Thread: Blocked the spammers what next?

  1. #1
    Senior Member
    Join Date
    Jun 2002
    Posts
    102

    Blocked the spammers what next?

    My mail server was getting used by spammers, they were using it to send out asian porn and other things such as kitchen tools. Now I configured the mail server correctly to not send out any e-mail unless the user is local and belongs to the network. I then configured the router to deny this person's ip address which is 211.194.117.177 but I have a feeling that my server maybe on a "list" somewhere as an address that will alow other spammers to send their mail. I was wondering if there was a website or anything that I could submit these addresses to warn other people that may be in the same boat. Also if anyone has any ideas on how to punish the spammers that would be cool since it's running on my personal network.
    Good Grief

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    244
    John Draper
    aka Captain Crunch!
    I'm gone, thx everyone for so much fun and good info.
    Cheers and goodbye

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Too bad there isn't a way to bounce back all that spam...

    Like... say someone is using you as a relay. Well, take all the spam that they are throwing at you and throw it right back at them.... or a honeypot that will do the same thing...

    Would that be against the "hack back" laws? Wonder if it'd be enough to cause a DoS...

    What about setting up your firewall to only accept traffic that you want, and deny the rest?
    You are on Linux, right? iptables works wonders.
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834

    Assuming

    Ya assuming that IP wasn't another "victim".
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Ya assuming that IP wasn't another "victim".
    damn... and to think... I almost had a summer programming project... fux0red again

  6. #6
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834

    OK phishphreek80

    You may be able to have a project Dude!

    Looks like the x.x.x.177 hasn't made it yet, but as you all can see this group of IPs is KNOWN for probing "massively" for open SMTP ports. Say this with an Irish impact for effect: "I fargin HATE spammers"

    Ref: SBL7674

    211.194.117.160/27 is listed on the Spamhaus Block List (SBL)

    Mar 20 2003 - 16:8hrs GMT

    Port 25 prober
    Massive number of probes looking for open mail servers.

    Information compliments of DShield.org
    Distributed Intrusion Detection System

    IP Address: 211.194.117.162
    HostName: 211.194.117.162

    Total Records against IP: 7890
    Number of targets: 2028
    Date Range: 2003-01-12 to 2003-03-20

    Port Attacks Start End
    25 7909 2003-02-17 2003-03-20

    ----------------

    IP Address: 211.194.117.163
    HostName: 211.194.117.163 - NO rDNS

    Total Records against IP: 11428
    Number of targets: 3719
    Date Range: 2003-01-12 to 2003-03-18

    Port Attacks Start End
    25 11958 2003-02-17 2003-03-20

    ------------------------------------

    IP Address: 211.194.117.164
    HostName: 211.194.117.164

    Total Records against IP: 7085
    Number of targets: 2293
    Date Range: 2003-01-13 to 2003-03-19

    Port Attacks Start End
    25 7907 2003-02-17 2003-03-20

    ----------------------------------------

    IP Address: 211.194.117.165
    HostName: 211.194.117.165

    Total Records against IP: 4419
    Number of targets: 1889
    Date Range: 2003-01-13 to 2003-02-13
    ---------------------------------

    IP Address: 211.194.117.171
    HostName: 211.194.117.171

    Total Records against IP: 18118
    Number of targets: 6091
    Date Range: 2003-02-11 to 2003-04-06

    Port Attacks Start End
    25 18508 2003-03-09 2003-04-08
    ---------------------------------

    IP Address: 211.194.117.173
    HostName: 211.194.117.173

    Total Records against IP: 6906
    Number of targets: 3274
    Date Range: 2003-02-26 to 2003-04-02

    Port Attacks Start End
    25 6117 2003-03-09 2003-04-09
    35426 1 2003-03-23 2003-03-23
    ---------------------------------

    IP Address: 211.194.117.174
    HostName: 211.194.117.174

    Total Records against IP: 7368
    Number of targets: 2596
    Date Range: 2003-02-18 to 2003-04-08

    Port Attacks Start End
    25 7851 2003-03-09 2003-04-08

    ===========================

    Compliments of DeScan.net
    Detail of AlertID from Jan 17 to March 11, 2003 - 211.194.117.163
    http://www.descan.net/detail.html?id...5-0008A10FE17D
    ============================

    IP Address: 211.194.117.160 - 211.194.117.191
    Network Name: KORNET-LLINE-DAEJEON-ENJOYLIFE
    Connect ISP Name: KORNET
    Connect Date: 20030122
    Registration Date: 20030122

    [ Organization Information ]
    Orgnization ID: ORG267507
    Org Name: ENJOYLIFE
    State: TAEJON
    Address: 203HO 23HO 95BEONJI OJEONGDONG DAEDEOKKU
    Zip Code: 306-010

    [ Admin Contact Information]
    Name: Hyungil Jo
    Org Name: ENJOYLIFE
    State: TAEJON
    Address: 203HO 23HO 95BEONJI OJEONGDONG DAEDEOKKU
    Zip Code: 306-010
    Phone: +82-16-631-8474
    E-Mail: chungnm1@soback.kornet.net

    [ Technical Contact Information ]
    Name: Hyungil Jo
    Org Name: ENJOYLIFE
    State: TAEJON
    Address: 203HO 23HO 95BEONJI OJEONGDONG DAEDEOKKU
    Zip Code: 306-010
    Phone: +82-16-631-8474
    E-Mail: chungnm1@soback.kornet.net

  7. #7
    Senior Member
    Join Date
    Jun 2002
    Posts
    102
    Wow, that's interesting RoadClosed, some good info. phishphreek80, I was thinking about the same thing; it would be nice if the spammer had his own mail server up, I would route the traffic right back to him/her, but with the stack of them clogging up my network it isn't worth it because they send messages out like crazy. I guess just blocking them is the best I can do. Maybe shut the mail server down.

  8. #8
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834

    July

    I am sure it hasn't happened, but since your mail server, or anyone else's, has been used as an open relay, you could find yourself on a couple of black lists. It's important to know them, so you can fix an accidental black listing of your business. Also, for security reasons, you can set your system to block these guys. Here are some steps to get you started and on the path to mail redemption:

    1. Look at messages returned to you and see if you have anything that says "Reject" followed by a URL. These are the people who decided your accidental open relay was spamming.

    2. There is an open relay database on the net to check and verify open relays. If you're curious or believe someone is an open server, check this. ORDB

    3. This is a black list search engine, sort of. They try and keep tabs on black lists. Check them out.

    4. Last resort: post a message in news.admin.net-abuse with your case.

    Final Note: Before anyone will remove you, make sure you are not an open relay or a proxy mail list generator, etc. So make sure your mail server and web caches are fixed and plugged.


    I'll post this in a more professional manner in the tuts if there isn't one.

  9. #9
    You can check if you are blacklisted on any of the sites at this location:

    http://relays.osirusoft.com/cgi-bin/rbcheck.cgi

    When you first hit it, it will use your IP. You can enter an IP and have the system check that, as well. I use this to keep track of our mail servers to make sure we aren't being singled out.

    Good Luck!

  10. #10
    Here is what I would suggest you try:

    1. Start reading news.admin.net-abuse.email on Usenet. You can read and post from Google via: http://groups.google.com/groups?hl=e...et-abuse.email
    You can get a lot of information and help from the regulars on NANAE. Remember, this is Usenet; not everyone is nice and you can get flamed pretty badly if you don't follow the posting rules.

    2. Check sites like SpamCop, SPEWS, etc. They have lots of info about setting up block lists in mail servers.

    3. If you are in some block lists, find out which ones by checking the lists yourself. You will find links to those on www.spews.org, etc.
    Most of the block lists that deal with open mail relays have an option for testing the relay. You can check your progress yourself by testing your own server via these sites. Once you are no longer open and have run the test, most of the time you will get removed from the block list. You can also contact the admin of the block list / test site and see if they can speed up the process for you.

    4. Once you have closed your open relay and have tested it, then post on NANAE. This way, you minimize the possible flaming that could occur. If you are honest and open with the users on NANAE, they will be a great resource for you.

    5. There is also a NANAE-type group called sightings (check Google). This is a place where users / admins have posted the spam that they have received. There is a process that must be followed for it to be accepted in sightings, but the FAQ explains it all. This group becomes a record for others to be able to check host domains and ISPs to see if they are spam-friendly.

    Hope this helps. I have been down this road before. Good luck.
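Posts #8 and #10 both say to test your own server for open relaying before asking a block list for removal. The script below is an added example, not code from this thread or from any of the block-list sites named in it; it runs the same check the relay testers do, by hand, against a server you administer. The host name and the example.* addresses are placeholders you replace with your own.

```python
"""Added example (not from the thread): self-test a mail server you run for
open relaying. HELO, MAIL FROM and RCPT TO use addresses foreign to the
server, then RSET and QUIT follow, so nothing is ever queued. A 2xx reply
to the foreign RCPT means the server would relay. Names are placeholders."""
import socket
import sys


def smtp_talker(host, port=25, timeout=10):
    """Return talk(cmd): None reads the banner; otherwise cmd is sent and
    the full (possibly multi-line) reply is returned as text."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("rb")

    def talk(cmd):
        if cmd is not None:
            sock.sendall((cmd + "\r\n").encode("ascii"))
        lines = []
        while True:  # continuation lines look like "250-..."; last is "250 ..."
            line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return "\n".join(lines)
    return talk


def reply_code(raw):
    """Status code from the last line of an SMTP reply (0 if unparseable)."""
    lines = raw.splitlines()
    return int(lines[-1][:3]) if lines and lines[-1][:3].isdigit() else 0


def relay_check(talk, helo="relaytest.example.com",
                sender="probe@outside.example.org",
                rcpt="nobody@elsewhere.example.net"):
    """Drive the dialogue through RCPT TO; return verdict plus transcript."""
    transcript = [(None, talk(None))]  # banner
    for cmd in (f"HELO {helo}", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>"):
        transcript.append((cmd, talk(cmd)))
        if reply_code(transcript[-1][1]) // 100 != 2:
            break  # a rejection anywhere ends the probe
    for cmd in ("RSET", "QUIT"):  # never send DATA
        transcript.append((cmd, talk(cmd)))
    rcpt_replies = [r for c, r in transcript if c and c.startswith("RCPT")]
    accepted = bool(rcpt_replies) and reply_code(rcpt_replies[0]) // 100 == 2
    return {"open_relay": accepted, "transcript": transcript}


if __name__ == "__main__":  # usage: python relaycheck.py mx.yourdomain.example
    result = relay_check(smtp_talker(sys.argv[1]))
    print("OPEN RELAY" if result["open_relay"] else "relay refused")
```

A correctly closed relay answers the foreign RCPT TO with a 5xx such as "Relay access denied"; run the check from a host outside your own network, since most servers legitimately relay for local clients.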
