Cobi Lurker

Joined: 30 Dec 2003 Posts: 121 Location: IRC
Posted: Feb 08, 2005 3:51pm Post subject: BOPM DNSBL's
Ok, here are a few useful dnsbls for BOPM:
Blitzed's DNSBL
Code:
blacklist {
    name = "opm.blitzed.org";
    type = "A record bitmask";
    ban_unknown = yes;
    reply {
        1 = "WinGate";
        2 = "Socks";
        4 = "HTTP";
        8 = "Router";
        16 = "HTTP POST";
    };
    kline = "GZLINE *@%i 1d :Sorry, %n, Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
};
Not Just Another Black List's DNSBL:
Code:
blacklist {
    name = "dnsbl.njabl.org";
    type = "A record reply";
    reply {
        9 = "Open proxy";
    };
    ban_unknown = no;
    kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Open Proxy List.. www.njabl.org/cgi-bin/lookup.cgi?query=%i";
};
Bit Defender's Virus BL:
Code:
blacklist {
    name = "virbl.dnsbl.bit.nl";
    type = "A record reply";
    ban_unknown = yes;
    reply {
        2 = "Virus";
    };
    kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Virus List.. http://virbl.bit.nl/list.php";
};
Abusive Hosts Black List's Abusive IRC Hosts Black List:
Code:
blacklist {
    name = "ircbl.ahbl.org";
    type = "A record reply";
    ban_unknown = yes;
    reply {
        2 = "Abusive";
    };
    kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our DDoS/Drone/Spammer/Abuse List.. http://www.ahbl.org/tools/lookup.php?ip=%i";
};
Sectoor's TOR Black List:
Code:
blacklist {
    name = "tor.dnsbl.sectoor.de";
    type = "A record reply";
    reply {
        1 = "Tor exit server";
    };
    ban_unknown = no;
    kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our TOR Server List.. http://www.sectoor.de/tor.php?ip=%i";
};
Abusive Hosts Black List's TOR Black List:
Code:
blacklist {
    name = "tor.ahbl.org";
    type = "A record reply";
    reply {
        2 = "Tor exit server";
    };
    ban_unknown = no;
    kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our TOR Server List.. http://www.ahbl.org/tools/lookup.php?ip=%i";
};
no-more-funn's Open Proxy DNSBL:
Code:
blacklist {
    name = "no-more-funn.moensted.dk";
    type = "A record reply";
    ban_unknown = no;
    reply {
        10 = "Open Proxy";
    };
    kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Open Proxy List.. http://moensted.dk/spam/no-more-funn?addr=%i";
};
SORBS' DNSBL:
Code:
blacklist {
    name = "dnsbl.sorbs.net";
    type = "A record reply";
    ban_unknown = no;
    reply {
        2 = "Open HTTP Proxy";
        3 = "Open Socks Proxy";
        4 = "Other Open Proxy";
    };
    kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our Open Proxy List as a %t.. http://dnsbl.sorbs.net/cgi-bin/db?IP=%i";
};
If you know any others... Please post them here

EqualSlashed_Brian Lurker

Joined: 29 Aug 2004 Posts: 222 Location: IRC
Posted: Feb 09, 2005 4:17am Post subject:
I have tested many DNSBLs with BOPM. I do not recommend using them, other than the TOR DNSBL and the Blitzed DNSBL. The reason for this is because they are not really made for IRC, and they have lots of false positives. My IRC network has European users and South American users and when I tested out SORBS and AHBL their dynamic IP was in the database.
Just sharing some knowledge so someone else doesn't make the same mistake. Please realize that most DNSBLs are for blocking mail from SMTP SERVERS.

Cobi Lurker

Joined: 30 Dec 2003 Posts: 121 Location: IRC
Posted: Feb 09, 2005 12:02pm Post subject:
Make sure you only use the correct sections in the other DNSBLs (like the "Open Proxy" sections).
In NJABL you only test for the return of 127.0.0.9 (Open Proxy).
In the no-more-funn DNSBL you only test for the return of 127.0.0.10 (Open Proxy).
In SORBS you only test for 127.0.0.2, 127.0.0.3 and 127.0.0.4 (Open HTTP Proxy, Open Socks Proxy, and Other Open Proxy, respectively).
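How the two `type` values and `ban_unknown` in the blocks posted above decide a ban, as an added example that is not part of any post in this thread and not BOPM's own code. It assumes `ban_unknown` means banning on a listed code the block does not name, takes replies as constructed strings instead of doing live DNS, and adds a 127.0.0.0/8 check of its own; `query_name`, `evaluate` and `check` are hypothetical names.

```python
import ipaddress

def query_name(ip, zone):
    """DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def evaluate(reply_ip, bl_type, replies, ban_unknown):
    """Return (ban, reasons) for one A record answer to a blacklist block.

    reply_ip=None models NXDOMAIN (the address is not listed).
    """
    if reply_ip is None:
        return False, []
    addr = ipaddress.IPv4Address(reply_ip)
    # Added safeguard (assumption, not from the thread): listings live in
    # 127.0.0.0/8, so an answer from a parked or wildcarded zone is ignored.
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        return False, []
    code = int(addr) & 0xFF  # the last octet carries the listing code
    if bl_type == "A record bitmask":
        reasons = [text for bit, text in sorted(replies.items()) if code & bit]
    elif bl_type == "A record reply":
        reasons = [replies[code]] if code in replies else []
    else:
        raise ValueError("unknown blacklist type: " + bl_type)
    if reasons:
        return True, reasons
    # Listed, but under a code the block does not name.
    return (True, ["unknown"]) if ban_unknown else (False, [])

# Settings copied from the posted blocks: (name, type, reply, ban_unknown).
BLITZED = ("opm.blitzed.org", "A record bitmask",
           {1: "WinGate", 2: "Socks", 4: "HTTP", 8: "Router", 16: "HTTP POST"}, True)
SORBS = ("dnsbl.sorbs.net", "A record reply",
         {2: "Open HTTP Proxy", 3: "Open Socks Proxy", 4: "Other Open Proxy"}, False)

def check(block, client_ip, reply_ip):
    zone, bl_type, replies, ban_unknown = block
    ban, reasons = evaluate(reply_ip, bl_type, replies, ban_unknown)
    return query_name(client_ip, zone), ban, reasons

if __name__ == "__main__":
    # Constructed replies; 192.0.2.7 is a documentation address.
    for block, reply in [(BLITZED, "127.0.0.5"), (SORBS, "127.0.0.3"),
                         (SORBS, "127.0.0.6"), (BLITZED, "192.0.2.99"), (SORBS, None)]:
        print(check(block, "192.0.2.7", reply))
```

With `ban_unknown = no`, the SORBS reply 127.0.0.6 does not ban because only codes 2, 3 and 4 are named; the same reply under `ban_unknown = yes` would.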

EqualSlashed_Brian Lurker

Joined: 29 Aug 2004 Posts: 222 Location: IRC
Posted: Feb 10, 2005 9:21am Post subject:
I know how a DNSBL works, and I configured it properly. Those DNSBLs are a bad choice because they are not maintained for IRC. They are maintained for blocking spam e-mail.

Robert-E-Lee Idler

Joined: 22 Nov 2004 Posts: 288 Location: in a room with your mum, teaching her how to do certain things....
Posted: Feb 10, 2005 5:29pm Post subject:
opm.blitzed.org and the njabl one are hardly bad choices, as those are the two main ones that bopm suggests you use....the others are PERSONAL choice.
something that's maintained for spam email can equally be an indicator of suitability for use as a dnsbl for something else, as it's indicative of an insecure machine which could easily be turned into a proxy...geddit brian?

nenolod Idler

Joined: 23 Jan 2004 Posts: 334 Location: A box!
Posted: Feb 27, 2005 12:11pm Post subject:
NodeRebellion DroneBL (beta):
Code:
blacklist {
    name = "dronebl.noderebellion.net";
    type = "A record reply";
    ban_unknown = no;
    reply {
        3 = "IRC spam drone (litmus/sdbot)";
        4 = "Tor anonymous proxy";
        5 = "IRC DDoS drone (wisdom/agobot/phatbot/rxbot)";
        10 = "Open proxy";
        14 = "Unknown worm/bot (found in DDoS attack by dronebl user)";
        17 = "Unknown worm/bot (found scanning NodeRebellion's IP network)";
        19 = "Open proxy (proxychain)";
    };
    kline = "KLINE *@%i :Your IP (%i), is listed as a %t in the DroneBL, see http://www.noderebellion.net/tools/lookup/?ip=%i";
};

Cobi Lurker

Joined: 30 Dec 2003 Posts: 121 Location: IRC
Posted: Mar 08, 2005 5:30pm Post subject:
Spam Black List
Code:
blacklist {
    name = "spbl.bl.winbots.org";
    type = "A record reply";
    ban_unknown = yes;
    reply {
        1 = "Test";
        2 = "UnderNet Spam";
        3 = "QuakeNet Spam";
        4 = "Winbots Spam";
    };
    kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our %t List.. Email cobi@winbots.org to get this resolved.";
};

cythrawll none

Joined: 24 Apr 2005 Posts: 2
Posted: May 08, 2005 11:45am Post subject:
cobi, I'm getting a server error on the last one you posted

Name141 Guest
Posted: Sep 30, 2005 1:12pm Post subject: list.dsbl.org
anyone know how to add list.dsbl.org?

Mr_Smoke Guest
Posted: Dec 14, 2005 12:03pm Post subject:
blacklist {
    name = "list.dsbl.org";
    type = "A record reply";
    reply {
        2 = "Open Proxy";
    };
    ban_unknown = no;
    kline = "KLINE *@%h 86400 :Open proxy found on your host, please visit dsbl.org/listing?%i";
};

Ashen Idler

Joined: 05 Jan 2004 Posts: 285
Posted: Mar 27, 2006 5:59pm Post subject:
Something like this has kept almost all bad users off our network for awhile now.
I've been waiting for OPSB to add STABLE support for multiple DNSBLs for a long time.... but then I figured really, the solution was to replace OPSB with BOPM, at least until OPSB can catch up.
Code:
blacklist {
    name = "xbl.spamhaus.org";
    type = "A record reply";
    reply {
        4 = "CBL";
        5 = "NJABL";
        6 = "BOPM";
    };
    ban_unknown = no;
    kline = "KLINE 60 *@%h :You are in the XBL.spamhaus.org DNSBL. http://www.spamhaus.org/query/bl?ip=%i";
};
blacklist {
    name = "dnsbl.sorbs.net";
    type = "A record reply";
    reply {
        2 = "open proxy - HTTP";
        3 = "open proxy - SOCKS";
        4 = "open proxy - MISC";
        5 = "open proxy - SMTP";
        7 = "insecure server";
        9 = "zombie netblock";
    };
    ban_unknown = no;
    kline = "KLINE 60 *@%h : You are in the SORBS.net DNSBL. Please visit http://www.sorbs.net/lookup.shtml?%i";
};
blacklist {
    name = "dnsbl.ahbl.org";
    type = "A record reply";
    reply {
        2 = "open relay - mail";
        3 = "open proxy";
        6 = "insecure website";
        14 = "Compromised System - ddos drone/bot infected";
        15 = "Compromised System - relay";
        16 = "Compromised System - autorooter/scanner";
        17 = "Compromised System - worm or mass mailing virus";
        18 = "Compromised System - misc virus";
        19 = "open proxy";
    };
    ban_unknown = no;
    kline = "KLINE 60 *@%h : You are in the AHBL.org DNSBL. Please visit http://www.ahbl.org/tools/lookup.php?ip=%i";
};
blacklist {
    name = "ircbl.ahbl.org";
    type = "A record reply";
    reply {
        2 = "abusive host";
    };
    ban_unknown = no;
    kline = "KLINE 60 *@%h : Your IP is in the ircbl.ahbl.org DNSBL";
};
blacklist {
    name = "tor.ahbl.org";
    type = "A record reply";
    reply {
        2 = "tor node";
    };
    ban_unknown = no;
    kline = "KLINE 60 *@%h : Your IP is in the tor.ahbl.org DNSBL";
};
blacklist {
    name = "tor.sectoor.de";
    type = "A record reply";
    reply {
        1 = "tor exit server";
    };
    ban_unknown = no;
    kline = "KLINE 60 *@%h : You are in the tor.sectoor.de DNSBL. Please visit http://www.sectoor.de/tor.php?ip=%i";
};

DeadNotBuried none

Joined: 01 Mar 2004 Posts: 43
Posted: Mar 27, 2006 10:25pm Post subject:
black lists have been taken out of v3 opsb, and blsb now handles them, along with multiple lists, added at run time via private message to the pseudo client, svn version seems to have the bugs fixed
still some more things to add to it though.

braindigitalis Idler

Joined: 22 Sep 2003 Posts: 443 Location: IRC
Posted: Mar 28, 2006 4:24am Post subject:
Do not use the open proxy sections of spamhaus or sorbs!
There are many reasons for this:
For once I agree with Brian - these lists are designed for blocking EMAIL transport. They are not maintained at a high enough rate for use on IRC - e.g. if one of your users is listed in spamhaus, chances are they will NEVER be able to delist themselves, no matter how legitimate their claim, and they will be waiting weeks to be delisted IF they are successful.
ONLY USE BLACKLISTS WHICH (A) ALLOW AUTOMATED DELISTING OF OPEN PROXIES AND (B) CLAIM TO DELIST WITHIN A SHORT PERIOD OF TIME LIKE 24 HOURS.
If you do NOT follow this advice, you will be flooded with complaints from irate users "im listed on spamhaus and they wont remove me" (NOTE: Spamhaus lists *entire isp netblocks* just because they found *one* proxy, to punish the users of the isp!!!)

nenolod Idler

Joined: 23 Jan 2004 Posts: 334 Location: A box!
Posted: Mar 28, 2006 8:26am Post subject:
In other news, I've been convinced to reopen DroneBL. I'll have details on that someday soon.

Cobi Lurker

Joined: 30 Dec 2003 Posts: 121 Location: IRC
Posted: Mar 28, 2006 11:29pm Post subject:
Cobi wrote:
Spam Black List
Code:
blacklist {
    name = "spbl.bl.winbots.org";
    type = "A record reply";
    ban_unknown = yes;
    reply {
        1 = "Test";
        2 = "UnderNet Spam";
        3 = "QuakeNet Spam";
        4 = "Winbots Spam";
    };
    kline = "GZLINE *@%i 1d :%n, Your IP, %i, is in our %t List.. Email cobi@winbots.org to get this resolved.";
};
This DNSBL is no longer active ...