i agree with what jim wrote about the ip blocks. what's also interesting
is if you do a bunch of digs you discover (or at least i found) that the
name servers are at registrar-services.com, which is an alias for
namecheap.com - a huge registrar. of course, i've found others, and i
guess registrars don't vet registrants and don't care that someone is
registering 10 or 100 or 1000 domains to use for spamming. too bad....
the net was a much nicer place before all this and the constant attacks
on my customers' websites started happening!
as to .me, apple uses me.com. .me is the tld for montenegro (part of the
former yugoslavia).
david camm
advanced web systems
keller, tx
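Jim's description of spammers rotating through a /29 to /24 block, and Glenn's practice of blocking the whole block once the IPs are seen "walking up" it, can be turned into a check that finds the block actually in use. The following is an added example, not code from anyone in the thread: given the sender IPs pulled from one batch of spam headers, it groups them by /24, computes the smallest CIDR covering each group and reports how densely the batch fills it, so a block-list entry can be kept to the range in use rather than a wider one that may hold unrelated hosts. The sample addresses are constructed (RFC 5737 documentation ranges) and the thresholds are assumptions, not settings from the thread.

```python
"""Spotting the rotating /29-/24 sender blocks described in the thread.

Added example, not anyone's code from the thread. Addresses below are constructed
(RFC 5737 ranges); min_distinct and min_density are assumed thresholds.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed sample: sender IPs captured from one "chunk" of spam.
SAMPLE_SENDERS = [
    "203.0.113.34", "203.0.113.37", "203.0.113.35", "203.0.113.38",
    "203.0.113.36", "203.0.113.34",  # repeat: same host seen twice
    "198.51.100.200",                # lone sender, not part of a rotating block
]


def covering_block(ips) -> ipaddress.IPv4Network:
    """Smallest IPv4 CIDR block that contains every address in ips."""
    nums = sorted({int(ipaddress.IPv4Address(ip)) for ip in ips})
    lo, hi = nums[0], nums[-1]
    prefix = 32
    # Shorten the prefix until the lowest and highest address share network bits.
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    network_int = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((network_int, prefix))


def snowshoe_candidates(ips, min_distinct: int = 3,
                        min_density: float = 0.5) -> List[Dict]:
    """One report per /24 seen. recommend_block is True for a /29-/24 block that
    the batch fills densely enough (assumed thresholds) to match the rotating
    pattern; a lone IP or a sparse spread over a wide block does not qualify."""
    groups = defaultdict(set)
    for ip in ips:
        addr = ipaddress.IPv4Address(ip)
        groups[ipaddress.IPv4Network((int(addr) >> 8 << 8, 24))].add(addr)
    reports = []
    for net24 in sorted(groups):
        addrs = groups[net24]
        block = covering_block([str(a) for a in addrs])
        density = len(addrs) / block.num_addresses
        reports.append({
            "block": str(block),
            "distinct": len(addrs),
            "density": round(density, 2),
            "recommend_block": (len(addrs) >= min_distinct
                                and 24 <= block.prefixlen <= 29
                                and density >= min_density),
        })
    return reports


if __name__ == "__main__":
    for report in snowshoe_candidates(SAMPLE_SENDERS):
        print(report)
```

On the sample the five 203.0.113.x senders collapse to 203.0.113.32/29 with a density above 0.6, which is the shape Jim describes; the single 198.51.100.200 stays a /32 and is not recommended as a block entry.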
On 10/14/2013 4:20 PM, Glenn Meadows wrote:
> I usually have a bunch come through, and with T-bird, a ctrl-u will display
> all the headers. When I get a "chunk" of spam, I just capture all the
> IP addresses, and you'll notice them walking up and around a whole
> block of IP addresses. I just get super bold, and load the whole
> block into my block list on our Watchguard firewall. That usually
> shuts them totally out for a month or two.
>
> It's interesting that they're coming out of the .me domain, which is
> Apple, if I recall correctly.
>
> --
> Glenn Meadows
> Mayfield Mastering
> 2825 Erica Place
> Nashville, TN 37204
> 615-383-3708
>
> On 10/14/2013 3:56 PM, JDL wrote:
>> Since I am blocking on the originating IP address, I do not really
>> care about domains. Other public RBLs block much of the spam that
>> comes in. My goal was to try to block the snowshoe spammers (those
>> that send a few e-mails from an IP and then move to another one).
>> What I am seeing is spammers that have usually a /29 to /24 IP block
>> and rotate sending spam from IPs within those blocks. SurgeMail's
>> content filters catch most, but not all, of the incoming spam. If I can
>> find where they are coming from, I can block them.
>>
>> It seems to have cut down the amount of missed spam, however, it can
>> be time consuming.
>>
>> Jim
>>
>> On Oct 14, 2013, at 4:48 PM, David Camm <HIDDEN@advwebsys.com> wrote:
>>
>>> jim -
>>>
>>> the man page at the url below is a bit less than helpful, but i'm
>>> sure after downloading the tarball, i'd be able to figure it out.
>>>
>>> one thing that strikes me about a large amount of the spam we're
>>> receiving lately is that the spammers are using dozens if not
>>> hundreds of domains (especially .me and .us) which means keeping up
>>> with them and adding those ip addresses manually could wind up being
>>> an all-consuming task. and since the domains (and ips) change very
>>> frequently i'm wondering if this is worth it - at least for me.
>>>
>>> david camm
>>> advanced web systems
>>> keller, tx
>>>
>>>
>>> On 10/14/2013 3:03 PM, JDL wrote:
>>>> Sorry. The correct config for rbldnsd is as follows.
>>>>
>>>> RBLDNSD="- -4 -b x.x.x.x -r /var/lib/rbldns \
>>>> block.xxxxxxxxx:ip4set:block \
>>>> rbl.xxxxxxxx:ip4set:spam \
>>>> rbl.xxxxxxxx:ip4set:watch \
>>>> "
>>>>
>>>> Jim
>>>>
>>>>
>>>> On Oct 14, 2013, at 3:39 PM, JDL <HIDDEN@agineNet.net> wrote:
>>>>
>>>>> David,
>>>>>
>>>>> I simply installed the rbldnsd
>>>>> (http://www.corpit.ru/mjt/rbldnsd.html) package on a CentOS linux
>>>>> server and started adding addresses/blocks. My
>>>>> /etc/sysconfig/rbldnsd configuration file is as follows.
>>>>>
>>>>> BLDNSD="- -4 -b x.x.x.x/5353 -r /var/lib/rbldns \
>>>>> block.xxxxxxxxx:ip4set:block \
>>>>> rbl.xxxxxxxx:ip4set:spam \
>>>>> rbl.xxxxxxxx:ip4set:watch \
>>>>> "
>>>>>
>>>>>
>>>>> I also added the following to the SurgeMail configuration.
>>>>>
>>>>> ---------- surgemail.ini ----------
>>>>>
>>>>> g_orbs_list name="block.xxxxxxxx" action="deny" stamp=""
>>>>> g_orbs_list name="rbl.xxxxxxxx" action="stamp"
>>>>> stamp="127.0.0.2=ImagineNet_Spam~127.0.0.10=ImagineNet_Watch"
>>>>>
>>>>> ---------- sf_mfilter_local.txt ----------
>>>>>
>>>>> if(isin("X-ORBS-Stamp", "ImagineNet_Spam")) then
>>>>> call feature_manual(1, "Imagine Net Spam RBL")
>>>>> end if
>>>>>
>>>>> ---------- mfilter.rul ----------
>>>>>
>>>>> if (isin("X-ORBS-Stamp", "ImagineNet_Watch")) then
>>>>> call report("HIDDEN@e@somewhere.tld", "ImagineNet_Watch RBL Hit")
>>>>> end if
>>>>>
>>>>>
>>>>> If you use a score of 1 for feature_manual, you will need to use
>>>>> SurgeMail 6.4b-47 or later and, according to NetWin, g_sf_binary
>>>>> must be enabled (g_sf_binary "TRUE").
>>>>>
>>>>> This configuration provides the following.
>>>>>
>>>>> 1. Block IPs, CIDR subnets, or ranges and put comments in the
>>>>> file (when, who, why, etc.).
>>>>>
>>>>> 2. The first RBL is a hard block (deny).
>>>>>
>>>>> 3. The second RBL either tells SurgeMail to classify a message
>>>>> as spam (result of 127.0.0.2) OR sends me a report if the IP is on
>>>>> my watch list (result of 127.0.0.10).
>>>>>
>>>>>
>>>>> Hope this helps.
>>>>>
>>>>> Jim Lohiser
>>>>> Imagine Net, Inc.
>>>>>
>>>>>
>>>>>
>>>>> On Oct 14, 2013, at 2:15 PM, David Camm <HIDDEN@advwebsys.com> wrote:
>>>>>
>>>>>> jim -
>>>>>>
>>>>>> interesting. how'd you do that?
>>>>>>
>>>>>> david camm
>>>>>> advanced web systems
>>>>>> keller, tx
>>>>>> On 10/9/2013 10:55 AM, JDL wrote:
>>>>>>> I have started maintaining our own RBL. Is there a tellmail
>>>>>>> command to force SurgeMail to clear its RBL cache? I have
>>>>>>> reduced g_orbs_cache_life from the default of 7200 to 3600.
>>>>>>> However, if I add a spammer to my RBL, it can take quite a while
>>>>>>> for SurgeMail to see the change. I was looking for a way to
>>>>>>> clear the RBL cache without restarting SurgeMail.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Jim Lohiser
>>>>>>> Imagine Net, Inc.
>>>>>>>
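Jim's configuration above chains two pieces: rbldnsd serving ip4set zones, and SurgeMail's g_orbs_list mapping the A record a listing returns (127.0.0.2 or 127.0.0.10) to an X-ORBS-Stamp that the mfilter rules act on. The following is an added example that models that logic end to end; it is not code from rbldnsd, SurgeMail or anyone in the thread. It parses an ip4set-style list, builds the reversed-octet query name a mail server sends to the RBL zone, and applies the exact stamp string from the thread. The zone name, list contents and addresses are constructed placeholders (the thread redacts its real zone as rbl.xxxxxxxx); the ip4set syntax handled (single IP, CIDR, dotted range, `#` comments, `:A:TXT` default-value lines) is a subset of the real format as I understand it, and first-match lookup is a simplification.

```python
"""DNSBL lookup logic behind the rbldnsd + SurgeMail setup described in the thread.

Added example, not code from rbldnsd, SurgeMail or anyone in the thread. Zone
name, addresses and list contents are constructed placeholders.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Placeholder zone name: the thread redacts the real one as rbl.xxxxxxxx.
RBL_ZONE = "rbl.example.invalid"

# The stamp mapping string exactly as the thread's g_orbs_list line gives it.
STAMP_MAP_TEXT = "127.0.0.2=ImagineNet_Spam~127.0.0.10=ImagineNet_Watch"

# Constructed ip4set-style data file (RFC 5737 documentation addresses).
# Syntax subset assumed here: ':A:TXT' lines set the A value returned for the
# entries that follow, '#' starts a comment, an entry is a single IP, a CIDR
# block or a dotted range. The real format supports more (exclusions, etc.).
IP4SET_TEXT = """\
# spam/watch list (constructed sample)
:127.0.0.2:Listed as a spam source
192.0.2.0/29                 # 2013-10-14 rotating block seen in headers
203.0.113.10-203.0.113.20    # range of rotating senders
:127.0.0.10:On the watch list
198.51.100.7                 # single IP under observation
"""


def _ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ip4set(text: str) -> List[Tuple[int, int, str]]:
    """Return (low, high, a_value) ranges in file order."""
    entries = []
    a_value = "127.0.0.2"  # default A record when the file sets none
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.startswith(":"):  # ':A:TXT' default-value line
            a_value = line.split(":", 2)[1]
            continue
        spec = line.split()[0]
        if "/" in spec:
            net = ipaddress.IPv4Network(spec, strict=False)
            lo, hi = int(net[0]), int(net[-1])
        elif "-" in spec:
            first, last = spec.split("-", 1)
            lo, hi = _ip_int(first), _ip_int(last)
        else:
            lo = hi = _ip_int(spec)
        entries.append((lo, hi, a_value))
    return entries


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.3 -> 3.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(ip: str, entries) -> Optional[str]:
    """A value for a listed IP, or None (NXDOMAIN) if unlisted. First match
    wins; rbldnsd's precedence for overlapping entries is not modelled."""
    n = _ip_int(ip)
    for lo, hi, a_value in entries:
        if lo <= n <= hi:
            return a_value
    return None


def parse_stamp_map(text: str) -> Dict[str, str]:
    """Split a SurgeMail stamp string 'A=Label~A=Label' into {A: Label}."""
    return dict(pair.split("=", 1) for pair in text.split("~"))


ENTRIES = parse_ip4set(IP4SET_TEXT)
STAMPS = parse_stamp_map(STAMP_MAP_TEXT)


def evaluate(ip: str) -> dict:
    """What SurgeMail would see for a connecting IP: query, A value, stamp."""
    code = lookup(ip, ENTRIES)
    return {"query": dnsbl_query_name(ip, RBL_ZONE),
            "code": code,
            "stamp": STAMPS.get(code) if code else None}


if __name__ == "__main__":
    for ip in ("192.0.2.3", "192.0.2.8", "203.0.113.15", "198.51.100.7"):
        print(evaluate(ip))
```

With this list, 192.0.2.3 and 203.0.113.15 come back as 127.0.0.2 and would carry the ImagineNet_Spam stamp that sf_mfilter_local.txt turns into a feature_manual hit, 198.51.100.7 comes back as 127.0.0.10 and would trigger the ImagineNet_Watch report, and 192.0.2.8 (just outside the /29) is unlisted.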