From owner-freebsd-stable@FreeBSD.ORG Wed Sep 24 15:15:39 2003
From: Kirk Strauser
To: freebsd-stable@freebsd.org
Date: Wed, 24 Sep 2003 17:15:27 -0500
Message-ID: <8765jhg7eo.fsf@strauser.com>
Subject: I've had enough. I'm starting a DNS blackhole list.
List-Id: Production branch of FreeBSD source code

Yep, I really am. From now on, any system that relays a virus-laden email to my system is going into a DNS blackhole list serving all of the systems I administer.

In a fit of "had it up to here"-ness, I've written the following programs today:

  dnsbl: Adds authorized users to a PostgreSQL database. Allows authed users to add virus/worm/trojan categories. Allows authed users to add a specified host to the PostgreSQL database, along with the offending category that it falls into and an expiration time. Also pushes updates to a BIND 9 server supporting dynamic updates via TSIG authentication. Supports a "cleanup" mechanism (run via cron) that deletes expired entries from the PostgreSQL database and the BIND 9 server.

  searchreceived: Scans a mail on STDIN for the first Received: header that isn't a machine on my network or one of my relays.

  slurpworms: Calls "fetchmail" to grab all new messages from my "viruses" folder, pipes them through "searchreceived", and dumps the results into "dnsbl".

Really, I can't take it anymore. I've received over 40,000 emails from infected machines, and I'm fighting back. Once I've verified correct functionality, I'll start allowing zone ixfrs from anyone who wants to chip in, and I'm setting up a web form to accept new submissions from authorized users (see the "authed users" entries under "dnsbl").

This is ridiculous. I'm about "this close" to setting Sendmail to bouncing all blackholed emails to "abuse@microsoft.com".

-- 
Kirk Strauser
"94 outdated ports on the box, 94 outdated ports. Portupgrade one, an hour 'til done, 82 outdated ports on the box."
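As an added illustration of the "searchreceived" step (not Kirk's code): walk the Received: chain newest to oldest, skip the hops that belong to your own network or relays, and take the first outside address as the host that handed you the worm, then form the reversed-octet owner name that the "dnsbl" step would push into the BIND zone. The trusted networks, the zone name dnsbl.example.net and the sample message are my assumptions; the real tools' details are not on the page.

```python
"""First untrusted relay in a Received: chain (the idea behind the author's
searchreceived) plus the DNSBL record name dnsbl would push to BIND.
Trusted nets, zone name and the sample message are my assumptions."""
import ipaddress
import re
from email import message_from_string

TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
DNSBL_ZONE = "dnsbl.example.net"  # hypothetical zone name
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")  # "[203.0.113.45]" as MTAs write it

def relay_ip(header):
    """Address the upstream host connected from, or None if there is no literal."""
    from_part = header.split(" by ", 1)[0]  # the 'by' clause names our own host
    m = IP_RE.search(from_part)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None  # garbage inside the brackets; treat as no address

def first_untrusted_relay(msg):
    """Walk Received: newest to oldest; the first address outside our
    networks/relays is the host that delivered the message to us."""
    for hdr in msg.get_all("Received", []):
        ip = relay_ip(" ".join(hdr.split()))  # unfold continuation lines
        if ip is not None and not any(ip in net for net in TRUSTED_NETS):
            return ip
    return None  # only trusted hops or no usable literal: nothing safe to list

def dnsbl_name(ip):
    """Reverse the octets DNSBL-style: 203.0.113.45 -> 45.113.0.203.<zone>."""
    return ip.reverse_pointer.rsplit(".", 2)[0] + "." + DNSBL_ZONE

def scan(text):
    """Raw message in; (relay address, DNSBL owner name) out, or None."""
    ip = first_untrusted_relay(message_from_string(text))
    return (str(ip), dnsbl_name(ip)) if ip else None

# Constructed sample (documentation addresses only); the real tool read stdin.
SAMPLE = """\
Received: from pooh.example.net (pooh.example.net [10.0.5.128])
\tby kanga.example.net (8.12.9/8.12.9) with ESMTP id ABC123
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby pooh.example.net with ESMTP
Received: from unknown (HELO wormbox) ([203.0.113.45])
\tby mx.example.net with SMTP
Subject: re: your document

(attachment omitted)
"""
```

Running `scan(SAMPLE)` yields `("203.0.113.45", "45.113.0.203.dnsbl.example.net")`; a message whose only hops are inside TRUSTED_NETS yields None, so a forged or missing literal never produces a listing.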