Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2008/12/23 17:33:15 UTC

Blacklisting IPs from HTTP hacker?

Just a thought on blacklists. Has anyone tried mining the IP data from 
HTTP servers that use modsecurity? I'm wondering if the same computers 
that are spamming blogs are also spamming with email? Would this be a 
new way to catch spammers?


Re: Blacklisting IPs from HTTP hacker?

Posted by mouss <mo...@netoyen.net>.
Marc Perkel wrote:
> Just a thought on blacklists. Has anyone tried mining the IP data from
> HTTP servers that use modsecurity? I'm wondering if the same computers
> that are spamming blogs are also spamming with email? Would this be a
> new way to catch spammers?
> 

I have checked many times to see if the IPs that do (non-SMTP) probes
(ssh, apache, ...) also try to send spam, but I've found that they
don't. Well, at least on servers that I had access to. Some possibilities:

- The machines are "specialized". This looks reasonable to me ("you"
don't want to lose a nice owned box because of spam reports...)

- The boxes that do probes somewhere spam another region. That too is a
reasonable hypothesis. To see this, people from different regions should
share a list of IPs...

- They start spamming some time later (I've only tried correlating over
periods of a few days to a few weeks, never more than 3 weeks).

There was a related post on spam-l some time ago (post by Phil from
Medway hosting). He provided a (not small) list of IPs on a URL...
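
The correlation discussed in this thread, as an added example that is not part of either post: it takes the first ModSecurity hit and the first rejected SMTP attempt per IP and reports the IPs whose mail follows the probe within a chosen window. The log lines are constructed, and the Apache 2.2 error-log and Postfix reject formats, the regexes and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines using documentation IP ranges, not real traffic.
HTTP_LOG = """\
[Mon Dec 01 10:00:00 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2).
[Tue Dec 02 11:30:00 2008] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2).
[Wed Dec 03 09:15:00 2008] [error] [client 203.0.113.44] ModSecurity: Warning. Pattern match at ARGS.
"""
MAIL_LOG = """\
Dec  5 08:00:00 mx postfix/smtpd[311]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 rejected
Dec 30 12:00:00 mx postfix/smtpd[312]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 rejected
Dec  6 14:00:00 mx postfix/smtpd[313]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 554 5.7.1 rejected
"""

# Assumed formats: Apache 2.2 error log with ModSecurity, Postfix smtpd rejects.
HTTP_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} [\d:]{8} \d{4})\] \[\w+\] "
                     r"\[client ([\d.]+)\] ModSecurity:")
MAIL_RE = re.compile(r"^(\w{3} [ \d]\d [\d:]{8}) \S+ postfix/smtpd\[\d+\]: "
                     r"NOQUEUE: reject: RCPT from \S*\[([\d.]+)\]")

def first_seen(text, regex, fmt, year=None):
    """Map each IP to the earliest timestamp at which it appears."""
    seen = {}
    for line in text.splitlines():
        m = regex.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        stamp = m.group(1) if year is None else f"{year} {m.group(1)}"
        when = datetime.strptime(stamp, fmt)
        seen[m.group(2)] = min(seen.get(m.group(2), when), when)
    return seen

def correlate(http_text, mail_text, year, window_days):
    """Return {ip: lag} for IPs whose first rejected mail follows their
    first HTTP probe by no more than window_days."""
    probes = first_seen(http_text, HTTP_RE, "%a %b %d %H:%M:%S %Y")
    mail = first_seen(mail_text, MAIL_RE, "%Y %b %d %H:%M:%S", year)
    window = timedelta(days=window_days)
    return {ip: mail[ip] - t for ip, t in probes.items()
            if ip in mail and timedelta(0) <= mail[ip] - t <= window}

if __name__ == "__main__":
    for days in (21, 35):
        print(days, correlate(HTTP_LOG, MAIL_LOG, 2008, days))
```

In the constructed data, 198.51.100.7 sends mail 28 days after its probe, so a 3-week window misses it and a 35-day window finds it.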