Re: question about rr.com

From: Adam Jacob Muller (lists-postfixadam.gs)
Date: Fri Dec 29 2006 - 14:46:51 CST


On Dec 29, 2006, at 1:43 PM, Jim Knuth wrote:

> Today (29.12.2006, 19:30) Robert Schetterer wrote:
>
>> Michael Wang wrote:
>>> Leonardo Rodrigues Magalhães wrote:
>>>>
>>>> Hello Guys,
>>>>
>>>> Is it just me, or is everyone else receiving bunches of SPAM/virus
>>>> connections from rr.com dynamic IPs ???
>>>>
>>>> I have tracked my logs and couldn't find a single useful message
>>>> from rr.com for several months. I'm thinking of simply blacklisting
>>>> all IPs that have rr.com in the reverse name ....
>>>>
>>>> Has anyone experienced similar problems with rr.com? Has anyone
>>>> blacklisted the whole of rr.com?
>>>
>>> Of my incoming mail in the last week, 3.5% were from rr.com (394 in
>>> total) and all were rejected for various reasons (invalid recipient,
>>> greylisted by SQLgrey with no valid retries, etc.) so yeah all I'm
>>> getting from them at the moment is spam.
>>>
>>>
>> Hi all,
>> I blocked the whole dynamic rr.com net via iptables, and nobody has
>> missed anything for months.
>> Blocking mail with the firewall is not very gentle, but if the spam
>> connections rise to over 1000 per hour (which sometimes acts like a DoS
>> attack), I think this way of blocking is OK (for sure it's not RFC-like).
>> rr.com dynamic IPs are full of spam zombies, and their hostmaster
>> doesn't care; after all, their IPs are already in RBLs (which might be
>> the better way to block).
>> Also some other big providers in France, Turkey, Brazil and the USA are
>> heavily zombie-infected.
>> I have minimal spam from China and Korea; they seem to be better
>> than everybody thinks, but this may differ depending on the spammed
>> domain name.
>> Best Regards
>
>> --
>> This message was checked for viruses and other dangerous content
>> and is - assuming up-to-date virus scanners - clean.
>
>
> do you know the IP range of rr.com?
>
>
> --
> Kind regards,
> Jim Knuth
> jkjkart.de
> ICQ #277289867
> ----------
> Random quote
> ----------
> Arrogance is the caricature of pride. (Ernst von Feuchtersleben)
> ----------
> The text has nothing to do with the recipient of the mail
> ----------
> Virus free. Checked by NOD32 Version 1946 Build 8665 29.12.2006
>

This is a highly shifting target; if you want to block rr.com, don't
even consider attempting to do it by blocking individual address ranges.
Road Runner, like any cable ISP, controls millions if not tens of
millions of IPs, all separated into many diverse blocks.
Looking through BGP announcements, RR also uses many ASNs,
so if you're actually insane enough to try this, you're going to need to
first distill a list of "Road Runner ASNs", then look at BGP to pull
out (in some updating fashion) a list of IP ranges, preferably
aggregate that, then block based on that.

It's much easier to just block *.rr.com

Unless, of course, someone has done this already.

-Adam
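An added example (not code from the thread or from any poster) of the distill-aggregate-block steps Adam sketches: filter BGP announcements down to chosen origin ASNs, collapse the prefixes, and render a Postfix cidr_table for check_client_access. The ASNs and prefixes are constructed placeholders (private-use ASNs, RFC 5737 / RFC 3849 documentation ranges), not Road Runner's.

```python
"""Collapse the prefixes originated by chosen ASNs into a Postfix CIDR table.
Added example, not code from the thread; ASNs and prefixes are constructed
placeholders (private-use ASNs, RFC 5737 / RFC 3849 documentation ranges)."""
import ipaddress

# Constructed (origin ASN, announced prefix) pairs standing in for a BGP RIB dump.
ANNOUNCEMENTS = [
    (64500, "192.0.2.0/25"),
    (64500, "192.0.2.128/25"),   # adjacent to the /25 above: merges into a /24
    (64501, "198.51.100.0/24"),
    (64501, "198.51.100.0/26"),  # more-specific of the /24 above: redundant
    (64501, "2001:db8::/32"),
    (64502, "203.0.113.0/24"),   # unrelated ASN: must not end up in the table
]
TARGET_ASNS = {64500, 64501}  # placeholder for the distilled "ISP ASN" list


def prefixes_for_asns(announcements, asns):
    """Keep only prefixes whose origin ASN is in the target set."""
    return [ipaddress.ip_network(p) for asn, p in announcements if asn in asns]


def aggregate(networks):
    """Merge adjacent and overlapping prefixes into the minimal CIDR set.
    collapse_addresses() refuses mixed families, so collapse v4 and v6 apart."""
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(
            [n for n in networks if n.version == version]))
    return merged


def postfix_cidr_table(networks, action="REJECT blocked ISP range"):
    """Render cidr_table(5) lines for check_client_access cidr:/path/to/table."""
    return [f"{n.with_prefixlen} {action}" for n in networks]


def is_blocked(client_ip, networks):
    """Check a connecting client's address against the aggregated list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in networks)


if __name__ == "__main__":
    blocked = aggregate(prefixes_for_asns(ANNOUNCEMENTS, TARGET_ASNS))
    print("\n".join(postfix_cidr_table(blocked)))
```

Postfix reads cidr: tables directly with no postmap step; since the announcements shift, the table has to be regenerated from fresh BGP data on a schedule rather than maintained by hand.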