On Thu, 25 Apr 2019 14:06:39 +0200 JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
Reading the article in a minute! However, as an information pointer, I've some data ...

I've a VM with Asterisk at home, and every day I have to ban (I use fail2ban to do it automatically after 3 failed attempts from the same IP), on average, about 20 IPs attempting to use my SIP service to my provider. This turns into 100 per day in the office (average).

Of course, if they succeed, they can make "free" calls that I need to pay for from my pocket ...

So, I automatically report those attempts (once banned), including the logs, to the abuse contacts of the IP holder.

Some of them just don't care, unfortunately, as many abuse contacts just don't work, or the mailboxes aren't being read, or they respond that you must fill in a form.

Regards,
Jordi
This is something very worthy of discussion. Listing services have always existed for dynamic blocks, email abuse, bad neighborhoods etc etc - and these lists are reflected/delivered/offered as rbl, dnsbl, wrbl, text, sql, etc etc - imho, the latest trends are weird, as the generic lists are becoming too generic and specific or specialisation is the "next big thing™" - as in not unicorny big but tech useful (mostly free) big...

As an example of this, a combined email rbl (which also contains certain dynamic ranges known for not filtering egress) would be completely (or mostly) useless for filtering IPs on SIP (or even brute force), and a comment form rbl would be well suited for iptables on a web server...

My latest new and shiny big idea is: I have an idea and a plan to dev a dynamic ip use dnsl which will return a flag on query...

The idea is that any device would receive a code when querying an RR. The result of the query would be multi-digit and reflect the known data for that resource (examples: User Dynamic/Static - Abuse Reported Y/N - Port of abuse (all(dul)/21/22/25/53/80/443/etc) - Resource holder responsive Y/N - etc etc etc).

The further idea is to have exchangeable data streams so that the query (as well as the IPv4/6 of the query) becomes a data provider and then the reporting can be automated (or not) depending on the resource holder itself...

What do you think?

Kind Regards
Andre
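
The following is an added example, not part of either message and not Andre's design: one possible layout for the multi-field answer proposed above, following the usual DNSBL convention of a reversed-address query name and an A record in 127.0.0.0/8. The zone `dnsbl.example`, the `127.<flags>.<port hi>.<port lo>` layout, the flag bit values and "port 0 means all" are assumptions made for illustration.

```python
import ipaddress

ZONE = "dnsbl.example"  # placeholder zone (assumption), not a real list
# Assumed flag bits carried in the second octet of the 127.x.y.z answer
DYNAMIC, ABUSE_REPORTED, HOLDER_RESPONSIVE = 0x01, 0x02, 0x04


def query_name(ip, zone=ZONE):
    """Name to look up: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    pointer = ipaddress.ip_address(ip).reverse_pointer
    # Drop the trailing 'in-addr.arpa' / 'ip6.arpa' labels, append the zone.
    return pointer.rsplit(".", 2)[0] + "." + zone


def encode_answer(dynamic, abuse_reported, holder_responsive, port=0):
    """List side: pack the fields into 127.<flags>.<port hi>.<port lo>."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    flags = (DYNAMIC * bool(dynamic)
             | ABUSE_REPORTED * bool(abuse_reported)
             | HOLDER_RESPONSIVE * bool(holder_responsive))
    return f"127.{flags}.{port >> 8}.{port & 0xFF}"


def decode_answer(answer):
    """Client side: unpack an A record; reject anything outside the layout."""
    octets = ipaddress.IPv4Address(answer).packed
    if octets[0] != 127:
        # A rewriting resolver or a parked zone returns routable addresses;
        # treating those as "listed" would block every queried IP.
        raise ValueError("answer outside 127.0.0.0/8")
    flags = octets[1]
    if flags & ~(DYNAMIC | ABUSE_REPORTED | HOLDER_RESPONSIVE):
        raise ValueError("unknown flag bits")
    port = (octets[2] << 8) | octets[3]
    return {
        "dynamic": bool(flags & DYNAMIC),
        "abuse_reported": bool(flags & ABUSE_REPORTED),
        "holder_responsive": bool(flags & HOLDER_RESPONSIVE),
        "port": port or "all",  # 0 is taken to mean every port (DUL-style)
    }


if __name__ == "__main__":
    # Constructed sample: a dynamic address reported for SIP (port 5060) abuse
    print(query_name("203.0.113.5"))
    print(decode_answer(encode_answer(True, True, False, 5060)))
```

A client such as a fail2ban action or a SIP firewall rule would resolve `query_name(ip)` and act only when `decode_answer` succeeds and the decoded port matches the service it protects.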