CDT Report on Spam

Duane Attaway dattaway at dattaway.org
Fri Mar 21 05:39:05 CST 2003


On Thu, 20 Mar 2003, Bob Batson wrote:

> The CDT has just issued a report on spam called "Why Am I Getting All 
> This Spam?" which makes for interesting reading, especially their 

Good article with great facts.

Since spam seems to be spewing from the same 20 or so networks, in places
where I don't know anyone and am not likely to be doing business, I found
myself creating a small RBL in twenty lines of iptables:

# iptables-save format: feed the whole file to iptables-restore.
*filter
# First rule has no port match, so it drops all traffic from 64.37.64.0/18.
-A INPUT -s 64.37.64.0/255.255.192.0 -j DROP
# The rest only drop inbound SMTP (TCP port 25) from the listed networks.
-A INPUT -s 213.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 200.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 195.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 218.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 210.0.0.0/254.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 217.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 164.77.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 212.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 80.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 61.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 65.102.23.0/255.255.255.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 194.67.57.18 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 152.160.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 202.0.0.0/254.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 4.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 146.83.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 193.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 148.208.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 208.161.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 207.102.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
COMMIT

What I did was run a "whois -h whois.arin.net" on each spam connection and
put an entry into iptables for their network size.  Pipe that into
iptables-restore, and I get the rare spam each week from a network I know
has an active abuse department.  Those I do not block.

I found spammers love to harvest from usenet.  I discovered this after I
misspelled my username for my newsreader by accident.  They continue to
spam for years after posting.  THAT never gave me any incentive to fix my
email address...  Addresses on my web page do not seem to initiate spam.

--
"It is the duty of a patriot to protect his country from its government"
-Thomas Paine
http://dattaway.org
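The whois-then-iptables procedure in the post above, as an added example that is not the author's script: each SMTP source address is resolved to its registry allocation (here from a constructed stand-in for "whois -h whois.arin.net" output, so it runs offline), the allocations are collapsed so overlapping networks become one rule, and the result is written with the *filter / COMMIT framing iptables-restore needs. The sample addresses, the whois records and the helper names are all assumptions made for the example. It also flags any allocation wider than /16, since several of the post's rules drop whole /8 and /7 blocks and those deserve a look before going into production.

```python
"""Turn SMTP source addresses into an iptables-restore blocklist.

Added example for this post, not the author's own script.  Each source
address is resolved to its allocation the way the post describes (a whois
lookup), allocations are collapsed so overlaps appear once, and the result
is framed with *filter / COMMIT for iptables-restore.  Runs offline: the
addresses and whois records below are constructed, not real lookups.
"""
import ipaddress
import re

# Constructed sample input: source addresses of inbound SMTP connections.
SMTP_SOURCES = """
194.67.57.18
65.102.23.44
65.102.23.200
212.8.1.9
4.23.99.1
"""

# Constructed stand-in for `whois -h whois.arin.net <ip>` output, keyed by
# the queried address.  Real output is longer; only CIDR / NetRange matter.
WHOIS_DUMPS = {
    "194.67.57.18": "NetRange:  194.67.57.0 - 194.67.57.255\nCIDR:      194.67.57.0/24\n",
    "65.102.23.44": "NetRange:  65.102.23.0 - 65.102.23.255\nCIDR:      65.102.23.0/24\n",
    "65.102.23.200": "CIDR:      65.102.23.0/24\n",
    "212.8.1.9": "NetRange:  212.8.0.0 - 212.8.255.255\n",  # record without a CIDR line
    "4.23.99.1": "NetRange:  4.0.0.0 - 4.255.255.255\nCIDR:      4.0.0.0/8\n",
}

CIDR_RE = re.compile(r"^CIDR:\s*(.+?)\s*$", re.M)
RANGE_RE = re.compile(r"^NetRange:\s*(\S+)\s*-\s*(\S+)", re.M)


def networks_from_whois(text):
    """Parse the allocation(s) out of one whois record.

    Prefers the CIDR line (ARIN may list several, comma separated) and falls
    back to summarizing a NetRange into its covering networks.
    """
    m = CIDR_RE.search(text)
    if m:
        return [ipaddress.ip_network(c.strip(), strict=False)
                for c in m.group(1).split(",")]
    m = RANGE_RE.search(text)
    if m:
        first = ipaddress.ip_address(m.group(1))
        last = ipaddress.ip_address(m.group(2))
        return list(ipaddress.summarize_address_range(first, last))
    raise ValueError("whois record has neither CIDR nor NetRange")


def build_blocklist(sources, whois_lookup):
    """Resolve every source address to its allocation and collapse overlaps.

    `whois_lookup(ip)` returns whois text for `ip`; in real use it would
    shell out to whois, here it reads the constructed dict above.
    """
    nets = []
    for ip in sources.split():
        nets.extend(networks_from_whois(whois_lookup(ip)))
    # Duplicate and nested allocations become a single rule each.
    return list(ipaddress.collapse_addresses(nets))


def render_restore(nets, port=25):
    """Emit an iptables-restore file dropping inbound TCP/<port> from nets."""
    lines = ["*filter"]
    for n in nets:
        # with_netmask gives the dotted-mask form the post's rules use.
        lines.append(f"-A INPUT -s {n.with_netmask} -p tcp -m tcp "
                     f"--dport {port} -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def is_blocked(ip, nets):
    """Check whether a single address would be caught by the rule set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def broad_networks(nets, widest_ok=16):
    """Allocations wider than /widest_ok: a /8 is a registry's worth of
    address space, so review these before dropping them outright."""
    return [n for n in nets if n.prefixlen < widest_ok]


if __name__ == "__main__":
    nets = build_blocklist(SMTP_SOURCES, WHOIS_DUMPS.__getitem__)
    print(render_restore(nets), end="")
    for n in broad_networks(nets):
        print(f"# review: {n} is wider than /16")
```

Swapping `WHOIS_DUMPS.__getitem__` for a function that runs `whois -h whois.arin.net` gives the live version; the parser only needs the CIDR or NetRange line, which ARIN has printed in that form for years.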




More information about the Kclug mailing list