From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: Re: Here we are again with another IP Blocklist series that looks like it has disappeared. Date: Wed, 16 Oct 2024 12:33:49 +0200 Message-ID: <3d816f88-bd19-4390-8713-0a82ad6ee3fa@ipfire.org> In-Reply-To: <56F28F45-2921-403C-B1FA-11D97638656D@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4004134030793400018==" List-Id: --===============4004134030793400018== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi All, On 16/10/2024 12:09, Michael Tremer wrote: > Hello Tim, > >> On 14 Oct 2024, at 21:16, Tim FitzGeorge wrote: >> >> I think that there's always going to be an issue with this type of IP bloc= klist; these lists are all for the C&C for a particular malware. As time pas= ses old malware goes out of use and hence this list becomes redundant. > I am not complaining about some change here. Change normally is good and I = agree with that we should not carry around lists that have no reason to exist= in the current day and age. The world is a fast-changing place and we should= keep up. > > The problem is rather that we always find out very late about this. There a= re no announcements, no notifications on the websites. Nothing. > > Some of the people who create those lists (not thinking about this particul= ar one, but it has happened in the past) do not feel like they have any oblig= ation to theirs users. That might be fine for most, but we cannot use those l= ists then when they keep coming and going and nobody feels responsible about = doing their best. > > This also slightly loops back with the RPZ feature that Jon is working on, = where there are not any trustworthy sources for any type of blocklist. Just s= ome hobby projects. > >> I suppose it would be possible to write a script that reads the sources fi= le and checks for changes in the list contents, and then raise a notification= of some sort if a list doesn't change for say a month. > Or we could simply add a hint on the web UI if a list has zero entries, but= I am sure that will only put pressure on us to deal with things promptly. Ex= actly the opposite of what I would be looking for. > > Best, > -Michael > >> Regards, >> Tim >> On 14/10/2024 10:20, Michael Tremer wrote: >>> Hello Adolf, >>> This is indeed =E2=80=9Cgreat=E2=80=9D news and I suppose this is just pr= oving the point that we have discussed on here before=E2=80=A6 >>> On the website there is no note or anything else that indicates any chang= e: https://feodotracker.abuse.ch/blocklist/ >>> But I can confirm that the list currently have zero entries and the times= tamp of the last update is 2024-08-23 12:01:06 UTC. >>> Unless you get a response, let=E2=80=99s remove the lists for now. It is now 7 days without any response from Spamhaus not even an acknowledgeme= nt. Spamhaus are the primary licensee for Abuse.ch stuff since 2022 and that incl= udes all communications links. I will send out a patch removing the three lists from the ipblocklists source= s file and also a patch for the update.sh file to clear them out from users t= ime since last modified and configuration files if they exist. Basically the = same as I did for the ALIENVAULT list removal earlier this year. Regards, Adolf. >>> -Michael >>>> On 8 Oct 2024, at 22:04, Adolf Belka wrote: >>>> >>>> Hi All, >>>> >>>> Here we are again with yet another three of the IP Blocklists looking li= ke they have been forgotten about and are no longer being updated. >>>> >>>> The FEODO_RECOMMENDED and FEODO_IP lists are both empty of any IP's and = have not been updated since 23rd August 2024. >>>> >>>> The FEODO_AGGRESSIVE list still has IP entries in it but they were last = updated on 23rd August 2024. >>>> >>>> All three lists say they are re-generated every 5 minutes but that has c= learly stopped for the last 6 weeks. >>>> >>>> I will contact the lists to see what their response on this is. >>>> >>>> Regards, >>>> >>>> Adolf. >>>> --===============4004134030793400018==--