[Dshield] Blocking Offending Countries

Tony Earnshaw tonye at billy.demon.nl
Wed Jun 29 17:06:17 GMT 2005


Wed, 29.06.2005 at 13:42, Chris Brenton wrote:

[...]

I've kept out of this as long as possible, but you obviously know what
you're talking about (slime, slime).

> For me, a single malicious payload results in a 'whois -h whois.arin.net
> xxx.xxx.xxx.xxx'. If the results produce a country that I don't need to
> communicate with, the entire block goes /dev/null. No more future
> problems.

I run a zealously administered, smallish (1150+ users), low-volume e-mail
outfit (no more than 2,000 messages per 24 hours, about 30% of it unwanted
stuff that gets SMTP 5xx rejected). It's Postfix 2.1.x, which gives good
logs and good postmaster notification of every rejected message.

I read the logs daily, react daily to the postmaster failed mail
messages.

What I've observed is that, as a general rule of thumb, ISPs tend to
keep different IP space for their business and consumer customers. This
is the rule, but by no means gospel; what's more, this culture varies
from country to country on each continent. The more westernized the
country, the better the rule holds.

When a user at my site gets spam or a virus (well, he doesn't get a virus,
because ...) I'll always try to do a (j)whois on the IP number of the
connecting node, then look at the IP range/CIDR of that block. If it's
obvious that the exploiter is running a consumer/DUL shop, then that
whole IP range/CIDR gets put into my block list. If it seems that the IP
range/CIDR belongs solely to the ISP for business use, it doesn't; then
I have to rely on my own anti-spam software. I always do this block by
block (and there have been scores of them, including in the US). I've
never blocked a single country yet, and I'd try to avoid that at all
costs, though the rejected blocks could grow in time to encompass a
country (there's only one I can think of at the moment: China, because
we don't do business with it and because of its internally fascist
Internet policy).

There are plenty of bona fide domains and MTAs in Japan, Korea, Taiwan,
hell, the US, Canada, Sweden, Brazil etc. from which my school might want
to receive mail.

Did I mention that I was running a smallish outfit? If I were running a
large one, I'd set up a spam trap and watch that instead and do the
same. And yes, I do use a very small and select number of DNSBLs, plus
greylisting. The anti-spam software has almost nothing to do ...

[...]

Thanks for the input!

--Tonni

-- 
mail: tonye at billy.demon.nl
http://www.billy.demon.nl
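The block-by-block procedure described in the message above (pull the client IPs that got an SMTP 5xx out of the Postfix log, whois each one, take the netblock, and add it to a Postfix client block list only when the range looks like consumer/DUL space), as an added worked example. This is not code from the original post or from Postfix. The log lines and whois replies are constructed sample data; the `whois_lookup` callable stands in for `whois -h whois.arin.net <ip>`; and the `CONSUMER_HINTS` keywords are an assumption that stands in for the human judgement the post applies to each block.

```python
import ipaddress
import re

# Constructed Postfix 2.1-style smtpd log lines (sample data, not a real log).
SAMPLE_LOG = """\
Jun 29 10:12:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 Service unavailable; Client host [203.0.113.45] blocked using zen.spamhaus.org; from=<x@example.net> to=<user@example.org> proto=ESMTP helo=<foo>
Jun 29 10:13:07 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 450 4.7.1 <user@example.org>: Recipient address rejected: Greylisted; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<mail.example.com>
Jun 29 10:14:22 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 554 5.7.1 Service unavailable; Client host [203.0.113.99] blocked using zen.spamhaus.org; from=<y@example.net> to=<user@example.org> proto=ESMTP helo=<bar>
Jun 29 10:15:40 mx postfix/smtpd[1237]: NOQUEUE: reject: RCPT from host9.example.com[198.51.100.9]: 554 5.7.1 <other@example.com>: Relay access denied; from=<z@example.com> to=<other@example.com> proto=ESMTP helo=<host9>
"""

# Constructed whois replies keyed by the queried IP; this dict stands in for
# `whois -h whois.arin.net <ip>`. Two are ARIN-style (CIDR:/NetName:), one is
# RIPE-style (inetnum:/netname:) so both field layouts are exercised.
SAMPLE_WHOIS = {
    "203.0.113.45": (
        "NetRange:       203.0.113.0 - 203.0.113.255\n"
        "CIDR:           203.0.113.0/24\n"
        "NetName:        EXAMPLE-DSL-DYNAMIC\n"
        "NetType:        Reallocated\n"
    ),
    "203.0.113.99": (
        "inetnum:        203.0.113.0 - 203.0.113.255\n"
        "netname:        EXAMPLE-DSL-DYNAMIC\n"
        "descr:          Dynamic DSL pool\n"
    ),
    "198.51.100.9": (
        "NetRange:       198.51.100.0 - 198.51.100.127\n"
        "CIDR:           198.51.100.0/25\n"
        "NetName:        EXAMPLE-CORP-HOSTING\n"
        "NetType:        Reassigned\n"
    ),
}

# Assumption: a netname carrying one of these tokens denotes consumer/dial-up
# (DUL) space. A heuristic only; the post relies on reading the whois by hand.
CONSUMER_HINTS = ("DSL", "ADSL", "DIAL", "DYN", "CABLE", "PPP", "POOL", "RESIDENTIAL")

REJECT_RE = re.compile(r"reject: RCPT from \S+\[(\d+\.\d+\.\d+\.\d+)\]: (\d{3}) ")


def rejected_clients(log_text):
    """Map client IP -> number of SMTP 5xx rejects. 4xx (greylisting) is ignored."""
    counts = {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group(2).startswith("5"):
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def parse_whois(text):
    """Return ([ip_network, ...], netname) from ARIN- or RIPE-style whois output."""
    nets, netname = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "cidr":                       # ARIN: may list several, comma-separated
            nets += [ipaddress.ip_network(c.strip()) for c in value.split(",")]
        elif key == "inetnum":                  # RIPE: "first - last" range
            first, _, last = value.partition("-")
            nets += list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())))
        elif key == "netname":
            netname = value
    return nets, netname


def looks_consumer(netname):
    return any(hint in netname.upper() for hint in CONSUMER_HINTS)


def build_blocklist(log_text, whois_lookup):
    """Postfix cidr-table lines for every consumer/DUL block that sourced a 5xx reject."""
    blocks = {}
    for ip in rejected_clients(log_text):
        nets, netname = parse_whois(whois_lookup(ip))
        # Sanity check: only trust a block that actually contains the offending IP.
        nets = [n for n in nets if ipaddress.ip_address(ip) in n]
        if netname and looks_consumer(netname):
            for net in nets:
                blocks[net] = netname           # dedups a block hit by several IPs
    return [f"{net}\tREJECT consumer/DUL range ({name})"
            for net, name in sorted(blocks.items())]


if __name__ == "__main__":
    print("\n".join(build_blocklist(SAMPLE_LOG, SAMPLE_WHOIS.__getitem__)))
```

The output lines are in Postfix cidr-table format, which Postfix 2.1 supports; they would be loaded with `check_client_access cidr:/etc/postfix/client_blocks` under `smtpd_client_restrictions`. Two caveats a practitioner would want: the 198.51.100.0/25 business range is left alone even though it produced a 5xx, which is exactly the case the post says to hand to the anti-spam software instead; and a netname keyword match is only a hint, so the generated list should still be read before it goes live, block by block, as the post does.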
