
Blocking IP range


iamtuhin_2004


Hi everyone, I recently found lots of spam mail from lots of different IPs. I managed to check those IPs and found that some of them belong to a group of IP ranges, and they continue to spam me using those ranges of IPs.

So what I did was check those IPs with some free whois lookup web tools to find their IP range.

Say a spam server IP is xxx.xxx.120.7; I found this IP belongs to a range from xxx.xxx.0.0 to xxx.xxx.255.255. So I block xxx.xxx.*.*, and the result is good: no more spam from this range of IPs.

So I began to block lots of IP ranges and stopped 5% to 10% of the spam mail. Sometimes I block xxx.*.*.*.

Also, before I block a range of IPs, I check that none of my users actually send any mail to that range, so I really don't need to receive any mail from that range either.

Also, I managed to collect all the server IPs that my mail server sends mail to.

Before I block any range of IPs, I check it against my good server list so that I don't mistakenly block them.

No more talking; so my question is, how can I find more info on this range of IPs?

Actually, how can I find which domain belongs to which IP within this range?

I think I am not being clear: say within this xxx.xxx.*.* range, they must have some sub-networks.

How can I find how many subnets there are and which domains belong to each subnet?

Sorry for my immense mail.

Thanks.


...No more talking; so my question is, how can I find more info on this range of IPs? ...

Why are the spammers making the information highway a hell? What do they find in it?


...No more talking; so my question is, how can I find more info on this range of IPs?

Actually, how can I find which domain belongs to which IP within this range?

I think I am not being clear: say within this xxx.xxx.*.* range, they must have some sub-networks.

How can I find how many subnets there are and which domains belong to each subnet?

Well, SenderBase might be a useful starting point. Say you get spam from 204.13.69.220; looking that up on SenderBase, http://www.senderbase.org/search?searchBy=...g=204.13.69.220 shows the network owner is AKANOC Solutions and includes
Network Owner: AKANOC Solutions Inc.

Registered on: 2005-04-07

Updated on: 2005-04-07

Expires on: unknown

Netblock(s): 204.13.64.0/21

...

NetRange: 204.13.64.0 - 204.13.71.255

CIDR: 204.13.64.0/21

NetName: AKANOC-SJC

NetHandle: NET-204-13-64-0-1

Parent: NET-204-0-0-0-0

NetType: Direct Allocation

NameServer: RDNS1.AKANOC.COM

NameServer: RDNS2.AKANOC.COM

...

The netblock is given as 204.13.64.0/21 - however, entering that into SenderBase - http://www.senderbase.org/search?searchStr...04.13.64.0%2F21 shows there appears to be just one other "problem" IP address in that block - 204.13.68.210, not currently listed by SpamCop. Play around with it on your own cases and see if it gives you what you want.
...Why the spammers making the information highway as a hell? whats with it they find?
A very few of them make money, all of them hope to make money.
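An added example, not part of this thread or of SenderBase, that does in code what the reply above and the original poster's process describe: take the NetRange/CIDR lines from the whois excerpt quoted above, turn them into a concrete block, check which block a spam source falls in, and then check that block against your own "good server" list before adding it to a blocklist. The whois text is the excerpt quoted in the thread; the GOOD_SERVERS list and the addresses in it are constructed for the example.

```python
"""
Added example (not from the forum thread): parse whois netblock lines,
locate a spam source inside the block, and check the block against an
allowlist of servers you must keep talking to before blocking it.
Standard library only.
"""
import ipaddress

# Excerpt of the ARIN-style whois output quoted in the thread.
WHOIS_TEXT = """\
NetRange: 204.13.64.0 - 204.13.71.255
CIDR: 204.13.64.0/21
NetName: AKANOC-SJC
NetHandle: NET-204-13-64-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
"""

# Constructed allowlist (hypothetical values): servers your own users
# correspond with, which a wholesale block must not cut off.
GOOD_SERVERS = ["204.13.70.25", "198.51.100.10"]


def parse_netblocks(whois_text):
    """Return the IPv4 networks described by CIDR: and NetRange: lines."""
    nets = []
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "cidr":
            for token in value.split(","):
                nets.append(ipaddress.ip_network(token.strip(), strict=False))
        elif key == "netrange":
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            nets.extend(ipaddress.summarize_address_range(first, last))
    # NetRange and CIDR normally describe the same block; keep each once.
    return sorted(set(nets))


def block_for(ip, nets):
    """Smallest listed block containing ip, or None if no block matches."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in nets if addr in n]
    return min(hits, key=lambda n: n.num_addresses) if hits else None


def allowlist_collisions(net, good_servers):
    """Good servers that would be cut off if `net` were blocked wholesale."""
    return [g for g in good_servers if ipaddress.ip_address(g) in net]


def safe_to_block(net, good_servers):
    """True only when no allowlisted server lives inside the block."""
    return not allowlist_collisions(net, good_servers)


if __name__ == "__main__":
    nets = parse_netblocks(WHOIS_TEXT)
    spam_source = "204.13.69.220"
    blk = block_for(spam_source, nets)
    print(f"{spam_source} falls in {blk} ({blk.num_addresses} addresses)")
    hits = allowlist_collisions(blk, GOOD_SERVERS)
    print("collisions with good-server list:", hits or "none")
    print("safe to block:", safe_to_block(blk, GOOD_SERVERS))
```

With the constructed allowlist the /21 is reported as unsafe because 204.13.70.25 sits inside it; that is exactly the case where you would block the spam source's /24 or the single host instead of the whole allocation.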

Well, SenderBase might be a useful starting point. Say you get spam from 204.13.69.220; looking that up on SenderBase, http://www.senderbase.org/search?searchBy=...g=204.13.69.220 shows the network owner is AKANOC Solutions and includes The netblock is given as 204.13.64.0/21

Can anyone point to a DEFINITION of "IP address" in plain, simple language?

Does it mean a single computer?

(Sorry for the stupid question, but there doesn't seem to be a topic here for "stupid questions")

I've been tracking them and working with them -- blindly, not knowing exactly what each of the sets of numbers actually means.

AND... possibly, Farell, could share what the "slash" does / means.

RE: 204.13.64.0/21

Does that mean a 'range' of numbers? Say, from zero to twenty-one?

... and, does that slash technique work on all servers?

Is there a plain-language web site that explains all this?

I've added a bunch of IP addresses to our server block-list.

But I suspect there's a better way to block entire populations.

For instance, how would I block the ENTIRE COUNTRY OF BRAZIL?

Or, CHINA?

I've tried figuring it out. But it just doesn't make sense.

I get spam from 88.224.248.53 which is Turkey.

People from Turkey have no business on my server.

But then I get spam from another "88" IP number, and it's Comcast in Texas. Well, of course I don't want to block Comcast in Texas.

So what gives??? How can I block ALL OF TURKEY ???

Someone should write a simple tutorial that us non-geeks can understand... AND implement.

:(


...Can anyone point to a DEFINITION of "IP address" in plain, simple language?...
I found this helpful - Understanding IP Addressing: Everything You Ever Wanted To Know - not sure if it qualifies as plain English (I sure didn't understand all of it, but then I didn't try to; it told me all I needed at the time).
...Does it mean a single computer?...
Nope - heaps of computers are (usually) behind the one IP address - the reference above may make that clearer.
...(Sorry for the stupid question, but there doesn't seem to be a topic here for "stupid questions")...
As the saying goes, the only stupid question is the one you don't ask.
...AND... possibly, Farell, could share what the "slash" does / means.

RE: 204.13.64.0/21

Does that mean a 'range' of numbers? Say, from zero to twenty-one?

Yes, it means a range, but it's a bit more complicated (the above reference covers that too). /21 means a block of 2048 addresses (in a continuous series). There must be an excellent reason for the way the /numbers work (I just don't know it), but essentially the size of the block = 2^(32-n), where n is the range number like 21 [as in 2 raised to the power of (32 less 21)]. Aaagh! you might say - never mind, there are tables translating the numbers in the reference somewhere - and you can always feed something like =2^(32-21) into a spreadsheet as a formula if you need to know. Maybe it's enough to know /13 means 524,288 addresses and /27 means 32.
... and, does that slash technique work on all servers?...
It's just a numbering convention and it will work in software that needs to look at ranges of addresses - like the SenderBase entry box. Not sure about filters - but you won't need to worry about that if you use standard lists (below).
...I've added a bunch of IP addresses to our server block-list.

But I suspect there's a better way to block entire populations.

For instance, how would I block the ENTIRE COUNTRY OF BRAZIL?

Or, CHINA?...

I understand there are standard lists for such purposes - users of same can advise you, but see Filter out foriegn TLD's (sic)
...I've tried figuring it out. But it just doesn't make sense. ...
No it doesn't, which is why you need lists that dedicated compilers put together - and maintain (they keep changing).
...I get spam from 88.224.248.53 which is Turkey.

People from Turkey have no business on my server.

But then I get spam from another "88" IP number, and it's Comcast in Texas. Well, of course I don't want to block Comcast in Texas.

So what gives??? How can I block ALL OF TURKEY ??? ...

I think I get more spam from Comcast Texas than from Turkey, which just shows how needs differ.
...Someone should write a simple tutorial that us non-geeks can understand... AND implement. ...

Amen to that - but I figure such publications DO exist. "The internet for dummies" maybe. I wouldn't be too proud to read something like that - must remember to pick up a copy.
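An added example, not from this thread, that does the "/n" arithmetic the reply above describes by hand on 32-bit integers rather than through a library, so the 2^(32-n) rule, the netmask, and the first and last address of 204.13.64.0/21 are visible as bit operations. It also goes the other way, turning an aligned range like the xxx.xxx.0.0 - xxx.xxx.255.255 the original poster got from whois into its prefix length. The ipaddress module is only used at the end to cross-check the hand-rolled result.

```python
"""
Added example (not from the forum thread): CIDR prefix arithmetic from
scratch. Addresses are handled as 32-bit integers; a /n prefix keeps the
top n bits as the network and leaves 32-n host bits, hence 2^(32-n) hosts.
"""
import ipaddress


def ip_to_int(dotted):
    """Dotted quad -> 32-bit integer, validating each octet."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def block_size(prefix_len):
    """Number of addresses in a /prefix_len block: 2^(32-n)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return 1 << (32 - prefix_len)


def describe_cidr(cidr):
    """Network, first/last address, size and netmask for an a.b.c.d/n string."""
    addr, n = cidr.split("/")
    n = int(n)
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF  # top n bits set
    base = ip_to_int(addr) & mask                 # clear the host bits
    last = base | (~mask & 0xFFFFFFFF)            # set the host bits
    return {
        "network": f"{int_to_ip(base)}/{n}",
        "first": int_to_ip(base),
        "last": int_to_ip(last),
        "size": block_size(n),
        "netmask": int_to_ip(mask),
    }


def contains(cidr, ip):
    """True if ip lies inside the block (works for any a.b.c.d/n, not only the base)."""
    info = describe_cidr(cidr)
    return ip_to_int(info["first"]) <= ip_to_int(ip) <= ip_to_int(info["last"])


def range_to_prefix(first, last):
    """Prefix length for an aligned range (x.x.0.0 - x.x.255.255 -> 16), else None.

    A range is a single CIDR block only if its size is a power of two and
    its start is a multiple of that size; otherwise it needs several blocks.
    """
    lo, hi = ip_to_int(first), ip_to_int(last)
    span = hi - lo + 1
    if span & (span - 1):            # not a power of two
        return None
    n = 32 - span.bit_length() + 1   # span == 2^(32-n)
    if lo & (block_size(n) - 1):     # start not aligned to the block size
        return None
    return n


if __name__ == "__main__":
    info = describe_cidr("204.13.69.220/21")
    print(info)
    # Cross-check against the standard library's answer.
    net = ipaddress.ip_network("204.13.69.220/21", strict=False)
    assert str(net) == info["network"] and net.num_addresses == info["size"]
    print("whois range 204.13.64.0 - 204.13.71.255 is a /%s"
          % range_to_prefix("204.13.64.0", "204.13.71.255"))
    print("/13 ->", block_size(13), "addresses; /27 ->", block_size(27))
```

The two checks in range_to_prefix are the reason a whois range does not always collapse to one neat "/n": a range such as 10.0.0.1 - 10.0.0.2 has two addresses but is not aligned, so it cannot be expressed as a single /31 and would need two /32 entries in a blocklist.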

If you are asking about Comcast Texas, no, there doesn't seem to be a whole lot that can be done. There are so many Comcast customers that most server admins do not want to block Comcast, so they 'whitelist' (or poke holes) for the Comcast mail servers. The rest of the IP addresses are trojanized machines that Comcast will not do anything about.

Perhaps someone will tell you the IP addresses of the Comcast servers and then you can block all the rest. Unfortunately I don't know enough about how a server admin does the job to be more specific than that.

Miss Betsy


... which is why you need lists that dedicated compilers put together - and maintain (they keep changing). ...
This resource talks about conversions between IP addresses and IP numbers - Locating Countries from IP addresses - and goes on to present a table of IP numbers and countries. This one references a CSV table of IP numbers and corresponding countries - The IP to Country Database; again, note IP numbers, NOT IP addresses. I have no idea how current or accurate these may be; I only know LinkScanner Online currently finds no exploits on the pages referenced.

As mentioned in an earlier link (Will - Telarin's post), these are not hard to find - Google did it - but you may need to look further for current and accurate lists.

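An added example, not from this thread or from either of the databases linked above, showing how an "IP number" table of that kind is used: each row covers a contiguous range as two 32-bit integers, and a lookup converts the dotted address to its number and binary-searches the range starts. The three-row CSV inside the block is constructed for the example and is not real registry data; the Turkey row is placed so that the 88.224.248.53 address quoted in the thread lands in it, and the neighbouring "United States" row illustrates why a first-octet rule like "block all 88.*" is the wrong tool.

```python
"""
Added example (not from the forum thread): country lookup keyed on IP
numbers. The CSV rows below are CONSTRUCTED for illustration; real tables
are large, change often and must be refreshed from their source.
"""
import bisect
import csv
import io


def ip_to_number(dotted):
    """Dotted quad -> the 32-bit 'IP number' such tables are keyed on."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def number_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


# Constructed CSV in the "begin,end,code,name" shape these databases use.
# Invented assignments: 88.224.0.0-88.225.255.255 "TR", 88.226.0.0-88.226.255.255
# "US", 200.79.160.0-200.79.175.255 "MX".
SAMPLE_CSV = """\
"1491075072","1491206143","TR","Turkey"
"1491206144","1491271679","US","United States"
"3360661504","3360665599","MX","Mexico"
"""


class IpCountryTable:
    def __init__(self, csv_text):
        rows = []
        for begin, end, code, name in csv.reader(io.StringIO(csv_text)):
            rows.append((int(begin), int(end), code, name))
        rows.sort()
        # Ranges must not overlap, or a lookup becomes ambiguous.
        for prev, cur in zip(rows, rows[1:]):
            if cur[0] <= prev[1]:
                raise ValueError(f"overlapping ranges at {number_to_ip(cur[0])}")
        self.rows = rows
        self.starts = [r[0] for r in rows]

    def lookup(self, dotted):
        """(code, name) for the row covering the address, or None if unlisted."""
        n = ip_to_number(dotted)
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.rows[i][0] <= n <= self.rows[i][1]:
            return self.rows[i][2], self.rows[i][3]
        return None

    def ranges_for(self, code):
        """Dotted ranges assigned to a country code, for building a blocklist."""
        return [(number_to_ip(b), number_to_ip(e)) for b, e, c, _ in self.rows if c == code]


if __name__ == "__main__":
    table = IpCountryTable(SAMPLE_CSV)
    for ip in ("88.224.248.53", "88.226.1.1", "200.79.160.7", "8.8.8.8"):
        print(ip, "->", ip_to_number(ip), "->", table.lookup(ip))
    print("ranges to block for TR:", table.ranges_for("TR"))
```

Two addresses that share a first octet fall in different rows, which is the situation described earlier in the thread with Turkey and Comcast; a table lookup resolves it while a wildcard on the first octet cannot. The ranges_for helper is what you would feed into a firewall or MTA access list to block a whole country from such a table.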

Okay... Comcast vs. the BAD GUYS

I've read all of the references given in this thread (over several days) and have come to the conclusion that this realm belongs to the ivory tower geeks -- and there's just no "simple" answer or solution.

I don't care about Comcast subscribers. Only a fool would block Comcast. Besides, any spam from them is probably forged.

Since I research the "sender" or "spamvertiser" of the spam, form post, or forum posting, I'm not that concerned with the email of it.

It's enlightening to discover WHO will PROFIT from the criminal attempt.

So... several NEW QUESTIONS emerge from this thread:

A sample this morning was put through the SpamCop reporting system -- which reported that the spam came from a computer in Arlington, VA.

However, the actual spam included gibberish, and a GIF file promoting pharmaceutical products at one: www . RXfarm . org.

Obviously SpamCop can't read embedded GIF files.

Tracking the domain, I learn it's located on a server in MEXICO.

The domain uses NS servers in New Jersey and Mexico City.

Now I know that it's either a U.S. criminal who has set up shop on some butt-wipe ISP in Mexico, or a Mexican criminal.

Blocking this ISP does me no good other than preventing anyone on that network from reaching my server... right?

Is that a correct assumption to make?

However, in another, similar spam... and then robot forms entry from the SAME IP address, I learn that the offending criminal who has done the dirty work is located at that specific IP.

If I block THAT IP address, he cannot get to my server, RIGHT?

Is THAT a correct assumption to make?

These are the ones I tracked this morning:

218.49.123.31 Korea (frequent offenders)
221.165.196.116
210.183.41.56
200.158.124.204 Brazil (frequent offenders)
202.57.177.170 Thailand (frequent offenders)
217.197.156.143 - Czech Republic (frequent offenders)
212.191.77.244 - Poland (frequent offenders)
87.68.65.225 - Israel (probably terrorists)
62.149.128.160 Aruba Italy (frequent offenders)
200.79.160.7 Mexico (the online drug pharmacy mentioned)

Since I had to pay for a block of IP addresses, am I to assume that everyone in the world who operates a domain MUST have at least ONE of these numbers assigned to them? (I had to buy 32 of them)

http://200.79.160.7/ goes directly to a domain, a web site on a server.

Is it a correct assumption that this domain is on a computer server in a physical location where others are also hosted... as in an ISP?

Doesn't it also suggest that the OWNER of that IP number probably has others? Possibly many others?

So, if I block: 200.79.160/20 am I blocking ALL of the possible IPs this Mexican ISP has to offer?

The last two sets of numbers seem to be significant, but the first two don't -- because they lead all over the planet.

Thanks everyone... this is the most meaningful thread I've been involved in here to date.


Besides any spam from them is probably forged.

No, more likely the spam IS coming from a compromised Comcast end user machine. The sending IP address cannot be forged, which is why DNSBLs work.

Blocking this ISP does me no good other than preventing anyone on that network from reaching my server... right?

Is that a correct assumption to make?

It depends on how you are implementing the block, but generally, yes.

However, in another, similar spam... and then robot forms entry from the SAME IP address, I learn that the offending criminal who has done the dirty work is located at that specific IP.

You would need to prove that point. Again, this sending IP is probably controlled by the spammer, but is not the spammer himself.

If I block THAT IP address, he cannot get to my server, RIGHT?

Is THAT a correct assumption to make?

Generally, yes.

Since I had to pay for a block of IP addresses, am I to assume that everyone in the world who operates a domain MUST have at least ONE of these numbers assigned to them? (I had to buy 32 of them)

No, there are many places where multiple domains are operated on shared IP addresses. The owner of the domain is one entity, but it is hosted by another entity.

http://200.79.160.7/ goes directly to a domain, a web site on a server.

Is it a correct assumption that this domain is on a computer server in a physical location where others are also hosted... as in an ISP?

Not a safe assumption at all. First, 200.79.160.7 is NOT a domain, but an IP address. Also, if you check the sorbs.net listings:

Database of servers sending to spamtrap addresses: www.simplerx.org. 1H IN A 200.79.160.7

Database of vulnerable/hacked servers: Possible RootKit installed.

This tells me this machine is likely hacked and controlled more by the spammers than the owner.

Doesn't it also suggest that the OWNER of that IP number, probably has others? Possibly many others?

So, if I block: 200.79.160/20 am I blocking ALL of the possible IPs this Mexican ISP has to offer?

Yes you are, but not necessarily the spammer behind the site you are investigating.
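An added example, not from this thread, of the point the reply makes about the sending IP: the topmost Received: header is written by your own MTA and records the TCP peer it actually accepted the connection from, so the sender cannot forge it, whereas From:, Reply-To: and any Received: lines further down are under the sender's control. The code pulls the peer address out of that trusted header, builds the reversed-octet DNSBL query name, and interprets a DNSBL answer. The message is constructed; the MTA hostname (mx1.example.net) and the DNSBL zone are assumptions; no DNS query is performed, the answer interpretation takes the value a resolver would return.

```python
"""
Added example (not from the forum thread): extract the real connecting IP
from Received: headers and form the DNSBL query name for it.
Only the header stamped by our own MTA is trusted; everything below it may
be forged by the sender.
"""
import ipaddress
import re
from email import message_from_string

MY_MTA = "mx1.example.net"        # assumption: hostname our MTA writes in Received:
DNSBL_ZONE = "zen.spamhaus.org"   # assumption: any DNSBL zone is queried the same way

# Constructed spam sample: forged From:, forged lower Received:, and a real
# peer of 204.13.69.220 recorded by our own MTA in the top Received:.
SAMPLE_MSG = """\
Received: from mail.comcast.net (unknown [204.13.69.220])
\tby mx1.example.net (Postfix) with ESMTP id 4F2A1C0123
\tfor <victim@example.net>; Mon, 3 Sep 2007 10:12:31 -0400
Received: from [10.0.0.5] (localhost [127.0.0.1])
\tby mail.comcast.net with SMTP; Mon, 3 Sep 2007 10:11:02 -0400
From: "Comcast Billing" <billing@comcast.net>
To: victim@example.net
Subject: Your invoice

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Received: headers top-down, i.e. most recent hop first."""
    return message_from_string(raw).get_all("Received", [])


def connecting_ip(raw, trusted_host):
    """Peer address from the first Received: stamped by our own MTA, else None."""
    by_us = re.compile(rf"\bby\s+{re.escape(trusted_host)}\b")
    for hop in received_chain(raw):
        flat = " ".join(hop.split())          # fold continuation lines
        if by_us.search(flat):
            m = IP_RE.search(flat)
            if m:
                ip = ipaddress.ip_address(m.group(1))
                if not (ip.is_private or ip.is_loopback):
                    return str(ip)
            return None                       # our hop, but no usable peer address
    return None                               # no hop from our MTA: trust nothing


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: a.b.c.d -> d.c.b.a.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(answer):
    """A DNSBL answers with an address in 127.0.0.0/8 when listed; NXDOMAIN (None) otherwise.
    The meaning of the last octet is specific to each list's documentation."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


if __name__ == "__main__":
    peer = connecting_ip(SAMPLE_MSG, MY_MTA)
    print("connecting IP:", peer)
    print("query name:", dnsbl_query_name(peer, DNSBL_ZONE))
    print("listed if resolver returns 127.0.0.2:", is_listed("127.0.0.2"))
```

The From: line claims Comcast and the lower Received: line claims a Comcast relay, yet the only address the code reports is 204.13.69.220, because that is what our own MTA saw on the wire; that is the address a DNSBL or a blocklist should be checked against, not anything the message says about itself.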
