Hi All,
Here we are again with yet another three of the IP Blocklists looking like they have been forgotten about and are no longer being updated.
The FEODO_RECOMMENDED and FEODO_IP lists are both empty of any IP's and have not been updated since 23rd August 2024.
The FEODO_AGGRESSIVE list still has IP entries in it but they were last updated on 23rd August 2024.
All three lists say they are re-generated every 5 minutes but that has clearly stopped for the last 6 weeks.
I will contact the lists to see what their response on this is.
Regards,
Adolf.
Hello Adolf,
This is indeed “great” news and I suppose this is just proving the point that we have discussed on here before…
On the website there is no note or anything else that indicates any change: https://feodotracker.abuse.ch/blocklist/
But I can confirm that the list currently have zero entries and the timestamp of the last update is 2024-08-23 12:01:06 UTC.
Unless you get a response, let’s remove the lists for now.
-Michael
On 8 Oct 2024, at 22:04, Adolf Belka adolf.belka@ipfire.org wrote:
> Hi All,
> Here we are again with yet another three of the IP Blocklists looking like they have been forgotten about and are no longer being updated.
> The FEODO_RECOMMENDED and FEODO_IP lists are both empty of any IP's and have not been updated since 23rd August 2024.
> The FEODO_AGGRESSIVE list still has IP entries in it but they were last updated on 23rd August 2024.
> All three lists say they are re-generated every 5 minutes but that has clearly stopped for the last 6 weeks.
> I will contact the lists to see what their response on this is.
> Regards,
> Adolf.
I think that there's always going to be an issue with this type of IP blocklist; these lists are all for the C&C for a particular malware. As time passes old malware goes out of use and hence this list becomes redundant.
I suppose it would be possible to write a script that reads the sources file and checks for changes in the list contents, and then raise a notification of some sort if a list doesn't change for say a month.
Regards,
Tim

On 14/10/2024 10:20, Michael Tremer wrote:
> Hello Adolf,
> This is indeed “great” news and I suppose this is just proving the point that we have discussed on here before…
> On the website there is no note or anything else that indicates any change: https://feodotracker.abuse.ch/blocklist/
> But I can confirm that the list currently have zero entries and the timestamp of the last update is 2024-08-23 12:01:06 UTC.
> Unless you get a response, let’s remove the lists for now.
> -Michael
Hello Tim,
On 14 Oct 2024, at 21:16, Tim FitzGeorge ipfr@tfitzgeorge.me.uk wrote:
> I think that there's always going to be an issue with this type of IP blocklist; these lists are all for the C&C for a particular malware. As time passes old malware goes out of use and hence this list becomes redundant.

I am not complaining about some change here. Change normally is good and I agree that we should not carry around lists that have no reason to exist in the current day and age. The world is a fast-changing place and we should keep up.
The problem is rather that we always find out very late about this. There are no announcements, no notifications on the websites. Nothing.
Some of the people who create those lists (not thinking about this particular one, but it has happened in the past) do not feel like they have any obligation to their users. That might be fine for most, but we cannot use those lists then when they keep coming and going and nobody feels responsible about doing their best.
This also slightly loops back with the RPZ feature that Jon is working on, where there are not any trustworthy sources for any type of blocklist. Just some hobby projects.

> I suppose it would be possible to write a script that reads the sources file and checks for changes in the list contents, and then raise a notification of some sort if a list doesn't change for say a month.

Or we could simply add a hint on the web UI if a list has zero entries, but I am sure that will only put pressure on us to deal with things promptly. Exactly the opposite of what I would be looking for.
Best,
-Michael
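The content-change check suggested in Tim's message and the zero-entry hint raised in Michael's reply, sketched as an added example (not IPFire code and not written by anyone in this thread): only the parsed entries are hashed, so a list whose header is regenerated while its entries stay the same still counts as unchanged. The state layout, the 30-day threshold and the sample downloads, including their header format, are assumptions made for illustration.

```python
import hashlib
import ipaddress
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)  # "say a month"; threshold is an assumption

def parse_entries(text):
    """Return the sorted, de-duplicated addresses/networks in a downloaded list."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and header lines
        if not line:
            continue
        try:
            entries.add(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            continue  # not an address, so not list content
    return sorted(entries)

def check_list(text, state, now):
    """Return (status, new_state) for one freshly downloaded list.
    state is None on first sight, else {"digest": str, "changed": datetime}
    (a hypothetical layout). Only the entries are hashed, so a header that is
    regenerated while the entries stay the same does not look like an update.
    """
    entries = parse_entries(text)
    digest = hashlib.sha256("\n".join(entries).encode()).hexdigest()
    if state is None or state["digest"] != digest:
        state = {"digest": digest, "changed": now}
    if not entries:
        return "empty", state
    if now - state["changed"] >= STALE_AFTER:
        return "stale", state
    return "ok", state

# Constructed sample downloads using documentation address ranges.
FIRST = "# Last updated: 2024-01-01 00:00:00 UTC\n192.0.2.10\n198.51.100.7\n"
LATER = "# Last updated: 2024-02-15 00:00:00 UTC\n198.51.100.7\n192.0.2.10\n"
EMPTY = "# Last updated: 2024-01-01 00:00:00 UTC\n"

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    first, state = check_list(FIRST, None, t0)
    later, state = check_list(LATER, state, t0 + timedelta(days=45))
    empty, _ = check_list(EMPTY, None, t0)
    return first, later, empty  # ("ok", "stale", "empty")

if __name__ == "__main__":
    print(demo())
```

The returned state has to be persisted between runs by the caller; a list that is empty is reported at once, without waiting for the staleness threshold.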
Hi All,
On 16/10/2024 12:09, Michael Tremer wrote:
> On 14/10/2024 10:20, Michael Tremer wrote:
>> Unless you get a response, let’s remove the lists for now.

It is now 7 days without any response from Spamhaus, not even an acknowledgement.
Spamhaus are the primary licensee for Abuse.ch stuff since 2022 and that includes all communications links.
I will send out a patch removing the three lists from the ipblocklists sources file and also a patch for the update.sh file to clear them out from users time since last modified and configuration files if they exist. Basically the same as I did for the ALIENVAULT list removal earlier this year.
Regards,
Adolf.