Noticeable trend on my mailserver: Spam that comes via IPv6 is 90% from Google servers and the rest is Amazon or Microsoft servers.
-
@jwildeboer so glad you posted this. Huge uptrend for me in the last month from google ipv6 2002::
@tramtrist @jwildeboer So true
-
@jwildeboer That's ... Woah. I understand how it works, but where did we go wrong that it does and turned IP ranges into rentals?
@larsmb @jwildeboer wait I don’t get it. How can we track their AS?
-
Hostgnome uses a simple tactic. They rent/buy IPv4 address pools, send spam via all allocated addresses in that space for a few days and then get rid of the pool, replacing it with a fresh one. So it makes sense to have a cronjob that checks their ASes and immediately block all pools on the firewall.
@homelab @jwildeboer I have questions, if you don't mind.
- How long do you block the IPs for?
- How do you find the ASs/could you share the cron job?
-
@jwildeboer so glad you posted this. Huge uptrend for me in the last month from google ipv6 2002::
@jwildeboer @tramtrist a lot of the spam I get these days is from GMail addresses.
-
@jwildeboer Can you share with us the source of the list of IP addressen?
-
@larsmb @jwildeboer wait I don’t get it. How can we track their AS?
@tramtrist @jwildeboer I suspect the AS doesn't change, just the prefixes the AS announces.
Hence, blocking by ASN, not by IP address range.
-
@tramtrist @jwildeboer I suspect the AS doesn't change, just the prefixes the AS announces.
Hence, blocking by ASN, not by IP address range.
@larsmb @tramtrist Yep. Use AS to find assigned ranges, feed them to firewall. Every 12 hours.
-
Hostgnome uses a simple tactic. They rent/buy IPv4 address pools, send spam via all allocated addresses in that space for a few days and then get rid of the pool, replacing it with a fresh one. So it makes sense to have a cronjob that checks their ASes and immediately block all pools on the firewall.
Because a few people asked how I block the IP ranges from hostgnome:
- Mailserver detects IP address trying to to deliver spam: 91.237.124.193
- Via `whois` I find the corresponding AS: 201579 (picture 1)
- Then I find all IP ranges associated with with this AS (picture 2)
- Then I go through the ranges and add them to my firewall.Rinse, repeat.
-
@homelab @jwildeboer I have questions, if you don't mind.
- How long do you block the IPs for?
- How do you find the ASs/could you share the cron job?
@rpbook See https://social.wildeboer.net/@jwildeboer/116058656812877639 I will not share for how long I block these ranges, but definitely for more than a few days or weeks
-
@jwildeboer Can you share with us the source of the list of IP addressen?
@heuveltop `whois` and AS lookup. See https://social.wildeboer.net/@jwildeboer/116058656812877639
-
Because a few people asked how I block the IP ranges from hostgnome:
- Mailserver detects IP address trying to to deliver spam: 91.237.124.193
- Via `whois` I find the corresponding AS: 201579 (picture 1)
- Then I find all IP ranges associated with with this AS (picture 2)
- Then I go through the ranges and add them to my firewall.Rinse, repeat.
@jwildeboer @homelab typo AS201579, not AS20579.
-
Because a few people asked how I block the IP ranges from hostgnome:
- Mailserver detects IP address trying to to deliver spam: 91.237.124.193
- Via `whois` I find the corresponding AS: 201579 (picture 1)
- Then I find all IP ranges associated with with this AS (picture 2)
- Then I go through the ranges and add them to my firewall.Rinse, repeat.
@jwildeboer if you want, you can automate that part by querying radb.net:
```
./filter.sh AS201579
23.166.72.0/24
62.169.151.0/24
84.32.41.0/24
91.237.124.0/24
185.91.69.0/24
193.138.195.0/24
# ./filter.sh --ipv6 AS201579
2a13:2480::/29
2602:f9e4::/36
```
Source: https://share.aditsystems.de/ztdku91ezQ/filter.sh -
@jwildeboer if you want, you can automate that part by querying radb.net:
```
./filter.sh AS201579
23.166.72.0/24
62.169.151.0/24
84.32.41.0/24
91.237.124.0/24
185.91.69.0/24
193.138.195.0/24
# ./filter.sh --ipv6 AS201579
2a13:2480::/29
2602:f9e4::/36
```
Source: https://share.aditsystems.de/ztdku91ezQ/filter.sh@anton Oooh! Nice! I will extend that to add the ranges to my crowdsec based firewall
Far better than my crude script. Thank you for sharing! -
@jwildeboer @homelab typo AS201579, not AS20579.
@shaman007 thx! fixed.
-
@anton Oooh! Nice! I will extend that to add the ranges to my crowdsec based firewall
Far better than my crude script. Thank you for sharing!@jwildeboer nicht von mir. Liegt seit einigen Jahren auf der Festplatte rum.
-
R ActivityRelay shared this topic
