[Cialug] SPAM Class C

David Champion dchamp1337 at gmail.com
Wed Feb 26 19:33:59 UTC 2020


I did see something about that technique, sounds like a pain to combat on
your own.

I suspect some of the larger providers like gmail etc. have an
algorithm that can detect them and shut them down. Or maybe something like
a Barracuda mail filter appliance might catch them?

-dc


On Wed, Feb 26, 2020 at 1:29 PM kristau <kristau at gmail.com> wrote:

> Welcome to my life over the past month or so. These are not going to
> appear in the RBLs because they are hit-and-run attacks. As best I can
> tell, this is what they are doing:
> - Registering/hijacking an expired domain and setting up several
> sub-domains under it. Typically this domain will already have a "good"
> reputation with the RBLs and are established enough to get by the
> "this domain is too young" block lists as well.
> - Setting up several mail servers on a /24 or sometimes even a /16
> - Configuring those mail servers with valid DKIM/DMARC
> - Blasting SPAM until they get shut down by their hosting provider
> Much of that is likely scripted and probably enabled by tech like
> Docker containers.
>
> So far, the only strategy I've come up with is to:
> - Wait until I receive a message
> - Investigate the headers to find the source IP address
> - Block the /24 subnet of that IP on my firewall.
> Some messages get through, but if I catch it quickly enough, I do see
> the dropped packets of subsequent attempts logged on the firewall.
>
> On Wed, Feb 26, 2020 at 11:32 AM David Champion <dchamp1337 at gmail.com>
> wrote:
> >
> > See also: postfix reject_rbl_client
> >
> > -dc
> >
> >
> > On Wed, Feb 26, 2020 at 11:23 AM L. V. Lammert <lvl at omnitec.net> wrote:
> >
> > > ----- Message Text -----
> > > We have been seeing many (20+) crap domains sending SPAM from this Class
> > > C:
> > >
> > >         93.119.107.
> > >
> > > And starting today from a different one:
> > >
> > >         46.166.148.
> > >
> > > If anyone is managing a blacklist, suggest adding.
> > >
> > >         Lee
> > > _______________________________________________
> > > Cialug mailing list
> > > Cialug at cialug.org
> > > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
> > >
>
>
>
> --
> Tired programmer
> Coding late into the night
> The core dump follows
>
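The two steps kristau describes (pull the source IP out of the headers, then block its /24) as an added example, not code from anyone in the thread; the sample message, host names, and the nftables set name are constructed or assumed.

```python
import email
import ipaddress
import re

# Constructed sample, not a message from the thread: spam handed to our MX
# (mx.example.net, assumed) by a relay at a made-up address. Each hop prepends
# its own Received header, so the topmost one is the newest.
SAMPLE_RAW = b"""Received: from mx.example.net (localhost [127.0.0.1])
\tby mx.example.net (Postfix) with ESMTP id AAA111; Wed, 26 Feb 2020 12:00:00 -0600
Received: from mail3.sub.expired-domain.test (mail3.sub.expired-domain.test [203.0.113.57])
\tby mx.example.net (Postfix) with ESMTPS id BBB222; Wed, 26 Feb 2020 11:59:58 -0600
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby mail3.sub.expired-domain.test with ESMTP; Wed, 26 Feb 2020 11:59:50 -0600
From: promo@sub.expired-domain.test
To: lee@example.net
Subject: special offer

Buy now.
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Hops inside our own network never identify the outside sender.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def originating_ip(raw, trusted=()):
    """Walk Received headers newest-first and return the first 'from' IP that
    is neither an internal hop nor a relay we trust (an upstream filter, say).
    Every Received line below that hop was written by the sender's own servers
    and may be forged, so we stop at the first outside hop."""
    skip = INTERNAL + [ipaddress.ip_network(t) for t in trusted]
    for hdr in email.message_from_bytes(raw).get_all("Received", []):
        m = RECEIVED_IP.search(hdr)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in skip):
            return ip
    return None


def block_rule(ip, prefix=24):
    """Rule dropping the whole /24, as in the thread. Assumes an nftables set
    'spam_blocks' (type ipv4_addr, flags interval) in table 'inet filter';
    returned as a string so it can be reviewed before it is run."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return f"nft add element inet filter spam_blocks {{ {net} }}"
```

If the MX sits behind a trusted forwarder, pass its address range in `trusted` so the walk continues past it to the real outside hop.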

