
List:       freeradius-devel
Subject:    Re: Private email to me
From:       Dean Anderson <dean () av8 ! com>
Date:       2002-01-31 23:35:56

Well, SMTP attacks from a few thousand separate addresses are probably
pretty hard to arrange, unless you are looking at the relay addresses and
not the source addresses.

Finding a few thousand relays is pretty easy thanks to orbz, rss, etc.
Unless you block access to the relay abuse sites. That's also a wise thing
for companies and ISPs to do.  However, abusing a relay also leaves the
source IP address of the abuser.

Because of the number of different addresses, and the likelihood that it's
only one abuser, I suspect that the abuser was close by: check your ARP
cache for bogons which match the connect addresses.  Someone on the same
Ethernet can easily spoof an address, but doing so will leave some
evidence in the ARP cache.

With patience and logging, the abuser can eventually be found.

BTW, here is my list of abuser blocks:

		--Dean

!
! block orbs and imrss
!
access-list 104 deny ip 199.0.22.2 0.0.0.255 any
access-list 104 deny ip 202.36.148.5 0.0.0.255 any
access-list 104 deny ip 202.36.147.16 0.0.0.255 any
access-list 104 deny ip 194.178.232.55 0.0.0.255 any
access-list 104 deny ip 202.138.0.0 0.0.255.255 any
access-list 104 deny tcp 61.9.188.0 0.0.0.255 any
access-list 104 deny ip host 205.231.149.25 any
! orbl
access-list 104 deny ip 204.177.80.10 0.0.0.255 any log
access-list 104 deny ip 204.177.81.3 0.0.0.255 any log
access-list 104 deny ip 205.244.2.170 0.0.0.255 any log
access-list 104 deny ip 193.162.142.121 0.0.0.255 any log
access-list 104 deny ip 62.242.0.188 0.0.0.3 any log
! rss
access-list 104 deny tcp 204.152.184.74 0.0.0.255 any eq 25
!access-list 104 deny udp 204.152.184.0 0.0.0.255 any eq 53
! cyberverse (die.net)
access-list 104 deny ip 209.151.233.0 0.0.0.255 any
access-list 104 deny ip 64.208.8.0 0.0.0.255 any
! cyberabuse
access-list 104 deny ip 213.186.32.0 0.0.7.255 any log
access-list 104 deny ip 213.244.21.0 0.0.0.127 any log
access-list 104 deny ip any host 130.105.15.0 log
!
! gmx.net relay scanner
access-list 104 deny ip 213.165.64.100 0.0.0.0 any log

		--Dean

On Thu, 31 Jan 2002, Chad Miller wrote:

> On Thu, Jan 31, 2002 at 06:30:54PM +0000, Miquel van Smoorenburg wrote:
> > In article <E16WK4N-0006P5-00@giles.striker.ottawa.on.ca>,
> >  <aland@striker.ottawa.on.ca> wrote:
> > >  I do like Chad's idea the best, though.  Set the MX records to
> > >unqualified names, and watch the spammers identify themselves
> > >immediately.  If nothing else, it will make spam the problem of the
> > >local idiot ISP's, instead of *my* problem.
> >
> > Unfortunately, in DNS, there is no such thing as an unqualified
> > address.
>
> Yeah -- I tried mailing you personally after I realized it was illegal
> for a nameserver to give 'em out, but (you guessed it) the mail bounced.
>
> 						- chad
>
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
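Added example (my own, not Dean's or the FreeRADIUS project's): a small Python check for the ARP-cache test Dean describes above. It correlates the source addresses seen connecting to the SMTP listener with an `arp -a` style dump, and flags any connecting address that is outside the local subnet yet has an ARP entry on the local segment, i.e. a local machine answering for a foreign address. The hostnames, MACs and addresses are constructed (RFC 5737 documentation ranges), and the `arp -a` line format assumed is the Linux one.

```python
import ipaddress
import re

# Constructed sample: ARP cache in Linux "arp -a" style (not real data).
ARP_CACHE = """\
gw.example.net (192.0.2.1) at 00:11:22:33:44:01 [ether] on eth0
ws1.example.net (192.0.2.10) at 00:11:22:33:44:0a [ether] on eth0
? (203.0.113.77) at 00:11:22:33:44:0a [ether] on eth0
? (198.51.100.9) at 00:11:22:33:44:0a [ether] on eth0
? (192.0.2.20) at 00:11:22:33:44:14 [ether] on eth0
"""

# Constructed sample: source addresses logged by the SMTP listener.
SMTP_CONNECTS = ["203.0.113.77", "198.51.100.9", "192.0.2.20", "203.0.113.200"]

# Assumed local subnet of the Ethernet segment the mail server sits on.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return {ip: mac} for every resolved entry in an arp -a dump."""
    return {m.group("ip"): m.group("mac").lower() for m in ARP_RE.finditer(text)}


def find_spoofers(arp_text, connects, local_net):
    """Map each suspicious MAC to the foreign IPs it answered ARP for
    ("spoofed") and the legitimate local IPs it also holds ("local").

    A connecting address with no ARP entry came in through the router and is
    ignored; a connecting address inside local_net is an ordinary neighbour.
    """
    arp = parse_arp(arp_text)
    report = {}
    for ip in connects:
        mac = arp.get(ip)
        if mac is None or ipaddress.ip_address(ip) in local_net:
            continue
        report.setdefault(mac, {"spoofed": [], "local": []})["spoofed"].append(ip)
    for mac, entry in report.items():
        # Which real host on the segment owns this MAC? That is the box to visit.
        entry["local"] = sorted(a for a, m in arp.items()
                                if m == mac and ipaddress.ip_address(a) in local_net)
    return report


if __name__ == "__main__":
    for mac, entry in find_spoofers(ARP_CACHE, SMTP_CONNECTS, LOCAL_NET).items():
        print(f"{mac}: local {entry['local']} also answered for {entry['spoofed']}")
```

The same check works on a switch's MAC table if you substitute the port for the MAC; the point is that a spoofed source address still has to come from a real interface on the segment.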