How to monitor any of my IP range being blacklisted?

Hi

Does anybody know how to monitor all the ranges, to see if they are blacklisted? Checking one by one is not a good idea as an ISP.

Anybody know a way to check a block of IP like /19 or something.

Thanks in advance!

--
Kind regards.
Lu

This transmission is intended solely for the addressee(s) shown above. It may contain information that is privileged, confidential or otherwise protected from disclosure. Any review, dissemination or use of this transmission or its contents by persons other than the intended addressee(s) is strictly prohibited. If you have received this transmission in error, please notify this office immediately and e-mail the original at the sender's address above by replying to this message and including the text of the transmission received.

On 02.05.2012 10:47, Lu Heng wrote:
> Anybody know a way to check a block of IP like /19 or something.

- You may mirror the RBL of interest. Lookups in your local copy should be fine.
- Or you ask the RBL provider for a notification. That may also cost money.
- Capture all packets, identify SMTP responses and check the result strings.

Andreas

--
Andreas Schulze
Internet Services | P252
DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Registration court Nürnberg, GenReg Nr.70
Executive board:
Prof. Dieter Kempf (Chairman)
Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman)
Dipl.-Kfm. Michael Leistenschneider
Dipl.-Kfm. Dr. Robert Mayr
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Chairman of the supervisory board: Reinhard Verholen

On May 2, 2012, at 11:05 AM, Andreas Schulze wrote:
> On 02.05.2012 10:47, Lu Heng wrote:
>> Anybody know a way to check a block of IP like /19 or something.
> - You may mirror the RBL of interest. Lookups in your local copy should be fine.
> - Or you ask the RBL provider for a notification. That may also cost money.
> - Capture all packets, identify SMTP responses and check the result strings.

- sign up for feedback loops with major email providers (http://blog.wordtothewise.com/isp-information/)
- use grepcidr for lookups in local DBs (http://www.pc-tools.net/unix/grepcidr/)
- read and act upon abuse@ emails ;)
- check with major RBLs for your outgoing SMTP servers being listed (nagios check_rbl plugin)

cheers,
Jernej
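
The local-mirror lookup suggested in the two replies above (mirror the RBL, then match it against your own prefixes, which is what grepcidr does on the command line), as an added example that is not part of the thread. It assumes the mirror is a text file in a DROP-style "prefix ; reference" layout; the sample entries, the `REF-` references and the 10.20.0.0/19 range are constructed.

```python
import ipaddress

# Constructed sample of a mirrored blocklist in a DROP-style text format
# ("prefix ; reference", a leading ';' marks a comment). All entries are made up.
SAMPLE_BLOCKLIST = """\
; constructed sample, not real listing data
10.20.8.0/22 ; REF-0001
10.20.40.0/24 ; REF-0002
10.20.31.77 ; REF-0003
10.20.0.0/16 ; REF-0004
192.0.2.0/24 ; REF-0005
not-an-address ; REF-0006
"""


def parse_blocklist(text):
    """Yield (network, reference) for every valid entry, skipping comments and junk."""
    for raw in text.splitlines():
        entry, _, ref = raw.partition(";")
        entry = entry.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates entries with host bits set; bare IPs become /32.
            yield ipaddress.ip_network(entry, strict=False), ref.strip()
        except ValueError:
            continue  # malformed line in the mirror: skip it, do not abort the run


def listed_in_ranges(own_prefixes, blocklist_text):
    """Return sorted (own_prefix, listed_network, reference, relation) tuples."""
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    hits = []
    for net, ref in parse_blocklist(blocklist_text):
        for mine in own:
            if net.version != mine.version or not net.overlaps(mine):
                continue
            # "inside": part of our range is listed; "covers": a wider listing contains it.
            relation = "inside" if net.subnet_of(mine) else "covers"
            hits.append((str(mine), str(net), ref, relation))
    return sorted(hits)


if __name__ == "__main__":
    for hit in listed_in_ranges(["10.20.0.0/19"], SAMPLE_BLOCKLIST):
        print(*hit)
```

Run from cron against each refreshed mirror, this reports both listings of parts of an allocation and wider listings that swallow it, which a per-address DNS query would not distinguish.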

Lu Heng wrote:
> Hi

Hi,

I guess you are also scanning incoming email already with an antispam software and that you are using the RBLs of interest already.

We realized that spammers usually also send spam to email addresses captured from Outlook address books on the spambotted PC, or relay through your mail servers, if they spambotted a PC of your own customer.

So: if there is one of your dial-in customers' PCs captured with a spambot, you will also receive spam from this PC to your other customers' email addresses, to the email address of the customer himself or your own mail servers.

So: check your own antispam results for your own IP address range. If your other customers receive spam from your own IPs, or your mail servers relay with an IP of your own IP range, and the score is very high, you can surely

- be sure that your IP will end up on other RBLs if you are not acting quickly enough, and try a multi-RBL list like http://multirbl.valli.org/ to check that IP and fix the RBLs that already list your IP
- inform your customer that his PC is captured and block outgoing SMTP for him (we simply change his dial-in password and log him out if some thresholds are reached ;o)

This surely only works if you have enough dial-in customers and enough other customer domains that are receiving mail, and works even better if your customers are using your own mail servers as outgoing mail servers (OK, this only works if the spambot does not have its own SMTP engine).

We automated this and do not have a lot of botted customers, but we find them and turn them off before the IPs end up on any other RBL.

I bet it also works great if a webspace or housing server is misused.

There are nice SpamAssassin modules that insert the AS of the sender IP into the header, so you can easily scan for this header field.

In SA there is also a mechanism called ALL_TRUSTED that inserts this flag if the user also identified via POP3 or SMTP-Auth. If you ever receive an email with a very high score and it is ALL_TRUSTED, you can also be sure that your own customer's PC is spambotted.

Surely you will not get any RBL listings because of webvertized URLs or the like ...

Kind regards, Frank

> Does anybody know how to monitor all the ranges, to see if they are blacklisted? Checking one by one is not a good idea as an ISP.
> Anybody know a way to check a block of IP like /19 or something.
> Thanks in advance!

--
MOTD: "have you enabled SSL on a website or mailbox today ?"
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
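
The check described in the message above (scan your own spam-filter results for high-scoring mail sent from your own address range, and treat a high score combined with ALL_TRUSTED as a compromised customer), as an added example that is not the poster's code. The key=value log format, the thresholds, the addresses and the function name are all assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed log lines in a hypothetical "key=value" format; real spam-filter
# logs differ, so adapt LINE_RE. Addresses, scores and rule lists are made up.
SAMPLE_LOG = """\
2012-05-02T10:01:07 relay=10.20.5.9 score=21.3 tests=BAYES_99,URIBL_BLACK
2012-05-02T10:01:09 relay=10.20.5.9 score=19.8 tests=BAYES_99
2012-05-02T10:01:15 relay=10.20.5.9 score=2.1 tests=HTML_MESSAGE
2012-05-02T10:02:40 relay=198.51.100.7 score=25.0 tests=BAYES_99
2012-05-02T10:03:02 relay=10.20.17.44 score=16.5 tests=ALL_TRUSTED,BAYES_99
2012-05-02T10:03:30 relay=10.20.5.9 score=22.0 tests=BAYES_99
2012-05-02T10:04:11 relay=10.20.30.1 score=0.4 tests=ALL_TRUSTED
garbage line without fields
"""

LINE_RE = re.compile(r"relay=(?P<ip>\S+) score=(?P<score>-?\d+(?:\.\d+)?) tests=(?P<tests>\S*)")


def suspect_customers(log_text, own_prefixes, min_score=15.0, min_hits=3):
    """Return {ip: reason} for senders inside own_prefixes with high-scoring mail."""
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    spam_hits = Counter()
    trusted = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        # Only mail that scored high AND came from our own address space counts.
        if float(m["score"]) < min_score or not any(ip in n for n in own):
            continue
        spam_hits[str(ip)] += 1
        if "ALL_TRUSTED" in m["tests"].split(","):
            trusted.add(str(ip))
    result = {}
    for ip, count in spam_hits.items():
        if ip in trusted:  # one authenticated high-scoring message is enough
            result[ip] = "high score with ALL_TRUSTED"
        elif count >= min_hits:
            result[ip] = f"{count} high-scoring messages"
    return result
```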

Dear Lu, all,

On 5/2/12 10:47 AM, Lu Heng wrote:
> Hi
> Does anybody know how to monitor all the ranges, to see if they are blacklisted? Checking one by one is not a good idea as an ISP.
> Anybody know a way to check a block of IP like /19 or something.

Yes, you can use the "blacklist" widget of RIPEstat: https://stat.ripe.net

It finds periods when parts of a prefix featured in one of several blacklists: so far, we are using data from Spamhaus DROP and UCE PROTECT.

Example (sorry, random IP range, it has to belong to someone...)
https://stat.ripe.net/212.15.240.0/24#blacklist

Please let me know if this serves your purpose, and any feedback that you have.

Regards,
Vesna

--
Vesna Manojlovic BECHA@ripe.net
Senior Community Builder +31205354444
for Measurements Tools
RIPE NCC http://ripe.net

Hi all,

I am new to this list, but have a - to me very important - question.

For a good number of years I have made a serious effort to report SPAM, in fact I have built and published a handy-dandy SPAM reporting tool for Windows - see my tag line.

Over the years I have consistently found that of all the databases RIPE is the one with by far the fewest entries with a proper e-mail address for reporting SPAM.

Can anyone give me some reasons for this and even more importantly what I can do or whom to address to get something done about it?

Arnold

--
Fight Spam - report it with wxSR
http://www.columbinehoney.net/wxSR.shtml

Arnold

I'd strongly recommend you read this WG's email archives for extensive discussion on this topic

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel/
Intl. +353 (0) 59 9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

________________________________________
From: anti-abuse-wg-bounces@ripe.net [anti-abuse-wg-bounces@ripe.net] on behalf of Arnold [wiegert@telus.net]
Sent: 07 May 2012 19:17
To: anti-abuse-wg@ripe.net
Subject: [anti-abuse-wg] no abuse e-mail address for so many of RIPE's entries

Hi all,

I am new to this list, but have a - to me very important - question.

For a good number of years I have made a serious effort to report SPAM, in fact I have built and published a handy-dandy SPAM reporting tool for Windows - see my tag line.

Over the years I have consistently found that of all the databases RIPE is the one with by far the fewest entries with a proper e-mail address for reporting SPAM.

Can anyone give me some reasons for this and even more importantly what I can do or whom to address to get something done about it?

Arnold

--
Fight Spam - report it with wxSR
http://www.columbinehoney.net/wxSR.shtml

On 07/05/2012 11:42 AM, Michele Neylon :: Blacknight wrote:
> Arnold
>
> I'd strongly recommend you read this WG's email archives for extensive discussion on this topic

Thank you, Michele, I will do so.

Before signing up, I looked for the archives, but what I found at the time seemed several years old, which led me to believe the list was very quiet - and possibly dormant. When I looked again after receiving your reply, I did find what looks like the current archive which shows the list to be quite active :-)

But, from the looks of things - at least the archive I did find http://www.ripe.net/ripe/mail/archives/anti-abuse-wg/ - I will have to download the archive to be able to search for the thread of interest.

Could you please point me to an approximate date - at least a year or month - where I should start looking?

TIA,
Arnold

> Regards
>
> Michele
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel/
> Intl. +353 (0) 59 9183072
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Fax. +353 (0) 1 4811 763
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
> ________________________________________
> From: anti-abuse-wg-bounces@ripe.net [anti-abuse-wg-bounces@ripe.net] on behalf of Arnold [wiegert@telus.net]
> Sent: 07 May 2012 19:17
> To: anti-abuse-wg@ripe.net
> Subject: [anti-abuse-wg] no abuse e-mail address for so many of RIPE's entries
>
> Hi all,
>
> I am new to this list, but have a - to me very important - question.
>
> For a good number of years I have made a serious effort to report SPAM, in fact I have built and published a handy-dandy SPAM reporting tool for Windows - see my tag line.
>
> Over the years I have consistently found that of all the databases RIPE is the one with by far the fewest entries with a proper e-mail address for reporting SPAM.
>
> Can anyone give me some reasons for this and even more importantly what I can do or whom to address to get something done about it?
>
> Arnold
> --
> Fight Spam - report it with wxSR http://www.columbinehoney.net/wxSR.shtml

--
Fight Spam - report it with wxSR
http://www.columbinehoney.net/wxSR.shtml

participants (7)
- Andreas Schulze
- Arnold
- Frank Gadegast
- Jernej Porenta
- Lu Heng
- Michele Neylon :: Blacknight
- Vesna Manojlovic