
This is interesting, using Twitter as a blacklist distribution mechanism. While I would be wary of using this for any kind of automated blocking purposes due to the possibility of spoofed addresses, it is an interesting approach for sure. I wonder if it's worthwhile putting together a similar Twitter watchlist for fraudulent international numbers (IRSF destinations). I know I can produce a pretty significant list of IRSF destinations that others may find useful, and I am sure the reverse is also true.

On 01/09/2013 11:08 AM, J. Oquendo wrote:
So I rebuilt/redesigned/re-deployed a script to add bad hosts to a blacklist. Script is monitoring my SBCs, hosted PBXs, etc., aggregated, sorted, then reported. Tried to remove duplicate addresses. Also, because I deal with forensics and malware, I did a similar script for bad sites that are serving out malware.
For VoIP attacks, one can make a script to check for VoIP-based attackers and block them on the fly. E.g.:
links -dump twitter.com/efensive|awk '/VoIP/'
To make, say, an automated ipfilter rule:
links -dump twitter.com/efensive | \
  awk '{print "iptables -A INPUT -s "$1" -j DROP"}' | sort -u | \
  sh
Same goes for any other style rule (ASA, PIX, ScreenOS on the command line). You get the point. Enjoy. (Cross-posted to Voice Ops)
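
Added example, not from either poster: one way to act on the spoofing concern raised in the reply is to validate feed entries and hand the firewall data only, instead of piping generated commands to sh. The line format (address in the first field, a VoIP tag after it), the never-block list, the entry limit and the set name are assumptions.

```python
import ipaddress

# Constructed sample of dumped feed text (documentation-range addresses).
SAMPLE_DUMP = """\
198.51.100.23 VoIP scanner
203.0.113.9 VoIP bruteforce
203.0.113.9 VoIP bruteforce
10.0.0.5 VoIP
192.0.2.10 VoIP
0.0.0.0/0 VoIP
203.0.113.77 malware
"""

# Assumption: networks you must never block (carriers, SBC peers, management).
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]
# Ranges that should never appear in a public blacklist.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
MAX_ENTRIES = 1000  # an unexpectedly large feed is not applied automatically


def parse_feed(text, tag="VoIP", never_block=NEVER_BLOCK, limit=MAX_ENTRIES):
    """Return (accepted, rejected): validated addresses and (token, reason) pairs."""
    accepted, rejected = set(), []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or tag not in fields[1:]:
            continue  # not an entry of the category we act on
        token = fields[0]
        try:
            # Strict parse: rejects masks, hostnames and shell metacharacters.
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            rejected.append((token, "not a plain IPv4 address"))
            continue
        if any(addr in net for net in NON_ROUTABLE):
            rejected.append((token, "non-routable"))
        elif any(addr in net for net in never_block):
            rejected.append((token, "on never-block list"))
        else:
            accepted.add(addr)
    if len(accepted) > limit:
        raise ValueError("feed exceeds entry limit; refusing to apply")
    return sorted(accepted), rejected


def ipset_lines(addrs, set_name="voip_blacklist"):
    """Emit data-only 'add' lines for `ipset restore`; nothing is passed to a shell."""
    return [f"add {set_name} {addr}" for addr in addrs]
```

The set can then be matched by a single static rule such as `iptables -A INPUT -m set --match-set voip_blacklist src -j DROP`, so the feed only ever supplies addresses. Rejected entries are worth logging, since a malformed or never-block entry showing up in the feed is itself a signal.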