Blocking a netblock because why not

There is an ip address or block which, when i grep-ed** the mail log and wc -l*'d the result, counted 11000 lines of fail.  Email might be hard, but that level of failure deserves a more detailed examination.

Eventually i did a whois lookup on the thing – found it is in Romania and saw this.

remarks: *** Abuse Reports to : abuse@e2servers.com
remarks: *** This IP block is used for web hosting, ***
remarks: *** dedicated and co-located servers. In ***
remarks: *** case of spam, please only deal with ***
remarks: *** originator IP only. ***
remarks: *** DO NOT DEAL WITH THE WHOLE IP BLOCK ***
remarks: ************************************************

Not knowing whether i would be playing whack-a-mole with a secondary mx or more, i decided to mallet the whole block (my block); after all, 11000 things say they are shit at this.

I enjoy funny whois messages; this one from iran (my blog) is fun, and i guess our new chums at e2servers.com will not be able to help their client until our servers get a reboot, whenever that is.

I did not contact them as clearly it's more fun if we don't.

So if you're a client of theirs you know why things don't work.

*nothing to do with a toilet – joke ** not a hollywood rape method

rpz updates in the real world

So after this i discovered that the updates were not huge, so i waited a day and counted; my diff syntax left much to be desired.

$ wc -l domains.txt domains.old ips.txt ips.old
15269 domains.txt
15125 domains.old
1903 ips.txt
2010 ips.old

Cleaning up except the house

So dns went up, and the ip side of things went down – it seems isps do clean up bad ips, but not those with dns.

Another day in rpz mode

wc -l domains.rpz domains.rpz.0
30193 domains.rpz.0
31027 domains.rpz

So not a lot of movement, -166 in a day; rpz.0 is the older file and the rpz file is the freshest.

Since the zoo does not pay for rpz access you still need a virus scanner on email, since some names and ips are a bit too fresh.   But saying that, the rpz will drop traffic from internal clients, so if you have to deal with shit microsoft clients you're generally a lot safer.

I log rpz activity and only i have triggered them so far, so for the zoo it's probably unnecessary, being a non-microsoft shop, since ms software is a security threat (my blog).

Updates will be made to the rpzs but not often; after all, if your domain or ips are listed then you probably deserve some quarantine period.

Spamhaus's drop lists do not really change

wc -l drop.txt drop.txt.0 edrop.txt edrop.txt.0
800 drop.txt
801 drop.txt.0
56 edrop.txt
56 edrop.txt.0

The comm utility's output is hard to gauge; although the line counts remain the same, it would appear i have to sort the files first to get meaningful changes out of it.
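The rpz counts above (domains.old against domains.txt, domains.rpz.0 against domains.rpz) and the drop list counts here are the same job: find what was added and what was removed between two versions of a list. The following is an added example, not the blog's own script; comm only works on sorted input, so it sorts copies of both files first and then reports additions and removals separately, which wc -l cannot do when the same number of entries came and went. The file names and the entries in make_samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the blog: compare two versions of a blocklist
# (domains.old vs domains.txt, domains.rpz.0 vs domains.rpz, drop.txt.0 vs
# drop.txt) with comm. comm requires sorted input, which is why running it
# on the raw lists is hard to gauge, and wc -l hides churn when the same
# number of entries was added and removed.

# make_samples: write a constructed, deliberately unsorted old/new pair into
# a temp dir and print the dir name
make_samples() {
  d=$(mktemp -d)
  cat > "$d/old.lst" <<'EOF'
bad2.example
bad1.example
192.0.2.0/24
bad3.example
EOF
  cat > "$d/new.lst" <<'EOF'
bad4.example
bad1.example
192.0.2.0/24
bad5.example
bad3.example
EOF
  echo "$d"
}

# list_diff old new: print "+entry" for additions and "-entry" for removals
list_diff() {
  old_sorted=$(mktemp)
  new_sorted=$(mktemp)
  LC_ALL=C sort -u "$1" > "$old_sorted"   # same collation for sort and comm
  LC_ALL=C sort -u "$2" > "$new_sorted"
  LC_ALL=C comm -13 "$old_sorted" "$new_sorted" | sed 's/^/+/'   # only in new
  LC_ALL=C comm -23 "$old_sorted" "$new_sorted" | sed 's/^/-/'   # only in old
  rm -f "$old_sorted" "$new_sorted"
}

# count_added / count_removed old new: just the numbers, for a daily report
count_added()   { list_diff "$1" "$2" | grep -c '^+'; }
count_removed() { list_diff "$1" "$2" | grep -c '^-'; }

# usage: d=$(make_samples); list_diff "$d/old.lst" "$d/new.lst"
```

With the sample pair, list_diff prints +bad4.example, +bad5.example and -bad2.example, so a line count that barely moves can still mean a few hundred entries rotated in and out; the sorted copies are thrown away so the original files stay in whatever order the feed delivered them.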

hostwindsdns.com suppliers to script kiddies

hostwinds.com are registered in Seattle, america, so let's extend a warm hello to peter@hostwinds.com. I am wary as to who they are; i appear to just get script kiddies testing things here, say.

smtpd[24268]: warning: Connection rate limit exceeded: 23 from hwsrv-218079.hostwindsdns.com[23.254.161.184] for service smtp

It is not the first time i have noticed them, and they come in bulk, and so i have blocked them, as if you inform them nothing happens – so if you're using them to send stuff to the zoo i suggest you get a better provider.
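Repeat offenders like the one in the smtpd line above are easier to judge when the warnings are tallied rather than eyeballed. Here is an added example, not something from the blog, that pulls the client ip out of each postfix "Connection rate limit exceeded" warning and counts hits per ip and per /24, which is the same question the first post answered with grep and wc -l for a whole netblock. The log lines in make_sample_log are constructed to match the format quoted above, with addresses from documentation ranges rather than any real host.

```shell
#!/bin/sh
# Added example, not from the blog: tally postfix "Connection rate limit
# exceeded" warnings per client ip and per /24, so a repeat offender (or a
# whole netblock, as in the first post above) stands out before deciding
# what to block. The log format follows the smtpd line quoted above; the
# addresses are constructed from documentation ranges.

# make_sample_log: write a constructed mail.log snippet and print its path
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Jan 10 06:00:01 mx postfix/smtpd[24268]: warning: Connection rate limit exceeded: 23 from hwsrv-1.example.net[198.51.100.10] for service smtp
Jan 10 06:00:09 mx postfix/smtpd[24268]: warning: Connection rate limit exceeded: 25 from hwsrv-1.example.net[198.51.100.10] for service smtp
Jan 10 06:01:10 mx postfix/smtpd[24270]: warning: Connection rate limit exceeded: 31 from hwsrv-2.example.net[198.51.100.77] for service smtp
Jan 10 06:02:00 mx postfix/smtpd[24271]: connect from unknown[203.0.113.5]
Jan 10 06:02:03 mx postfix/smtpd[24271]: warning: Connection rate limit exceeded: 40 from unknown[203.0.113.5] for service smtp
EOF
  echo "$f"
}

# rate_limit_offenders maillog: "hits ip" per client, most frequent first
rate_limit_offenders() {
  grep 'warning: Connection rate limit exceeded' "$1" \
    | sed -n 's/.* from [^[]*\[\([0-9.]*\)\] for service smtp.*/\1/p' \
    | LC_ALL=C sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# rate_limit_by_block maillog: the same tally rolled up to /24 networks
rate_limit_by_block() {
  rate_limit_offenders "$1" \
    | awk '{ sub(/\.[0-9]+$/, ".0/24", $2); n[$2] += $1 }
           END { for (b in n) print n[b], b }' \
    | sort -rn
}

# top_offender maillog: the single busiest client ip
top_offender() { rate_limit_offenders "$1" | head -n 1 | awk '{print $2}'; }

# hits_for_block prefix maillog: total warnings from one /24, e.g. 198.51.100
hits_for_block() {
  rate_limit_by_block "$2" \
    | awk -v b="$1.0/24" '$2 == b {print $1; f=1} END {if (!f) print 0}'
}

# usage: f=$(make_sample_log); rate_limit_offenders "$f"; rate_limit_by_block "$f"
```

The per-/24 view is the one that tells you whether you are looking at one noisy host or a provider handing out the same behaviour across a block; on the sample log the 198.51.100.0/24 network accounts for three of the four warnings even though no single ip in it exceeds two.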

If you're looking for an extremely scammy isp, hostwinds.com seems a good mafia-owned one.

If the zoo needs its security testing then you too might end up with your own blog entry.

upsetting the indian from the ‘phone company’

kkaran bahree my number one go to indian outsourcing crook

I get a call from zoo reception here in the monkey house  – somebody wants to talk about something ‘technical’.  I wonder what i will be told is broken – Weee…

me: hello

indian guru: (my blog) are you x

me: no i am bananas

indian guru: I’m from the technical bit of the phone company and have detected a problem with your router

me: we don't have internet** just a phone line

indian guru: how do you connect your ipad?

me: we don't have an ipad – is that a notepad with the letter i written on a pad of paper?

indian guru: click

Problem solved, apparently. We do not have either an ipad (my blog) or apple products, or a pad of paper* with the letter i written on it, and things are fine.

Another problem ‘fixed’.  I deserve a new title or another banana – suggest one in the comments.  Feel free to ask us questions – satisfaction guaranteed.

*i guess you need 26 pads of paper to write a note, or perhaps at least a noun pad and a consonant pad – joke ** the zoo has internet, not me.

the return of the webform bot

The zoo has a web form bot lookup from years and years ago; to be honest i was not sure it was working, since it did not see any action until it caught some web bots trying to send us messages of no value, which a script reports to me daily.

Not sure if they got past our captcha either.

It has been a while, but i am glad i did not dump that feature, even with the settings we had.

even more Microsoft viruses from india

Kkaran Bahree

The zoo does get viruses from people sending bad microsoft [microshit] products, and recently most of them have come from india, so come and meet

BANNED (.asc,CCE28122017_009107.vbs) [103.236.153.42]:52331 [103.236.153.42] <Maria@capitaltradesmarketinggroup.com> -> <x@>, quarantine: J/banned-Jfl4doEQpwiO, Queue-ID:x, Message-ID: <5137A521-D766-34F2-F5DC-56E9EF9701AE@capitaltradesmarketinggroup.com>

whois

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '103.236.152.0 - 103.236.155.255'

% Abuse contact for '103.236.152.0 - 103.236.155.255' is 'mastermind@qcpl.in'

inetnum: 103.236.152.0 - 103.236.155.255
netname: MASTERMIND
descr: MASTER MIND INFOCOM
admin-c: AN486-AP
tech-c: SA823-AP
country: IN
mnt-by: MAINT-IN-IRINN
mnt-irt: IRT-MASTERMIND-IN
mnt-routes: MAINT-IN-MASTERMIND
status: ASSIGNED PORTABLE
last-modified: 2015-08-26T06:43:16Z
source: APNIC

irt: IRT-MASTERMIND-IN
address: SHOP NO 242, 2ND FLOOR,SARDAR COMPLEX,KADODARA,Surat,Gujarat-394327
e-mail: mastermind@qcpl.in
abuse-mailbox: mastermind@qcpl.in
admin-c: AN486-AP
tech-c: SA823-AP
auth: # Filtered
mnt-by: MAINT-IN-MASTERMIND
last-modified: 2015-08-26T06:41:04Z
source: APNIC

Now i have also read that the world has got wise to Indian it ‘experts’, be they technical support fraudsters or the disingenuous seo and website developers who make you give them an a+ rating before you ever see the thing you are supposed to be rating.

I am amused that these it professionals use hotmail, or whatever the Microsoft free internet email name is these days, to send these requests to do ‘business’.   The zoo has its own mail server.

Had the zoo’s rules not been triggered, then no doubt some scammer from india would be thinking about ringing us up to fix the computers he/she intentionally tried to break – something to look forward to.

The poster boy for indian it is no doubt Kkaran Bahree, who was caught selling your bank details some years ago.

blocklist.de revisited

that shit hacker from the core

In this post (my blog) i set up automated reporting, and it works well. Despite the zoo warning ssh probers, they still visit.

Postfix 3 (my blog) means postfix itself rate-limits a lot of bad email servers and isps, and so ssh attempts are the majority of reports sent. I suppose the idea works, as most sites appear once or twice and then never reappear, but it depends on whether the isp is receptive to such reports, so you are still going to see a lot of china attempting to steal our public domain banana smoothie recipe.

blocklist’s reports are not particularly good, but since i get a copy as well i have no gripes about not getting those, and tools do exist to do it yourself [grep and wc].

I assume most attempts are windows bots or the odd typo by a real user, although i am sure a non-caring isp that allows complete subnets to abuse could be malice.

Since this data becomes available to all and usable in multiple formats you might be benefiting from my reporting and not know it.

Overall it seems to do good rather than bad.

Is spamcop tracked by spammers via reporting addresses?

lets poison the gin

The zoo reports spam to spamcop, though not much, since a lot is prefiltered and automatically deleted.  However i do wonder if spamcop is tracked by spammers. I say this as i have new spam definitions and when i report the small number of spam to the addresses on spamcop.

I do think much of spamcop is genuine, and spamcop is worth supporting, be it with our submissions or in other ways, but maybe reporting spam to spammers is still not a good idea.

It's not a horrid problem for us, but some abuse spamcop.  I guess they want reports if they do spam us again, and i am happy to oblige – after all, the more the merrier.

blocklist.de in debian stretch

scumbag spammer Robert Soloway

Bananas likes to collect data for blocking, be it dmarc rejects or even lists of bad ranges, so i decided to collect the data that spammers and probers generated without my help and pass it on – it seems only fair to share it with a wider audience.

The attempt was a bit botched and confusing, with api keys and email.  I also wanted reports, and so i had an hour of woe and really odd error messages; i even had to adjust postfix to let it send email out rather than just be a local affair on our internal instance.

citizen may the children’s entertainer

The site needed config details, and once you have ‘servers’ set up things kind of make more sense.  The client software is horrible, and they suggest reconfiguring it their way rather than adapting what i know works.  That probably did not help, but it is good to know how it works rather than have it working and consider it magical or religious with ‘faith’.

In the end i gave up with .local config files, made backups and put the revised files where the debian os put them – it probably makes nightmares for me down the road**, but it sent mail.

tube recycle those 1’s and 0’s

Api keys are confusing, as there are two: each ‘server’ has a unique key*, and a user has a key (five digits), of which only one exists; that user key is the api key the config files appear to want rather than the per-server one. In this regard i am just a submitter of data.

The action for blocklist_de i did not use, but I kept my existing email report; whether that sends via an http(s) api rather than email was something i never quite got figured out, although the log file had some interesting stuff in it for a change.

Email reporting appears to work for me as well as the blocklist one, and once i provided postfix with a gateway setting [not needed until now] mail was routed rather than remaining undelivered.   Oddly, most of the ssh attempts we usually get appear to have dried up; after all, it's good to tell the probers how their data will be shared.

It appears setup – time will tell if it makes a difference.

*remember the zoo has four domains ** time for dpkg.dist files


.win tld

scumbag spammer Robert Soloway

Bananas was reading the mail logs one morning when a .win domain caught our attention for being deemed spam. I was sure it was, but knowing where it was, i unzipped it and read it in the console.

.win is for

There is a vast array of global online gaming opportunities to suit all tastes. The new .WIN generic Top Level Domain (TLD) contains online gaming resources

No, i did not know that either.

But the email was spamming life insurance and was more html than text.

The moral was that the .win tld is very deserving of its spam rating.