Afghanistan internet favourites

So another .af address (my blog) had a quick chat with the email server.

smtpd[*]: connect from unknown[117.55.207.29]
policyd-spf[*]: None; identity=helo; client-ip=117.55.207.29; helo=[117.55.207.4]; envelope-from=mfd@thezoo; receiver=user@thezoo
policyd-spf[*]: Fail; identity=mailfrom; client-ip=117.55.207.29; helo=[117.55.207.4]; envelope-from=mfd@thezoo; receiver=user@thezoo
smtpd[*]: NOQUEUE: reject: RCPT from unknown[117.55.207.29]: 554 5.7.1 Service unavailable; Client host [117.55.207.29] blocked using xbl.spamhaus.org; https://www.spamhaus.org/query/ip/117.55.207.29; from=<MFD@thezoo> to=<user@thezoo> proto=ESMTP helo=<[117.55.207.4]>
smtpd[*]: disconnect from unknown[117.55.207.29]

the man who became a pig

So let's say a big hello to

address: Neda Telecommunications 13, Esmat Muslim Street,Shar-e-Naw Kabul, Afghanistan
e-mail: abuse@neda.af

Oddly, they're pretending to be the zoo (the envelope sender is one of our own addresses, and SPF fails) – probably not pork product spam then.

The paradox of cavemen selling art

I wrote a geoip script (my blog); with a bit of messing about with the various log formats it works with many output logs, since they all differ to a certain extent, and so I ran it against our email server.

So I got curious and wondered what Afghanistan was sending.

smtpd[*]: connect from unknown[103.224.215.18]
policyd-spf[*]: Neutral; identity=mailfrom; client-ip=103.224.215.18; helo=[103.224.215.18]; envelope-from=*@billwatsonfineart.com; receiver=thezoo
smtpd[*]: NOQUEUE: reject: RCPT from unknown[103.224.215.18]: 554 5.7.1 Service unavailable; Client host [103.224.215.18] blocked using xbl.spamhaus.org; https://www.spamhaus.org/query/ip/103.224.215.18; from=<*@billwatsonfineart.com> to=<thezoo> proto=ESMTP helo=<[103.224.215.18]>
smtpd[*]: disconnect from unknown[103.224.215.18]

No idea, but Afghanistan selling art sounds wrong based on this (my blog). I am sure the domain owner would not be welcome in Kabul.

 103.224.214.1 - 103.224.215.254
 Giganor-BroadBand-wireless-customers
 H # 263, Shora Street 4, Cart e 3, Kabul Kabul
 AF
 abuse-mailbox:  support@giganor.com

This ‘Freedom’ seems wasted on Islamic believers. However, I guess it might be drugs or something deemed moral; after all, it has already been flagged as spam, so it's certainly not bacon.

The moral of this story: do not use GoDaddy (my blog), which our cavemen are using for a false identity.

A picard moment for you (shodan.io)

Oh yes, it's our friendly scumbags from Shodan (my blog) – over to you, captain.

connect from cloud.census.shodan.io[94.102.49.193]

It's from our beach-hut scanning outpost in the Seychelles (my blog), and a small /24 this time if you want to mass-block this scammy ISP and its lovely client.

So shields up, and I hope you never get this recycled IP address once shodan.io have fucked up its reputation. I never delist shodan.io IP addresses, whoever the ISP is.

Enjoy your day.

rpz zones for the few not the many

Bananas was interested in RPZ zones, which have nothing to do with car parking or planning regulations but are DNS zones (response policy zones); they look quite simple until you try and get one.

However, with a bit of searching, RPZ zones can be created manually and do work, but then the data is a little out of date. Most threat zones are small rather than large, so having a good mail server is way more important than an RPZ zone blocking a specific URL sent in a scammy email, say.

bank.barclays.co.uk.olb-auth-loginlink.action. asdasd45.as4d56asdas.da 4s65d46asdasdsd. ta77lia. com _b

Whois says the owner is in Egypt and it is hosted in DE, and I guess it depends on how dumb your network users are, how money-grabbing and unethical an SSL certificate provider is, and how long it takes for abuse emails to the hosting provider to stop being ignored and something to be shut down.

Getting bad-site data is quite easy once you start, but making it RPZ-friendly is another matter. Theme and user-content directories are popular for bad permissions and, like the link above, look shady.

Some malware sites just use an IP address, so whether or not an RPZ zone would work is a little more questionable (RPZ does have an rpz-ip trigger that matches addresses in DNS answers, but a client that connects straight to an IP never asks the resolver, so there is nothing for the policy to act on). A general and unscientific match of mail-server abuse against phishing domains (a grep) suggests that these hosts are tasked with one job only, so there is no overlap by domain name.

RPZs sound great, but with the freshness problem and everybody playing catch-up, perhaps it's best that they're left as something that just Cisco users have.
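For anyone who does want to try hand-rolling one, here is an added example (mine, not anything from this post) of what a minimal RPZ zone file looks like once you have the bad-site data: QNAME triggers that return NXDOMAIN for a domain and its subdomains, plus rpz-ip triggers for bare addresses and ranges, which only help when a DNS answer actually carries the address. The zone name, the blocklists and the date-based serial are all assumptions made for the example; a spaced-out entry like the one quoted above is refused rather than quietly emitted as a broken record.

```python
"""Build a BIND-style response policy zone (RPZ) from a domain blocklist and
an address blocklist. Added example, not something from the post. QNAME
triggers answer NXDOMAIN for a domain and its subdomains; rpz-ip triggers
fire when a DNS answer contains a blocked address, which still does nothing
for malware that connects straight to an IP and never asks the resolver.
The blocklists below are constructed; the zone name is an assumption."""
import ipaddress
from datetime import date

ZONE_NAME = "rpz.thezoo.local."     # assumption: the name your resolver loads as its RPZ

BAD_DOMAINS = [
    "olb-auth-loginlink.example",   # constructed phishing host
    "Tracking.Payload.Example.",    # mixed case and trailing dot get normalised
]
BAD_ADDRS = ["103.224.215.18", "89.248.172.0/24"]   # a host and a range quoted on the page


def qname_triggers(domain):
    """Return the two QNAME trigger records (apex and wildcard) for a domain.
    A defanged entry such as 'ta77lia. com' is refused rather than emitted."""
    name = domain.strip().lower().rstrip(".")
    if not name or any(ch.isspace() for ch in name) or "/" in name:
        raise ValueError(f"not a usable domain name: {domain!r}")
    return [f"{name} CNAME .", f"*.{name} CNAME ."]


def ip_trigger(addr):
    """Return the rpz-ip trigger for an IPv4 host or prefix:
    <prefixlen>.<octets reversed>.rpz-ip, e.g. 32.18.215.224.103.rpz-ip."""
    net = ipaddress.ip_network(addr, strict=False)
    if net.version != 4:
        raise NotImplementedError("IPv6 rpz-ip encoding not covered here")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip CNAME ."


def build_zone(domains, addrs, serial=None):
    """Assemble the zone text. The serial defaults to a date-based value so
    a daily rebuild is always 'fresher' than yesterday's copy."""
    if serial is None:
        serial = int(date.today().strftime("%Y%m%d01"))
    lines = [
        f"$ORIGIN {ZONE_NAME}",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.{ZONE_NAME} {serial} 3600 900 604800 300",
        "@ NS localhost.",
    ]
    seen = set()
    for rr in (r for d in domains for r in qname_triggers(d)):
        if rr not in seen:
            seen.add(rr)
            lines.append(rr)
    for rr in (ip_trigger(a) for a in addrs):
        if rr not in seen:
            seen.add(rr)
            lines.append(rr)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_zone(BAD_DOMAINS, BAD_ADDRS), end="")
```

Point the resolver's response-policy statement at the zone and reload; the `CNAME .` target is the NXDOMAIN action, and the wildcard record is what stops `www.` or `cdn.` variants slipping past.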

Email for imaginary zoo staff

The monkey house's email server is quite busy, and to keep it that way the website has some famous video-game characters listed in an HTML comment, so you're usually a robot extracting them rather than a carbon-based lifeform with a computer.

It amazes me that people actually email these addresses, which do not exist but might, because they're ‘listed’.

China seems to like them, these captains of banana management, and who am I not to keep the spammers happy? I have no idea what was sent to these imaginary zoo employees, but you too can buy them from spammers.

Some spammers get close but make the most amusing mistakes. You know who to email; our imaginary zoo staff will be happy to get your email, honest.
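The log-grubbing behind the posts above (the Afghanistan connections, the geoip run over the mail log, and the mail to imaginary staff) all comes down to pulling the client address out of Postfix smtpd and policyd-spf lines and deciding what the connection was. Here is an added example of that step, written for this page and not the blog's own geoip script (country lookup needs an offline database and is left out): it groups lines by client IP and tags the three patterns seen here, a sender forging our own domain while failing SPF, a DNSBL reject, and a recipient that only exists in the HTML comment. The log lines, the domain name and the trap addresses are constructed to match the shape of what is quoted on the page.

```python
"""Parse Postfix smtpd and policyd-spf log lines into per-client records and
flag the patterns seen on this page: a client forging our own domain as the
envelope sender while failing SPF, a client rejected via a DNSBL, and mail
aimed at one of the imaginary (spamtrap) staff addresses.
Added example; the log below is constructed in the shape of the quoted lines."""
import re
from collections import defaultdict

OUR_DOMAIN = "thezoo"                                        # assumption: our mail domain
TRAP_ADDRESSES = {"chell@thezoo", "gordon.freeman@thezoo"}  # assumption: addresses only in the HTML comment

SAMPLE_LOG = """\
smtpd[1]: connect from unknown[117.55.207.29]
policyd-spf[1]: None; identity=helo; client-ip=117.55.207.29; helo=[117.55.207.4]; envelope-from=mfd@thezoo; receiver=user@thezoo
policyd-spf[1]: Fail; identity=mailfrom; client-ip=117.55.207.29; helo=[117.55.207.4]; envelope-from=mfd@thezoo; receiver=user@thezoo
smtpd[1]: NOQUEUE: reject: RCPT from unknown[117.55.207.29]: 554 5.7.1 Service unavailable; Client host [117.55.207.29] blocked using xbl.spamhaus.org; https://www.spamhaus.org/query/ip/117.55.207.29; from=<MFD@thezoo> to=<user@thezoo> proto=ESMTP helo=<[117.55.207.4]>
smtpd[1]: disconnect from unknown[117.55.207.29]
smtpd[2]: connect from mail.example.net[69.171.232.128]
smtpd[2]: NOQUEUE: reject: RCPT from mail.example.net[69.171.232.128]: 550 5.1.1 <chell@thezoo>: Recipient address rejected: User unknown in local recipient table; from=<notification@example.net> to=<chell@thezoo> proto=ESMTP helo=<mail.example.net>
smtpd[2]: disconnect from mail.example.net[69.171.232.128]
smtpd[3]: connect from mail.friend.example[192.0.2.10]
smtpd[3]: disconnect from mail.friend.example[192.0.2.10]
"""

CONNECT_RE = re.compile(r"smtpd\[\d+\]: connect from (\S+?)\[([\d.]+)\]")
SPF_RE = re.compile(r"policyd-spf\[\d+\]: (\w+); identity=(\w+); client-ip=([\d.]+);"
                    r".*?envelope-from=(\S+?); receiver=(\S+)")
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from (\S+?)\[([\d.]+)\]: (\d{3} \S+) (.*?);"
                       r" from=<([^>]*)> to=<([^>]*)>")
DNSBL_RE = re.compile(r"blocked using ([^\s;]+)")


def new_record():
    return {"rdns": None, "spf": {}, "envelope_from": None,
            "rejects": [], "recipients": set()}


def parse_log(text):
    """Group smtpd/policyd-spf lines by client IP into one record per client."""
    records = defaultdict(new_record)
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            records[m.group(2)]["rdns"] = m.group(1)    # 'unknown' when rDNS fails
            continue
        m = SPF_RE.search(line)
        if m:
            result, identity, ip, env_from, _receiver = m.groups()
            rec = records[ip]
            rec["spf"][identity] = result                # e.g. {'helo': 'None', 'mailfrom': 'Fail'}
            if identity == "mailfrom":
                rec["envelope_from"] = env_from.lower()
            continue
        m = REJECT_RE.search(line)
        if m:
            _rdns, ip, code, reason, env_from, rcpt = m.groups()
            rec = records[ip]
            rec["rejects"].append((code, reason))
            rec["recipients"].add(rcpt.lower())
            if rec["envelope_from"] is None and env_from:
                rec["envelope_from"] = env_from.lower()
    return dict(records)


def classify(records):
    """Tag each client with the patterns discussed on this page; clients with
    nothing suspicious are left out of the result."""
    findings = {}
    for ip, rec in records.items():
        tags = []
        env = rec["envelope_from"] or ""
        if env.endswith("@" + OUR_DOMAIN) and rec["spf"].get("mailfrom") == "Fail":
            tags.append("forged-own-domain")             # claims to be us, SPF says no
        for _code, reason in rec["rejects"]:
            m = DNSBL_RE.search(reason)
            if m:
                tags.append("dnsbl:" + m.group(1))
        for rcpt in sorted(rec["recipients"] & TRAP_ADDRESSES):
            tags.append("spamtrap:" + rcpt)              # only a scraper knows this address
        if tags:
            findings[ip] = tags
    return findings


if __name__ == "__main__":
    for ip, tags in classify(parse_log(SAMPLE_LOG)).items():
        print(ip, " ".join(tags))
```

Feed it a real mail.log and the per-IP result is what you would hand to a geoip lookup or to the blocking step; the spamtrap tag is the one worth alerting on, since nothing legitimate should ever address those names.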

Shodan.io’s beachhut in the Seychelles.

Another sighting for you (my blog), from the unbeautiful Seychelles this time. It is 89.248.172.16, from an ISP I have mentioned before for DNS probers, quasinetworks.com (my blog), and it's a house.

connect from house.census.shodan.io[89.248.172.16]

So one more for the crimson firewall. I like blocking shodan.io IP addresses, and you should too.

I like writing posts about Shodan. Come on, send me more, Shodan, this is fun.


Facebook spammers

I was looking at the zoo's mail-server logs (hint: really exciting) and saw Facebook trying to connect to an unknown user. I decided to see more and got something like this.

66.220.155.142
66.220.155.145
66.220.155.147
66.220.155.151
69.171.232.128
69.171.232.130
69.171.232.136
69.171.232.139
69.171.232.142
69.171.232.155
69.171.232.162
69.171.232.164
69.171.232.165
69.171.232.168
69.171.232.170
69.171.232.178

I have printed the magic command somewhere on this blog so this is not impossible output.

69.171.232.x, which is Facebook, and I decided that there's no reason to tolerate this crap, since no ape here in the zoo is officially on Facebook, nor is the new person they think exists. I also made a cron job, which runs once a day, so the zoo can be alerted to extra activity which I have not yet blocked.

Fuck off Facebook.

Keeping ghostforfacebook.com happy

Remember them? (my blog) Well, a new range of addresses was being used by them; the assistant was not a spam target, the boss was.

It made me laugh while looking at the cron logs some months ago.

I blocked the range of new addresses.  Have not heard from them since.

I might unblock some spam ranges in a year's time to further punish the ISP, who hopefully got paid, but if they did not, hey, that's not my problem. If they sell to spammers, let me value their ranges as crap; that's my logic.


Fun blocking facebook mail

Facebook (or its ‘users’*) were trying to send something to a made-up email address. So I decided to block Facebook mail. Why? – because I can.

I deployed the mallet (my blog)

ip route show | grep 69.171;ip route show | grep 66.220
prohibit 69.171.232.128
prohibit 69.171.232.130
prohibit 69.171.232.135
prohibit 69.171.232.136
prohibit 69.171.232.139
prohibit 69.171.232.142
prohibit 69.171.232.143
prohibit 69.171.232.145
prohibit 69.171.232.147
prohibit 69.171.232.150
prohibit 69.171.232.151
prohibit 69.171.232.155
prohibit 69.171.232.162
prohibit 69.171.232.164
prohibit 69.171.232.165
prohibit 69.171.232.168
prohibit 69.171.232.170
prohibit 69.171.232.178
prohibit 66.220.155.141
prohibit 66.220.155.142
prohibit 66.220.155.143
prohibit 66.220.155.145
prohibit 66.220.155.147
prohibit 66.220.155.151
prohibit 66.220.155.152
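The once-a-day cron check mentioned in the Facebook post and the mallet above are the same job split in two: read back what `ip route show` already says is prohibited, compare it with the client addresses seen in the log, and swing at whatever is inside a watched prefix but not yet blocked. Here is an added example of that check (mine, not the blog's cron job): it parses the `prohibit` lines in the format shown above, reports the unblocked hits, and prints the `ip route add prohibit` commands for them, either per host or collapsed into the smallest covering prefixes for when a range has earned a bigger swing. The route listing and the observed addresses are constructed; the two /24s are simply the prefixes the hosts above fall in.

```python
"""Daily check for the 'mallet': compare client addresses seen in the mail
log against the prohibit routes already in the routing table, report the
ones inside a watched spammer prefix that are not yet blocked, and print
the ip route commands that would block them (per host, or collapsed into
the smallest covering prefixes). Added example, not the blog's cron job;
the route listing and observed addresses below are constructed."""
import ipaddress
import sys

# Prefixes we care about; the page lists hosts in these two /24s.
WATCHED = [ipaddress.ip_network(p) for p in ("69.171.232.0/24", "66.220.155.0/24")]

# Constructed: what `ip route show` prints for existing prohibit routes.
ROUTE_SHOW = """\
prohibit 69.171.232.128
prohibit 69.171.232.130
prohibit 66.220.155.142
"""

# Constructed: client IPs pulled from today's smtpd 'connect from' lines.
OBSERVED = ["69.171.232.128", "69.171.232.140", "69.171.232.141",
            "66.220.155.142", "66.220.155.151", "203.0.113.9"]


def prohibited_routes(route_show_text):
    """Parse `ip route show` output into the networks that have a prohibit route."""
    routes = []
    for line in route_show_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "prohibit":
            routes.append(ipaddress.ip_network(parts[1], strict=False))  # bare host -> /32
    return routes


def unblocked_hits(observed, routes, watched=WATCHED):
    """Addresses inside a watched prefix that no existing prohibit route covers."""
    hits = set()
    for text in observed:
        ip = ipaddress.ip_address(text)
        if any(ip in w for w in watched) and not any(ip in r for r in routes):
            hits.add(ip)
    return sorted(hits)


def mallet_commands(ips, aggregate=False):
    """`ip route add prohibit` lines for the hits; with aggregate=True,
    adjacent hosts are collapsed into covering prefixes."""
    nets = [ipaddress.ip_network(str(ip)) for ip in ips]
    if aggregate:
        nets = list(ipaddress.collapse_addresses(nets))
    cmds = []
    for n in nets:
        target = str(n.network_address) if n.prefixlen == n.max_prefixlen else n.with_prefixlen
        cmds.append(f"ip route add prohibit {target}")
    return cmds


if __name__ == "__main__":
    hits = unblocked_hits(OBSERVED, prohibited_routes(ROUTE_SHOW))
    for cmd in mallet_commands(hits, aggregate=True):
        print(cmd)
    sys.exit(1 if hits else 0)   # non-zero so cron mails the zoo when there is work to do
```

Run from cron with the real `ip route show` output and the day's client list; a non-zero exit is what gets the alert mailed, and the printed commands are reviewed before anyone runs them as root.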

I hope you find this informative if you're getting undeliverable crap from Facebook via email.

Another Facebook-like name is ghostforfacebook (my blog). They're worth banning too.

*I would guess crooks.