Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • World
  • Users
  • Groups
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (Darkly)
  • No Skin
Collapse
Brand Logo
  1. Home
  2. Uncategorized
  3. Noticeable trend on my mailserver: Spam that comes via IPv6 is 90% from Google servers and the rest is Amazon or Microsoft servers.

Noticeable trend on my mailserver: Spam that comes via IPv6 is 90% from Google servers and the rest is Amazon or Microsoft servers.

Scheduled Pinned Locked Moved Uncategorized
selfhostmailadmin
21 Posts 8 Posters 0 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • モスケ^^ ❄️🐈🔥🐴T モスケ^^ ❄️🐈🔥🐴

    @larsmb @jwildeboer wait I don’t get it. How can we track their AS?

    Lars Marowsky-Brée 😷L This user is from outside of this forum
    Lars Marowsky-Brée 😷L This user is from outside of this forum
    Lars Marowsky-Brée 😷
    wrote last edited by
    #12

    @tramtrist @jwildeboer I suspect the AS doesn't change, just the prefixes the AS announces.

    Hence, blocking by ASN, not by IP address range.

    Jan Wildeboer 😷:krulorange:J 1 Reply Last reply
    0
    • Lars Marowsky-Brée 😷L Lars Marowsky-Brée 😷

      @tramtrist @jwildeboer I suspect the AS doesn't change, just the prefixes the AS announces.

      Hence, blocking by ASN, not by IP address range.

      Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
      Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
      Jan Wildeboer 😷:krulorange:
      wrote last edited by
      #13

      @larsmb @tramtrist Yep. Use AS to find assigned ranges, feed them to firewall. Every 12 hours.

      1 Reply Last reply
      0
      • Jan Wildeboer 😷:krulorange:J Jan Wildeboer 😷:krulorange:

        Hostgnome uses a simple tactic. They rent/buy IPv4 address pools, send spam via all allocated addresses in that space for a few days and then get rid of the pool, replacing it with a fresh one. So it makes sense to have a cronjob that checks their ASes and immediately block all pools on the firewall.

        #SelfHost #MailAdmin @homelab

        Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
        Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
        Jan Wildeboer 😷:krulorange:
        wrote last edited by
        #14

        Because a few people asked how I block the IP ranges from hostgnome:

        - Mailserver detects IP address trying to to deliver spam: 91.237.124.193
        - Via `whois` I find the corresponding AS: 201579 (picture 1)
        - Then I find all IP ranges associated with with this AS (picture 2)
        - Then I go through the ranges and add them to my firewall.

        Rinse, repeat.

        #SelfHost #MailAdmin @homelab

        Andrey BondarenkoS AntonA 2 Replies Last reply
        1
        0
        • Russell PhillipsR Russell Phillips

          @homelab @jwildeboer I have questions, if you don't mind.

          1. How long do you block the IPs for?
          2. How do you find the ASs/could you share the cron job?
          Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
          Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
          Jan Wildeboer 😷:krulorange:
          wrote last edited by
          #15

          @rpbook See https://social.wildeboer.net/@jwildeboer/116058656812877639 I will not share for how long I block these ranges, but definitely for more than a few days or weeks 🙂

          1 Reply Last reply
          0
          • heuveltopH heuveltop

            @jwildeboer Can you share with us the source of the list of IP addressen?

            Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
            Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
            Jan Wildeboer 😷:krulorange:
            wrote last edited by
            #16

            @heuveltop `whois` and AS lookup. See https://social.wildeboer.net/@jwildeboer/116058656812877639

            1 Reply Last reply
            0
            • Jan Wildeboer 😷:krulorange:J Jan Wildeboer 😷:krulorange:

              Because a few people asked how I block the IP ranges from hostgnome:

              - Mailserver detects IP address trying to to deliver spam: 91.237.124.193
              - Via `whois` I find the corresponding AS: 201579 (picture 1)
              - Then I find all IP ranges associated with with this AS (picture 2)
              - Then I go through the ranges and add them to my firewall.

              Rinse, repeat.

              #SelfHost #MailAdmin @homelab

              Andrey BondarenkoS This user is from outside of this forum
              Andrey BondarenkoS This user is from outside of this forum
              Andrey Bondarenko
              wrote last edited by
              #17

              @jwildeboer @homelab typo AS201579, not AS20579.

              Jan Wildeboer 😷:krulorange:J 1 Reply Last reply
              0
              • Jan Wildeboer 😷:krulorange:J Jan Wildeboer 😷:krulorange:

                Because a few people asked how I block the IP ranges from hostgnome:

                - Mailserver detects IP address trying to to deliver spam: 91.237.124.193
                - Via `whois` I find the corresponding AS: 201579 (picture 1)
                - Then I find all IP ranges associated with with this AS (picture 2)
                - Then I go through the ranges and add them to my firewall.

                Rinse, repeat.

                #SelfHost #MailAdmin @homelab

                AntonA This user is from outside of this forum
                AntonA This user is from outside of this forum
                Anton
                wrote last edited by
                #18

                @jwildeboer if you want, you can automate that part by querying radb.net:
                ```
                ./filter.sh AS201579
                23.166.72.0/24
                62.169.151.0/24
                84.32.41.0/24
                91.237.124.0/24
                185.91.69.0/24
                193.138.195.0/24
                # ./filter.sh --ipv6 AS201579
                2a13:2480::/29
                2602:f9e4::/36
                ```
                Source: https://share.aditsystems.de/ztdku91ezQ/filter.sh

                Jan Wildeboer 😷:krulorange:J 1 Reply Last reply
                0
                • AntonA Anton

                  @jwildeboer if you want, you can automate that part by querying radb.net:
                  ```
                  ./filter.sh AS201579
                  23.166.72.0/24
                  62.169.151.0/24
                  84.32.41.0/24
                  91.237.124.0/24
                  185.91.69.0/24
                  193.138.195.0/24
                  # ./filter.sh --ipv6 AS201579
                  2a13:2480::/29
                  2602:f9e4::/36
                  ```
                  Source: https://share.aditsystems.de/ztdku91ezQ/filter.sh

                  Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
                  Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
                  Jan Wildeboer 😷:krulorange:
                  wrote last edited by
                  #19

                  @anton Oooh! Nice! I will extend that to add the ranges to my crowdsec based firewall 🙂 Far better than my crude script. Thank you for sharing!

                  AntonA 1 Reply Last reply
                  0
                  • Andrey BondarenkoS Andrey Bondarenko

                    @jwildeboer @homelab typo AS201579, not AS20579.

                    Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
                    Jan Wildeboer 😷:krulorange:J This user is from outside of this forum
                    Jan Wildeboer 😷:krulorange:
                    wrote last edited by
                    #20

                    @shaman007 thx! fixed.

                    1 Reply Last reply
                    0
                    • Jan Wildeboer 😷:krulorange:J Jan Wildeboer 😷:krulorange:

                      @anton Oooh! Nice! I will extend that to add the ranges to my crowdsec based firewall 🙂 Far better than my crude script. Thank you for sharing!

                      AntonA This user is from outside of this forum
                      AntonA This user is from outside of this forum
                      Anton
                      wrote last edited by
                      #21

                      @jwildeboer nicht von mir. Liegt seit einigen Jahren auf der Festplatte rum.

                      1 Reply Last reply
                      0
                      • R ActivityRelay shared this topic
                      Reply
                      • Reply as topic
                      Log in to reply
                      • Oldest to Newest
                      • Newest to Oldest
                      • Most Votes


                      • Login

                      • Don't have an account? Register

                      • Login or register to search.
                      Powered by NodeBB Contributors
                      • First post
                        Last post
                      0
                      • Categories
                      • Recent
                      • Tags
                      • Popular
                      • World
                      • Users
                      • Groups