[PLUG] Dealing with smtp abuse from a whole entire subnet of DSL and Cable customers...

Darkhorse plug_0 at robinson-west.com
Sat Apr 10 11:36:02 UTC 2004


I have an inordinate number of improperly set up mail sources from
evidently DSL and Cable customers.  These people are probably virused.
It seems that registered sites only send .01% of the garbage I get.

I've been blocking a lot of ip addresses of the form 69.10.92.xxx
where xxx is seemingly almost every number between 1 and 254. 
These are not properly registered sites.  I'm almost tempted to 
write a program that looks up every possible address in that 
69.10.92 subnet, blocking combinations that either don't resolve
or that haven't been in the maillog within the past 72 hours as
errors.  One concern is that even if these addresses are 
infected machines today, I might not want to block them
indefinitely.

Maybe it's best to use jabber to establish initial contact and
then explicitly list valid source email addresses.  I don't know
that NT/200x/XP users would like that though or even be able to 
install a chat program.

I've noticed that computers at Providence hospital aren't set
up correctly.  They are not masquerading correctly as I have 
gotten mail from an address that must be internal to
their network.  If I start blocking every address that
doesn't forward-resolve, I'm looking at potentially blocking
a lot of legit sites.  I don't want my server logs flooding
with "this user doesn't exist" from every ip in a single subnet,
nor do I want to lose all my bandwidth to 200+ hosts 
trying to send me the same garbage.  If nothing else, 
the logging is cutting my performance.  What I guess I
should do is come up with a dynamic subnet blocking system.

My Internet speed has gone up significantly blocking over 100 
ip addresses in the 69.10.92.xxx network.  It looks like I was 
getting hit with denial of service.  All I can think is that 
it costs so much for my server to even ignore connection 
attempts where I'm getting a whole subnet, looks like a 
Class C one, hitting me. 

I'm using a dns ignorant database and trying to apply address 
tests; what I'm finding is that probably none of this addresses 
denial of service.  The best is not having an ip 
conversation with certain abusive hosts.

     --  Michael C. Robinson
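One way to build the "dynamic subnet blocking system" the post asks for, as an added example that is not the poster's code: reject lines from the mail log are counted per source IP inside a sliding 72-hour window, an IP over threshold gets a DROP rule that expires 72 hours after its last offence (so an infected host that gets cleaned is not blocked indefinitely), and when enough offending hosts share one /24 the per-host entries collapse into a single subnet rule. Hosts that have a reverse DNS name need many more rejects before they are blocked, which is a crude guard against cutting off a misconfigured but legitimate site. Everything below is assumed for illustration: the Postfix-style reject line format (the original server may run a different MTA), the thresholds, the chain name, and the use of iptables' comment match to record the expiry; the log lines are constructed, not taken from the post.

```python
"""
Dynamic SMTP blocklist built from reject lines in a mail log.

Added example, not code from the original post. Log format, thresholds
and output format are assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix-style smtpd reject line (assumed format). A client with no
# reverse DNS shows up as "unknown[1.2.3.4]"; otherwise "name[1.2.3.4]".
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[\d.]+)\]: 550 "
)

NOW = datetime(2004, 4, 10, 11, 36, 0)  # the post's date, used as "now" below


def parse_reject(line, year):
    """Return (timestamp, ip, has_rdns) for a reject line, else None.
    Syslog lines carry no year, so the caller supplies it."""
    m = REJECT_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, ipaddress.ip_address(m["ip"]), m["host"] != "unknown"


def build_blocklist(lines, now, window=timedelta(hours=72),
                    ip_threshold=3, rdns_threshold=10, subnet_threshold=20):
    """Return {network: expiry}. Only rejects inside `window` count, so an
    entry ages out once the host stops misbehaving. Hosts with a reverse
    name need `rdns_threshold` rejects instead of `ip_threshold`. If at least
    `subnet_threshold` blocked hosts share a /24, one /24 entry replaces them."""
    cutoff = now - window
    counts, latest, named = defaultdict(int), {}, set()
    for line in lines:
        rec = parse_reject(line, now.year)
        if rec is None:
            continue
        ts, ip, has_rdns = rec
        if ts < cutoff or ts > now:          # outside the window: ignore
            continue
        counts[ip] += 1
        latest[ip] = max(latest.get(ip, ts), ts)
        if has_rdns:
            named.add(ip)

    blocked = {}                             # ip -> expiry
    for ip, n in counts.items():
        if n >= (rdns_threshold if ip in named else ip_threshold):
            blocked[ip] = latest[ip] + window

    by_net = defaultdict(list)
    for ip in blocked:
        by_net[ipaddress.ip_network(ip).supernet(new_prefix=24)].append(ip)

    result = {}
    for net, members in by_net.items():
        if len(members) >= subnet_threshold:
            result[net] = max(blocked[m] for m in members)   # whole /24
        else:
            for m in members:
                result[ipaddress.ip_network(m)] = blocked[m]  # single /32
    return result


def iptables_rules(blocklist, chain="SMTP_BLOCK"):
    """Render one DROP rule per entry (no SMTP conversation at all), with the
    expiry recorded via the iptables comment match so a cron job can prune."""
    rules = []
    for net in sorted(blocklist, key=lambda n: (n.network_address, n.prefixlen)):
        exp = blocklist[net].strftime("%Y-%m-%dT%H:%M")
        rules.append(f"iptables -A {chain} -s {net} -p tcp --dport 25 -j DROP "
                     f"-m comment --comment \"expires={exp}\"")
    return rules


def _reject_line(ts, host, ip):
    """Constructed Postfix-style reject line (format assumed)."""
    return (f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} mx postfix/smtpd[4711]: NOQUEUE: reject: "
            f"RCPT from {host}[{ip}]: 550 5.1.1 <nobody@example.org>: Recipient address "
            f"rejected: User unknown in local recipient table; from=<spam@example.com>")


def sample_log():
    """Constructed log: 25 unnamed hosts in 69.10.92.0/24 hammering us, one
    host abusive five days ago and quiet since, one named host with a few
    bounces, one unnamed host just over the per-IP threshold, plus noise."""
    lines = []
    for h in range(1, 26):
        for k in range(3):
            lines.append(_reject_line(NOW - timedelta(minutes=60 - h - k), "unknown", f"69.10.92.{h}"))
    for k in range(5):
        lines.append(_reject_line(NOW - timedelta(days=5, minutes=k), "unknown", "192.0.2.50"))
    for k in range(3):
        lines.append(_reject_line(NOW - timedelta(minutes=10 + k), "mail.example.net", "198.51.100.7"))
    for k in range(4):
        lines.append(_reject_line(NOW - timedelta(minutes=20 + k), "unknown", "203.0.113.9"))
    lines.append("Apr 10 11:00:00 mx postfix/smtpd[4711]: connect from unknown[203.0.113.9]")
    return lines


if __name__ == "__main__":
    for rule in iptables_rules(build_blocklist(sample_log(), NOW)):
        print(rule)
```

Run on the constructed log at the post's date, this yields two rules: one for 69.10.92.0/24 (25 hosts over threshold collapsed into the subnet) and one for 203.0.113.9/32; the five-day-old offender and the named host with only three bounces are left alone. Rerun three days later with the same log, the list is empty, which is the aging-out the post says it wants. DROP rather than REJECT is deliberate: the point is to have no IP conversation with the abusive hosts at all.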
