New on LowEndTalk? Please Register and read our Community Rules.
Comments
I can add a wildcard at *.bl.mxrbl.com so it can replicate the intent of mxtoolbox.
Do you know what null routing does?
Do you know what cutting power to the server does?
Tell me what a responsible host should do and why null routing and cutting power is insufficient?
For testing I'd generally expect 2.0.0.127.bl.mxrbl.com to respond, like Spamhaus:
Name: 2.0.0.127.dbl.spamhaus.org
Address: 127.0.1.255
I test all day in production but here’s one you can try:
root@pdns1:~# rbladd 1.3.3.7
Apr 01 18:25:08 [bindbackend] Parsing 0 domain(s), will report when done
Apr 01 18:25:08 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
Current records for 7.3.3.1.bl.mxrbl.com IN A will be replaced
New rrset: 7.3.3.1.bl.mxrbl.com. 600 IN A 127.0.0.2
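The rbladd output above shows the DNSBL convention at work: the octets of 1.3.3.7 are reversed into 7.3.3.1.bl.mxrbl.com and answered with 127.0.0.2. The following is an added example, not code from the thread or from mxrbl.com, that builds such query names and checks a zone the way a mail admin would verify their own IPs; bl.example.test and the stub answers are constructed, and the sanity rule (127.0.0.2 listed, 127.0.0.1 not) is the RFC 5782 convention.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBL answers live in this range


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone appended.
    1.3.3.7 in bl.mxrbl.com becomes 7.3.3.1.bl.mxrbl.com, as in the rbladd output."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def _system_resolver(name):
    """Default resolver: an A lookup via the OS; None means NXDOMAIN/no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(ip, zone, resolve=_system_resolver):
    """Return the A record the zone answers for ip, or None when not listed.
    `resolve` is injectable so the check can run against a stub (used in tests)."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in LOOPBACK:
        # A public address here means a hijacking/wildcarding resolver, not a listing
        raise ValueError(f"unexpected non-loopback answer {answer} from {zone}")
    return answer


def zone_is_sane(zone, resolve=_system_resolver):
    """A healthy DNSBL lists the test address 127.0.0.2 and does NOT list 127.0.0.1.
    A zone that answers for everything (e.g. a catch-all wildcard) fails this test."""
    return (check_listing("127.0.0.2", zone, resolve) is not None
            and check_listing("127.0.0.1", zone, resolve) is None)
```

Run zone_is_sane("bl.mxrbl.com") before trusting a listing or delisting result; a zone that flags 127.0.0.1 would also flag every address you ask about.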
LET and pastes never work for me.
As far as I know, UCEPROTECT is run by one person who uses a fake name online (Claus von Wolfhausen), and he's ridiculously sexist:
http://www.uceprotect.org/cart00neys/2021-001.html
It's a garbage blacklist that's just used to extort people. Unfortunately Microsoft do appear to use them.
Care to share a few listings here? Especially those "fake" ones.
Sure.
FYI, our ASN is AS133398. You can look us up. Our entire ASN is on their Level 3 list.
http://www.uceprotect.net/en/asn-details.php?asn=133398&accesskey=2263e2d610b47f33380cd614ef8daebb
Here you can see 8 IPs listed. All the IPs with multiple impacts have been null routed and server shut down. You can see the latest impacts were today and yesterday. And yet all the IPs with multiple impacts were disabled over a week ago. It is simply IMPOSSIBLE for the reports to be genuine.
Even if they were genuine, the listing affects our entire ASN. We have almost 9,000 IPs under our network, and all are affected because of an alleged 8 IPs sending out spam. And it's not even true. But even if it were true, that's a case rate of less than 0.1%.
Bloody ridiculous.
I will not play their games. I will not pay them for express delisting.
Took a quick look at your ASN. 185.36.81.0/24 is marked as still growing in reports. And it seems the ASN had hundreds of listings from a few different subnets. Uncontrolled Level 1 brought you to Level 3. Too slow to react to spam. This means a properly unsupervised network.
You can't delist with express while your reports are still growing. Monitor your network activities.
Fake reports can't be remedied.
Good bit of brute force from those recently:
Just from a quick run of:
Runs against the DA servers.
Yeah I’m gonna have to say looking at the ASN that’s the /24 that they report as still growing, and I have brute force attacks from it today. From an IP that I can presently ping (185.36.81.21).
Then from the others:
45.125.65.63 brute force on 3/28 and 3/29
91.224.92.142 - 1 today
91.224.92.155 - A few on 3/29 and 3/30
91.224.92.140 - A bunch on 3/30
So I guess these are actually all accounted for in the last 2-3 days. All SMTP brute force, which means that if they are successful elsewhere, they're sending spam. The randomized EHLO statements are familiar; this is a common botnet.
So @LTniger was right, and despite my dislike for them I had no reason to rant against them in this thread.
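The evidence in the post above is a pattern in the mail server's authentication failures: repeated SMTP AUTH failures from one source IP with a different, random-looking EHLO name on each attempt. The block below is an added example, not code from the thread, that triages such failures from Exim-style "authenticator failed" log lines (the format DirectAdmin's Exim writes); the sample lines, EHLO names and user names are constructed, and the 0.75 diversity threshold is an assumption to tune locally.

```python
import re
from collections import defaultdict

# Constructed Exim "authenticator failed" lines: one source cycling random EHLO names,
# one ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2021-03-30 09:12:01 login authenticator failed for (qkx7a) [185.36.81.21]: 535 Incorrect authentication data (set_id=info@example.com)
2021-03-30 09:12:03 login authenticator failed for (pz91m) [185.36.81.21]: 535 Incorrect authentication data (set_id=sales@example.com)
2021-03-30 09:12:06 login authenticator failed for (wv3ee) [185.36.81.21]: 535 Incorrect authentication data (set_id=admin@example.com)
2021-03-30 09:12:09 login authenticator failed for (ht02q) [185.36.81.21]: 535 Incorrect authentication data (set_id=info@example.com)
2021-03-30 11:40:17 login authenticator failed for (laptop-home) [203.0.113.5]: 535 Incorrect authentication data (set_id=bob@example.com)
"""

# date, time, authenticator name, EHLO name in (), client IP in [], attempted user in set_id=
AUTH_FAIL = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ \S+ authenticator failed for \((?P<ehlo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\].*?\(set_id=(?P<user>[^)]*)\)"
)


def summarise_auth_failures(log_text):
    """Group failed SMTP AUTH attempts by source IP, keeping the distinct EHLO names,
    user names tried and days seen."""
    per_ip = defaultdict(lambda: {"attempts": 0, "ehlos": set(), "users": set(), "days": set()})
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue  # unrelated log line
        rec = per_ip[m["ip"]]
        rec["attempts"] += 1
        rec["ehlos"].add(m["ehlo"])
        rec["users"].add(m["user"])
        rec["days"].add(m["day"])
    return per_ip


def suspicious_sources(log_text, min_attempts=3, ehlo_diversity=0.75):
    """Flag IPs with repeated failures whose EHLO name changes on almost every attempt:
    the randomised-EHLO signature the thread attributes to a botnet. A single human
    typo (one attempt, stable EHLO) never crosses min_attempts."""
    flagged = {}
    for ip, rec in summarise_auth_failures(log_text).items():
        if rec["attempts"] < min_attempts:
            continue
        ratio = len(rec["ehlos"]) / rec["attempts"]
        flagged[ip] = {
            "attempts": rec["attempts"],
            "distinct_ehlo": len(rec["ehlos"]),
            "randomised_ehlo": ratio >= ehlo_diversity,
            "users_tried": sorted(rec["users"]),
            "days": sorted(rec["days"]),
        }
    return flagged
```

Feed it the real exim mainlog and cross-check flagged IPs against the DNSBL reports before deciding which null routes are actually doing their job.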
I don't usually null route or shut down servers with a single report. Interesting though that 45.125.65.63 shows up. This was null routed over a week ago now, and the server was shut down a few days ago.
Can you still send out spam from an IP if only inbound traffic is being blocked?
I cannot understand how spam could be getting through with a null route in place.
It's a handful of IPs. Not sure that's really worthy of blacklisting an ASN with >8K IPs. All null routed now anyway.
Yeah. I don't know how this botnet works, but I assume every action isn't commanded externally; it's probably given the code to run independently and triggered to start running by an external command.
UDP technically doesn't need a return path, but how do you do a brute force, or do any kind of smart exploit when you have no return packets? So DDoS, sure, it works. But brute force? I can't figure that out.
We dropped any IP-related stuff here completely and go only for text patterns and heuristics on attachments. Sure, it is more effort at the start than simply asking an RBL, and you need enough email income to adapt, but the benefit of a lot fewer false positives, plus being able to deliver from everywhere, is big.
I have no problem if Spamhaus, UCE and all the others would disappear forever; their idea worked in the 2000s, now they are completely useless.
I think his point is the host was already compromised and the C&C sends spoofed packets to the compromised hosts to hide its location.
Some of those IP addresses are also listed in AbuseIPDB. 185.36.81.98 has been reported 479 times to AbuseIPDB and the most recent report was 3 hours ago. You might have to check if hosts at those IPs were compromised before you remove the null routes.