sarky

Why BlackList a Gateway?


Hi All,

After doing a lot of research for yonks, I have not seen a post which actually answers my question.

I am an ISP with a /24 address, in a country that is known to be SPAMAHOLIC :), I am taking a satellite feed to serve my customer base with over 600 clients.

I have stuck up a firewall and I keep updating it with ports that the latest viruses are using so the unaware will not be able to harm or replicate on the wide net.

Proxy and NATting is something which is widely used on my side and definitely on a lot of other networks around the world.

I am going to secure my mailserver to make sure that it is not used to send spam out of it, but I am still researching the software to use. Any points here will be well appreciated for mailserver <Sendmail>.

I keep receiving email about IPa or IPb sending spam with the header files attached; after checking it out, all spam generating from my system is sent through FREE WEBMAIL, where a kid of 6 can have an email address.

If my network is being used to access an HTTP site and do the crime, HOW can I or other admins out there track those HTTP queries?

One solution I heard a couple of years ago from the IP source (main feed) said block all access to FREE MAIL <Funny One Mind>.

The above solution is a dire solution and if I end up blocking half of the list or the main ones, I would lose customers and I might as well close up shop.

Major clients are cybercafes and they know the fight we are going through, but still it is not something which can lead to a 100% eradication.

I would like to hear other admins out there on points about tackling this above issue.

Thank you all

Sarky


If you were to provide us with an IP address maybe we can come up with some hints on what kind of garbage is causing your issues. And even work on some possible solutions which may not be as drastic as you make them sound....


Yeah sure, my new IP range at the moment is 81.56.151.0/24; I have 3 complaints or more already generating from 3 or so IPS.

Thanks

Sarky


If you and your browsing provider customers have NTP synchronization and real-time access to your and their verbose NAT/firewall logs and your SpamCop Reports, you should be able to work together to track specific HTTP POST commands back through your and their NAT/firewall to the real culprits, and then if you have stringent TOS/AUP, you should be able to nail the real culprits to the wall. This may require some additional disk space for the logs and processing power for generating and searching the logs.


yes we get a lot of spam from proxad:

81.56.151.15 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 3 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 81.56.151.15 is lns-vlq-39f-81-56-151-15.adsl.proxad.net but lns-vlq-39f-81-56-151-15.adsl.proxad.net has no DNS information

Because of the above problems, express-delisting is not available

Listing History

In the past 52.5 days, it has been listed 14 times for a total of 27.1 days

Other hosts in this "neighborhood" with spam reports

81.56.150.115 81.56.151.178

..and some history:

Report History:

--------------------------------------------------------------------------------

Submitted: Thursday, April 06, 2006 3:28:41 PM -0400:

***spam*** Re: news for you

1711558103 ( http://oiaew904.bearotesur.com ) To: postmaster#cnc-noc.net[at]devnull.spamcop.net

1711558102 ( http://oiaew904.bearotesur.com ) To: abuse[at]cnc-noc.net

1711558101 ( 81.56.151.15 ) To: spamcop[at]imaphost.com

1711558100 ( 81.56.151.15 ) To: abuse[at]proxad.net

--------------------------------------------------------------------------------

Submitted: Monday, March 06, 2006 8:34:23 AM -0500:

Re: Paramcqy news

1680724352 ( 81.56.151.15 ) To: abuse[at]proxad.net

---------------------------------------------------------------------------------

Submitted: Thursday, March 02, 2006 1:17:21 AM -0500:

touris t news

1676061421 ( 81.56.151.15 ) To: abuse[at]proxad.net

-----------------------------------------------------------------

Submitted: Thursday, February 23, 2006 8:27:50 PM -0500:

Re: fibri n

1669451358 ( 81.56.151.15 ) To: abuse[at]proxad.net

It is also listed in cbl:

IP Address 81.56.151.15 was found in the CBL.

It was detected at 2006-04-08 19:00 GMT (+/- 30 minutes).

ATTENTION: If you are running IPSwitch Imail, Ensim, or similar shared hosting software, please contact the CBL by email. Otherwise, this IP is infected with/emitting spamware/spamtrojan traffic and needs to be fixed.

> More examples of spam from this machine can be found at http://psbl.surriel.com/evidence?ip=81.56....=Check+evidence

Sorry guys, I don't know what was wrong with me; I gave you guys the wrong IP. Well, two digits were wrong: instead of 81.56.151.0/24 it is 62.56.151.0/24.

Sorry once more for that; it is a new set of IPs and I have not memorised them as of yet :)

Sarky


Let's take another tack ..... not sure why you're asking "us" to review your /24 .... You started with words about a "gateway" .. then you talked of having reports about "3 other IPS" ....

The SpamCopDNSBL derives its data from spamtrap hits, spam reported, all being parsed to discover the "source" of the spam. On one hand, if it's the "gateway" that's being reported, the scenario would be that the header data is insufficient for the SpamCop.net parser to go beyond that gateway. However, your comment on "3 other IPS" suggests that it isn't "the gateway" that's being identified, rather the "actual" source of the spew. That would take one back to checking the access logs and determining who the user was that had 'control' of those IP addresses at the time of the spew.

Or maybe I'm not seeing your actual question.???

Just picking on your posting IP address;

http://www.senderbase.org/?searchBy=ipaddr...ing=62.56.151.2

Date of first message seen from this address: 2006-03-26
Network Owner: IP Planet Networks Ltd.
Domain: satcom-systems.net
CIDR range: 62.56.144.0/20
# of domains controlled by this network owner: 260

Volume Statistics for this IP (Magnitude, Vol Change vs. Average)

Last day: 2.7, 2332%
Last 30 days: 1.7, 232%
Average: 1.2

That's a lot of e-mail for "your system" ...????

Parsing input: 62.56.151.2

host 62.56.151.2 = 62.56.151.2.rmts.satcom-systems.net (cached)

Routing details for 62.56.151.2

Report routing for 62.56.151.2: abuse[at]ipplanet.net

Reports routes for 62.56.151.2:

routeid:15467303 62.56.128.0 - 62.56.255.255 to:abuse[at]ipplanet.net

Administrator interested in all reports

Monday, August 22, 2005 5:46:54 AM -0500

ipplanet bought by gilat

04/09/06 13:02:16 Slow traceroute 62.56.151.2

Trace 62.56.151.2 ...

192.116.117.253 RTT: 200ms TTL:160 (No rDNS)

213.31.188.252 RTT: 201ms TTL:160 (No rDNS)

* * * failed

62.56.151.2 RTT: 764ms TTL: 48 (62.56.151.2.rmts.satcom-systems.net ok

whois -h whois.ripe.net 62.56.151.2 ...

inetnum: 62.56.151.0 - 62.56.151.255

netname: CIDR-Raycon-1

descr: Raycon, Nigeria

country: NG

admin-c: SG4118-RIPE

tech-c: SG4118-RIPE

status: ASSIGNED PA

mnt-by: AS12491-MNT

source: RIPE # Filtered

person: Sarkis Gabriel

address: Warri, Nigeria

phone: + 234 8035500740

e-mail: sarky[at]raycon.net

nic-hdl: SG4118-RIPE

source: RIPE # Filtered

% Information related to '62.56.128.0/17AS12491'

route: 62.56.128.0/17

descr: Gilat Satcom

origin: AS12491

mnt-by: AS12491-MNT

source: RIPE # Filtered

OK, going back to the first post, you seem to be complaining about something called "FREE WEBMAIL" .. I'm not familiar with that outfit. But if one was to assume that you're talking about something generic, then what I'm reading is that the spam e-mail was traced back beyond the "FREE WEBMAIL" service to the IP address of the computer linked to that "FREE WEBMAIL" service. Not sure what the "problem" is then .. back to talking to the owner of the computer that was using one of "your assigned IP addresses" to send that e-mail. Back to me wondering what the actual question might be.

> Let's take another tack ..... not sure why you're asking "us" to review your /24 .... You started with words about a "gateway" .. then you talked of having reports about "3 other IPS" ....
>
> The SpamCopDNSBL derives its data from spamtrap hits, spam reported, all being parsed to discover the "source" of the spam. On one hand, if it's the "gateway" that's being reported, the scenario would be that the header data is insufficient for the SpamCop.net parser to go beyond that gateway. However, your comment on "3 other IPS" suggests that it isn't "the gateway" that's being identified, rather the "actual" source of the spew. That would take one back to checking the access logs and determining who the user was that had 'control' of those IP addresses at the time of the spew.
>
> Or maybe I'm not seeing your actual question.???

The use of the word Gateway was emphasising the fact that my IP gets blocked instead of Yahoo getting punished for allowing spam to come through its WebMail system.

With the lack of IPs I use a NATed network at the home end and it is hard to know which computer did it, because the real IP is the one shown and nothing links them together.

Also, using a WebProxy on the network hides a lot of activities; in a WebMail, more often you will see the IP of the webproxy and not where they are originating from.

My problem is that someone on the network did something he should not do, that is agreed, and for me to monitor anything called HTTP is not easy. So the middle point as I can see it: companies with free webmail should work on something to make sure it does not allow spam out of their network, i.e. user types his spam, clicks send, it should block.

I hope the above makes sense.

Sarky

> The use of the word Gateway was emphasising the fact that my IP gets blocked instead of Yahoo getting punished for allowing spam to come through its WebMail system.

Technically, Yahoo wasn't "the source" of the spam in the case you describe. And from another viewpoint, the SpamCopDNSBL listing of Yahoo e-mail servers have their own gigantic Topics/Discussions here, as does GMail .. etc., etc. etc.....

> My problem is that someone on the network did something he should not do, that is agreed, and for me to monitor anything called HTTP is not easy. So the middle point as I can see it: companies with free webmail should work on something to make sure it does not allow spam out of their network, i.e. user types his spam, clicks send, it should block.

Though sympathies are with you, this is part of being an ISP. The flip side of your "they should block outgoing spam" is actually addressed in one of the "problem" areas of the SpamCop FAQ here;

E-mail Submittal Problems / Issues

E-Mail spam submittals blocked by your ISP? Updated!

Emailed spam Submissions Disappearing? No Confirmation e-mails?

The actual user complaints on this boil down to "why was the original spam allowed to enter my InBox?" .... these outgoing filters are now interfering with the possibility of doing something about that spew .. not that those outgoing e-mails "are" spam, but that they "contain" the spam complained about .....


You got it, I just want to do my business the best way I can, for example things which are in my hands: putting up a firewall so no one can access external port 25 on other mail servers except my ISP mailserver.

But the WebMail is not something we as an ISP can do anything about, but we get the HIT, and yes, it has originated from my IP, but is there anything out there I can put on my network to see the traffic going out via the HTTP protocol and intercept?

Also, an example I thought about: if my Sendmail config is screwed and users outside my network can send mail out through my mailserver, who is the initiator?

Thanks again

Sarky


Went to Yahoo, saw 3 new in the InBox, 857 in the spam folder ... then all the fancy flying elephants and such chose to choke my firewall, which then crashed the video card ... reboot, catch up elsewhere, then back to posting what was going to be a quick response ... no idea what systems/code you're running so .. short and sweet ... mail.yahoo.com would seem to be the trigger to look for ... yet one of those issues where 550+ of your users are no problem, but .... number downsized based on how many of your users do use Yahoo e-mail, then you'd want to compare date/time-stamps to the data in the complaint. But again, it boils down to what kind of log files you've got running or want to spin up ....

> With the lack of IPs I use a NATed network at the home end and it is hard to know which computer did it, because the real IP is the one shown and nothing links them together.

That is where your logs come in. It is your customer doing what they are not supposed to and it would be your AUP they have broken. There is little you can do in this instance in the way of prohibiting it from happening in the first place but you should be able to track and punish the culprit given the IP used, where it went, and the time it was used.

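The correlation suggested in the replies above (NTP-synced NAT/firewall logs searched by the IP used, where it went, and the time it was used), as an added example that is not part of any post in the thread. The log format, the documentation-range addresses and the function names are constructed for illustration; only connection metadata is matched, so the check does not depend on seeing inside the webmail session.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed NAT gateway log (hypothetical format, UTC timestamps, NTP-synced).
# Addresses are from documentation ranges, not from the thread.
NAT_LOG = """\
2006-04-06T19:27:58Z tcp 10.0.3.17:4312 -> 203.0.113.25:80 nat 198.51.100.2:40211
2006-04-06T19:28:39Z tcp 10.0.7.44:1188 -> 203.0.113.25:80 nat 198.51.100.2:40377
2006-04-06T19:28:40Z tcp 10.0.3.17:4313 -> 192.0.2.80:80 nat 198.51.100.2:40378
2006-04-06T19:41:02Z tcp 10.0.9.5:2044 -> 203.0.113.25:80 nat 198.51.100.2:41990
2006-04-06T19:28:45Z tcp 10.0.5.9:3301 -> 203.0.113.25:80 nat 198.51.100.9:40400
garbled line that the parser must skip
"""

LINE = re.compile(
    r"(?P<ts>\S+) tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+ "
    r"nat (?P<pub>[\d.]+):\d+$"
)

def parse_nat_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield {"ts": ts.replace(tzinfo=timezone.utc),
               "src": m["src"], "dst": m["dst"], "pub": m["pub"]}

def candidates(log_text, public_ip, seen_at, webmail_ips,
               skew=timedelta(seconds=60)):
    """Internal hosts that reached the webmail servers through public_ip
    within +/- skew of the time in the complaint, closest match first."""
    seen_utc = seen_at.astimezone(timezone.utc)  # complaint may be in any zone
    hits = [e for e in parse_nat_log(log_text)
            if e["pub"] == public_ip
            and e["dst"] in webmail_ips
            and abs(e["ts"] - seen_utc) <= skew]
    hits.sort(key=lambda e: abs(e["ts"] - seen_utc))
    return [(e["src"], e["ts"].strftime("%H:%M:%SZ")) for e in hits]

# Constructed complaint: webmail header shows 198.51.100.2 at 15:28:41 -0400.
REPORT_TIME = datetime(2006, 4, 6, 15, 28, 41,
                       tzinfo=timezone(timedelta(hours=-4)))
WEBMAIL = {"203.0.113.25"}  # assumed address of the webmail front end

if __name__ == "__main__":
    # Two hosts fall inside a 60 s window; a tighter one needs good NTP sync.
    print(candidates(NAT_LOG, "198.51.100.2", REPORT_TIME, WEBMAIL))
    print(candidates(NAT_LOG, "198.51.100.2", REPORT_TIME, WEBMAIL,
                     skew=timedelta(seconds=5)))
```

When more than one internal host remains in the window, the logs alone cannot separate them; that is the case the per-customer proxy or route split suggested later in the thread is meant to narrow.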

If I have to generalise it, it is said that over in Nigeria 80% use Yahoo for mail, so blocking Yahoo ain't a choice at the mo.

All my machines are running Fedora. As for logs, yeah, I do have some good login system; everything is logged in Radius accounting, so that is not a problem to pull out the info if the IP is there. For now NATting the system makes it hard for one to pinpoint the exact person. I can pinpoint the location of the entry, and if I am not lucky and I had more than 1 user at that particular time using that AP then it is hard to be sure.

The only thing I do not understand is the logic behind shutting down the entry point and not the mailserver which actually accepted it to be delivered. In a nutshell, I think those big corporations need to do something about their mailserver or actually check their outgoing mail for the key words which spam nowadays is based on.

Thanks

Sarky

> Sorry guys, I don't know what was wrong with me; I gave you guys the wrong IP. Well, two digits were wrong: instead of 81.56.151.0/24 it is 62.56.151.0/24.
>
> Sorry once more for that; it is a new set of IPs and I have not memorised them as of yet :)
>
> Sarky

Your old set of IPs have a few machines spamming and your new set currently has another one. I didn't have to look too far, so you could easily find the others.

62.56.151.10

CBL The CBL - Composite Blocking List: cbl.abuseat.org -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=62.56.151.10

--------------------------------------------------------------------------------

XBL Exploits Block List (includes CBL): xbl.spamhaus.org -> 127.0.0.4

http://www.spamhaus.org/query/bl?ip=62.56.151.10


> The only thing I do not understand is the logic behind shutting down the entry point and not the mailserver which actually accepted it to be delivered. In a nutshell, I think those big corporations need to do something about their mailserver or actually check their outgoing mail for the key words which spam nowadays is based on.

Yes, technically, the mail clients like Hotmail, Yahoo & G-Mail should be held accountable for facilitating the spam, but since most headers are forged and almost ALL addresses are forged, the best and only process to track the spam is via the originating IP.

I think you as the ISP should work to:

1- cease infected machines on your network

2- work with Yahoo and others if you feel they facilitated in sending the messages.

The SCBL can only do so much... it takes the responsibility of the ISPs to help solve the problem, not just the reporters and reporting processes.


> If I have to generalise it, it is said that over in Nigeria 80% use Yahoo for mail, so blocking Yahoo ain't a choice at the mo.

OMG. Nigeria? And your customers are mostly Cybercafes? So it probably boils down to two words: 419 scams.

At least some of your customers' customers are criminals. Catching them, OTOH, will be difficult, to say the least.

And since you're using a Webproxy and/or NAT (if I understand you correctly), only the proxy address will be visible to the world outside.

I can understand why you're blaming Yahoo and other freemail providers: Traffic between the freemail web server and the client is commonly encrypted, so you cannot even tell if someone is sending normal mail or a 419 scam.

But there might be some things you can do to mitigate the problem:

- clean the infected PCs on your network (has been said before, I know)

- Set up several web proxies or use virtual IPs. Route all your *identifiable* customers through one of them.

- Split the cybercafes into different routes. See if you can identify "cleaner" and "scammier" ones.

Good luck,

A. Friend
