ~useful (Score:2)
It also shows a nice, test key when inspecting the spf records for such high quality domains...
http://www.trustedsource.org/dkim.php [trustedsource.org]
How can you not know? (Score:2)
Well, you could sign up with some sort of reputation service. Or you could just start with those machines which are spewing port 25 all day, every day. Those are either zombies or people with a LOT of friends.
Interesting stats on trusted source site (Score:2)
Any net vigilanties out there want to "infect" these machines with patches?
ISP Active Hosts Yesterday
yahoo.com 4110
comcast.net 4017
hotmail.com 1567
aol.com 358
rr.com 5256
http://www.trustedsource.org/
hahah (Score:1)
Current reputation: Spam First seen: 2005-08-03
This is the last straw; the "IANA" postmaster is getting a letter from me. I've been having a problem with another one of their IPs as well (127.0.0.1).
tried it. don't like it. (Score:2)
Re:tried it. don't like it. (Score:2)
In general I think any blacklisting method is not useful because the possession of those IP addresses is either questionable for 0wn3rship reasons or for t
Could be helpful - but isn't (Score:1)
1. My daily average message volume is represented by a single shaded envelope icon (out of a possible 10). I can't find anything that translates this to an actual number of emails sent.
2. Yesterday my average volume was up 1,400%! Sounds serious. What does this mean? Well, I can't tell. Again it shows a single shaded envelope icon, with no hint of what this actually means.
3. Even more worrisome, t
Re:Could be helpful - but isn't (Score:2)
more info at senderbase (Score:2)
Senderbase [senderbase.org] has been providing this information for quite some time. Senderbase gives numerical scores for e-mail volume and makes it easy to see when an address or domain is on spam blacklists.
Folks with an IronPort e-mail security appliance are granted access to the actual reputation sco
Raised Concern (Score:2)
Re:Raised Concern (Score:1)
Take 200.155.79.253 (my usual home (dynamic) IP address).
First Seen: Never
Daily avg: nil
Yesterday: nil
Not on any blacklist
Current reputation: Raised Concern ??
I'd agree with "Suspicious", for being in a dynamic broadband range, but "Raised Concern"?
What about IP spoofing and reputation? (Score:2)
discrimination (Score:2)
Zombies (Score:1)
Re:WHAT (Score:4, Insightful)
The hurricane is horrible, for sure. It is very tragic that so many people are losing so much. I would pray for them. However, slashdot is NOT the place to discuss a hurricane.
Slashdot is technology news, not general news. If you want to submit a story about the hurricane, and it gets posted, I would gladly "get some priorities" and discuss that instead. Until then, such a discussion is flagrantly off topic.
Just because there's a disaster doesn't mean the rest of the world stands still. Life goes on, and hopefully gets better.
News for Nerds is news for nerds, not news for the south.
Re:WHAT (Score:1)
It would seem that Cliff [mailto] has a different opinion [slashdot.org] than you on this topic...
Re:WHAT (Score:2)
(b) It wasn't the worst hurricane in history, or even the history of the U.S.
(c) This is a tech news site
Also, let me twist this around on you, Mr. Concerned. "What the hell is wrong with you? 1000 people died in a stampede in Iraq today, and you want to talk about a hurricane that killed a few hundred people? GET SOME PRIORITIES!"
Re:whois (Score:2)