Spam from an IP range...

Guy Story KC5GOI kc5goi at gmail.com
Sun Feb 22 20:11:43 GMT 2009


On Sun, Feb 22, 2009 at 3:06 AM, Jason Ede <J.Ede at birchenallhowden.co.uk> wrote:

>  Over the last few days I've noticed we're getting a lot of spam from the
> IP range 209.152.178.0/24
>
> Normally with subjects such as Win Free Laser Eye Surgery - Optical Express
>
> For example...
>
> X-Greylist: delayed 00:20:01 by SQLgrey-1.7.5
> Received: from permforce.com (248.permforce.com [209.152.178.248])
>      by gateway.birchenallhowden.com (Postfix) with ESMTP id 981F71D707EA
>      for <XXXX at XXXXXXXXX>; Sun, 22 Feb 2009 08:44:03 +0000 (GMT)
> Received: by permforce.com id hk48560ikece for < XXXX at XXXXXXXXX >; Sun, 22
> Feb 2009 08:24:00 +0000 (envelope-from <wonderful at permforce.com>)
> Date: 22 Feb 2009 08:24:00 GMT
> Message-Id: <11F9D156843.9Dk4F71C at permforce.com>
> From: Vision Repair<wonderful at permforce.com>
> To: XXXX at XXXXXXXXX
> Subject: Win Free Laser Eye Surgery - Optical Express
> Mime-Version: 1.0
> Content-Type: text/html; charset="ISO-8859-1"
>
> They're coming from different addresses in that range and different domains
> such as unaskedtool.com unaskeddrive.com. The emails are all getting nuked
> by spamassassin and sanesecurity defs so far.
>
> Does anyone else know much about this range and if could just safely block
> the entire /24 range?
>

John, I use a table in Postfix to block ranges, but the same thing can be
done in MailScanner.  Blocking by IP address range is a major player in my
UCE control.  Worst case, you may have to whitelist a specific address in
that range.  I use my spam.blacklist.rule to do this.  In the past I had the
spam rules deal with this in MailScanner.  If you approve an IP address in
that range, make sure it is at the top of the list and the ones you want to
block at the bottom.  You can do it by CIDR notation or regex entries.  I
have both.  As far as how safe that specific range is, that is up to you.  A
whois lookup shows that block belongs to a /19 for a hosting company.

My reason for Postfix doing it first is if I deny the connection, then
Postfix and MailScanner have less to process.  What my IP address table does
not address, MailScanner does.

Guy
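The ordering point in the reply above (a permitted host must sit above the range that blocks it) is easy to get wrong and hard to notice, because Postfix simply stops at the first matching entry of a cidr: table. The block below is an added example, not part of the original message or of Postfix or MailScanner: it reimplements the first-match-wins lookup of a Postfix cidr_table(5) in Python so a client access table can be checked offline, and it flags entries that an earlier, broader entry shadows. The sample table is constructed for this example; the whitelisted host 209.152.178.10 is an assumption used only to illustrate the ordering, while the /24 is the range from the quoted headers.

```python
"""Simulate Postfix cidr_table(5) lookups for a client-IP access table.

Postfix walks a cidr: table in file order and acts on the first matching
entry, so a permit for a single host must appear above the REJECT for the
range containing it.  A table like this would be wired into Postfix with
    smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_access
(cidr: tables are read directly; no postmap step is needed).
"""
import ipaddress

# Constructed sample in cidr_table format (not the original poster's table).
# 209.152.178.10 is a hypothetical whitelisted host; the /24 is the range
# reported in the thread.
SAMPLE_TABLE = """\
# permit first: the first matching entry wins
209.152.178.10/32   OK
# then reject the whole range seen in the spam headers
209.152.178.0/24    REJECT Spam source, see postmaster
"""

# Same entries with the order reversed: the permit can never match.
WRONG_ORDER_TABLE = """\
209.152.178.0/24    REJECT Spam source, see postmaster
209.152.178.10/32   OK
"""


def parse_cidr_table(text):
    """Return a list of (network, action) pairs in file order.

    Comments and blank lines are skipped.  A bare address without a prefix
    length is treated as a single host, as Postfix does.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed cidr table entry: {line!r}")
        pattern, action = parts
        entries.append((ipaddress.ip_network(pattern, strict=False), action))
    return entries


def lookup(entries, client_ip):
    """Return the action of the first entry containing client_ip, or None.

    None mirrors a cidr: miss in Postfix: the client falls through to the
    remaining smtpd restrictions instead of being decided here.
    """
    addr = ipaddress.ip_address(client_ip)
    for network, action in entries:
        if addr.version == network.version and addr in network:
            return action
    return None


def shadowed_entries(text):
    """List networks that can never match because an earlier entry covers them.

    This is the check to run on a hand-maintained table: a whitelist /32
    placed below the /24 that blocks it shows up here.
    """
    entries = parse_cidr_table(text)
    shadowed = []
    for i, (net, _) in enumerate(entries):
        for earlier, _ in entries[:i]:
            if earlier.version == net.version and net.subnet_of(earlier):
                shadowed.append(str(net))
                break
    return shadowed


if __name__ == "__main__":
    good = parse_cidr_table(SAMPLE_TABLE)
    # The host from the quoted Received: header is rejected ...
    print("209.152.178.248 ->", lookup(good, "209.152.178.248"))
    # ... while the whitelisted host above it is still accepted.
    print("209.152.178.10  ->", lookup(good, "209.152.178.10"))
    print("shadowed in wrong-order table:", shadowed_entries(WRONG_ORDER_TABLE))
```

Run `shadowed_entries` over the real table after every edit; an empty list means no permit has been buried under a broader reject.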

