<br><br><div class="gmail_quote">On Sun, Feb 22, 2009 at 3:06 AM, Jason Ede <span dir="ltr"><<a href="mailto:J.Ede@birchenallhowden.co.uk">J.Ede@birchenallhowden.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-GB">
<div>
<p>Over the last few days I've noticed we're
getting a lot of spam from the IP range <a href="http://209.152.178.0/24" target="_blank">209.152.178.0/24</a></p>
<p> </p>
<p>Normally with subjects such as Win Free Laser Eye Surgery -
Optical Express</p>
<p> </p>
<p>For example...</p>
<p> </p>
<p>X-Greylist: delayed 00:20:01 by SQLgrey-1.7.5<br>
Received: from <a href="http://permforce.com" target="_blank">permforce.com</a> (<a href="http://248.permforce.com" target="_blank">248.permforce.com</a> [209.152.178.248])<br>
by <a href="http://gateway.birchenallhowden.com" target="_blank">gateway.birchenallhowden.com</a> (Postfix) with ESMTP id
981F71D707EA<br>
for <XXXX@XXXXXXXXX>; Sun, 22 Feb 2009 08:44:03 +0000
(GMT)<br>
Received: by <a href="http://permforce.com" target="_blank">permforce.com</a> id hk48560ikece for < XXXX@XXXXXXXXX >; Sun,
22 Feb 2009 08:24:00 +0000 (envelope-from <<a href="mailto:wonderful@permforce.com" target="_blank">wonderful@permforce.com</a>>)<br>
Date: 22 Feb 2009 08:24:00 GMT<br>
Message-Id: <<a href="mailto:11F9D156843.9Dk4F71C@permforce.com" target="_blank">11F9D156843.9Dk4F71C@permforce.com</a>><br>
From: Vision Repair<<a href="mailto:wonderful@permforce.com" target="_blank">wonderful@permforce.com</a>><br>
To: XXXX@XXXXXXXXX<br>
Subject: Win Free Laser Eye Surgery - Optical Express<br>
Mime-Version: 1.0<br>
Content-Type: text/html; charset="ISO-8859-1"</p>
<p> </p>
<p> </p>
<p>They're coming from different addresses in that range
and different domains such as <a href="http://unaskedtool.com" target="_blank">unaskedtool.com</a> <a href="http://unaskeddrive.com" target="_blank">unaskeddrive.com</a>. The emails are
all getting nuked by spamassassin and sanesecurity defs so far.</p>
<p> </p>
<p>Does anyone else know much about this range and if I could
just safely block the entire /24 range?</p></div></div><br>
<br></blockquote></div><br>John, I use a table in Postfix to block ranges but the same thing can be done in MailScanner. Blocking by IP address range is a major player in my UCE control. Worst case you may have to whitelist a specific address in that range. I use my spam.blacklist.rule to do this. In the past I had the spam rules deal with this in MailScanner. If you approve an IP address in that range, make sure it is at the top of the list and the ones you want to block at the bottom. You can do it by CIDR notation or regex entries. I have both. As far as how safe that specific range is, that is up to you. A whois lookup shows that block belongs to a /19 for a hosting company.<br>
<br>My reason for Postfix doing it first is if I deny the connection, then Postfix and MailScanner have less to process. What my IP address table does not address, MailScanner does.<br clear="all"><br>Guy<br>
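<p>Added example, not part of the thread and not anyone's production table: a small Python model of a first-match CIDR access table (the lookup order Postfix uses for <code>cidr:</code> tables), showing why an approved address has to be listed above the range that contains it. The /24 is the range from the thread; the approved host 209.152.178.10 and the function names are assumptions made for illustration.</p>

```python
import ipaddress

# Constructed sample tables in "network  action" form (OK / REJECT are
# Postfix access actions). The /32 exception is a hypothetical approved host.
ALLOW_FIRST = """\
# approved address listed above the range that contains it
209.152.178.10/32   OK
209.152.178.0/24    REJECT
"""
BLOCK_FIRST = """\
# same entries, wrong order
209.152.178.0/24    REJECT
209.152.178.10/32   OK
"""

def parse_table(text):
    """Parse lines into an ordered list of (network, action)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, action = line.split(None, 1)
        # strict=True rejects entries with host bits set, e.g. 209.152.178.5/24
        rules.append((ipaddress.ip_network(net, strict=True), action.strip()))
    return rules

def lookup(rules, client_ip):
    """Return the action of the first matching rule, or None if nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None  # no match: the MTA goes on to its next check

def shadowed(rules):
    """List rules that can never fire because an earlier network covers them."""
    found = []
    for i, (net, action) in enumerate(rules):
        for earlier, earlier_action in rules[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                found.append((str(net), action, str(earlier), earlier_action))
                break
    return found

if __name__ == "__main__":
    for name, text in (("allow first", ALLOW_FIRST), ("block first", BLOCK_FIRST)):
        rules = parse_table(text)
        print(name, lookup(rules, "209.152.178.10"), shadowed(rules))
```

<p>Running <code>shadowed()</code> over a table before reloading it catches an exception entry that has drifted below its covering range.</p>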