Ever heard of being null-routed for being on SBL? - Page 2

Comments

  • VPSSoldiers said: I still don't see this being cause for null-routing an entire subnet.

    If this has been an ongoing issue, then this seems like a normal escalation. It wasn't just one IP. That Spamhaus listing shows 3 IPs so 5% of your IP space was affected.

    I don't know the whole story, so I am not taking sides. But from a DC perspective, these spam complaints cause no end of headaches, especially when you get whole blocks listed. Part of being a VPS provider is to actively monitor your server for abuse; it's going to happen, and it's going to happen regularly. So you need to find a way to detect excessive outbound SMTP and either block the IP or shut down the VM.

  • VPSSoldiers said: Please come up with some PERMANENT way to slap a lid on this garbage

    Well, mission accomplished for whoever wrote that.

  • And typically I do, within 5 mins of notification. But in this case I didn't even really get the chance. I'm not knocking Dacentec; my initial post was just wondering if this was a normal way to go about things. As the last DC I actively worked with was Liquid Web several years ago, I was curious if this was normal practice nowadays... I'm starting to think the only way to keep spam from happening is to require photo ID before opening ports, though I don't like limiting people in that way.

    I was also just corrected: I was on ZEN and XBL, but I caught that one before an abuse ticket was created. (I think that was the guy that was sending out all of those Chase emails (that Chase didn't care about).)

    Any-who, I think I will be making some changes to how someone gets port 25 opened, again. I appreciate all of you guys' help.

  • If my DC/Upstream starts to null my own IP range(s) I will go batshit insane and run them down. While minimally excusable for their own ranges sub-allocated/assigned to a customer, I see absolutely zero reason to ever touch my own space. Even more so if I run my own BGP with them. They can cancel the contract (within the written timeframe), sure, but not simply go around nulling shit - if this is in the contract I simply don't sign it (Atrato for example has such a clause).

    Today you have to be extra careful on such things; you never know who wants to fuck around with you (and with some contacts it is very simple to get a fake SBL up, as Spamhaus relies majorly on external "sources"). I'd rather be "safer" by using a "criminal" upstream than wake up and have a /24 filtered/ACLd/nulled due to a Spamhaus listing for 5% of it.

    Thanked by singsing, vimalware
  • Maounique (Host Rep, Veteran)

    I have seen this happen, but with due notice and warning.
    One incident a month ago about the same spammer might trigger some nerve twitching.
    It is a bit bizarre this was done for the customer's space, but not unheard of, no.

  • Ok, let me ask you guys another question, what do you see as being "due notice" for an incident like this, just out of curiosity?

  • Only ever been nulled once, and the DC had just gotten a call from the FBI that the guy was hosting child porn. Of course, that's not including ColoCrossing's trigger happy SMTP null routing and DDoS attacks.

  • @VPSSoldiers said:
    Ok, let me ask you guys another question, what do you see as being "due notice" for an incident like this, just out of curiosity?

    Null or drop outbound 25 on the offending IPs only + 24 hours notice to remove the spamming customer.

  • dacentec (Member, Host Rep)

    VPSSoldiers said: Ok, let me ask you guys another question, what do you see as being "due notice" for an incident like this, just out of curiosity?

    It depends on how many notices, the severity of the notices, account history.

    If a customer signed up for a server and large block of IPs and started getting SBLs right away we might terminate the entire account.

    Thanked by vpsGOD
  • Steven_F said: Only ever been nulled once, and the DC had just gotten a call from the FBI

    Now that actually sounds like a good reason for nulling without warning.

    Thanked by VPSSoldiers
  • Steven_F said: Only ever been nulled once, and the DC had just gotten a call from the FBI that the guy was hosting child porn. Of course, that's not including ColoCrossing's trigger happy SMTP null routing and DDoS attacks.

    In the US you don't have much choice on that. Though if the FBI calls (yes, I had this before, also the Secret Service and something called "National Cyber Security Division" which seems to be some Homeland Security thing) and has a nice story (or even proof), I still can't touch the servers; I simply cannot follow laws from other countries or I risk legal problems myself. They should go the usual way and call my local police (or a higher-up instance like the government or federal police) and send me a local court order (depending on the crime, for CP a mail or fax is enough, but I need that or I cannot open and verify the content without incriminating myself); then I will happily comply.

    Thanked by Ole_Juul
  • @singsing said:
    Now that actually sounds like a good reason for nulling without warning.

    It was (and is) a perfectly good reason, except the DC told me to go look at the content to verify. I was like, nope. No thank you, the FBI calling is proof enough.

    @William said:

    I was told to just terminate the client. They didn't ask for his info or anything, which I found a bit weird.

  • @VPSSoldiers said:
    (as I check blacklists every 2 hours)

    So you don't get much sleep do you?

  • Actually no, but I check it with a script which emails me what IPs are on what blacklists; manually checking would suck, lol.

    https://github.com/ConnorStr/blacklist_checker
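Since the post above mentions a script that reports which IPs sit on which blacklists, here is an added example of what such a check does underneath: a DNSBL lookup. This is not the blacklist_checker project linked above and does not reproduce its code. It reverses the octets, appends the zone, and interprets the returned 127.0.0.x A record using Spamhaus' published ZEN return codes. The `demo_resolver` answer table and the "timed out" failure are constructed so the script runs offline; a real run passes `resolve_a`. One detail worth copying: a lookup that fails (timeout, SERVFAIL, or a 127.255.255.x refusal from Spamhaus) is reported as unverifiable rather than silently counted as "clean", which is exactly how a nightly e-mail report quietly stops telling you anything.

```python
"""DNSBL lookup helper.

Added example of what a blacklist-checking script does under the hood; it is
not the blacklist_checker project linked above and does not copy its code.
The demo_resolver table is constructed so the script runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]

# Meaning of the A record returned by Spamhaus ZEN, the combined SBL/XBL/PBL
# zone (per Spamhaus' published return-code table). Other DNSBLs use their own.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Live resolver: one A lookup. NXDOMAIN means 'not listed'; any other
    failure (timeout, SERVFAIL) is raised so it is never mistaken for clean."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise


def check_ip(ip: str, zones: Iterable[str], resolver: Resolver = resolve_a) -> Dict[str, str]:
    """Return {zone: verdict} for every zone that lists `ip` or could not be queried."""
    verdicts: Dict[str, str] = {}
    for zone in zones:
        try:
            code = resolver(dnsbl_query_name(ip, zone))
        except OSError as exc:
            verdicts[zone] = f"lookup failed: {exc}"
            continue
        if code is None:
            continue                                   # not listed
        if code.startswith("127.255.255."):
            # Spamhaus answers in this range when the query itself was refused
            # (e.g. sent via a public resolver or over quota): not a listing.
            verdicts[zone] = f"query refused ({code})"
        elif zone == "zen.spamhaus.org":
            verdicts[zone] = ZEN_CODES.get(code, f"listed ({code})")
        else:
            verdicts[zone] = f"listed ({code})"
    return verdicts


def check_block(ips: Iterable[str], zones: Iterable[str], resolver: Resolver = resolve_a) -> Dict[str, Dict[str, str]]:
    """Report only the IPs that need attention: listed somewhere, or unverifiable."""
    zones = list(zones)
    report = {}
    for ip in ips:
        verdicts = check_ip(ip, zones, resolver)
        if verdicts:
            report[ip] = verdicts
    return report


# Constructed answers so the example runs offline; a real run uses resolve_a.
_DEMO_TABLE = {
    "13.196.98.172.zen.spamhaus.org": "127.0.0.2",   # SBL, like the listing in the thread
    "17.196.98.172.zen.spamhaus.org": "127.0.0.4",   # XBL (compromised host)
}


def demo_resolver(name: str) -> Optional[str]:
    """Stand-in for resolve_a: answers from _DEMO_TABLE, fails for spamcop."""
    if name.endswith(".bl.spamcop.net"):
        raise OSError("timed out")                    # simulate an unreachable DNSBL
    return _DEMO_TABLE.get(name)


if __name__ == "__main__":
    ips = ["172.98.196.13", "172.98.196.17", "172.98.196.19"]
    for ip, verdicts in check_block(ips, ["zen.spamhaus.org", "bl.spamcop.net"], demo_resolver).items():
        print(ip, verdicts)
```

Mailing the report is left out; the dictionary returned by `check_block` is what the e-mail body would be built from. Query DNSBLs from your own recursive resolver, not a public one, or Spamhaus answers with the 127.255.255.x refusal codes handled above.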

  • jar (Patron Provider, Top Host, Veteran)

    Part of growing, finding that sweet spot where people who want to abuse your services no longer feel welcome, while everyone else does.

    Here's something I made that you can copy:

    https://catalysthost.com/refund-request-form/

  • Steven_F said: They didn't ask for his info or anything, which I found a bit weird.

    That actually makes a lot of sense. The contact info you have on file in these cases is either complete baloney, or doesn't belong to the true perpetrator.

  • @Jar you actually have people ask for a refund? The people I have just chargeback...

  • So... can I get that refund then? I only sent 500,000 viagra emails to people who definitely subscribed to it.

    Thanked by jar
  • jar (Patron Provider, Top Host, Veteran)

    @VPSSoldiers said:
    Jar you actually have people ask for a refund? The people I have just chargeback...

    I dunno, I don't really handle that anymore; the only thing I do for Catalyst is manage shared hosting email under the roof of MXroute. But...I like to joke too ;)

  • dacentec (Member, Host Rep)

    VPSSoldiers said: I check it with a script which emails me what IPs are on what blacklists

    This usually isn't enough. As others have mentioned you need some blocking or active countermeasures.

  • Typically I do too; today has just been one of those days that nothing has gone right... BTW I'm still waiting for Spamhaus (who would have guessed) to de-list me or to tell me why they won't...

  • dacentec said: This usually isn't enough. As others have mentioned you need some blocking or active countermeasures.

    And I keep trying to find something that works halfway decent; right now all IPs have port 25 blocked whilst I figure out what I'm going to do later tonight.

  • Mun (Member)

    Do yourself a favor and limit port 25; if over a certain limit, block. Maybe @dacentec can help set up a switch/router level ACL.

  • StealthyHosting (Member, Host Rep)

    @VPSSoldiers said:
    Actually no, but I check it with a script which emails me what IPs are on what blacklists; manually checking would suck, lol.

    https://github.com/ConnorStr/blacklist_checker

    So you've seen and handled the Spamhaus, SpamCop, and multitude of SBL listings?

    From the IPs listed on the spamhaus listing:

    From [email protected] Mon Oct 12 12:04:58 2015
    Delivery-date: Mon, 12 Oct 2015 12:04:58 -0400
    Received: from [172.98.196.13] (helo=oxp6bv.mesego.review)
    by mail.victim.example with esmtp (Exim 4.63)
    (envelope-from XareltoClaimSupport@mesego.review)
    id 1Zlfas-0000Ao-Ah
    for [email protected]; Mon, 12 Oct 2015 12:04:58 -0400
    Received: from 01f8996f.oxp6bv.mesego.review (amavisd, port 6222)

    From [email protected] Mon Oct 12 13:09:06 2015
    Delivery-date: Mon, 12 Oct 2015 13:09:06 -0400
    Received: from [172.98.196.17] (helo=sd57mhy.cajixic.faith)
    by mail.victim.example with esmtp (Exim 4.63)
    (envelope-from J.G.Wentworth@cajixic.faith)
    id 1Zlgaw-00086E-Bd
    for [email protected]; Mon, 12 Oct 2015 13:09:06 -0400
    Received: from 02063b33.sd57mhy.cajixic.faith (amavisd, port 11223)

    From [email protected] Mon Oct 12 14:02:34 2015
    Delivery-date: Mon, 12 Oct 2015 14:02:34 -0400
    Received: from [172.98.196.19] (helo=jtznkyc.heduhe.review)
    by mail.victim.example with esmtp (Exim 4.63)
    (envelope-from LendingTreePartners@heduhe.review)
    id 1ZlhQg-0003A7-Ax
    for [email protected]; Mon, 12 Oct 2015 14:02:34 -0400
    Received: from 01f5f395.jtznkyc.heduhe.review (amavisd, port 11224)
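The headers quoted above are the evidence a provider actually has to work from, so here is an added example (not code from the post or from any provider in the thread) that parses them: the bracketed address in the victim MTA's Received line is the IP that really connected, the HELO is whatever the sender claimed, and the envelope-from gives the domain. The three samples embedded below are the Received/envelope lines quoted above; the redacted mbox "From" and "for" recipient lines are left out. The regexes assume Exim's header layout as shown there. Grouping by connecting IP makes the pattern in the post visible: one message per IP, each with its own freshly registered domain and a HELO under that domain, which is why a per-IP volume limit never fired.

```python
"""Triage of spam samples by connecting IP.

Added example, not code from the post or from any provider in the thread.
The three samples are the Received/envelope lines quoted above (the redacted
mbox "From" and "for" recipient lines are left out); regexes assume Exim's
header layout as shown there.
"""
import re
from collections import defaultdict
from email.utils import parsedate_to_datetime
from typing import Dict, List

SAMPLES = """\
Delivery-date: Mon, 12 Oct 2015 12:04:58 -0400
Received: from [172.98.196.13] (helo=oxp6bv.mesego.review)
by mail.victim.example with esmtp (Exim 4.63)
(envelope-from XareltoClaimSupport@mesego.review)
id 1Zlfas-0000Ao-Ah
Received: from 01f8996f.oxp6bv.mesego.review (amavisd, port 6222)

Delivery-date: Mon, 12 Oct 2015 13:09:06 -0400
Received: from [172.98.196.17] (helo=sd57mhy.cajixic.faith)
by mail.victim.example with esmtp (Exim 4.63)
(envelope-from J.G.Wentworth@cajixic.faith)
id 1Zlgaw-00086E-Bd
Received: from 02063b33.sd57mhy.cajixic.faith (amavisd, port 11223)

Delivery-date: Mon, 12 Oct 2015 14:02:34 -0400
Received: from [172.98.196.19] (helo=jtznkyc.heduhe.review)
by mail.victim.example with esmtp (Exim 4.63)
(envelope-from LendingTreePartners@heduhe.review)
id 1ZlhQg-0003A7-Ax
Received: from 01f5f395.jtznkyc.heduhe.review (amavisd, port 11224)
"""

# The Received line written by the victim's MTA for the TCP connection: the
# bracketed address is what actually connected; the HELO is the sender's claim.
CONNECT_RE = re.compile(r"^Received: from \[(?P<ip>\d+\.\d+\.\d+\.\d+)\] \(helo=(?P<helo>[^)\s]+)\)", re.M)
ENVFROM_RE = re.compile(r"\(envelope-from (?P<addr>[^)\s]+)\)")
DATE_RE = re.compile(r"^Delivery-date: (?P<date>.+)$", re.M)
QUEUE_ID_RE = re.compile(r"^id (?P<qid>\S+)$", re.M)


def parse_samples(text: str) -> List[dict]:
    """One record per blank-line-separated sample; samples missing a field are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        conn, env, date = CONNECT_RE.search(block), ENVFROM_RE.search(block), DATE_RE.search(block)
        if not (conn and env and date):
            continue
        qid = QUEUE_ID_RE.search(block)
        addr = env["addr"]
        records.append({
            "ip": conn["ip"],
            "helo": conn["helo"].lower(),
            "envelope_from": addr,
            "sender_domain": addr.rsplit("@", 1)[-1].lower(),
            "queue_id": qid["qid"] if qid else None,
            "delivered": parsedate_to_datetime(date["date"]),
        })
    return records


def per_source_summary(records: List[dict]) -> Dict[str, dict]:
    """Group by connecting IP: message count, sender domains, time span, and
    whether every HELO sits under its envelope domain (a host set up for
    exactly that domain, rather than a shared relay)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    return {
        ip: {
            "messages": len(rs),
            "sender_domains": sorted({r["sender_domain"] for r in rs}),
            "helo_under_sender_domain": all(r["helo"].endswith("." + r["sender_domain"]) for r in rs),
            "first": min(r["delivered"] for r in rs),
            "last": max(r["delivered"] for r in rs),
        }
        for ip, rs in by_ip.items()
    }


if __name__ == "__main__":
    for ip, s in per_source_summary(parse_samples(SAMPLES)).items():
        print(ip, s["messages"], "msg(s)", s["sender_domains"],
              "helo under sender domain:", s["helo_under_sender_domain"])
```

The queue id from the `id` line is kept in each record because that is the value to quote back to the receiving MTA's operator or to match against your own mail logs when confirming which VM the message left from.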

  • Steven_F said: I was told to just terminate the client. They didn't ask for his info or anything, which I found a bit weird.

    So if your DC asks you for customer data on an abuse report you cannot even independently verify you just give it to them? Under which legal obligation? You know giving it to them very likely violates US law, right?

    Another ISP to never use, list gets longer every week.

    dacentec said: This usually isn't enough. As others have mentioned you need some blocking or active countermeasures.

    Says the ISP that does no such thing on their own VPS.... you should eat your own soup before you complain.

    Thanked by doughmanes, k0nsl
  • They'll null the main IP of your server for a DMCA complaint. 1st complaint ever and similarly, they open the ticket and expect some kind of response within an hour or two. I responded within a reasonable 24 hours.

    Spamhaus is shaking down providers hard with their extortion scheme of mandating they use SMTP filtering, which they kindly refer you to, and this is clear proof of the Spamhaus mafia/extortion scheme.

  • @StealthyHosting You just pasted the same stuff that this whole thread is about, just trying to get your signature spam in?

  • Mun said: Do yourself a favor a limit port 25, if over a certain limit block. Maybe @dacentec can help setup a switch /router level acl.

    I had the port limited with iptables when this happened, and I tested it over and over again to verify it was working. But in this case it seems like something to do with the emails themselves not the amount of emails sent.
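The "detect excessive outbound SMTP and block or shut down the VM" advice earlier in the thread and Mun's "limit port 25, block over a certain limit" both come down to the same detection step. As an added example (not a tool from the thread or from any provider in it), here is that step in Python: it reads syslog lines produced by an iptables LOG rule on new outbound port-25 connections, keeps a sliding window per source IP, and flags a source the first time it exceeds the limit. The log lines, the hypervisor name "hv1" and the `OUT-SMTP:` log prefix are constructed; the 172.98.196.x sources are the addresses discussed above and the destinations are documentation ranges. The report also counts distinct destinations, which is what separates a legitimate list host from a VM spraying one message per recipient domain. The limitation the post above ran into is built into the sample: a source sending three messages an hour never trips a volume threshold, so a detector like this needs to be paired with complaint feeds and DNSBL checks rather than relied on alone.

```python
"""Outbound-SMTP burst detector over constructed iptables LOG lines.

Added example (not a tool from the thread). The log lines, hypervisor name
"hv1" and the OUT-SMTP log prefix are constructed; lines are assumed to be
in time order, as syslog writes them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Matches a line such as the one produced by
#   iptables -I FORWARD -p tcp --dport 25 --syn -j LOG --log-prefix "OUT-SMTP: "
# as seen through syslog. Only the timestamp, SRC and DST are needed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: OUT-SMTP: .*?"
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) .*?\bDPT=25\b"
)


def parse_line(line: str, year: int = 2015) -> Optional[Tuple[datetime, str, str]]:
    """Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"]


def find_bursts(lines, limit: int = 10, window: timedelta = timedelta(minutes=5),
                year: int = 2015) -> Dict[str, dict]:
    """Sliding window per source IP. A source is flagged the first time it has
    more than `limit` new SMTP connections inside any `window`; the report also
    carries the number of distinct destinations seen over the whole input."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    dsts: Dict[str, set] = defaultdict(set)
    flagged: Dict[str, dict] = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue                         # not an OUT-SMTP line
        ts, src, dst = parsed
        q = recent[src]
        q.append(ts)
        dsts[src].add(dst)
        while q and ts - q[0] > window:      # drop connections older than the window
            q.popleft()
        if len(q) > limit and src not in flagged:
            flagged[src] = {"count": len(q), "at": ts}
    for src, info in flagged.items():
        info["distinct_dsts"] = len(dsts[src])
    return flagged


def _log_line(ts: datetime, src: str, dst: str, spt: int) -> str:
    """Build one constructed syslog line in the format LINE_RE expects."""
    return (f"{ts:%b %d %H:%M:%S} hv1 kernel: OUT-SMTP: IN=vnet3 OUT=br0 "
            f"SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT=25 SYN")


_T0 = datetime(2015, 10, 12, 12, 0, 0)
# Constructed: one quiet VM (three connections in an hour, one destination)
# and one VM that opens 12 connections to 12 destinations in four minutes.
_EVENTS = [(_T0 + timedelta(minutes=20 * i), "172.98.196.17", "203.0.113.5", 40000 + i) for i in range(3)]
_EVENTS += [(_T0 + timedelta(seconds=20 * i), "172.98.196.13", f"198.51.100.{i + 1}", 50000 + i) for i in range(12)]
SAMPLE_LOG: List[str] = [_log_line(*e) for e in sorted(_EVENTS)]
SAMPLE_LOG.insert(1, "Oct 12 12:00:03 hv1 kernel: eth0: link up")   # unrelated kernel line


if __name__ == "__main__":
    for src, info in find_bursts(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} connections by {info['at']:%H:%M:%S}, "
              f"{info['distinct_dsts']} distinct destinations")
```

What to do with a flagged source (drop its port 25 in the firewall, pause the VM, open a ticket) is the provider's policy; the function only returns the evidence. Tune `limit` and `window` per customer class, since a VM that legitimately runs a mailing list will look like the burst host on volume but not on the ratio of messages to destinations.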

  • William said: So if your DC asks you for customer data on an abuse report you cannot even independently verify you just give it to them? Under which legal obligation? You know giving it to them very likely violates US law, right?

    Why would the DC even ask for the customer info; they're not paid for directing investigations on behalf of the FBI. From the sidelines here, I thought the poster was wondering why the FBI didn't ask for the customer info.

  • @William said:

    I meant the FBI didn't want it.
