
Wanadoo/Orange.fr


David Cary Hart

Nov 9, 2006, 9:09:16 AM

I know that SPEWS does not accept nominations. Nevertheless, how on
earth are these ranges not included?

--
Displayed Email Address is a SPAM TRAP
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
SPEWS Delisting FAQ: http://tqmcube.com/spews.php

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

Mike Andrews

Nov 9, 2006, 3:17:48 PM

On Thu, 9 Nov 2006 14:09:16 GMT, David Cary Hart <mode...@celebritytruth.net> wrote in <20061109105...@dch.TQMcube.com>:
> I know that SPEWS does not accept nominations. Nevertheless, how on
> earth are these ranges not included?

Maybe SPEWS doesn't include them in the blocklist because they're
firewalled or dropped at the gateway router. That's my next step,
since many wanadoo.* subscribers seem unable to take

"550 5.7.1 Go Away and don't come back!"

at face value.

I was going to put this .sig in:

Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin

but the sigmonster came up with one entirely apposite to the topic:

--
In the final analysis, spam supporters are playing with their
company's credibility, reputation, solvency, and existence. If
that's what you want to do, then go ahead. But it makes more
sense to dump a liability than it does to maintain one.

puceb...@yahoo.com

Nov 13, 2006, 7:23:25 AM

Mike Andrews wrote:
> On Thu, 9 Nov 2006 14:09:16 GMT, David Cary Hart <mode...@celebritytruth.net> wrote in <20061109105...@dch.TQMcube.com>:
> > I know that SPEWS does not accept nominations. Nevertheless, how on
> > earth are these ranges not included?
>

Basically drop everything that is *abo.wanadoo.* Note the
asterisks. That is the range used by much of their DSL and cable
ranges.

Additionally, this rule set helps... Drop everything there....

#Quick and dirty. A sizeable percentage of zombie or compromised host
spam is sent from this baker's dozen of ISP types as addressed in
reverse DNS.
*DSL*
*abo.wanadoo*
*.abo.*
*.CPE.*
*dhcp*
*dial*
*dynamic*
*host*
*HOST*
*pool*
*ppp*
*static*
*user*
PC*
*.ip.*

phil-new...@ipal.net

Nov 13, 2006, 11:31:49 AM

It's not practical to check each hostname against thousands
of glob or regexp patterns. Still, a few with those magic words can be
useful. But I do block wanadoo.fr, wanadoo.be, and wanadoo.nl via the
indexed lookups that work in Postfix. I have 13,937 entries in that DB
file right now. ISPs that don't provide a subdomain to isolate their
generics get their main domain added.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-200...@ipal.net |
|------------------------------------/-------------------------------------|
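The two approaches in this post and the previous one, as an added example (not code either poster ran): a linear glob scan over the posted rDNS pattern list versus a parent-domain walk against an indexed set of blocked domains. The `classify` helper and the hostnames used to exercise it are constructed assumptions.

```python
import fnmatch

# Constructed sample data: the rDNS glob list posted earlier in the thread
# and the three domains Phil says he blocks through an indexed lookup.
RDNS_GLOBS = ["*DSL*", "*abo.wanadoo*", "*.abo.*", "*.CPE.*", "*dhcp*",
              "*dial*", "*dynamic*", "*host*", "*HOST*", "*pool*", "*ppp*",
              "*static*", "*user*", "PC*", "*.ip.*"]
BLOCKED_DOMAINS = {"wanadoo.fr", "wanadoo.be", "wanadoo.nl"}

def glob_scan(hostname, patterns=RDNS_GLOBS):
    """Linear scan: every hostname is tested against every pattern, so cost
    grows with the list (Phil's objection once it reaches thousands).
    Matching is case-sensitive, which is why the posted list carries both
    '*host*' and '*HOST*'. Returns the first matching pattern, else None."""
    for pat in patterns:
        if fnmatch.fnmatchcase(hostname, pat):
            return pat
    return None

def indexed_lookup(hostname, table=BLOCKED_DOMAINS):
    """Parent-domain walk: one hash probe per label, whatever the table
    size. Assumed here to follow the idea behind the indexed (hash:)
    access maps Phil mentions; it is not Postfix's own lookup code.
    Returns the matching table entry, else None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None

def classify(hostname):
    """Cheap indexed lookup first; the glob scan only as a fallback."""
    return indexed_lookup(hostname) or glob_scan(hostname)
```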

puceb...@yahoo.com

Nov 14, 2006, 8:07:13 AM

phil-new...@ipal.net wrote:
> On Mon, 13 Nov 2006 12:23:25 GMT puceb...@yahoo.com wrote:
> | Mike Andrews wrote:
> |> On Thu, 9 Nov 2006 14:09:16 GMT, David Cary Hart <mode...@celebritytruth.net> wrote in <20061109105...@dch.TQMcube.com>:

> It's not practical to check each hostname against thousands
> of glob or regexp patterns. Still, a few with those magic words can be
> useful. But I do block wanadoo.fr, wanadoo.be, and wanadoo.nl via the
> indexed lookups that work in Postfix. I have 13,937 entries in that DB
> file right now. ISPs that don't provide a subdomain to isolate their
> generics get their main domain added.

I actually don't block the whole ISP or company, as usually the proper
mail server of the ISP isn't used for spamming as much compared to all
the user devices like cable modems and dsl modems. This is doubly true
for dynamic pools.

Despite wanadoo.fr being host to a lot of spammers on their user
pool, the ISP's mail servers themselves seem to be fairly clean. It is
the HOME users that are the source of the sewage. So I block
ABO.wanadoo.* with ABO being all the personal home connections. So
blocking ABO will not block legitimate email, as most (home) users
won't be running their own email servers and anything corporate will
have a proper DNS entry that won't be part of a dynamic range.

Blocking as many "personal" IP addresses (home/residential
connections) as possible seems to be very efficient. I am now blocking
around 150 of the top senders and adding some every day. I am going
after the low-hanging fruit right now. I am doing this in a
mission-critical corporate environment (a F1000 type company) with no
negative fallout so far.

Blocking just 150 dynamic ISPs' cable and DSL modems is preventing
about 50k spam a day on top of the 100k that the RBL services do. No
complaints to speak of.

Would you share your list? It sounds like it would be very useful...

David Cary Hart

Nov 15, 2006, 7:25:07 AM

On Tue, 14 Nov 2006 13:07:13 GMT, puceb...@yahoo.com opined:

>
>
> I actually don't block the whole ISP or company, as usually the
> proper mail server of the ISP isn't used for spamming as much
> compared to all the user devices like cable modems and dsl modems.
> This is doubly true for dynamic pools.
>
> Despite wanadoo.fr being a host to a lot of spammers on their user
> pool. The ISP's mail servers them selves seem to be fairly clean.
> It is the HOME users that are the source of the sewage. So I block
> ABO.wanadoo.* with ABO being all the personal home connections. So
> blocking ABO will not block legitimate email as most (home) users
> won't be running their own email servers and anything corporate will
> have a proper DSN entry that won't be part of a dynamic range.
>
In point of fact, the problems that I am seeing are related to
their SMTP and a complete failure to do any outbound filtering. For
example, I am seeing quite a bit of spam sent to three-ellipse email
addresses (Google Groups).

My hypothesis (nice word for guess) is that they have a large number
of infected customers with an exploit that causes email to be relayed
through the ISP with authentication. I also wonder if they are doing
reasonable rate limiting. Our (albeit minuscule) sample suggests that
they are not.


--
Displayed Email Address is a SPAM TRAP
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
SPEWS Delisting FAQ: http://tqmcube.com/spews.php


Cameron L. Spitzer

Nov 16, 2006, 5:22:54 AM

In article <20061114175...@dch.TQMcube.com>, David Cary Hart wrote:
> On Tue, 14 Nov 2006 13:07:13 GMT, puceb...@yahoo.com opined:
>> Despite wanadoo.fr being a host to a lot of spammers on their user
>> pool. The ISP's mail servers them selves seem to be fairly clean.
>> It is the HOME users that are the source of the sewage. So I block
>> ABO.wanadoo.* with ABO being all the personal home connections.
> In point of fact, the problems that I am seeing are related to
> their SMTP and a complete failure to do any outbound filtering.

I've been blocking Wanadoo by IPA range for years. Finally got
my first false positive complaint. Found a /21 with servers in
the middle of the abo.wanadoo cesspool. Current blocks are:

80.8/13 ; abo.wanadoo.fr 8-15
81.48/14 ; abo.wanadoo.fr CPE
81.53 ; abo.wanadoo.fr CPE
81.68/14 ; dial/cable/adsl.wanadoo.nl and adsl.euronet.nl
81.248/14 ; wanadoo.fr CPE
82.120/13 ; abo.wanadoo.fr dyn-IP DSL
82.156/15 ; cable.wanadoo.nl
83.112/14 ; wanadoo.fr CPE
83.192/13 ; abo.wanadoo.fr
83.200/14 ; abo.wanadoo.fr CPE spambots, viruses
83.204/15 ; abo.wanadoo.fr
86.192-221 ; wanadoo.fr DSL CPE. Empty-hat telco.
193.248/14 ; abo.wanadoo.fr CPE
193.252/15 ; abo.wanadoo.fr CPE
!193.252.16/21 ; wanadoo.fr/orange.fr SMTP senders
217.128 ; abo.wanadoo.fr CPE


That's rbldnsd format. /16 is implied.
Notice "86.192-221" is 86.192/11 except 86.222/15.
86.222/15 belongs to France Telecom and a quick scan shows
no rDNS in there. We usually block one /15 at a time, as
we receive spam from it, suggesting that /15 hasn't made poo
here yet. Suspect it's not in use. So 86.192/11 might suffice.

I'd love to block everything Wanadoo, everything Uunet,
everything Comcast, etc etc. But if you've got thousands of
real users you can't get away with that.
Currently trying to figure out what to do about Verizon's
callback shenanigans. The public email system really is dying.


--
Cameron
http://spam-vs-freedom.blogspot.com
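An added example, not Cameron's code or rbldnsd's own: it parses a subset of the list above under the conventions he describes (';' comments, implied /16, "86.192-221" as a range of second octets, "!" as an exclusion) and checks an address against it. The sample text is constructed from his entries; treating the syntax as rbldnsd's ip4set format is an assumption.

```python
import ipaddress

# Constructed sample: a subset of the rbldnsd entries quoted in the post.
# ';' starts a comment, '!' marks an exclusion, a bare 'a.b' means /16.
SAMPLE_IP4SET = """\
80.8/13 ; abo.wanadoo.fr 8-15
81.53 ; abo.wanadoo.fr CPE
86.192-221 ; wanadoo.fr DSL CPE. Empty-hat telco.
193.252/15 ; abo.wanadoo.fr CPE
!193.252.16/21 ; wanadoo.fr/orange.fr SMTP senders
217.128 ; abo.wanadoo.fr CPE
"""

def expand_entry(spec):
    """Turn one address spec into IPv4Network objects, following the
    conventions the post describes (assumed to match rbldnsd's ip4set):
    missing trailing octets are zero-filled, 'a.b' without a mask is a
    /16, and 'a.b-c' covers second octets b through c inclusive."""
    addr, _, mask = spec.partition("/")
    octets = addr.split(".")
    if len(octets) == 2 and "-" in octets[1]:
        lo, hi = (int(x) for x in octets[1].split("-"))
        first = ipaddress.IPv4Address(f"{octets[0]}.{lo}.0.0")
        last = ipaddress.IPv4Address(f"{octets[0]}.{hi}.255.255")
        return list(ipaddress.summarize_address_range(first, last))
    prefix = int(mask) if mask else 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return [ipaddress.IPv4Network(".".join(octets) + f"/{prefix}", strict=False)]

def parse_ip4set(text):
    """Return (included, excluded) network lists from rbldnsd-style text."""
    included, excluded = [], []
    for line in text.splitlines():
        spec = line.split(";", 1)[0].strip()   # drop the comment
        if not spec:
            continue
        target = excluded if spec.startswith("!") else included
        target.extend(expand_entry(spec.lstrip("!")))
    return included, excluded

def is_listed(ip, included, excluded):
    """Exclusions win over any enclosing block, so the /21 of legitimate
    SMTP senders carved out of 193.252/15 is not listed."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in included)
```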

puceb...@yahoo.com

Nov 17, 2006, 8:13:08 AM

Cameron L. Spitzer wrote:
> In article <20061114175...@dch.TQMcube.com>, David Cary Hart wrote:
> > On Tue, 14 Nov 2006 13:07:13 GMT, puceb...@yahoo.com opined:
> 80.8/13 ; abo.wanadoo.fr 8-15
> 81.48/14 ; abo.wanadoo.fr CPE
> 81.53 ; abo.wanadoo.fr CPE
> 81.68/14 ; dial/cable/adsl.wanadoo.nl and adsl.euronet.nl
> 81.248/14 ; wanadoo.fr CPE
> 82.120/13 ; abo.wanadoo.fr dyn-IP DSL
> 82.156/15 ; cable.wanadoo.nl
> 83.112/14 ; wanadoo.fr CPE
> 83.192/13 ; abo.wanadoo.fr
> 83.200/14 ; abo.wanadoo.fr CPE spambots, viruses
> 83.204/15 ; abo.wanadoo.fr
> 86.192-221 ; wanadoo.fr DSL CPE. Empty-hat telco.
> 193.248/14 ; abo.wanadoo.fr CPE
> 193.252/15 ; abo.wanadoo.fr CPE
> !193.252.16/21 ; wanadoo.fr/orange.fr SMTP senders
> 217.128 ; abo.wanadoo.fr CPE
>
>
> That's rbldnsd format. /16 is implied.
> Notice "86.192-221" is 86.192/11 except 86.222/15.
> 86.222/15 belongs to France Telecom and a quick scan shows
> no rDNS in there. We usually block one /15 at a time, as
> we receive spam from it, suggesting that /15 hasn't made poo
> here yet. Suspect it's not in use. So 86.192/11 might suffice.


Thank you for that list.

Ben!
