-
June 25th, 2003, 09:25 PM
#1
Blocked the spammers what next?
My mail server was getting used by spammers; they were using it to send out Asian porn and other things such as kitchen tools. Now I have configured the mail server correctly to not send out any e-mail unless the user is local and belongs to the network. I then configured the router to deny this person's IP address, which is 211.194.117.177, but I have a feeling that my server may be on a "list" somewhere as an address that will allow other spammers to send their mail. I was wondering if there was a website or anything that I could submit these addresses to, to warn other people that may be in the same boat. Also, if anyone has any ideas on how to punish the spammers, that would be cool, since it's running on my personal network.
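The relay rule the poster describes ("don't send unless the user is local and belongs to the network") is the whole fix for an open relay, so here is that policy written out as an added example. This is illustration code, not the poster's configuration or any MTA's own code; the local networks, the hosted domain and the SMTP reply texts are assumptions. It also refuses the percent-hack and source-routed addresses that open-relay testers send, which look local but ask the server to forward mail onward.

```python
import ipaddress
from typing import Tuple

# Assumed local networks and hosted domains for this example; substitute your own.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"example.org"}


def split_address(addr: str) -> Tuple[str, str]:
    """Split 'user@host' (optionally wrapped in <>) into (local_part, domain), lowercased."""
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        return addr.lower(), ""
    local, domain = addr.rsplit("@", 1)
    return local.lower(), domain.lower()


def relay_decision(client_ip: str, mail_from: str, rcpt_to: str,
                   authenticated: bool = False) -> Tuple[int, str]:
    """Answer an RCPT TO the way a closed relay's policy does.

    Accept when the recipient is in a domain we host (inbound mail), or when the
    client is on a local network or has authenticated (our own users sending out).
    MAIL FROM is deliberately not consulted: spammers forge it, so a sender that
    claims to be in our domain proves nothing. Anything else is relaying for a
    stranger and gets a 5xx reply."""
    ip = ipaddress.ip_address(client_ip)
    local, domain = split_address(rcpt_to)

    # Classic relay-test addresses: percent hack, bang path, source route.
    # 'bob%spam-target.net@example.org' looks local but asks us to forward onward.
    if any(c in local for c in "%!:") or local.startswith("@"):
        return 501, "5.1.3 Source-routed or percent-hack address refused"

    if domain in LOCAL_DOMAINS:
        return 250, "2.1.5 Recipient OK (local delivery)"
    if authenticated or any(ip in net for net in LOCAL_NETS):
        return 250, "2.1.5 Recipient OK (relay for local client)"
    return 554, "5.7.1 Relay access denied"


if __name__ == "__main__":
    # Constructed probes: an outside host (the IP from the post), an inside host,
    # a forged local sender, and a percent-hack recipient.
    probes = [
        ("211.194.117.177", "spam@example.net", "victim@example.com", False),
        ("192.168.1.10", "alice@example.org", "bob@example.com", False),
        ("211.194.117.177", "x@example.net", "<bob@example.org>", False),
        ("211.194.117.177", "alice@example.org", "bob@example.com", False),
        ("211.194.117.177", "x@example.net", "bob%example.com@example.org", False),
        ("203.0.113.5", "alice@example.org", "bob@example.com", True),
    ]
    for ip, sender, rcpt, auth in probes:
        code, text = relay_decision(ip, sender, rcpt, auth)
        print(f"{ip:16} {rcpt:32} -> {code} {text}")
```

The fourth probe is the one that catches most misconfigurations: an outside client presenting a MAIL FROM in your own domain must still be refused, because nothing about the envelope sender can be trusted.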
-
June 25th, 2003, 09:39 PM
#2
John Draper
aka Captain Crunch!
I'm gone, thanks everyone for so much fun and good info.
Cheers and goodbye.
-
June 25th, 2003, 10:16 PM
#3
Too bad there isn't a way to bounce back all that spam...
Like... say someone is using you as a relay. Well, take all the spam that they are throwing at you and throw it right back at them.... or a honeypot that will do the same thing...
Would that be against the "hack back" laws? Wonder if it'd be enough to cause a DoS...
What about setting up your firewall to only accept traffic that you want, and deny the rest?
You are on Linux, right? iptables works wonders.
Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
June 25th, 2003, 10:49 PM
#4
Assuming
Yeah, assuming that IP wasn't another "victim".
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
June 25th, 2003, 11:12 PM
#5
Yeah, assuming that IP wasn't another "victim".
Damn... and to think... I almost had a summer programming project... fux0red again.
-
June 25th, 2003, 11:22 PM
#6
OK phishphreek80,
You may be able to have a project, dude!
Looks like the x.x.x.177 hasn't made it yet, but as you all can see this group of IPs is KNOWN for probing "massively" for open SMTP ports. Say this with an Irish accent for effect: "I fargin HATE spammers".
Ref: SBL7674
211.194.117.160/27 is listed on the Spamhaus Block List (SBL)
Mar 20 2003 - 16:08 GMT
Port 25 prober
Massive number of probes looking for open mail servers.
Information compliments of DShield.org
Distributed Intrusion Detection System
IP Address        Records  Targets  Date range                 Port   Attacks  Start       End
211.194.117.162   7890     2028     2003-01-12 to 2003-03-20   25     7909     2003-02-17  2003-03-20
211.194.117.163*  11428    3719     2003-01-12 to 2003-03-18   25     11958    2003-02-17  2003-03-20
211.194.117.164   7085     2293     2003-01-13 to 2003-03-19   25     7907     2003-02-17  2003-03-20
211.194.117.165   4419     1889     2003-01-13 to 2003-02-13   (no per-port breakdown in the report)
211.194.117.171   18118    6091     2003-02-11 to 2003-04-06   25     18508    2003-03-09  2003-04-08
211.194.117.173   6906     3274     2003-02-26 to 2003-04-02   25     6117     2003-03-09  2003-04-09
                                                               35426  1        2003-03-23  2003-03-23
211.194.117.174   7368     2596     2003-02-18 to 2003-04-08   25     7851     2003-03-09  2003-04-08
* no rDNS
===========================
Compliments of DeScan.net
Detail of AlertID from Jan 17 to March 11, 2003 - 211.194.117.163
http://www.descan.net/detail.html?id...5-0008A10FE17D
============================
IP Address: 211.194.117.160 - 211.194.117.191
Network Name: KORNET-LLINE-DAEJEON-ENJOYLIFE
Connect ISP Name: KORNET
Connect Date: 20030122
Registration Date: 20030122
[ Organization Information ]
Organization ID: ORG267507
Org Name: ENJOYLIFE
State: TAEJON
Address: 203HO 23HO 95BEONJI OJEONGDONG DAEDEOKKU
Zip Code: 306-010
[ Admin Contact Information ]
Name: Hyungil Jo
Org Name: ENJOYLIFE
State: TAEJON
Address: 203HO 23HO 95BEONJI OJEONGDONG DAEDEOKKU
Zip Code: 306-010
Phone: +82-16-631-8474
E-Mail: chungnm1@soback.kornet.net
[ Technical Contact Information ]
Name: Hyungil Jo
Org Name: ENJOYLIFE
State: TAEJON
Address: 203HO 23HO 95BEONJI OJEONGDONG DAEDEOKKU
Zip Code: 306-010
Phone: +82-16-631-8474
E-Mail: chungnm1@soback.kornet.net
-
June 26th, 2003, 01:11 AM
#7
Wow, that's interesting, RoadClosed, some good info. phishphreek80, I was thinking about the same thing: it would be nice if the spammer had his own mail server up, I would route the traffic right back to him/her, but with the stack of them clogging up my network it isn't worth it because they send messages out like crazy. I guess just blocking them is the best I can do. Maybe shut the mail server down.
-
June 26th, 2003, 07:36 PM
#8
July
I am sure it hasn't happened, but since your mail server, or anyone else's, has been used as an open relay, you could find yourself on a couple of blacklists. It's important to know them, so you can fix an accidental blacklisting of your business. Also, for security reasons, you can set your system to block these guys. Here are some steps to get you started and on the path to mail redemption:
1. Look at messages returned to you and see if you have anything that says "Reject" followed by a URL. These are the people who decided your accidental open relay was spamming.
2. There is an open relay database on the net to check and verify open relays. If you're curious or believe someone is an open server, check this: ORDB
3. This is a blacklist search engine, sort of. They try to keep tabs on blacklists. Check them out.
4. Last resort: post a message in news.admin.net-abuse with your case.
Final note: before anyone will remove you, make sure you are not an open relay or a proxy mail list generator etc. So make sure your mail server and web caches are fixed and plugged.
I'll post this in a more professional manner in the tuts if there isn't one.
-
June 27th, 2003, 01:04 AM
#9
You can check if you are blacklisted on any of the sites at this location:
http://relays.osirusoft.com/cgi-bin/rbcheck.cgi
When you first hit it, it will use your IP. You can enter an IP and have the system check that, as well. I use this to keep track of our mail servers to make sure we aren't being singled out.
Good Luck!
-
June 27th, 2003, 04:13 PM
#10
Member
Here is what I would suggest you try:
1. Start reading news.admin.net-abuse.email on Usenet. You can read and post from Google via: http://groups.google.com/groups?hl=e...et-abuse.email
You can get a lot of information and help from the regulars on NANAE. Remember, this is Usenet; not everyone is nice and you can get flamed pretty badly if you don't follow the posting rules.
2. Check sites like SpamCop, SPEWS etc.... They have lots of info about setting up block lists in mail servers.
3. If you are in some blocklists, find out which ones by checking the lists yourself. You will find links to those on www.spews.org etc....
Most of the block lists that deal with open mail relays have an option for testing the relay. You can check your progress yourself by testing your own server via these sites. Once you are no longer open and have run the test, most of the time you will get removed from the block list. You can also contact the admin of the blocklist / test site and see if they can speed up the process for you.
4. Once you have closed your open relay and have tested it, then post on NANAE. This way, you minimize the possible flaming that could occur. If you are honest and open with the users on NANAE, they will be a great resource for you.
5. There is also a NANAE-type group called sightings (check Google). This is a place where users / admins have posted the spam that they have received. There is a process that must be followed for it to be accepted in sightings, but the FAQ explains it all. This group becomes a record for others to be able to check host domains and ISPs to see if they are spam friendly.
Hope this helps. I have been down this road before. Good luck.
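Posts #8, #9 and #10 all come down to the same check: look your own address up in the DNS-based block lists. The rbcheck page in #9 does that in a browser; here is the same lookup as an added script so it can be run on a schedule against your own mail servers. This is example code, not the page's or any block list's own tool; the zone names are assumptions (check each list's usage terms before querying it), and the resolver table at the bottom is constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Zones used by this example; confirm each list's usage terms before querying it for real.
DNSBL_ZONES: List[str] = ["zen.spamhaus.org", "bl.spamcop.net"]

Resolver = Callable[[str], str]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: IPv4 octets reversed, then the zone.
    '211.194.117.177' in 'zen.spamhaus.org' -> '177.117.194.211.zen.spamhaus.org'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(name: str, resolve: Resolver) -> Optional[str]:
    """Return the A record for name, or None on NXDOMAIN (the 'not listed' answer)."""
    try:
        return resolve(name)
    except socket.gaierror:
        return None


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """DNSBL convention (RFC 5782): 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone that fails this is dead, parked, or answering for every address, and its
    verdicts must not be used to block mail."""
    return (lookup(dnsbl_name("127.0.0.2", zone), resolve) is not None
            and lookup(dnsbl_name("127.0.0.1", zone), resolve) is None)


def check_dnsbl(ip: str, zones: List[str] = DNSBL_ZONES,
                resolve: Resolver = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Map each zone to its listing code (e.g. '127.0.0.2'), None if not listed,
    or 'unreliable' if the zone fails the sanity test."""
    verdicts: Dict[str, Optional[str]] = {}
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            verdicts[zone] = "unreliable"
            continue
        answer = lookup(dnsbl_name(ip, zone), resolve)
        # Only 127/8 answers are listing codes; anything else is a parked domain
        # or wildcard and must not be read as a listing.
        if answer is not None and not answer.startswith("127."):
            answer = None
        verdicts[zone] = answer
    return verdicts


# Constructed offline resolver standing in for live DNS so the example runs anywhere.
# bl.spamcop.net is deliberately made to 'list' 127.0.0.1 to show the sanity check firing.
_FAKE_TABLE = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "1.0.0.127.bl.spamcop.net": "127.0.0.2",
    "177.117.194.211.zen.spamhaus.org": "127.0.0.2",
}


def fake_resolve(name: str) -> str:
    try:
        return _FAKE_TABLE[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    # The IP from the post and an RFC 5737 documentation address that is not listed.
    for ip in ("211.194.117.177", "192.0.2.10"):
        print(ip, check_dnsbl(ip, resolve=fake_resolve))
```

Drop the `resolve=fake_resolve` argument to query real DNS. The sanity test matters in practice: a block list that goes dark and starts answering for every address will otherwise make your server reject all mail, which is a worse outage than the spam was.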