From mboxrd@z Thu Jan 1 00:00:00 1970 From: /dev/rob0 Subject: Re: Firewall feature recommendation Date: Fri, 24 Jun 2005 09:53:06 -0500 Message-ID: <200506240953.06487.rob0@gmx.co.uk> References: <200506240932.08470.rob0@gmx.co.uk> Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: Content-Disposition: inline List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; charset="us-ascii" To: netfilter@lists.netfilter.org On Friday 24 June 2005 09:37, Jan Engelhardt wrote: > >Most if not all of the listed domains were personally researched by > > me. That's the weakness of this, though: it's impossible to keep > > ahead of the spammers and other ratware peddlers in this arms race. > > Just look into the named and/or squid logs and see what users (or > programs acting on their behalf) request. Yes, that would be the methodology, but it should be done in a controlled environment. Some, and now perhaps most, of our squid traffic is legitimate. What is needed is a network "clean room". A fresh Windows install with monitored outbound access. Using Outhouse Distress, activate a known virus email, watch what it does. Using Internet Exploder, visit a known malicious IIS site, and see the results. -- mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header