From dirk at haun-online.de Thu Jun 7 04:02:21 2007
From: dirk at haun-online.de (Dirk Haun)
Date: Thu, 7 Jun 2007 10:02:21 +0200
Subject: [geeklog-spam] Wikispam blacklist
In-Reply-To: <20070528113017.1080801151@smtp.haun-online.de>
References: <20070522183705.1499132333@smtp.haun-online.de> <20070528113017.1080801151@smtp.haun-online.de>
Message-ID: <20070607080221.797611677@smtp.haun-online.de>

Dirk Haun wrote:

>So, if you want to try this out, you can re-install the old MT-Blacklist
>modules

Looks like I'm the only one using this ;-)

I've bundled the necessary files now and put them up on geeklog.net:

If you already have some MT-Blacklist entries in your database (i.e. if
you're on Geeklog 1.4.0 or older), you may want to get rid of those so
that you can import the spam-merge list instead:

DELETE FROM gl_spamx WHERE name = 'MTBlacklist';

From a technical point of view, this appears to be working nicely and
updates show up in the RDF feed. Can't tell how effective it is, though,
since I had only installed it on geeklog.info where I'm also aggressively
blocking IP addresses. I've installed it on two more sites now and would
like to invite others to do the same so that we can see if it helps us in
any way.

Also, since we're currently "leeching" from the Wiki communities, I was
thinking about how we could be giving back. In a way, isn't this a
light-weight version of Mike's SWOT proposal[1]?

The Python script can import MT-Blacklist-style lists from any number of
URLs, merge them together and provide them as one blacklist. So we could
easily be starting our own list(s) and merge them. We could even use the
Python script to cascade or chain them since the input and output formats
are identical (I would need to roll the shell scripts that currently
produce the RDF feed into the Python script, though).

Thoughts?

bye, Dirk

[1]

-- 
http://spam.tinyweb.net/

From dirk at haun-online.de Thu Jun 21 14:44:02 2007
From: dirk at haun-online.de (Dirk Haun)
Date: Thu, 21 Jun 2007 20:44:02 +0200
Subject: [geeklog-spam] FYI: Russian Business Network - spammers and more
Message-ID: <20070621184402.1773810780@smtp.haun-online.de>

I've seen spam (lots of spam, actually) coming out of the IP ranges
belonging to "Russian Business Network" (now only "RBusiness Network")
before[1]. What I wasn't aware of, though, is that there's a connection
between these guys and the recent hacks of a lot of Italian webservers
that are now serving trojans via an IFrame exploit.

SANS has more information:

In short: You really want to block the IP ranges 81.95.144.0-81.95.147.255
and 81.95.148.0-81.95.151.255 belonging to that outfit.

bye, Dirk

[1]

-- 
http://spam.tinyweb.net/
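
The two ranges named in the 21 June message above, turned into CIDR networks and matched against web server log lines. This is an added example, not part of the original posts or of Geeklog; the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Ranges exactly as given in the message above.
BLOCKED_RANGES = [
    ("81.95.144.0", "81.95.147.255"),
    ("81.95.148.0", "81.95.151.255"),
]

def ranges_to_cidrs(ranges):
    """Convert inclusive first-last ranges to the smallest set of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    # collapse_addresses merges adjacent or overlapping networks.
    return list(ipaddress.collapse_addresses(nets))

def is_blocked(addr, cidrs):
    """True if addr parses as an IP address inside any blocked network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # not an IP address (hostname, "-", garbage): no match
    return any(ip in net for net in cidrs)

def blocked_hits(log_lines, cidrs):
    """Return (client_ip, line) for lines whose first field is a blocked client."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if fields and is_blocked(fields[0], cidrs):
            hits.append((fields[0], line))
    return hits

# Constructed sample lines in common log format; not real traffic.
SAMPLE_LOG = [
    '81.95.146.17 - - [21/Jun/2007:20:40:01 +0200] "POST /comment.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [21/Jun/2007:20:40:05 +0200] "GET /index.php HTTP/1.1" 200 8190',
    '81.95.151.255 - - [21/Jun/2007:20:41:12 +0200] "POST /comment.php HTTP/1.1" 200 498',
    '81.95.152.0 - - [21/Jun/2007:20:41:30 +0200] "GET /index.php HTTP/1.1" 200 8190',
    'unknown - - [21/Jun/2007:20:42:00 +0200] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    cidrs = ranges_to_cidrs(BLOCKED_RANGES)
    print("networks:", [str(n) for n in cidrs])
    for ip, _line in blocked_hits(SAMPLE_LOG, cidrs):
        print("blocked client:", ip)
```

The two ranges are adjacent and aligned, so they collapse to a single network that can be used in a firewall or web server deny rule.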