Re: Login attacks

From: Gene Heskett (gene.heskett_at_verizon.net)
Date: 12/08/04

    To: Jeff Kinz <jkinz@kinz.org>
    Date: Wed, 8 Dec 2004 13:43:49 -0500
    
    

    On Tuesday 07 December 2004 21:24, Jeff Kinz wrote:
    >On Tue, Dec 07, 2004 at 06:04:14PM -0800, Rick Stevens wrote:
    >> Gene Heskett wrote:
    >> > Another that bears blocking completely is 64.0.0.0/24 as it's
    >> > 100% spam of the non-edible variety. Ditto for 66.0.0.0/24.
    >> >
    >> > Anybody else have any more to contribute?
    >>
    >> Whoa, buddy. The entire 64.0.0.0/8 is NOT a spam source. We have
    >> a /19 in that space and we're not spammers.
    >
    >Rick (As usual) has a valid point.
    >
    >Hotmail is in that range:
    >(OK - they may be Korean spammers.... ;-)
    >NetRange: 64.4.0.0 - 64.4.63.255 OrgName: MS Hotmail OrgID: MSHOTM
    >
    >XO Communication also in that range:
    >NetRange: 64.0.0.0 - 64.3.255.255
    >
    >Pangea in Canada
    >NetRange: 64.4.64.0 - 64.4.95.255
    >
    >"/24" mask blocking hits large chunks. You may want to do something
    >more finely grained.

    Humm is that not t'other way around? It's my understanding that a /24
    means the first 24 bits are valid, and a /8 would lock only on the
    leftmost 8 bit number of the quad.

    Understand that I'm talking in an extremely historical sense about
    this. In the time when my only tool to filter this was an ip
    comparator, I wrote a prefilter that would track the good vs bad
    emails from any /8 address block. Tested against known good
    addresses it worked just fine, so I let it run for a week using the
    64.xx.xx.xx/8 trigger and inspected each mail it caught for validity.
    Of the nearly 5000 checked in that week, it properly stashed them all
    in the spam folder, and did not trigger any as non-spam. I checked
    every one it caught. Bored me to tears or made me laugh my head
    off with the misspellings and general mangling of the 'engrish'
    language that came thru. As I was on a dialup via long distance at
    the time, I figured those 5000 messages (on a 14.4 modem, I did say
    this was historical didn't I?) cost me about a 20 dollar bill just in
    the ld time. So for those that claim html doesn't hurt, that also
    adds to the online time that an ld user has to pay for in addition
    to his ISP connection.

    I left that block filtered, and went on to 218 and wiped it out too.
    ISTR I had the 62 block, the 211, 213 and the 69 blocks in there
    too, but many with /16 or /24 qualifiers. But I don't recall at this
    late date where they came from. Memory, second thing to go you
    know.
    :-)

    I do recall that it came to a screeching halt when Korea, refusing
    to do anything about it, managed to get the whole country on a couple
    of temporary 10 day black holes. Talk about gored oxen. The silence
    was deafening...

    Now of course they're concentrating on phishing, and getting damned
    good at it.

    Now we have considerably better filters, like spamassassin, and I
    don't pay that much attention to the src ip now. However, if they
    ever bring back the wanted, dead or alive posters from yesteryear,
    I'd go out and do some serious bounty hunting. But TPTB don't
    seem to want to count the cost to us since the cost to us is a profit
    to someone else and they're all for that, yessiree Bob.

    -- 
    Cheers, Gene
    "There are four boxes to be used in defense of liberty:
     soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author)
    99.30% setiathome rank, not too shabby for a WV hillbilly
    Yahoo.com attorneys please note, additions to this message
    by Gene Heskett are:
    Copyright 2004 by Maurice Eugene Heskett, all rights reserved.
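
Added example, not part of the original message: a check of how much address space a candidate block such as 64.0.0.0/24 or 64.0.0.0/8 covers, and which of the allocations quoted in the thread it would catch. The function names and the sample source addresses are constructed for illustration; the NetRange values are the ones quoted above.

```python
import ipaddress

# Allocations quoted in the thread (whois NetRange lines), names as given there.
ALLOCATIONS = {
    "XO Communication": ("64.0.0.0", "64.3.255.255"),
    "MS Hotmail": ("64.4.0.0", "64.4.63.255"),
    "Pangea": ("64.4.64.0", "64.4.95.255"),
}


def range_to_cidrs(first, last):
    """Convert a whois NetRange (first-last) into the CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def block_impact(block):
    """Return (addresses in block, {org: addresses of that org the block covers})."""
    net = ipaddress.ip_network(block, strict=True)
    hit = {}
    for org, (first, last) in ALLOCATIONS.items():
        covered = 0
        for cidr in range_to_cidrs(first, last):
            if cidr.overlaps(net):
                # Overlapping CIDR blocks are always nested, so the
                # intersection is simply the smaller of the two.
                covered += min(cidr.num_addresses, net.num_addresses)
        if covered:
            hit[org] = covered
    return net.num_addresses, hit


def tightest_prefix(addresses):
    """Smallest single CIDR block that contains every address given."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addresses]
    lo, hi = min(ints), max(ints)
    # Bits where lo and hi differ cannot be part of the shared prefix.
    prefixlen = 32 - (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo, prefixlen), strict=False)


if __name__ == "__main__":
    for candidate in ("64.0.0.0/24", "64.0.0.0/8"):
        size, hit = block_impact(candidate)
        print(f"{candidate}: {size} addresses, covers {hit}")
    # Constructed sample of observed source addresses, not from the thread.
    print(tightest_prefix(["64.4.70.12", "64.4.91.200", "64.4.66.3"]))
```
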
    
