Noticeable trend on my mailserver: Spam that comes via IPv6 is 90% from Google servers and the rest is Amazon or Microsoft servers.
-
Noticeable trend on my mailserver: Spam that comes via IPv6 is 90% from Google servers and the rest is Amazon or Microsoft servers. So far no other senders of IPv6 spam. 95% of spam attempts are still IPv4 from various Chinese, US, pacific country sources. The most annoying spam sender stays hostgnome from UK. (All of these attempts are blocked by my mail server, so never make it past the initial HELO part).
-
Hostgnome uses a simple tactic. They rent/buy IPv4 address pools, send spam via all allocated addresses in that space for a few days and then get rid of the pool, replacing it with a fresh one. So it makes sense to have a cronjob that checks their ASes and immediately block all pools on the firewall.
-
@jwildeboer so glad you posted this. Huge uptrend for me in the last month from google ipv6 2002::
-
@jwildeboer That's ... Woah. I understand how it works, but where did we go wrong that it does and turned IP ranges into rentals?
-
@jwildeboer Do you block them by IP or by domain?
-
@tramtrist @jwildeboer So true
-
@larsmb @jwildeboer wait I don't get it. How can we track their AS?
-
@homelab @jwildeboer I have questions, if you don't mind.
- How long do you block the IPs for?
- How do you find the ASs/could you share the cron job?
-
@jwildeboer @tramtrist a lot of the spam I get these days is from GMail addresses.
-
@jwildeboer Can you share with us the source of the list of IP addressen?
-
@tramtrist @jwildeboer I suspect the AS doesn't change, just the prefixes the AS announces.
Hence, blocking by ASN, not by IP address range.
-
@larsmb @tramtrist Yep. Use AS to find assigned ranges, feed them to firewall. Every 12 hours.
-
Because a few people asked how I block the IP ranges from hostgnome:
- Mailserver detects IP address trying to deliver spam: 91.237.124.193
- Via `whois` I find the corresponding AS: 201579 (picture 1)
- Then I find all IP ranges associated with this AS (picture 2)
- Then I go through the ranges and add them to my firewall. Rinse, repeat.
-
@rpbook See https://social.wildeboer.net/@jwildeboer/116058656812877639 I will not share for how long I block these ranges, but definitely for more than a few days or weeks

-
@heuveltop `whois` and AS lookup. See https://social.wildeboer.net/@jwildeboer/116058656812877639
-
@jwildeboer @homelab typo AS201579, not AS20579.
-
@jwildeboer if you want, you can automate that part by querying radb.net:
```
# ./filter.sh AS201579
23.166.72.0/24
62.169.151.0/24
84.32.41.0/24
91.237.124.0/24
185.91.69.0/24
193.138.195.0/24
# ./filter.sh --ipv6 AS201579
2a13:2480::/29
2602:f9e4::/36
```
Source: https://share.aditsystems.de/ztdku91ezQ/filter.sh
-
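The lookup-and-block loop the thread describes (whois to find the AS, then every prefix of that AS into the firewall, refreshed on a timer), written out as an added example that is neither anton's filter.sh nor jwildeboer's cron job: it asks RADB for the route objects registered to an origin ASN and renders them as nftables sets. The `whois -h whois.radb.net -- '-i origin ASN'` query and the nft set syntax are real; the sample RADB output, the table and set names and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of what `whois -h whois.radb.net -- '-i origin AS201579'`
# returns (three route objects), embedded so the parsing runs offline.
SAMPLE_RADB='route:          91.237.124.0/24
origin:         AS201579
source:         RADB

route:          185.91.69.0/24
origin:         AS201579
source:         RADB

route6:         2a13:2480::/29
origin:         AS201579
source:         RADB'

# Live lookup of every route/route6 object registered with this origin ASN.
fetch_radb() {
    whois -h whois.radb.net -- "-i origin $1"
}

# Print the unique prefixes of one address family from RADB output on stdin.
# $1 is "route" for IPv4 objects or "route6" for IPv6 objects.
extract_prefixes() {
    awk -v key="$1:" '$1 == key { print $2 }' | sort -u
}

# Render the prefixes on stdin as an nftables set ($1 name, $2 element type).
# "flags interval" lets the set hold CIDR ranges; an empty input yields a set
# without an elements line rather than the invalid "elements = { }".
render_nft_set() {
    list=$(paste -sd, - | sed 's/,/, /g')
    printf '  set %s {\n    type %s\n    flags interval\n' "$1" "$2"
    [ -n "$list" ] && printf '    elements = { %s }\n' "$list"
    printf '  }\n'
}

# Whole fragment for one ASN; from cron every 12 hours, for example:
#   build_blocklist AS201579 | nft -f -
# Match the sets in an input chain of table inet mail with rules like
#   tcp dport 25 ip saddr @spam_v4 drop   and   tcp dport 25 ip6 saddr @spam_v6 drop
build_blocklist() {
    routes=$(fetch_radb "$1")
    printf 'table inet mail {\n'
    printf '%s\n' "$routes" | extract_prefixes route  | render_nft_set spam_v4 ipv4_addr
    printf '%s\n' "$routes" | extract_prefixes route6 | render_nft_set spam_v6 ipv6_addr
    printf '}\n'
}
```

RADB holds operator-registered route objects, which can lag behind or outlive what the AS actually announces, so compare the list against a BGP-derived view before trusting it wholesale.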
@anton Oooh! Nice! I will extend that to add the ranges to my crowdsec based firewall
Far better than my crude script. Thank you for sharing!
-
@shaman007 thx! fixed.