[Dshield] Novice regarding reporting spam, would like to learn how to.

James Riden j.riden at massey.ac.nz
Wed Apr 28 20:36:21 GMT 2004


"Peter Stendahl-Juvonen" <peter.stendahl-juvonen at welho.com> writes:

> At least a part of spam involves possible security issues.
>
> Would fellow DShielders with insights kindly assist in the first attempt
> to report spam?

Start at the top and work back through your trusted hosts. First
untrusted IP that appears is 211.59.140.77

A lot of spam is relayed via trojaned dialup/DSL machines these days,
so let's do a quick lookup in XBL (xbl.spamhaus.org) which lists these
kinds of relays:

http://www.spamhaus.org/query/bl?ip=211.59.140.77

Sure enough, it's there. You can also do lookups at openrbl.org if you
want to check a wider variety of lists.

> 1) To whom would you report this example of spam?

% whois -h whois.apnic.net 211.59.140.77

211/8 seems APNIC-ish from memory - otherwise ARIN or RIPE will
redirect you. Yep, it's KRNET.

% whois -h whois.krnic.net 211.59.140.77

gives abuse at thrunet.com.


If your mail admin can start rejecting mail based on the XBL, you
wouldn't have had to see this in the first place - but that's a
decision for each site to make and I can't say whether it's
appropriate for yours.

hope that helps,
 Jamie
-- 
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
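
Added example, not part of the original message: the header walk and blocklist lookup described in the reply above, as a Python sketch. The sample headers, the 192.0.2.0/24 "trusted" range and the function names are constructed for illustration; only the IP 211.59.140.77 and the zone xbl.spamhaus.org come from the message.

```python
import email
import ipaddress
import re
import socket

# Constructed sample: 192.0.2.0/24 stands in for the recipient's own relays.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE = (
    "Received: from mx1.example.org (mx1.example.org [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP; Wed, 28 Apr 2004 10:00:02 +0000\n"
    "Received: from unknown (HELO abc) ([211.59.140.77])\n"
    "\tby mx1.example.org with SMTP; Wed, 28 Apr 2004 10:00:01 +0000\n"
    "Received: from mail.bank.example ([198.51.100.5])\n"
    "\tby abc with SMTP; Wed, 28 Apr 2004 09:59:00 +0000\n"
    "Subject: constructed sample\n\nbody\n"
)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def first_untrusted_ip(raw_message, trusted=TRUSTED):
    """Walk Received headers top-down; return the first peer IP not in `trusted`."""
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        # Only the "from ..." clause names the connecting peer.
        from_clause = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        match = BRACKETED_IP.search(from_clause)
        if not match:
            continue  # e.g. a local-delivery hop with no peer address
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if not any(ip in net for net in trusted):
            # Everything below this hop was written by hosts we do not control.
            return str(ip)
    return None

def dnsbl_name(ip, zone="xbl.spamhaus.org"):
    """DNSBL query name: reversed octets prepended to the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone="xbl.spamhaus.org"):
    """Live lookup (needs DNS). An answer in 127/8 means listed."""
    try:
        answer = socket.gethostbyname(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False  # NXDOMAIN: not listed
    # Spamhaus uses 127.255.255.x for query errors, not for listings.
    return answer.startswith("127.") and not answer.startswith("127.255.255.")
```

The third Received line in the sample sits below the first untrusted hop, so it is never consulted: it could have been written by the sender.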



