[TheForge] off-topic: request
Terry L. Ridder
[email protected]
Tue Jun 25 12:17:00 2002
hello;
i have received many suggestions concerning my
request and have written up the below explanation.
<begin explanation>
the dns blackholes are not working. plus they
are heavy hits on dns servers and bandwidth.
currently, in monitoring just two t1s, 15 to 20
percent of the traffic is spammers, crackers,
viruses, porn peddlers, and other lower life-forms.
( trash )
the 'we' is three isps in the northern illinois
and southern wisconsin area and myself. the customers
of the isps want the isp to filter out the trash.
i want it gone since 23 percent of my wireless t1
is trash.
what we are building up is a database of spammers,
crackers, virus, porn peddlers, etc. from this
database, firewall and router access lists will be
generated.
primary target linux:
ipchains and iproute2
iptables and iproute2
secondary target:
cisco pix firewall
cisco routers
currently the database is being built using tcpdump log
files and iptables statistics.
i started by monitoring entire ip address blocks for
countries like korea, china, thailand, indonesia, russia.
once i had the statistics of what ip address blocks were
attempting to send spam, i broke those ip address blocks
out into smaller ip address blocks.
example:
211.160.0.0/16 covers all ip addresses from
211.160.0.0 through 211.160.255.255
211.160.0.0/17 covers all ip addresses from
211.160.0.0 through 211.160.127.255
211.160.128.0/17 covers all ip addresses from
211.160.128.0 through 211.160.255.255
once i have narrowed down the ip address block,
those ip addresses end up in the database.
so instead of blocking all of korea just block
the korean ip address blocks which are sending
the spam.
iptables statistics and tcpdump log files are
processed each day to update the database. this
is to remove the ip addresses which are no longer
being used for trash and add new ones.
using the database, e-mail messages are generated
to the isps who are assigned the blocked ip address
blocks explaining why they are being blocked. each
e-mail message contains the tcpdump log files and
iptables statistics for their ip address blocks.
the goal is to block the spammers, crackers, virus,
porn peddlers before they ever get into the network
and also to prevent them from routing through the
network. basically, isolate them from portions of
the internet.
e-mail spam with full e-mail headers makes the task
of narrowing down ip address blocks faster. we are
also using 'spam traps' to find the spammers.
'spam traps' are valid e-mail addresses embedded in
a web page which the normal web surfer would never see.
spammers which scan web pages for e-mail addresses would
however see them. they send e-mail to the address and
the valid e-mail does not belong to a real end-user but
rather is just forwarded to a program which processes the
spam, and their ip address ends up in the database.
the database currently contains nearly 10,000 entries.
<end explanation>
On Tue, 25 Jun 2002, [email protected] wrote:
In a message dated 6/23/02 7:40:36 PM Eastern Daylight Time,
[email protected] writes:
terrylr>
terrylr> we are trying to put together a reasonable database of
terrylr> who the spammers, crackers, and other lower life-forms
terrylr> are.
terrylr>
bill>
bill> Try these guys:
bill>
bill> http://www.spamhaus.org/
bill>
bill>
bill> Bill Alleman
bill>
--
Terry L. Ridder ><>
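An added illustration of the block-narrowing step described in the post (example code written for this page, not Terry's tooling): it counts source addresses in constructed tcpdump-style lines, splits a /16 into halves and keeps only the halves that still carry hits, down to a /24, then emits iptables DROP rules. The hit threshold, the /24 floor and the log lines are my own assumptions.

```python
import ipaddress
from collections import Counter

# Constructed tcpdump-style lines (SYNs to a mail server); not real traffic.
SAMPLE_LOG = """\
12:01:03.120000 211.160.17.5.4321 > 10.0.0.2.25: S 1:1(0) win 512
12:01:04.220000 211.160.17.9.4322 > 10.0.0.2.25: S 1:1(0) win 512
12:01:05.330000 211.160.17.77.4323 > 10.0.0.2.25: S 1:1(0) win 512
12:02:01.010000 211.160.200.3.1025 > 10.0.0.2.25: S 1:1(0) win 512
12:02:02.050000 211.160.200.8.1026 > 10.0.0.2.25: S 1:1(0) win 512
12:03:00.000000 192.0.2.44.5555 > 10.0.0.2.80: S 1:1(0) win 512
"""

def parse_sources(log):
    """Count source IPs: the token before '>' is 'addr.port', so drop the port."""
    hits = Counter()
    for line in log.splitlines():
        parts = line.split()
        if ">" not in parts:
            continue
        src = parts[parts.index(">") - 1].rsplit(".", 1)[0]
        hits[ipaddress.ip_address(src)] += 1
    return hits

def narrow(block, hits, min_hits=2, max_prefix=24):
    """Recursively halve `block`, keeping halves with >= min_hits, down to /max_prefix."""
    count = sum(n for ip, n in hits.items() if ip in block)
    if count < min_hits:
        return []                      # quiet half: drop it, block less
    if block.prefixlen >= max_prefix:
        return [block]                 # floor reached: this is the block to list
    out = []
    for half in block.subnets(prefixlen_diff=1):
        out.extend(narrow(half, hits, min_hits, max_prefix))
    return out

def blocked_prefixes(log, start_block, min_hits=2, max_prefix=24):
    """Narrow a monitored block (e.g. a /16) to the sub-blocks actually sending trash."""
    hits = parse_sources(log)
    blocks = narrow(ipaddress.ip_network(start_block), hits, min_hits, max_prefix)
    return [str(b) for b in blocks]

def iptables_rules(prefixes, chain="INPUT"):
    """Render the narrowed blocks as iptables DROP rules (assumed chain name)."""
    return [f"iptables -A {chain} -s {p} -j DROP" for p in prefixes]

if __name__ == "__main__":
    for rule in iptables_rules(blocked_prefixes(SAMPLE_LOG, "211.160.0.0/16")):
        print(rule)
```

The single hit from 192.0.2.44 stays below the threshold, so nothing outside the two busy /24s is blocked.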