[1/3] sources: Removal of ALIENVAULT and SPAMHAUS_EDROP from ipblocklist sources

Message ID 20240419133941.3503396-1-adolf.belka@ipfire.org
State Staged
Commit 78e2c1dce515487d7db912970a1e12202990662d
Series [1/3] sources: Removal of ALIENVAULT and SPAMHAUS_EDROP from ipblocklist sources

Commit Message

Adolf Belka April 19, 2024, 1:39 p.m. UTC
- ALIENVAULT has not been updated since at least Nov 2022 but probably earlier. There is no
   date for the file to be downloaded but a forum user has log messages from Nov 2022 that
   indicate the file had not changed and therefore no download occurred.
- AT&T acquired AlienVault in August 2018. Somewhere between 2018 and 2022 the list stopped
   getting updated. AlienVault references on the AT&T website are now for a different
   product.
- Discussed in IPFire conf call of April 2024 and agreed to remove the ALIENVAULT
   blocklist.
- On Apr 10th the Spamhaus eDROP list was merged with the Spamhaus DROP list. The eDROP
   list is still available but is now empty. Trying to select the SPAMHAUS_EDROP list
   gives an error message that the blocklist was found to be empty.
- This patch removes both the ALIENVAULT and the SPAMHAUS_EDROP lists from the ipblocklist
   sources file.

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/ipblocklist/sources | 12 ------------
 1 file changed, 12 deletions(-)
  

Comments

Rob Brewer April 20, 2024, 8:24 a.m. UTC | #1
On Fri, 19 Apr 2024 15:39:39 +0200, Adolf Belka wrote:

> - ALIENVAULT has not been updated since at least Nov 2022 but probably
>    earlier. There is no date for the file to be downloaded but a forum
>    user has log messages from Nov 2022 that indicate the file had not
>    changed and therefore no download occurred.
> - AT&T acquired AlienVault in August 2018. Somewhere between 2018 and
>    2022 the list stopped getting updated. AlienVault references on the
>    AT&T website are now for a different product.
> - Discussed in IPFire conf call of April 2024 and agreed to remove the
>    ALIENVAULT blocklist.
> - On Apr 10th the Spamhaus eDROP list was merged with the Spamhaus DROP
>    list. The eDROP list is still available but is now empty. Trying to
>    select the SPAMHAUS_EDROP list gives an error message that the
>    blocklist was found to be empty.
> - This patch removes both the ALIENVAULT and the SPAMHAUS_EDROP lists
>    from the ipblocklist sources file.
> 
> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>  config/ipblocklist/sources | 12 ------------
>  1 file changed, 12 deletions(-)
> 
> diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources
> index be0cf0229..0835c0f9c 100644 --- a/config/ipblocklist/sources +++
> b/config/ipblocklist/sources @@ -55,12 +55,6 @@ our %sources = (
> 'EMERGING_FWRULE' => { 'name'     => 'Emerging Threats Blocklis
>                                      'parser'   => 'ip-or-net-list',
>                                      'rate'     => '12h',
>                                      'category' => 'reputation' },
> -             'SPAMHAUS_EDROP'  => { 'name'     => "Spamhaus Extended
> Don't Route or Peer List",
> -                                    'url'      =>
> 'https://www.spamhaus.org/drop/edrop.txt',
> -                                    'info'     =>
> 'https://www.spamhaus.org/drop/',
> -                                    'parser'   => 'ip-or-net-list',
> -                                    'rate'     => '1h',
> -                                    'category' => 'reputation' },
>               'DSHIELD'         => { 'name'     => 'Dshield.org
>               Recommended Block List',
>                                      'url'      =>
>                                      'https://www.dshield.org/
block.txt',
>                                      'info'     =>
>                                      'https://dshield.org/',
> @@ -106,12 +100,6 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name'    
> => 'Emerging Threats Blocklis
>                                      'parser'   => 'ip-or-net-list',,
>                                      'rate'     => '1h',
>                                      'category' => 'application' },
> -             'ALIENVAULT'      => { 'name'     => 'AlienVault IP
> Reputation database',
> -                                    'url'      =>
> 'https://reputation.alienvault.com/reputation.generic',
> -                                    'info'     =>
> 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-
reputation',
> -                                    'parser'   => 'ip-or-net-list',
> -                                    'rate'     => '1h',
> -                                    'category' => 'reputation' },
>               'BOGON'           => { 'name'     => 'Bogus address list
>               (Martian)',
>                                      'url'      =>
>                                      'https://www.team-cymru.org/
Services/Bogons/bogon-bn-agg.txt',


It would appear that SPAMHAUS_EDROP has been merged into SPAMHAUS_DROP 
list.

"; This list has been merged into https://www.spamhaus.org/drop/drop.txt
; Spamhaus EDROP List 2024/04/19 - (c) 2024 The Spamhaus Project
; https://www.spamhaus.org/drop/edrop.txt
; Last-Modified: Fri, 19 Apr 2024 13:49:21 GMT
; Expires: Sat, 20 Apr 2024 13:49:21 GMT
; EOF

I think it would be better to change the URL in the sources list from:

https://www.spamhaus.org/drop/edrop.txt

to

https://www.spamhaus.org/drop/drop.txt


Rather than just remove the list from the sources file.


Rob Brewer


>                                      'info'     =>
>                                      'https://www.team-cymru.com/bogon-
reference',
  
Adolf Belka April 20, 2024, 10:18 a.m. UTC | #2
Hi Rob,

On 20/04/2024 10:24, Rob Brewer wrote:
> On Fri, 19 Apr 2024 15:39:39 +0200, Adolf Belka wrote:
>
>> - ALIENVAULT has not been updated since at least Nov 2022 but probably
>>     earlier. There is no date for the file to be downloaded but a forum
>>     user has log messages from Nov 2022 that indicate the file had not
>>     changed and therefore no download occurred.
>> - AT&T acquired AlienVault in August 2018. Somewhere between 2018 and
>>     2022 the list stopped getting updated. AlienVault references on the
>>     AT&T website are now for a different product.
>> - Discussed in IPFire conf call of April 2024 and agreed to remove the
>>     ALIENVAULT blocklist.
>> - On Apr 10th the Spamhaus eDROP list was merged with the Spamhaus DROP
>>     list. The eDROP list is still available but is now empty. Trying to
>>     select the SPAMHAUS_EDROP list gives an error message that the
>>     blocklist was found to be empty.
>> - This patch removes both the ALIENVAULT and the SPAMHAUS_EDROP lists
>>     from the ipblocklist sources file.
>>
>> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>> ---
>>   config/ipblocklist/sources | 12 ------------
>>   1 file changed, 12 deletions(-)
>>
>> diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources
>> index be0cf0229..0835c0f9c 100644 --- a/config/ipblocklist/sources +++
>> b/config/ipblocklist/sources @@ -55,12 +55,6 @@ our %sources = (
>> 'EMERGING_FWRULE' => { 'name'     => 'Emerging Threats Blocklis
>>                                       'parser'   => 'ip-or-net-list',
>>                                       'rate'     => '12h',
>>                                       'category' => 'reputation' },
>> -             'SPAMHAUS_EDROP'  => { 'name'     => "Spamhaus Extended
>> Don't Route or Peer List",
>> -                                    'url'      =>
>> 'https://www.spamhaus.org/drop/edrop.txt',
>> -                                    'info'     =>
>> 'https://www.spamhaus.org/drop/',
>> -                                    'parser'   => 'ip-or-net-list',
>> -                                    'rate'     => '1h',
>> -                                    'category' => 'reputation' },
>>                'DSHIELD'         => { 'name'     => 'Dshield.org
>>                Recommended Block List',
>>                                       'url'      =>
>>                                       'https://www.dshield.org/
> block.txt',
>>                                       'info'     =>
>>                                       'https://dshield.org/',
>> @@ -106,12 +100,6 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name'
>> => 'Emerging Threats Blocklis
>>                                       'parser'   => 'ip-or-net-list',,
>>                                       'rate'     => '1h',
>>                                       'category' => 'application' },
>> -             'ALIENVAULT'      => { 'name'     => 'AlienVault IP
>> Reputation database',
>> -                                    'url'      =>
>> 'https://reputation.alienvault.com/reputation.generic',
>> -                                    'info'     =>
>> 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-
> reputation',
>> -                                    'parser'   => 'ip-or-net-list',
>> -                                    'rate'     => '1h',
>> -                                    'category' => 'reputation' },
>>                'BOGON'           => { 'name'     => 'Bogus address list
>>                (Martian)',
>>                                       'url'      =>
>>                                       'https://www.team-cymru.org/
> Services/Bogons/bogon-bn-agg.txt',
>
>
> It would appear that SPAMHAUS_EDROP has been merged into SPAMHAUS_DROP
> list.
That is correct. That is what I put in the commit message.

Spamhaus have the following page about the change.

https://www.spamhaus.org/resource-hub/network-security/spamhaus-drop-and-edrop-to-become-a-single-list/#what-are-the-spamhaus-drop-lists

> "; This list has been merged into https://www.spamhaus.org/drop/drop.txt
> ; Spamhaus EDROP List 2024/04/19 - (c) 2024 The Spamhaus Project
> ; https://www.spamhaus.org/drop/edrop.txt
> ; Last-Modified: Fri, 19 Apr 2024 13:49:21 GMT
> ; Expires: Sat, 20 Apr 2024 13:49:21 GMT
> ; EOF
>
> I think it would be better to change the URL in the sources list from:
>
> https://www.spamhaus.org/drop/edrop.txt
>
> to
>
> https://www.spamhaus.org/drop/drop.txt
>
>
> Rather than just remove the list from the sources file.
I don't really understand your suggestion here. The EDROP list has gone. 
The old URL is still there but with an empty file except for the message.

The Spamhaus Drop list is now the equivalent of what used to be the 
Spamhaus eDrop list.

Having two entries, one called DROP and one EDROP both pointing to the
same list seems pointless to me and potentially confusing for users as
they might think they get something different from the two and if they
select both they will get two sets of exactly the same IPs.

What I can do is to make a modification to the script I added to the
update.sh file to check if SPAMHAUS_EDROP=on is set in the settings file
and then add SPAMHAUS_DROP=on to the settings file if it is not set,
before removing the references to SPAMHAUS_EDROP.

Regards,

Adolf.

>
> Rob Brewer
>
>
>>                                       'info'     =>
>>                                       'https://www.team-cymru.com/bogon-
> reference',
>
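
The settings migration described in the reply above, sketched as an added example; it is not code from IPFire's update.sh or from anyone in this thread. It assumes a settings file with one KEY=value pair per line, uses the hypothetical function name migrate_edrop, and reads "not set" as "SPAMHAUS_DROP is not already on".

```sh
#!/bin/sh
# Added example (not IPFire's update.sh): retire SPAMHAUS_EDROP in a settings file.
# Assumptions: one KEY=value pair per line; migrate_edrop is a hypothetical name;
# "not set" is read as "SPAMHAUS_DROP is not already on".

migrate_edrop() {
    settings="$1"
    [ -f "$settings" ] || return 0            # no settings file, nothing to do

    # Did the user have the retired list switched on?
    edrop_on=0
    if grep -q '^SPAMHAUS_EDROP=on$' "$settings"; then
        edrop_on=1
    fi

    tmp="$(mktemp "${settings}.XXXXXX")" || return 1

    awk -F= -v enable="$edrop_on" '
        $1 == "SPAMHAUS_EDROP" { next }               # drop every reference to the old key
        $1 == "SPAMHAUS_DROP"  {
            seen = 1
            if (enable) { print "SPAMHAUS_DROP=on"; next }   # off -> on, keeps coverage
        }
        { print }                                     # all other lists pass through untouched
        END { if (enable && !seen) print "SPAMHAUS_DROP=on" }
    ' "$settings" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$settings"
    rm -f "$tmp"
}

# Constructed sample settings in a scratch file.
demo="$(mktemp)"
printf 'DSHIELD=on\nSPAMHAUS_EDROP=on\nBOGON=off\n' > "$demo"
migrate_edrop "$demo"
cat "$demo"
rm -f "$demo"
```

A user who had only EDROP enabled ends up with SPAMHAUS_DROP=on, while a user who had EDROP off keeps whatever DROP setting they already had.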
  
Rob Brewer April 20, 2024, 10:45 a.m. UTC | #3
On Sat, 20 Apr 2024 12:18:10 +0200, Adolf Belka wrote:


> I don't really understand your suggestion here. The EDROP list has gone.
> The old URL is still there but with an empty file except for the
> message.
> 
> The Spamhaus Drop list is now the equivalent of what used to be the
> Spamhaus eDrop list.
> 
> Having two entries, one called DROP and one EDROP both pointing to the
> same list seems pointless to me and potentially confusing for users as
> they might think they get something different from the two and if they
> select both they will get two sets of exactly the same IPs.
> 
> What I can do is to make a modification to the script I added to the
> update.sh file to check if SPAMHAUS_EDROP=on is set in the settings file
> and then add SPAMHAUS_DROP=on to the settings file if it is not set,
> before removing the references to SPAMHAUS_EDROP.
> 
> Regards,
> 
> Adolf

You are quite right! I misunderstood your patch because I am still on CU
182 which doesn't have the SPAMHAUS_DROP updated sources list and was
thinking that this was a removal of the SPAMHAUS lists altogether.

I see from my CU 184 system that both SPAMHAUS lists are present and 
therefore removal of SPAMHAUS_EDROP makes a lot of sense.

Sorry for the confusion.

Regards

Rob
  

Patch

diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources
index be0cf0229..0835c0f9c 100644
--- a/config/ipblocklist/sources
+++ b/config/ipblocklist/sources
@@ -55,12 +55,6 @@  our %sources = ( 'EMERGING_FWRULE' => { 'name'     => 'Emerging Threats Blocklis
                                     'parser'   => 'ip-or-net-list',
                                     'rate'     => '12h',
                                     'category' => 'reputation' },
-             'SPAMHAUS_EDROP'  => { 'name'     => "Spamhaus Extended Don't Route or Peer List",
-                                    'url'      => 'https://www.spamhaus.org/drop/edrop.txt',
-                                    'info'     => 'https://www.spamhaus.org/drop/',
-                                    'parser'   => 'ip-or-net-list',
-                                    'rate'     => '1h',
-                                    'category' => 'reputation' },
              'DSHIELD'         => { 'name'     => 'Dshield.org Recommended Block List',
                                     'url'      => 'https://www.dshield.org/block.txt',
                                     'info'     => 'https://dshield.org/',
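Review bot: the removed 'SPAMHAUS_EDROP' entry has no matching settings migration in this patch, which touches only config/ipblocklist/sources, so a saved SPAMHAUS_EDROP=on would point at a key that no longer exists in %sources. The commit message should name the patch in this [1/3] series that cleans up the settings file, and that step should enable SPAMHAUS_DROP when EDROP was on, as offered in the thread, so that users who selected only EDROP keep the merged list.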
@@ -106,12 +100,6 @@  our %sources = ( 'EMERGING_FWRULE' => { 'name'     => 'Emerging Threats Blocklis
                                     'parser'   => 'ip-or-net-list',,
                                     'rate'     => '1h',
                                     'category' => 'application' },
-             'ALIENVAULT'      => { 'name'     => 'AlienVault IP Reputation database',
-                                    'url'      => 'https://reputation.alienvault.com/reputation.generic',
-                                    'info'     => 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-reputation',
-                                    'parser'   => 'ip-or-net-list',
-                                    'rate'     => '1h',
-                                    'category' => 'reputation' },
              'BOGON'           => { 'name'     => 'Bogus address list (Martian)',
                                     'url'      => 'https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt',
                                     'info'     => 'https://www.team-cymru.com/bogon-reference',
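Review bot: the context line directly above the removed 'ALIENVAULT' entry ends in a doubled comma ('parser'   => 'ip-or-net-list',,). Perl ignores the empty list element, so it is harmless, but it is worth reducing to a single comma while this part of the file is being edited. Unlike EDROP, the removed ALIENVAULT entry has no successor list, so the commit message should also say where a saved ALIENVAULT=on is dropped from the settings file.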