Sunday, June 8, 2025

Should I Stop Caring and Let IP Address Reputation Sort Them Out?

© 2025 Peter N. M. Hansteen

How long does data on misbehaving hosts on the Internet stay relevant in an IP Address Reputation context?

log of pop3 gropers in action, failing of course

My main presence on the Internet also serves, for all practical purposes, as a honeypot, and is seen as mainly that by what appears to be a small but significant number of people who run IP Reputation services (yes, link to SpamHaus because apparently Wikipedia does not have a page dedicated to the topic yet). The article Badness, Enumerated by Robots (also here) describes the data collected by the honeypot, with links to the data as well as to other relevant resources.

But there is a thing about putting something on the Internet for free so anybody at all can download it: People will not necessarily read the instructions.


Note: This piece is also available without trackers but classic formatting only here.


The honeypot service has been collecting and sharing data for years, as will be clear from the articles linked in a previous paragraph. All the lists have their consumers and get downloaded regularly.

Although there are signs that the list data is further processed into various services, including those that provide IP reputation rankings, the only people who seem to care enough to actually contact me about specific entries in the data are people who own one or more IP addresses that have for one reason or other been included in the lists.

Recently I was contacted by somebody who claimed that some of their traffic seemed to be filtered due to IP reputation, and they had tracked down the problem to the POP3 Gropers list we publish. The big one, that is.

I was a bit surprised by this, given that I had provided a fairly clear description of the lists and their expiry times in the published material. That material also clearly stated, in my view at least, that the big POP3 gropers list does not have an expiry set, and should for that reason be used with caution, if at all.

But apparently one or more operators of IP address reputation services did not actually read that far.

I am still pondering what is the correct action here, so I created a fediverse poll,


(For those without working fediverse links, the question posed is "Should I", with the options "Stop publishing the BIG pop3gropers list", "Stop caring and let IP reputation sort them out", or "No opinion, show results", preceded by a shorter version of the description in the first part of this article.) The poll may of course have run its course by the time you read this.

If the poll has run its course and you don't get to vote, you are of course welcome to contact me or comment where you find reference to this article.

I am genuinely interested in hearing informed opinions on how to deal with data collected for the purpose of contributing to IP address reputation.

In addition to the poll, I added a note to the Badness, Enumerated by Robots (also here) article:


NOTE: The BIG pop3 gropers list is for history only, use the sixweeks one for IP reputation evaluations instead
As stated earlier, the big list of pop3 gropers was intended as a collection of all hosts that had ever tried and failed in guessing passwords (see Password Gropers Take the Spamtrap Bait for background). This means that the list only exists as a historical collection of sorts, and if you are interested in seeing when a particular host entered the data set, you can look it up in the pop3 gropers archive directory.

For any reasonably current IP Reputation purposes, you will be better served with the pop3 gropers during the last six weeks list, which conveniently is also archived for those who wish to study developments.

For what it's worth, there is an archive of the greytrapped hosts list available too, along with a separate archive of the SSH bruteforcers list, all kept around for as long as I find it at least a little useful to do so.


I hope at least some of the relevant people -- people running IP address reputation services -- take the time to read that little piece of text and have a think.

For my own part, I will be pondering the ethics and practicalities of blocklists much along the same lines as I wrote about in the 2013 piece Maintaining A Publicly Available Blacklist - Mechanisms And Principles (also here).

If you found this piece to be useful, informative, annoying or would for some other reason like to contact me or comment, please do.

You might also be interested in reading selected pieces via That Grumpy BSD Guy: A Short Reading List (also here).


Upcoming events:

Ottawa, Canada: BSDCan 2025 has tutorials June 11-12, 2025 and talks June 13-14. A new version of Network Management with the OpenBSD Packet Filter Toolset will go ahead there.

A little later on in 2025, the EuroBSDcon 2025 conference is still accepting submissions for papers and tutorials, so if you have an interesting BSD-related topic you want the world to know about, your submissions will be welcome at the EuroBSDcon submissions system, where the deadline is 2025-06-21, or June 21st, 2025 (full disclosure: I'm on the program committee). This year's conference is set in beautiful Zagreb, Croatia in late September.



Note: Comments are moderated. On-topic messages will be liberated from the holding queue at semi-random (hopefully short) intervals.

I invite comment on all aspects of the material I publish and I read all submitted comments. I occasionally respond in comments, but please do not assume that your comment will compel me to produce a public or immediate response.

Please note that comments consisting of only a single word or only a URL with no indication why that link is useful in the context will be immediately recycled so those poor electrons get another shot at a meaningful existence.

If your suggestions are useful enough to make me write on a specific topic, I will do my best to give credit where credit is due.