[Cialug] SPAM Class C

kristau kristau at gmail.com
Wed Feb 26 19:27:54 UTC 2020


Welcome to my life over the past month or so. These are not going to
appear in the RBLs because they are hit-and-run attacks. As best I can
tell, this is what they are doing:
- Registering/hijacking an expired domain and setting up several
sub-domains under it. Typically this domain will already have a "good"
reputation with the RBLs and is established enough to get by the
"this domain is too young" block lists as well.
- Setting up several mail servers on a /24 or sometimes even a /16
- Configuring those mail servers with valid DKIM/DMARC
- Blasting SPAM until they get shut down by their hosting provider
Much of that is likely scripted and probably enabled by tech like
Docker containers.

So far, the only strategy I've come up with is to:
- Wait until I receive a message
- Investigate the headers to find the source IP address
- Block the /24 subnet of that IP on my firewall.
Some messages get through, but if I catch it quickly enough, I do see
the dropped packets of subsequent attempts logged on the firewall.

On Wed, Feb 26, 2020 at 11:32 AM David Champion <dchamp1337 at gmail.com> wrote:
>
> See also: postfix reject_rbl_client
>
> -dc
>
>
> On Wed, Feb 26, 2020 at 11:23 AM L. V. Lammert <lvl at omnitec.net> wrote:
>
> > ----- Message Text -----
> > We have been seeing many (20+) crap domains sending SPAM from this Class
> > C:
> >
> >         93.119.107.
> >
> > And starting today from a different one:
> >
> >         46.166.148.
> >
> > If anyone is managing a blacklist, suggest adding.
> >
> >         Lee
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
> >



-- 
Tired programmer
Coding late into the night
The core dump follows
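
The header-investigation step described in the message above, as an added example that is not part of the original post: it takes the source address only from Received headers stamped by the receiving server itself, because every header below that point is written by the sender and can be forged. The host name `mx.example.net`, the list of internal ranges, and the sample message are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

MY_MX = "mx.example.net"  # assumption: the name your own MTA writes after "by"
# Hops that never identify the sender (loopback content filters, internal relays).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # "[a.b.c.d]" as logged by the MTA

def source_network(raw_message, my_mx=MY_MX, prefix=24):
    """Return the IPv4 network of the host that connected to my_mx, or None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Each MTA prepends its Received header, so the list runs newest first.
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())  # undo header folding
        by = BY_RE.search(text)
        if by is None or by.group(1).lower() != my_mx.lower():
            break  # written by another host: this and all lower headers are sender-controlled
        for candidate in IP_RE.findall(text[:by.start()]):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # bracketed text that is not a valid IPv4 address
            if not any(ip in net for net in INTERNAL):
                return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return None

# Constructed sample: documentation-range addresses, hypothetical host names.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby mx.example.net (Postfix) with ESMTP id 4A1B2C3D
\tfor <user@example.net>; Wed, 26 Feb 2020 12:00:02 -0600 (CST)
Received: from mail3.promo.example (unknown [203.0.113.57])
\tby mx.example.net (Postfix) with ESMTP id 1F2E3D4C
\tfor <user@example.net>; Wed, 26 Feb 2020 12:00:01 -0600 (CST)
Received: from bank.example (bank.example [198.51.100.9])
\tby mail3.promo.example with ESMTP; Wed, 26 Feb 2020 12:00:00 -0600
From: Offers <news@promo.example>
To: user@example.net
Subject: constructed test message

body
"""

if __name__ == "__main__":
    print(source_network(SAMPLE))  # network to hand to the firewall
```

The returned network is what would be added to the firewall's block list; a `None` result means no header from the receiving server named an external IPv4 client, so nothing should be blocked on the strength of that message.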

