[Dshield] Blocking Offending Countries

jayjwa jayjwa at atr2.ath.cx
Wed Jun 29 05:19:10 GMT 2005

On Tue, 28 Jun 2005, Adrien de Beaupre wrote:

-> Thanks Frank. I agree, block content. Or more specifically
-> allow only the content required for your business/organizational
-> needs.

Content blocking is very, very easy for spammers to go through. Just look at 
some of the creative ways they do it. I'm not saying it doesn't work at 
all, it just doesn't work *enough*.

-> I understand the desire to believe that blocking IP connections
-> by country is somehow increasing security. I would like to point

And yet it does, at least in my case. I seriously cut down on the number 
of weird log entries I had to follow up on, spam I had to report, and 
other incidents to take time away from what I really wanted to be doing 
with my computer. To this day, I've never, ever got one single piece of 
legitimate traffic from China, which is what I was initially bringing up. 
One of my first posts stated that I don't usually do it, and I don't like 
to, but China was a rare exception based on the lack of responses I got 
from all the ISPs that I tried to contact there, and on content after 

-> In any case, I have never seen an accurate
-> listing of IP blocks by country,

http://www.blackholes.us/  is pretty close, I think.

-> so whom are you blocking
-> anyway?

Places like 21cn.com, who spammed me on a weekly basis, sometimes more. 
I have no idea who they are or how they got my address, but they persisted 
even after I left a message with the initial block from my MTA. 
Netvigator.com (actually listed as Hong Kong, but close enough for me), 
who connected to my ftp server and proceeded to download *everything*, 
several times over, before I caught and kicked him/them/it off. Outblaze, 
whose actual spam-cannons are in the US but use open relays/proxies in 
Korea/China, and are actually based there, according to their register 
info. These guys had a massive spam run several months back when I got 
spam from them daily, always in a similar form with a similar look, done 
through an open relay/proxy in China/Korea. All 222.*, which is a regular 
guest on the Dshield block list, plus all of the slots in my iptables 
listing for which I see packet and byte counts. So, I do see they are 
knocking; they just can't come in.

Confidentiality Notice: This email may contain confidential
and privileged information. If in the event that it does,
please send it back to me with a reply telling me how
stupid I am for sending confidential info to a public forum.
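The post above describes dropping whole netblocks from a country-style CIDR list in iptables and then reading the per-rule packet and byte counters to see who is still knocking. The following is an added example (not the poster's setup, and not code from Dshield or blackholes.us) of the two chores that come before the counters: cleaning up such a list and checking which logged connection attempts would have fallen under it. The CIDR list, the log lines and their "service connect from IP" format are all constructed for the example; the prefixes are illustrative only and are not claimed to belong to any country. The iptables rules are rendered as text and nothing here changes a firewall.

```python
import ipaddress
import re
from collections import Counter

# Constructed country-style CIDR list (hypothetical; not taken from
# blackholes.us or from any real allocation data). Real lists contain
# overlapping and adjacent blocks just like this one, which inflate the
# rule count if loaded as-is.
SAMPLE_BLOCKLIST = [
    "222.0.0.0/8",
    "222.64.0.0/11",      # redundant: already inside 222.0.0.0/8
    "218.0.0.0/16",
    "218.1.0.0/16",       # adjacent to the previous block, merges to a /15
    "203.80.0.0/16",
]

# Constructed log lines in a simplified "timestamp service connect from IP" format.
SAMPLE_LOG = """\
Jun 28 01:02:03 smtp connect from 222.65.12.34
Jun 28 01:05:10 ftp connect from 218.1.200.9
Jun 28 01:07:44 smtp connect from 192.0.2.17
Jun 28 01:09:01 smtp connect from 203.80.4.4
Jun 28 01:11:30 ssh connect from 198.51.100.7
"""

def load_blocklist(cidrs):
    """Parse CIDR strings, drop duplicates and covered prefixes, merge
    adjacent blocks. strict=False tolerates host bits set in sloppy
    lists (e.g. '222.1.2.3/8'), which would otherwise raise ValueError."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))

def match_block(ip, blocklist):
    """Return the blocklist network containing ip, or None.
    After collapsing there is at most one matching prefix."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr.version == net.version and addr in net:
            return net
    return None

LOG_RE = re.compile(r"(?P<svc>\w+) connect from (?P<ip>[\d.]+)$")

def classify_log(log_text, blocklist):
    """Split the constructed log into blocked and allowed connections and
    count hits per blocked prefix (the software equivalent of reading
    the per-rule iptables counters)."""
    blocked, allowed = [], []
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        net = match_block(m["ip"], blocklist)
        if net is None:
            allowed.append((m["svc"], m["ip"]))
        else:
            blocked.append((m["svc"], m["ip"], str(net)))
            hits[str(net)] += 1
    return blocked, allowed, hits

def iptables_rules(blocklist, chain="INPUT"):
    """Render one DROP rule per collapsed prefix. Text only; nothing
    here touches the firewall."""
    return [f"iptables -A {chain} -s {net} -j DROP" for net in blocklist]

if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    print("collapsed prefixes:", [str(n) for n in bl])
    blocked, allowed, hits = classify_log(SAMPLE_LOG, bl)
    for svc, ip, net in blocked:
        print(f"BLOCKED {svc:5} {ip:16} matched {net}")
    for svc, ip in allowed:
        print(f"allowed {svc:5} {ip}")
    print("hits per prefix:", dict(hits))
    print("\n".join(iptables_rules(bl)))
```

Collapsing first matters in practice: five list entries become three rules here, and on a real list of thousands of prefixes the difference is what keeps a plain iptables chain (one linear rule per prefix) from becoming a packet-processing cost of its own. Running the classifier over yesterday's logs before enabling the rules is also the cheapest way to see what legitimate connections, if any, a given list would have dropped.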

