[Discussion] Features

David Glosser david.glosser at gmail.com
Wed Nov 12 00:56:20 UTC 2008


Going back to reputation scoring, I think domains could be scored as well.

Say reputation is from 0-100 (with 100 being bad enough to block :)

If a domain is on the same IP address as a bad site, it gets a score of 50.
If a domain is on an adjacent IP address to a bad site, it gets a score of 30.
If a domain is on the same IP netblock as a bad site, it gets a score of 20.
If a domain is fast-flux, it gets a score of 30.
If a domain has been registered within 30 days, it gets a score of 10.
If a domain has been used for malspam, it gets a score of 100.
etc.

This may be computationally intensive due to the reverse-IP lookups,
so it may have to be refreshed every night or so...


>
>
> On Wed, Oct 22, 2008 at 8:19 PM, Martin Holste <mcholste at gmail.com> wrote:
>>
>> I really like that idea.  It won't directly lead to blocking innocent
>> IPs, but will still give the good guys a simple and reliable predictive
>> capability.
>>
>> On Wed, Oct 22, 2008 at 7:04 PM, David Glosser <david.glosser at gmail.com>
>> wrote:
>>>
>>> Back to the idea of Spam-assassin scoring:
>>>
>>> Once a bad host is identified, then I'm wondering if IP reputation could
>>> maybe use a "halo effect" whereby other IPs by the same provider are given
>>> lower scores.
>>>
>>> Say reputation is from 0-100 (with 100 being bad)
>>>
>>> So if an IP on hosting provider "Btrivo" contains malware, that IP gets a
>>> reputation score of 50.
>>> Adjacent IPs are given a reputation score of 30.
>>> All of the IPs in "Btrivo's" netblock are given a reputation score of 10.
>>>
>>> Two adjacent IP addresses each hosting malware each will get a score of
>>> 90 (50+30+10).
>>>
>>> If malware goes away, score decreases each day. For each day host is
>>> still up, score increases....
>>>
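The additive scoring described in this thread, both the domain rules in the top message and the IP "halo" (50/30/10) with daily decay from the quoted earlier message, written out as a small worked example. This is an added illustration, not code from the list or from any of its members: the rule weights are the ones the messages give, while the per-day step of 5, the use of a /24 as the "netblock" (a real system would take the allocation from whois), the DomainInfo record and all sample IPs and domains are assumptions made for this example. Reverse-IP lookups (which domains share a bad IP) are the expensive part the message mentions; here the set of bad IPs is simply given.

```python
"""Additive reputation scoring for domains and IPs, in the SpamAssassin style
proposed in the thread. Weights are the ones the messages give; the daily
step, the /24 netblock and all sample data are assumptions for this example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Domain rule weights from the top message (100 = bad enough to block)
BLOCK_THRESHOLD = 100
W_SAME_IP, W_ADJACENT_IP, W_SAME_NETBLOCK = 50, 30, 20
W_FAST_FLUX, W_NEW_DOMAIN, W_MALSPAM = 30, 10, 100
NEW_DOMAIN_DAYS = 30

# IP "halo" weights from the quoted earlier message (50 / 30 / 10)
H_BAD, H_ADJACENT, H_NETBLOCK = 50, 30, 10

DAILY_STEP = 5        # assumption: the thread says scores move daily, gives no amount
NETBLOCK_PREFIX = 24  # assumption: treat the /24 as the netblock (whois in practice)


@dataclass
class DomainInfo:                          # assumed record shape, not from the thread
    name: str
    ips: list[str]                         # what the domain currently resolves to
    fast_flux: bool = False
    registered_days_ago: int | None = None  # None = registration date unknown
    used_for_malspam: bool = False


def _adjacent(a: ipaddress.IPv4Address, b: ipaddress.IPv4Address) -> bool:
    return abs(int(a) - int(b)) == 1


def _same_netblock(a: ipaddress.IPv4Address, b: ipaddress.IPv4Address) -> bool:
    net_a = ipaddress.ip_network(f"{a}/{NETBLOCK_PREFIX}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{NETBLOCK_PREFIX}", strict=False)
    return net_a == net_b


def score_ip(ip: str, bad_ips: set[str]) -> int:
    """Halo score for one IP: 50 if it hosts malware itself, +30 if another bad
    IP is adjacent, +10 if another bad IP shares its netblock. Two adjacent
    bad IPs therefore score 50+30+10 = 90 each, as in the quoted message."""
    addr = ipaddress.ip_address(ip)
    others = [ipaddress.ip_address(b) for b in bad_ips if b != ip]
    score = H_BAD if ip in bad_ips else 0
    if any(_adjacent(addr, o) for o in others):
        score += H_ADJACENT
    if any(_same_netblock(addr, o) for o in others):
        score += H_NETBLOCK
    return min(score, 100)


def domain_hits(info: DomainInfo, bad_ips: set[str]) -> dict[str, int]:
    """Every rule that fires for the domain, with its weight, so a score can
    be explained the way SpamAssassin lists the tests that matched."""
    hits: dict[str, int] = {}
    addrs = [ipaddress.ip_address(i) for i in info.ips]
    bad = [ipaddress.ip_address(b) for b in bad_ips]
    if any(a == b for a in addrs for b in bad):
        hits["same_ip"] = W_SAME_IP
    if any(_adjacent(a, b) for a in addrs for b in bad):
        hits["adjacent_ip"] = W_ADJACENT_IP
    if any(_same_netblock(a, b) for a in addrs for b in bad):
        hits["same_netblock"] = W_SAME_NETBLOCK
    if info.fast_flux:
        hits["fast_flux"] = W_FAST_FLUX
    if info.registered_days_ago is not None and info.registered_days_ago <= NEW_DOMAIN_DAYS:
        hits["new_domain"] = W_NEW_DOMAIN
    if info.used_for_malspam:
        hits["malspam"] = W_MALSPAM
    return hits


def score_domain(info: DomainInfo, bad_ips: set[str]) -> int:
    """Rules stack additively; the total is capped at 100."""
    return min(sum(domain_hits(info, bad_ips).values()), 100)


def should_block(score: int) -> bool:
    return score >= BLOCK_THRESHOLD


def daily_update(score: int, still_bad: bool) -> int:
    """Nightly refresh: a host still serving malware creeps up, a cleaned-up
    one decays back toward 0. Clamped to the 0-100 range."""
    new = score + DAILY_STEP if still_bad else score - DAILY_STEP
    return max(0, min(100, new))


# Constructed sample data (RFC 5737 documentation ranges), not a real blocklist
BAD_IPS = {"192.0.2.10", "192.0.2.11"}
DOMAINS = [
    DomainInfo("shop.example", ["192.0.2.10"], registered_days_ago=5),
    DomainInfo("news.example", ["192.0.2.77"], registered_days_ago=400),
    DomainInfo("cdn.example", ["203.0.113.5", "203.0.113.9"], fast_flux=True),
    DomainInfo("promo.example", ["198.51.100.20"], used_for_malspam=True),
]

if __name__ == "__main__":
    for d in DOMAINS:
        s = score_domain(d, BAD_IPS)
        print(f"{d.name:14} {s:3} block={should_block(s)} {domain_hits(d, BAD_IPS)}")
    for ip in sorted(BAD_IPS | {"192.0.2.12", "192.0.2.200", "198.51.100.1"}):
        print(f"{ip:14} {score_ip(ip, BAD_IPS):3}")
```

Returning the individual hits rather than only the total is the part worth keeping from SpamAssassin: when a domain is blocked, the operator can see that it was "same_ip + new_domain" rather than "malspam", which matters when deciding whether the halo weights are producing false positives for shared hosting.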

