Noticeable trend on my mailserver: Spam that comes via IPv6 is 90% from Google servers and the rest is Amazon or Microsoft servers.

    Jan Wildeboer 😷:krulorange:
    wrote last edited by
    #1

    Noticeable trend on my mailserver: Spam that comes via IPv6 is 90% from Google servers and the rest is Amazon or Microsoft servers. So far no other senders of IPv6 spam. 95% of spam attempts are still IPv4 from various Chinese, US, Pacific country sources. The most annoying spam sender stays hostgnome from UK. (All of these attempts are blocked by my mail server, so never make it past the initial HELO part).

    #SelfHost #MailAdmin @homelab

      Jan Wildeboer 😷:krulorange:
      wrote last edited by
      #2

      Hostgnome uses a simple tactic. They rent/buy IPv4 address pools, send spam via all allocated addresses in that space for a few days and then get rid of the pool, replacing it with a fresh one. So it makes sense to have a cronjob that checks their ASes and immediately block all pools on the firewall.

      #SelfHost #MailAdmin @homelab

        ヒスケ^^ ❄️🐈🔥🐴
        wrote last edited by
        #3

        @jwildeboer so glad you posted this. Huge uptrend for me in the last month from google ipv6 2002::

          Lars Marowsky-Brée 😷
          wrote last edited by
          #4

          @jwildeboer That's ... Woah. I understand how it works, but where did we go wrong that it does and turned IP ranges into rentals?

            heuveltop
            wrote last edited by
            #5

            @jwildeboer Do you block them by IP or by domain?

              Jan Wildeboer 😷:krulorange:
              wrote last edited by
              #6

              @heuveltop IP.

                osmodia
                wrote last edited by
                #7

                @tramtrist @jwildeboer So true

                  ヒスケ^^ ❄️🐈🔥🐴
                  wrote last edited by
                  #8

                  @larsmb @jwildeboer wait I don’t get it. How can we track their AS?

                    Russell Phillips
                    wrote last edited by
                    #9

                    @homelab @jwildeboer I have questions, if you don't mind.

                    1. How long do you block the IPs for?
                    2. How do you find the ASs/could you share the cron job?

                      Russell Phillips
                      wrote last edited by
                      #10

                      @jwildeboer @tramtrist a lot of the spam I get these days is from GMail addresses.

                        heuveltop
                        wrote last edited by
                        #11

                        @jwildeboer Can you share with us the source of the list of IP addresses?

                          Lars Marowsky-Brée 😷
                          wrote last edited by
                          #12

                          @tramtrist @jwildeboer I suspect the AS doesn't change, just the prefixes the AS announces.

                          Hence, blocking by ASN, not by IP address range.

                            Jan Wildeboer 😷:krulorange:
                            wrote last edited by
                            #13

                            @larsmb @tramtrist Yep. Use AS to find assigned ranges, feed them to firewall. Every 12 hours.

                              Jan Wildeboer 😷:krulorange:
                              wrote last edited by
                              #14

                              Because a few people asked how I block the IP ranges from hostgnome:

                              - Mailserver detects IP address trying to deliver spam: 91.237.124.193
                              - Via `whois` I find the corresponding AS: 201579 (picture 1)
                              - Then I find all IP ranges associated with this AS (picture 2)
                              - Then I go through the ranges and add them to my firewall.

                              Rinse, repeat.

                              #SelfHost #MailAdmin @homelab

                                Jan Wildeboer 😷:krulorange:
                                wrote last edited by
                                #15

                                @rpbook See https://social.wildeboer.net/@jwildeboer/116058656812877639 I will not share for how long I block these ranges, but definitely for more than a few days or weeks 🙂

                                  Jan Wildeboer 😷:krulorange:
                                  wrote last edited by
                                  #16

                                  @heuveltop `whois` and AS lookup. See https://social.wildeboer.net/@jwildeboer/116058656812877639

                                    Andrey Bondarenko
                                    wrote last edited by
                                    #17

                                    @jwildeboer @homelab typo AS201579, not AS20579.

                                      Anton
                                      wrote last edited by
                                      #18

                                      @jwildeboer if you want, you can automate that part by querying radb.net:
                                      ```
                                      ./filter.sh AS201579
                                      23.166.72.0/24
                                      62.169.151.0/24
                                      84.32.41.0/24
                                      91.237.124.0/24
                                      185.91.69.0/24
                                      193.138.195.0/24
                                      # ./filter.sh --ipv6 AS201579
                                      2a13:2480::/29
                                      2602:f9e4::/36
                                      ```
                                      Source: https://share.aditsystems.de/ztdku91ezQ/filter.sh
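
The lookup-and-block loop described in posts #14 and #18, as an added example (not Jan Wildeboer's script and not Anton's filter.sh): it parses IRR route objects for an origin AS, goes one step beyond the thread by dropping entries that are malformed, too broad or overlapping your own ranges, and renders an nftables update. Assumptions: the RADB whois query in `fetch_route_objects`, the `inet filter` table with `spam4`/`spam6` sets, the `MIN_PREFIXLEN` thresholds and the `NEVER_BLOCK` placeholder are illustrative, and the sample input is constructed around prefixes quoted in the thread.

```python
import ipaddress
import subprocess

ASN = "AS201579"                  # the AS named in the thread
MIN_PREFIXLEN = {4: 16, 6: 24}    # assumption: never block anything broader than this
NEVER_BLOCK = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder for your own ranges

def fetch_route_objects(asn):
    """Live lookup (needs network and a whois client); not used by the offline demo."""
    cmd = ["whois", "-h", "whois.radb.net", "--", f"-i origin {asn}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=30).stdout

def _obj(prefix, origin=ASN):
    kind = "route6" if ":" in prefix else "route"
    return f"{kind}:     {prefix}\norigin:     {origin}\nsource:     RADB\n"

# Constructed sample in route-object form: four prefixes quoted in the thread,
# followed by constructed entries that exercise each guard below.
SAMPLE = "\n".join([
    _obj("23.166.72.0/24"), _obj("91.237.124.0/24"),
    _obj("2a13:2480::/29"), _obj("2602:f9e4::/36"),
    _obj("91.237.124.128/25"), _obj("0.0.0.0/0"),    # inside the /24; far too broad
    _obj("198.51.100.0/25"), _obj("not-a-prefix"),   # overlaps NEVER_BLOCK; malformed
    _obj("192.0.2.0/24", "AS64500"),                 # registered to a different origin
])

def parse_prefixes(text, asn):
    """Return (accepted networks, [(raw prefix, reason)]) for objects whose origin is asn."""
    accepted, rejected, current = [], [], None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key.lower() in ("route", "route6"):
            current = value
        elif key.lower() == "origin" and current is not None:
            raw, current = current, None
            if value.upper() != asn.upper():
                continue
            try:
                net = ipaddress.ip_network(raw, strict=True)
            except ValueError:
                rejected.append((raw, "malformed"))
                continue
            if net.prefixlen < MIN_PREFIXLEN[net.version]:
                rejected.append((raw, "too broad"))
            elif any(net.version == n.version and net.overlaps(n) for n in NEVER_BLOCK):
                rejected.append((raw, "overlaps protected range"))
            else:
                accepted.append(net)
    return accepted, rejected

def render_nft(nets, table="inet filter", set4="spam4", set6="spam6"):
    """Build an `nft -f` script. Table and set names are hypothetical; the sets
    must already exist with `flags interval` so they can hold prefixes."""
    lines = []
    for version, name in ((4, set4), (6, set6)):
        merged = ipaddress.collapse_addresses(n for n in nets if n.version == version)
        elements = ", ".join(str(n) for n in merged)
        lines.append(f"flush set {table} {name}")
        if elements:
            lines.append(f"add element {table} {name} {{ {elements} }}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_nft(parse_prefixes(SAMPLE, ASN)[0]), end="")
```

Loading the rendered text with `nft -f` applies the flush and the add as one transaction, so the set is never empty between the two steps. Logging the rejected list on every run shows when a registry entry was skipped and why.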

                                        Jan Wildeboer 😷:krulorange:
                                        wrote last edited by
                                        #19

                                        @anton Oooh! Nice! I will extend that to add the ranges to my crowdsec based firewall 🙂 Far better than my crude script. Thank you for sharing!

                                          Jan Wildeboer 😷:krulorange:
                                          wrote last edited by
                                          #20

                                          @shaman007 thx! fixed.
