RE: [pfSense Support] blocking spammers xml
I imported a spamhaus blacklist into my Alias and it's really slowed things down.

Derrick Conner

-----Original Message-----
From: Glenn Kelley [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2008 2:40 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] blocking spammers xml

to bring up an old conversation...

We literally have seen a drop in spam across the network of about 93%

I have redirected the mail coming from those ip ranges to a different server - and pretty much 99% (all but just a few emails) were actually junk mail.

Great stuff. :-)

On Sep 23, 2008, at 12:20 AM, Glenn Kelley wrote:

I did these a little different...

in XML I added in filters section

    <filters>
      <rule>
        <type>block</type>
        <interface>wan</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os></os>
        <protocol>tcp/udp</protocol>
        <source>
          <address>spammers</address>
        </source>
        <destination>
          <any/>
          <port>25</port>
        </destination>
        <descr>spammers</descr>
      </rule>
    </filters>

then below the rules / filters section

    <aliases>
      <alias>
        <name>spammers</name>
        <address>66.0.0.0/8 66.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8 81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 116.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 194.0.0.0/8 195.0.0.0/8 200.0.0.0/8 201.0.0.0/8 202.0.0.0/8 203.0.0.0/8 210.0.0.0/8 190.0.0.0/8</address>
        <descr>SMTP Block Known Spam Networks</descr>
        <type>network</type>
        <detail>smtp block spam Canada||smtp block Spam Canada||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Asia||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||</detail>
      </alias>
    </aliases>

Seems to work well.

On Sep 22, 2008, at 9:25 PM, Derrick Conner wrote:

I've attached my cleaned up XML of all the subnets I block. Feel free to post it, or whatever you want to do with it. I would have sent it to Joe Laffey, but I think my spam filter got him.

Derrick

-----Original Message-----
From: Glenn Kelley [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2008 10:43 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] blockign china

I would need to know perl . I have given my wife a few of those in the past hmmm going to her jewelry box

all kidding aside - i think you're right.
I will see what I can come up w/ - i think this might help the pfsense community @ large.

In fact - it seems simple enough - it might make a very simple pkg

just a thought - I think if it were a pkg - it could then parse those lists every month or so - cron job 1 time per month and then reinject the changes

This way it stays up to date...

I would say 95% of the hacking attempts we are seeing in our datacenter are all out of China and Korea - the last 5 % would be say 4% from Russia and 1% from script kiddies in the US

Then again 99.256% of all statistics are made up 98.721% of the time

I know my #'s are close however

Glenn

On Sep 22, 2008, at 10:08 AM, Joe Laffey wrote:

On Mon, 22 Sep 2008, Glenn Kelley wrote:

> Thanks Joe - I saw that...
> My concern was typing all of those into the system one by one by one...
>
> It's okay if I gotta do it :-)
>
> My hope was that someone already has - and that they could put out that part of their xml file - so the community could all benefit.

I would think you could write a perl script to convert those into a segment of XML that you could then paste into a saved config. Then reload that config.

--
Joe Laffey
Re: [pfSense Support] blocking spammers xml
its a ton of ips
might be good using a speedy box with lots of ram

Quad Core Xeon here - with 4gb ram helped a ton

On Oct 5, 2008, at 2:16 AM, Derrick Conner wrote:

I imported a spamhaus blacklist into my Alias and it's really slowed things down.

Derrick Conner
RE: [pfSense Support] blocking spammers xml
Sorry, I meant it slowed the SPAM. The 2.6 GHz Xeon and 4 gigs ram is doing just fine.

Derrick Conner

-----Original Message-----
From: Glenn Kelley [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 05, 2008 1:27 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] blocking spammers xml

its a ton of ips
might be good using a speedy box with lots of ram

Quad Core Xeon here - with 4gb ram helped a ton
Re: [pfSense Support] blocking spammers xml
to bring up an old conversation...

We literally have seen a drop in spam across the network of about 93%

I have redirected the mail coming from those ip ranges to a different server - and pretty much 99% (all but just a few emails) were actually junk mail.

Great stuff. :-)
Re: [pfSense Support] blocking spammers xml
Glenn Kelley wrote:
> to bring up an old conversation...
>
> We literally have seen a drop in spam across the network of about 93%
>
> I have redirected the mail coming from those ip ranges to a different server - and pretty much 99% (all but just a few emails) were actually junk mail.

spammers seem to remember old IPs for a long time, so rehoming your mail server can reduce spam.

putting in a deliberately broken backup MX with big number can also screw them up - spammers often inject email into the non-primary MXers because that sometimes avoids spam being rejected.

SPF and other techniques aren't actually that effective, or effective for long IMHO; in fact Postini found that spammers adopted SPF before regular users!

lots of useful strategies, but this isn't really the place to deal with it.
RE: [pfSense Support] blocking spammers xml
Since a great many of these are dynamic IPs that send spam, rather than make a giant list, I found it better to block the whole thing. Anyone who uses those entries I sent needs to be aware it was my preference, so one should edit to suit theirs. I did an IPWHOIS on every one of them based on firewall logs, so they were the ones of the most traffic. Amsterdam being the winner.

Derrick

I am thinking /8 would be cruel - however if you're fine blocking that entire region from your network - then who cares...
Re: [pfSense Support] blocking spammers xml
it should look something like this: http://www.netsecdb.de/index.php?q=node/996

question: can i merge aliases with upload of xml-config?
I would like to let the rulesets unchanged and only exchange dedicated aliases in firewalls.

headers and footers of example xml dummy are still missing.

regards,
Claus

Glenn Kelley wrote:

Claus

Awesome...
Now I guess I need to figure out how to get that imported...

But this is exactly what I am looking for...
I am thinking a few little things would help - but thats a great place to start !

Glenn

On Sep 23, 2008, at 6:40 PM, Claus Marxmeier wrote:

i have complete ripe http://www.ripe.net/, apnic http://www.apnic.net/, jpnic http://www.jpnic.net/, cnnic http://www.cnnic.net/en/index/index.htm in netsecdb.de database
arin http://www.arin.net/, lacnic http://www.lacnic.net/, afrinic http://www.afrinic.net/, nicbr http://www.nic.br/, krnic http://www.krnic.net/english/ import, when needed

current stats:

Database STATS (refreshed every 30 minutes)
Status of: 2008-09-24 00:12:00

known nets: 3362078
bgp-routes: 5197010
tor exits: 829
open proxies: 574
ad-trackers: 2130
spammer nets: 44166
spamlink dests: 209
smtp/s nets blocked: 43764
hacker-nets: 673
bot-servers: 74
web-spammer: 653
spyware: 1264
customer-nets: 1092

I do not need to look up things any more :)

Every 30 we currently generate:

* hosts.deny files for plesk/qmail/xinetd
* evil-client.cidr for postfix,
* exim4_local_host_blacklist for exim4.x,
* .htaccess-files for apache,
* iptables-scripts for debian/SuSE and
* cmdlets for use with Microsoft Exchange Server7 Series

and in addition for our 2 pfsenses alias-xmls. Rulesets are fixed - only aliases extend/change.

Just provide a template and i would suggest http://www.netsecdb.de/index.php?q=node/969 for source of static blocking by firewall. webserver and mta already have config files for blocking.

regards,
Claus

Paul Mansfield wrote:

Claus Marxmeier wrote:
> already doing that for hacker networks and spamlinkdests with 2 embedded pfsense from database in netsecdb.de
>
> to use /8 would be a little bit tooo cruel, wouldn't it?

better yet, just look up the IP in apnic and if it's there, deny it (and cache) :-)
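The conversion Joe Laffey suggests and the alias-only swap Claus asks about, as an added example in Python rather than Perl (not code from the thread or from pfSense): it cleans a blocklist, then rewrites one alias inside a saved config and leaves the rules alone. The feed, the config, the function names and the `min_prefix` threshold are constructed for illustration; the element names follow the fragment Glenn posted.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed feed ("CIDR ; comment" form, documentation ranges plus a /8).
SAMPLE_FEED = """\
; constructed sample feed
192.0.2.0/25 ; EXAMPLE-1
192.0.2.128/25 ; EXAMPLE-2
198.51.100.0/24
198.51.100.64/26 ; already inside the /24 above
203.0.113.7
66.0.0.0/8
66.0.0.0/8
not-an-address
2001:db8::/32
"""

# Constructed saved config using the element names quoted in the thread.
SAMPLE_CONFIG = """\
<pfsense>
  <filters>
    <rule>
      <type>block</type>
      <source><address>spammers</address></source>
      <descr>spammers</descr>
    </rule>
  </filters>
  <aliases>
    <alias>
      <name>spammers</name>
      <address>66.0.0.0/8 66.0.0.0/8</address>
      <type>network</type>
      <detail>smtp block spam Canada||smtp block Spam Canada||</detail>
    </alias>
    <alias>
      <name>mailservers</name>
      <address>192.0.2.25</address>
      <detail>constructed entry||</detail>
    </alias>
  </aliases>
</pfsense>
"""


def parse_feed(text, min_prefix=16):
    """Return (collapsed IPv4 networks, rejected lines).
    min_prefix is a hypothetical policy knob: anything broader is reported
    instead of imported, so a /8 only goes in on purpose (min_prefix=0).
    """
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = re.split(r"[;#]", raw, maxsplit=1)[0].strip()  # drop comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "not an address or CIDR"))
            continue
        if net.version != 4:
            rejected.append((lineno, entry, "IPv6 not handled here"))
        elif net.prefixlen < min_prefix:
            rejected.append((lineno, entry, "broader than /%d" % min_prefix))
        else:
            nets.append(net)
    # Duplicates, contained ranges and adjacent halves are merged here.
    return list(ipaddress.collapse_addresses(nets)), rejected


def _set_child(parent, tag, value):
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    node.text = value


def replace_alias(config_xml, name, nets, note):
    """Rewrite <address>/<detail> of one named alias; leave all else as is."""
    if not nets:
        # An empty or failed download must not silently empty the block list.
        raise ValueError("refusing to write an empty alias")
    root = ET.fromstring(config_xml)
    for alias in root.findall("./aliases/alias"):
        if alias.findtext("name") == name:
            _set_child(alias, "address", " ".join(str(n) for n in nets))
            # One "||"-terminated note per address, as in the posted fragment.
            _set_child(alias, "detail", "".join(note + "||" for _ in nets))
            return ET.tostring(root, encoding="unicode")
    raise KeyError("alias %r not found" % name)


if __name__ == "__main__":
    networks, skipped = parse_feed(SAMPLE_FEED)
    print("skipped:", skipped)
    print(replace_alias(SAMPLE_CONFIG, "spammers", networks, "imported"))
```

Run it against a copy of the exported config and compare the result with the original before reloading it.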
RE: [pfSense Support] blocking spammers xml
Darn good idea! I'm going to set that up right now. Thanks! Don't know why this didn't come to me.

Derrick
Re: [pfSense Support] blocking spammers xml
I would love to pull in all that fun stuff from this nice tool http://blacklist.linuxadmin.org/

Of course that makes the iptables ruleset.
I am very interested in how we could do this easily for the entire community.

Wish I knew code better - write a little script to create all of these. :-)

On Sep 23, 2008, at 10:47 AM, Derrick Conner wrote:

Darn good idea! I'm going to set that up right now. Thanks! Don't know why this didn't come to me.

Derrick
Re: [pfSense Support] blocking spammers xml
already doing that for hacker networks and spamlinkdests with 2 embedded pfsense from database in netsecdb.de

to use /8 would be a little bit tooo cruel, wouldn't it?

Regards,
Claus

Glenn Kelley wrote:

I would love to pull in all that fun stuff from this nice tool http://blacklist.linuxadmin.org/

Of course that makes the iptables ruleset.
I am very interested in how we could do this easily for the entire community.

Wish I knew code better - write a little script to create all of these. :-)
Re: [pfSense Support] blocking spammers xml
Claus Marxmeier wrote:
> already doing that for hacker networks and spamlinkdests with 2 embedded pfsense from database in netsecdb.de
> to use /8 would be a little bit tooo cruel, wouldn't it?

better yet, just look up the IP in apnic and if it's there, deny it (and cache) :-)

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] blocking spammers xml
I hate when I hit the wrong hot key too fast.

This http://countries.nerd.dk/isolist.txt has an entire list as well.

Here is my thought - wondering if you could help

I am thinking of a few addons - here is the first one.

An addon that queries http://countries.nerd.dk/isolist.txt - or even a mirror we set up (perhaps on pfsense or our servers here - we host a number of mirrors including the North American TER for typo3)

this would import the country changes when someone wants to do it (manually or on cron - or schedule)

Then - people could dynamically build aliases much easier this way. They could pull in say an entire list of countries or just one country and then use those to build rules against.

Now - I might need help to clean this idea up. Once we have it hashed out - I would be willing to pay $100 towards a bounty to get this done...

I don't want to post the bounty on the forums till I have the wording just right...

Glenn

On Sep 23, 2008, at 11:13 AM, Glenn Kelley wrote:
> I would love to pull in all that fun stuff from this nice tool http://blacklist.linuxadmin.org/
> Of course that makes the iptables ruleset.
> I am very interested in how we could do this easily for the entire community
> Wish I knew code better - write a little script to create all of these. :-)
>
> On Sep 23, 2008, at 10:47 AM, Derrick Conner wrote:
> > Darn good idea! I'm going to set that up right now. Thanks! Don't know why this didn't come to me.
> > Derrick
Re: [pfSense Support] blocking spammers xml
I'm kinda new on this - so your advice is greatly appreciated.

I am sure there is a better way - thus the reason for discussion :-) I'm far from an expert ... my wife tells me I am not perfect either... Boo Hiss :-)

My thought is - this community - which appears to be an excellent resource of great people - will be able to help me become perfect - and an expert. (ok bad joke)

Anyhow - seeing what others are doing should help. I am thinking /8 would be cruel - however if you're fine blocking that entire region from your network - then who cares... guess it's good for some and not good for others...

We for example colocate for a company based out of China... We therefore would need to use these to actually allow traffic to their IP Block but want to block that traffic from the rest of our network...

On a side note - PIX eat your heart out. I am running this on a Quad Core Xeon and ... it has zero load... blowing the doors off of the pix running in line w/ it. had the system sitting on the side... and voila - instant firewall

We also run vYatta and man does that kick butt as well.

time to perhaps once we have this 100% put that puppy (pix) on eBay

Hats off to the MonoWall and pfSense dev teams.

Glenn

On Sep 23, 2008, at 11:38 AM, Paul Mansfield wrote:
> Claus Marxmeier wrote:
> > already doing that for hacker networks and spamlinkdests with 2 embedded pfsense from database in netsecdb.de
> > to use /8 would be a little bit tooo cruel, wouldn't it?
>
> better yet, just look up the IP in apnic and if it's there, deny it (and cache) :-)
Re: [pfSense Support] blocking spammers xml
i have complete ripe http://www.ripe.net/, apnic http://www.apnic.net/, jpnic http://www.jpnic.net/, cnnic http://www.cnnic.net/en/index/index.htm /in netsecdb.de database /
arin http://www.arin.net/, lacnic http://www.lacnic.net/, afrinic http://www.afrinic.net/, nicbr http://www.nic.br/, krnic http://www.krnic.net/english/ /import, when needed current stats: /

Database STATS (refreshed every 30 minutes)
Status of: 2008-09-24 00:12:00
known nets: 3362078
bgp-routes: 5197010
tor exits: 829
open proxies: 574
ad-trackers: 2130
spammer nets: 44166
spamlink dests: 209
smtp/s nets blocked: 43764
hacker-nets: 673
bot-servers: 74
web-spammer: 653
spyware: 1264
customer-nets: 1092

I do not need to look up things any more :)

Every 30 we currently generate:
* hosts.deny files for plesk/qmail/xinetd
* evil-client.cidr for postfix,
* exim4_local_host_blacklist for exim4.x,
* .htaccess-files for apache,
* iptables-scripts for debian/SuSE and
* cmdlets for use with Microsoft Exchange Server7 Series
and in addition for our 2 pfsenses alias-xmls.

Rulesets are fixed - only aliases extend/change. Just provide a template and i would suggest http://www.netsecdb.de/index.php?q=node/969 for source of static blocking by firewall. webserver and mta already have config files for blocking.

regards,
Claus

Paul Mansfield wrote:
> Claus Marxmeier wrote:
> > already doing that for hacker networks and spamlinkdests with 2 embedded pfsense from database in netsecdb.de
> > to use /8 would be a little bit tooo cruel, wouldn't it?
>
> better yet, just look up the IP in apnic and if it's there, deny it (and cache) :-)

--
Claus Marxmeier
http://www.marxmeier.de
This computer is protected by netsecurity-database from www.netsecdb.de
Re: [pfSense Support] blocking spammers xml
Claus

Awesome... Now I guess I need to figure out how to get that imported...

But this is exactly what I am looking for... I am thinking a few little things would help - but that's a great place to start !

Glenn

On Sep 23, 2008, at 6:40 PM, Claus Marxmeier wrote:
> i have complete ripe http://www.ripe.net/, apnic http://www.apnic.net/, jpnic http://www.jpnic.net/, cnnic http://www.cnnic.net/en/index/index.htm /in netsecdb.de database /
> arin http://www.arin.net/, lacnic http://www.lacnic.net/, afrinic http://www.afrinic.net/, nicbr http://www.nic.br/, krnic http://www.krnic.net/english/ /import, when needed current stats: /
>
> Database STATS (refreshed every 30 minutes)
> Status of: 2008-09-24 00:12:00
> known nets: 3362078
> bgp-routes: 5197010
> tor exits: 829
> open proxies: 574
> ad-trackers: 2130
> spammer nets: 44166
> spamlink dests: 209
> smtp/s nets blocked: 43764
> hacker-nets: 673
> bot-servers: 74
> web-spammer: 653
> spyware: 1264
> customer-nets: 1092
>
> I do not need to look up things any more :)
>
> Every 30 we currently generate:
> * hosts.deny files for plesk/qmail/xinetd
> * evil-client.cidr for postfix,
> * exim4_local_host_blacklist for exim4.x,
> * .htaccess-files for apache,
> * iptables-scripts for debian/SuSE and
> * cmdlets for use with Microsoft Exchange Server7 Series
> and in addition for our 2 pfsenses alias-xmls.
>
> Rulesets are fixed - only aliases extend/change. Just provide a template and i would suggest http://www.netsecdb.de/index.php?q=node/969 for source of static blocking by firewall. webserver and mta already have config files for blocking.
>
> regards,
> Claus
Re: [pfSense Support] blocking spammers xml
I did these a little different...

in XML I added in filters section

<filters>
  <rule>
    <type>block</type>
    <interface>wan</interface>
    <max-src-nodes/>
    <max-src-states/>
    <statetimeout/>
    <statetype>keep state</statetype>
    <os></os>
    <protocol>tcp/udp</protocol>
    <source>
      <address>spammers</address>
    </source>
    <destination>
      <any/>
      <port>25</port>
    </destination>
    <descr>spammers</descr>
  </rule>
</filters>

then below the rules / filters section

<aliases>
  <alias>
    <name>spammers</name>
    <address>66.0.0.0/8 66.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8 81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 116.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 194.0.0.0/8 195.0.0.0/8 200.0.0.0/8 201.0.0.0/8 202.0.0.0/8 203.0.0.0/8 210.0.0.0/8 190.0.0.0/8</address>
    <descr>SMTP Block Known Spam Networks</descr>
    <type>network</type>
    <detail>smtp block spam Canada||smtp block Spam Canada||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Asia||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||</detail>
  </alias>
</aliases>

Seems to work well.

On Sep 22, 2008, at 9:25 PM, Derrick Conner wrote:
> I've attached my cleaned up XML of all the subnets I block. Feel free to post it, or whatever you want to do with it. I would have sent it to Joe Laffey, but I think my spam filter got him.
> Derrick
>
> -----Original Message-----
> From: Glenn Kelley [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 22, 2008 10:43 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] blockign china
>
> I would need to know perl . I have given my wife a few of those in the past hmmm going to her jewelry box
> all kidding aside - I think you're right. I will see what I can come up w/ - I think this might help the pfsense community @ large.
> In fact - it seems simple enough - it might make a very simple pkg
> just a thought - I think if it were a pkg - it could then parse those lists every month or so - cron job 1 time per month and then reinject the changes
> This way it stays up to date...
> I would say 95% of the hacking attempts we are seeing in our datacenter are all out of China and Korea - the last 5 % would be say 4% from Russia and 1% from script kiddies in the US
> Then again 99.256% of all statistics are made up 98.721% of the time
> I know my #'s are close however
> Glenn
>
> On Sep 22, 2008, at 10:08 AM, Joe Laffey wrote:
> > On Mon, 22 Sep 2008, Glenn Kelley wrote:
> > > Thanks Joe - I saw that... My concern was typing all of those into the system one by one by one... It's okay if I gotta do it :-)
> > > My hope was that someone already has - and that they could put out that part of their xml file - so the community could all benefit.
> >
> > I would think you could write a perl script to convert those into a segment of XML that you could then paste into a saved config. Then reload that config.
> >
> > --
> > Joe Laffey | Visual Effects for Film and Video
> > LAFFEY Computer Imaging | St. Louis, MO, USA
> > Show Reel http://LAFFEY.tv/?e11861 | -*- Digital Fusion Plugins -*-

Big Spammers .zip
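The conversion script Joe Laffey suggests, which is also the core of the add-on Glenn describes, could look like the following. This is an added example, not code from anyone in the thread, and it uses Python rather than Perl. The element names and the `||`-terminated detail field follow the alias block quoted above. The feed format ("CIDR label" per line), the minimum-prefix policy and the allowlist carve-out for a colocated customer are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample feed (documentation ranges): "CIDR label", '#' comments.
SAMPLE_FEED = """\
# constructed sample, not a real blocklist
198.51.100.0/24  smtp block spam example-a
198.51.100.0/24  duplicate entry
203.0.113.77/24  smtp block spam example-b
192.0.2.0/24     smtp block spam example-c
10.0.0.0/8       broader than the policy allows
not-a-network    garbage line
"""

def parse_feed(text, min_prefix=16):
    """Return ({IPv4Network: label}, [rejected raw lines])."""
    nets, rejected = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        try:
            # strict=False masks stray host bits (203.0.113.77/24 -> .0/24)
            net = ipaddress.IPv4Network(fields[0], strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if net.prefixlen < min_prefix:   # refuse /8-style blanket blocks
            rejected.append(raw)
            continue
        nets.setdefault(net, fields[1].strip() if len(fields) > 1 else "")
    return nets, rejected

def carve_out(nets, allow):
    """Remove allowlisted ranges (e.g. a colocated customer) from the block set."""
    result = {}
    for net, label in nets.items():
        pieces = [net]
        for keep in allow:
            remaining = []
            for piece in pieces:
                if piece.subnet_of(keep):        # entirely allowlisted
                    continue
                if keep.subnet_of(piece):        # punch a hole around it
                    remaining.extend(piece.address_exclude(keep))
                else:
                    remaining.append(piece)
            pieces = remaining
        for piece in pieces:
            result.setdefault(piece, label)
    return result

def build_alias(name, descr, nets):
    """Build an <alias> element in the layout quoted in the thread."""
    ordered = sorted(nets)
    alias = ET.Element("alias")
    ET.SubElement(alias, "name").text = name
    ET.SubElement(alias, "address").text = " ".join(map(str, ordered))
    ET.SubElement(alias, "descr").text = descr
    ET.SubElement(alias, "type").text = "network"
    # one description per address, each terminated by "||" as in the post
    ET.SubElement(alias, "detail").text = "".join(
        nets[n].replace("|", "/") + "||" for n in ordered)
    return alias

def render(feed, allow=(), name="spammers", descr="SMTP Block Known Spam Networks"):
    nets, rejected = parse_feed(feed)
    nets = carve_out(nets, [ipaddress.IPv4Network(a) for a in allow])
    return ET.tostring(build_alias(name, descr, nets), encoding="unicode"), rejected

if __name__ == "__main__":
    xml, rejected = render(SAMPLE_FEED, allow=["192.0.2.64/26"])
    print(xml)
    print("rejected:", rejected)
```

Rejected lines are returned rather than silently dropped, so a scheduled import can log them before the generated segment is pasted into a saved config.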