CDT Report on Spam

Chris Zwilling chris at nukequarters.com
Fri Mar 21 22:52:55 CST 2003


I've basically taken the same approach as Duane - I've also created my own
RBL in postfix and I am using it alongside of relays.ordb.org and
relays.visi.com...

Unfortunately my list has grown to about 900 blocks of IPs.  It is kind of
fun grepping my mail logs for rejected messages hoping for a new one day
record of rejected SPAMs... yesterday was a red letter day with 55!

Using the relays servers is not really effective - I have only seen one or
two rejected messages from their use since I started using them a few
months ago.

If anyone would like my list emailed to them, let me know.

;--------------------------------;
; The problem with reality is    ;  chris at nukequarters.com
;  that there isn't a coherent   ;  http://www.nukequarters.com
;  soundtrack.			 ;
;--------------------------------;

On Thu, 20 Mar 2003, Duane Attaway wrote:

> On Thu, 20 Mar 2003, Bob Batson wrote:
>
> > The CDT has just issued a report on spam called "Why Am I Getting All
> > This Spam?" which makes for interesting reading, especially their
>
> Good article with great facts.
>
> Since spam seems to be spewing from the same 20 or so networks from places
> I don't know anyone or possibly doing business, I found myself creating a
> small RBL in twenty lines of iptables:
>
> -A INPUT -s 64.37.64.0/255.255.192.0 -j DROP
> -A INPUT -s 213.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 200.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 195.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 218.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 210.0.0.0/254.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 217.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 164.77.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 212.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 80.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 61.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 65.102.23.0/255.255.255.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 194.67.57.18 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 152.160.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 202.0.0.0/254.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 4.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 146.83.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 193.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 148.208.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 208.161.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A INPUT -s 207.102.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
>
> What I did was do a "whois -h whois.arin.net" on each spam connection and
> put an entry into iptables for their network size.  Pipe that into
> iptables-restore and I get the rare spam each week from a network I know
> has an active abuse department.  Those I do not block.
>
> I found spammers love to harvest from usenet.  I discovered this after I
> misspelled my username for my newsreader by accident.  They continue to
> spam for years after posting.  THAT never gave me any incentive to fix my
> email address...  Addresses on my web page do not seem to initiate spam.
>
> --
> "It is the duty of a patriot to protect his country from its government"
> -Thomas Paine
> http://dattaway.org
>
>
>
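Added example, not code from either poster: the rules Duane quotes use
iptables' dotted-netmask form (64.37.64.0/255.255.192.0), while a Postfix
client access map of the kind Chris describes takes CIDR prefixes. The script
below converts those rule lines (embedded here as constructed sample input,
copied from the quoted list) into a Postfix cidr: table suitable for
"check_client_access cidr:/etc/postfix/client_access", validates that each
netmask is contiguous and that no host bits are set, and includes a membership
test so a new connecting IP from the mail log can be checked against the list
before another block is added. The helper names (ip_to_int, mask2cidr,
rule_src_to_cidr, ip_in_cidr, iptables_to_cidr_table) and the REJECT text are
assumptions of this example, not anything from the thread or from Postfix.

```shell
#!/bin/sh
# Added example (not from the original thread). Converts iptables rules with
# dotted netmasks into a Postfix cidr: access table and checks IPs against it.
# All helper names below are this example's own.

# Dotted-quad IPv4 -> 32-bit integer. Runs in a subshell so IFS is not clobbered.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Dotted netmask -> prefix length. Rejects non-contiguous masks (255.0.255.0).
mask2cidr() {
    m=$(ip_to_int "$1")
    bits=0
    while [ "$bits" -lt 32 ] && [ $(( (m >> (31 - bits)) & 1 )) -eq 1 ]; do
        bits=$((bits + 1))
    done
    if [ $(( m & ((1 << (32 - bits)) - 1) )) -ne 0 ]; then
        echo "bad netmask: $1" >&2
        return 1
    fi
    echo "$bits"
}

# Extract the -s source of one iptables rule and print it as NET/PREFIX.
# A bare address becomes /32; host bits set under the mask are warned about.
rule_src_to_cidr() {
    src=
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = "-s" ] && { src=$2; break; }
        shift
    done
    [ -n "$src" ] || { echo "no -s in rule" >&2; return 1; }
    case $src in
        */*) net=${src%/*}; mask=${src#*/} ;;
        *)   net=$src; mask=32 ;;
    esac
    case $mask in
        *.*) prefix=$(mask2cidr "$mask") || return 1 ;;
        *)   prefix=$mask ;;
    esac
    net_int=$(ip_to_int "$net")
    mask_int=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    if [ $(( net_int & mask_int )) -ne "$net_int" ]; then
        echo "warning: $src has host bits set under its mask" >&2
    fi
    echo "$net/$prefix"
}

# Exit 0 if $1 (dotted IP) lies inside $2 (NET/PREFIX), 1 otherwise.
ip_in_cidr() {
    net=${2%/*}; prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Read iptables DROP rules on stdin, emit one Postfix cidr: table line each.
iptables_to_cidr_table() {
    while IFS= read -r line; do
        case $line in
            *"-j DROP"*)
                cidr=$(rule_src_to_cidr "$line") || continue
                printf '%s\tREJECT Listed in local blocklist\n' "$cidr" ;;
        esac
    done
}

# Constructed sample input: the 21 rules quoted in the thread. Note the first
# one drops all traffic, not just port 25; the Postfix table is SMTP-only.
sample_rules() {
    cat <<'EOF'
-A INPUT -s 64.37.64.0/255.255.192.0 -j DROP
-A INPUT -s 213.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 200.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 195.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 218.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 210.0.0.0/254.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 217.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 164.77.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 212.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 80.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 61.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 65.102.23.0/255.255.255.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 194.67.57.18 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 152.160.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 202.0.0.0/254.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 4.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 146.83.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 193.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 148.208.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 208.161.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 207.102.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
EOF
}

# Stand-alone run: print the generated table.
sample_rules | iptables_to_cidr_table
```

Rejecting at the SMTP layer rather than with a firewall DROP has one practical
difference worth keeping in mind: Postfix answers the client with a 5xx and
writes a reject line to the mail log, which is exactly what the grep-for-
rejects counting above relies on, whereas a DROP at port 25 leaves no trace in
the mail log at all.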




More information about the Kclug mailing list