On Tue, 2009-06-23 at 22:17 +0200, Arvid Picciani wrote:
> >> It does make you wonder why they never seem to end up on any of the
> >> spamhaus lists. Perhaps they are brilliant list washers ?
> >>
> >
> > Same here - I see lots of these and they don't score on many lists.
>
> It might be an uneducated guess, but i also have some very annoying
> hosts on the radar which i started blocking manually because they are on
> neither spamhaus nor sorbs.
>
> > Yep, that looks familiar...
> >
> > # The Solo Networks 8.19.136.0 - 8.19.143.255
> > 8.19.136.0/21 REJECT
> >
> > # The Solo Networks 67.218.160.0 - 67.218.191.255
> > # 67.218.164.0/24 Surpass Solutions - cybersonicview.com
> > # 67.218.173.0/24 X3 Hosting Systems
> > # 67.218.180.0/24 LogiTech Interactive
> > 67.218.160.0/19 REJECT
> >
> > My policy, I block the /24 straight away, and hits from 3 separate
> > /24's earns a block for the whole netblock (as illustrated above).
> >
You are a man after my own heart - that's what I do! I notice this
morning another 115 attempts from them overnight;
less /var/log/mail.info | grep localbl | wc -l
115
>
> How did you indentify these blocks as spammers
by the mail they send :-) Teeth Whitening for $100 -> Acai Power Slim
etc.
> and why doesnt spamhaus
I've asked that in the past of Spamhaus and was openly abused by people
running to their defence - even Steve Lindford himself. He called me a
'moron' (but he had just lost a Court Case so I forgive him). This was
over the very block I highlighted yesterday, and I asked him why
spamhaus was missing it. That must have been 4 months ago.
Some U.K. providers (such as Fasthosts & Rackspace(UK)) never seem to
get a listing for any of their ranges - which is interesting when you
consider they are probably the largest providers of hosting in the UK
and that Spamhaus hosts with one of them.
I know that Barracuda have a 'paid' white list (in addition to the
Mickey Mouse 'emailreg.org' thing they are selling). I wonder if
Spamhaus offer a similar 'feature'. The only other logical explanation
is that it is seriously lacking in missing this kind of trash.
> do so? They claim to have the worst spammer organisations on their list.
> I've got a whole list of Ips from india and korea which are on no list
> but send spam regulary.
I have to agree. I don't dispute that Spamhaus traps a lot of spam. What
is of more technical interest is what they miss. Being suspicious by
nature, it looks to be a bit too much to be a coincidence on occasions.
> Should i care to investigate and maybe reject the the entire block? I'm
> pretty new on hunting down sources. All I know is the whois databse
> which is mostly useless for that purpose.
There is a nice quirk. Whois the IP. A bad example of the output;
whois 8.19.138.6
Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1)
8.0.0.0 - 8.255.255.255
The Solo Networks LVLT-SPIRE-4-8-19-136 (NET-8-19-136-0-1)
8.19.136.0 - 8.19.143.255
>From this I've blocked the lower line (Solo Networks) and my logs show
overnight attempts from 8.19.136->143 over 100 times a night. That would
be a serious amount of crap in an inbox in the morning.
>
> --
> Arvid
>
>
