RubyGarden Spam

David Ross

trans. (T. Onoma) said:
| >>You *can* integrate this into wikis. It's very easy. Okay thanks, 80%
| >>spamming solved.
| >>Most, if not ALL the ips listed in
| >>http://www.istori.com/cgi-bin/wiki?WikiBlackList *ARE* in the RBLs
| >
| >We have been. For months.
| >
| >>Thanks, have a nice day. Problem solved
| >
| >Unfortunately not.
|
| First Rubygarden Spam email
| -----------------------------------------
| The rubygarden wiki has been over-run with spam links.
|
| 220.163.37.233 is one of the offending source IP addresses.
|
| I fixed the home page, and then saw the extent of the crap. Looks like
| many personal pages have been altered.
|
| Those with user pages may want to go check their own page to assist with
| the clean up.
|
| James
|
| -----------------------------------------
|
| -------------------------------------
|
| I've got a list, but it has become obvious that maintaining a list
| manually isn't going to work. I'm tempted to require registration and
| authentication at this point as much as I hate the thought.
|
| Chad
|
|
| -------------------------------------
|
| http://rbls.org/?q=220.163.37.233
|
| You're not reading the email..
|
| Thanks for lying, it's listed since June 2003
|
| No, problem is 80% solved. There are some actual unlogged IPs. Please
| educate yourself in security, you obviously aren't qualified.

Umm... why not try to educate rather than accuse. I for one would certainly
like to know what in the hell you're talking about, but you're not explaining
yourself very well.

T.

:) Well, as you noticed in the past, I have a habit of writing really short
replies that make my emails sound inappropriate.

/me breathes, "Ok let's start"

An RBL is a Realtime Blackhole List. These lists are held on servers which
can be accessed by anyone. All you do is send a query to the server and
it replies with a special response in the format of "127.0.0.<number
code>". One big RBL project is SORBS, located at
http://www.dnsbl.sorbs.net/. The project has a nice selection of servers
to pick from, which are lists for different reasons. I use so many in my
servers because each one has different IPs and strengths. These RBLs are
not just for mail servers; they list different types of abusers. These
RBLs can be used in any type of network application for the use of
blocking those who abuse the internet. The internet is a very insecure place
where anyone could abuse it very much if they have the knowledge. I'm
blessed to have been on computers for over 20 years :) Commodore++

Okay, now to explain the responses you get from the RBL servers:
127.0.0.2 - Open Relay
127.0.0.3 - Open Proxy
127.0.0.4 - Spam Source
127.0.0.5 - Provisional Spam Source Listing block (will be removed if spam stops)
127.0.0.6 - Formmail Spam
127.0.0.7 - Spam Supporter
127.0.0.8 - Spam Supporter (indirect)
127.0.0.9 - End User (non mail system)
127.0.0.10 - Shoot On Sight
127.0.0.11 - Non-RFC Compliant (missing postmaster or abuse)
127.0.0.12 - Does not properly handle 5xx errors
127.0.0.13 - Other Non-RFC Compliant
127.0.0.14 - Compromised System - DDoS
127.0.0.15 - Compromised System - Relay
127.0.0.16 - Compromised System - Autorooter/Scanner
127.0.0.17 - Compromised System - Worm or mass mailing virus
127.0.0.18 - Compromised System - Other virus
127.0.0.127 - Other

These response names differ on RBL servers, but mean the exact same. You
can get more response information on different servers from
http://www.aspnetmime.com/dnsbl.aspx

Here's another type of list and a "howitworks":
http://dsbl.org/howitworks

People can send in form data to specify if the target is bad. I don't
use unconfirmed.dsbl.org. I use list.dsbl.org and
multihop.dsbl.org. The target can be tested by very trustful users,
list.dsbl.org and multihop. These are very reliable servers to check.

These are recognized as good blacklists to use

The IP that did in fact spam RubyGarden @ http://dsbl.org/listing?220.163.37.233

Okay, the evidence where Chad went wrong. The link above is the IP that spammed RubyGarden; the IP is listed in the singlehop (list.) server. Chad either didn't read the email, or he lied. Could be because I thought about it first on the mailing list. Others have used RBLs for network services elsewhere. If those specific BLs were implemented it would eliminate over 80% or more of the spam problem.

By the way, thanks T. for asking. I keep getting ahead of myself thinking everyone has the same knowledge. *My fault*

Thanks for being curious, and have a nice day. I might continue this email if I think of any other important information that might help more understand how to use RBL lists.

David Ross
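
The lookup described in the post above, as an added Ruby example that is not part of the original thread: a DNSBL is queried by reversing the IPv4 octets and appending the list's zone, and only a 127.0.0.x answer counts as a listing. The sample answers, the documentation address 192.0.2.99 and all function names are constructed for illustration; the code table is the one given in the post.

```ruby
require "resolv"
require "ipaddr"

# Last-octet meanings exactly as listed in the post above; other lists assign their own.
DNSBL_CODES = {
  2 => "Open Relay", 3 => "Open Proxy", 4 => "Spam Source",
  5 => "Provisional Spam Source", 6 => "Formmail Spam", 7 => "Spam Supporter",
  8 => "Spam Supporter (indirect)", 9 => "End User (non mail system)",
  10 => "Shoot On Sight", 11 => "Non-RFC Compliant (missing postmaster or abuse)",
  12 => "Does not properly handle 5xx errors", 13 => "Other Non-RFC Compliant",
  14 => "Compromised System - DDoS", 15 => "Compromised System - Relay",
  16 => "Compromised System - Autorooter/Scanner",
  17 => "Compromised System - Worm or mass mailing virus",
  18 => "Compromised System - Other virus", 127 => "Other"
}.freeze

# Live resolver: A records for a name as strings, [] when the name does not exist.
LIVE_LOOKUP = lambda do |name|
  Resolv::DNS.open { |dns| dns.getaddresses(name).map(&:to_s) }
end

# A DNSBL is queried by reversing the IPv4 octets and appending the list's zone.
def dnsbl_query_name(ip, zone)
  addr = IPAddr.new(ip)
  raise ArgumentError, "IPv4 only: #{ip}" unless addr.ipv4?
  "#{addr.to_s.split('.').reverse.join('.')}.#{zone}"
end

# Returns { zone => [reasons] } for every zone that lists the address.
def dnsbl_check(ip, zones, lookup: LIVE_LOOKUP)
  zones.each_with_object({}) do |zone, hits|
    reasons = lookup.call(dnsbl_query_name(ip, zone)).filter_map do |answer|
      a, b, c, code = answer.split(".").map(&:to_i)
      # Only 127.0.0.x counts as a listing; any other answer (for example a
      # wildcarded or parked zone) must not be read as "listed".
      next unless [a, b, c] == [127, 0, 0]
      DNSBL_CODES.fetch(code, "Listed (unrecognised code #{code})")
    end
    hits[zone] = reasons unless reasons.empty?
  end
end

# Constructed answers for a documentation address; no network is used here.
SAMPLE_ANSWERS = {
  "99.2.0.192.list.dsbl.org" => ["127.0.0.3"],
  "99.2.0.192.dnsbl.sorbs.net" => ["127.0.0.4", "127.0.0.14"],
  "99.2.0.192.multihop.dsbl.org" => ["203.0.113.7"] # not a 127.0.0.x answer
}.freeze
SAMPLE_LOOKUP = ->(name) { SAMPLE_ANSWERS.fetch(name, []) }
```

Passing `lookup: SAMPLE_LOOKUP` keeps the check offline; leaving the argument out uses the system resolver.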
 
Curt Hibbs

There's a lot of good information in your response. Thanks for taking the
time to write it up. There was quite a bit here that I didn't know.

Curt

 
trans. (T. Onoma)

On Monday 25 October 2004 10:56 pm, David Ross wrote:
| By the way, thanks T. for asking. I keep getting ahead of myself thinking
| everyone has the same knowledge. *My fault*
|
| Thanks for being curious, and have a nice day. I might continue this email
| if I think of any other important information that might help more
| understand how to use RBL lists.

Thank you, David. That's a big help.

So Chad, might there be a bug in your RBL "implementation"? (I believe that's
what David is getting at).

T.
 
David Ross

Chad doesn't have a DSBL or RBL, he has a BL he keeps manually. I think
he just didn't take the time to read my email clearly. In the past
email for Rubygarden he said he keeps a list manually. I know exactly
what he meant by answering the email the way he did, aka "he had no
idea what I was talking about until I sent that decent explanation
email." His implementation is a manual blacklist; it doesn't query
servers at all.

Chad: "ok reality check. Your manual BL isn't a RBL nor a DSBL."

David Ross
 
David Ross

Okay, one way to bundle RBL support with another way to get rid of any
obfuscation is to use the Blitzed software for BOPM located at
http://wiki.blitzed.org/BOPM . This software also has DNSBL support.
Someone would have to modify it, if it's not already implemented, to hook
into the Wiki works. The scanner is easy to install; not sure how easy
it would be to integrate. Depends on the programmer. The setup files are
easy. Freenode uses this scanner. Here's a snip of their blacklist for
an example.

<begin snip>
protocol = HTTP:00080;
protocol = HTTP:00081;
...
protocol = SOCKS4:01027;
protocol = SOCKS4:01028;
...
<end snip>

Of course this file is *much* larger, but the point is that it does work
very well at blocking people who are using exploited hosts. This would
eliminate the other portion of the people who are not on RBL, and using
hidden proxies.

This software can also check the DNSBL lists. So making this software
work with wikis would be a *good thing*. The implementation for a wiki
should scan first-time visitors with an end session of around 20 minutes
so the IP would invalidate and it would scan again (for dyn. IP users),
not counting browsing around of course. After an idle time of 20 minutes.
It checks the RBLs listed first, then starts scanning if there is a
green from all the RBLs. If there is a green from the scan then it
commits any modifications the user had; until it's scanned, user
modifications are kept in the queue until otherwise. If the time passes
and the scan is incomplete, the modification(s) in the queue for the
specific IP are deleted. About abusive people who try to flood the queue
with frequent modifications: keep a limit for the people who have not
yet completed the scan check. If the modifications are equal or more
than 5 then it stops accepting modification requests. If people have
passed the RBL and proxy scan check then they may submit any amount of
modifications they choose.

This way there are no obfuscations, no limits on what people can
post (except the limits of unchecked IPs). The best available (at the
time) method of how to protect a wiki is this type of implementation.
With exception of the abusive people who just want to mess up with wiki
manually from *their* computer.

Of course, if someone actually creates a trojan to connect and fetch
instructions on how to attack, this will not work. It's the best way and
it's rare for someone to use a remote trojan like trojan-rc to happen.

An extra add-in would be to construct a check for the scanner for
trojaned ports to limit any remote to remote attack.

David Ross
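
The queueing scheme proposed in the post above, sketched in Ruby as an added example that is not part of the original thread or of BOPM. The class and method names are hypothetical; the 20-minute window and the limit of 5 pending modifications come from the post, and the RBL lookup and proxy scan themselves are assumed to run elsewhere and report back through `scan_finished`.

```ruby
# Gate for wiki edits: edits from an unverified IP wait in a queue until the
# RBL lookup and proxy scan report back. Names here are hypothetical.
class EditGate
  SESSION_TTL = 20 * 60 # seconds before a verdict or a pending scan expires
  MAX_PENDING = 5       # edits accepted from an IP that has not passed yet

  # clock is injectable so the expiry logic can be exercised without waiting.
  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    @state = {} # ip => { status:, since:, queue: }
  end

  # Returns :committed, :queued or :rejected for one edit from one IP.
  def submit(ip, edit)
    entry = current(ip)
    case entry[:status]
    when :clean
      entry[:since] = @clock.call # activity restarts the 20-minute idle timer
      :committed
    when :blocked
      :rejected
    else
      return :rejected if entry[:queue].size >= MAX_PENDING
      entry[:queue] << edit
      :queued
    end
  end

  # Called when the RBL lookup and proxy scan finish for an IP.
  # Returns the queued edits that may now be committed.
  def scan_finished(ip, clean:)
    released = clean ? current(ip)[:queue] : []
    @state[ip] = { status: clean ? :clean : :blocked, since: @clock.call, queue: [] }
    released
  end

  private

  # Fetches the entry for an IP; an expired entry is replaced by a fresh
  # pending one, which also discards edits queued behind an unfinished scan.
  def current(ip)
    entry = @state[ip]
    if entry.nil? || @clock.call - entry[:since] > SESSION_TTL
      entry = @state[ip] = { status: :pending, since: @clock.call, queue: [] }
    end
    entry
  end
end
```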
 
