--
Displayed Email Address is a SPAM TRAP
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
SPEWS Delisting FAQ: http://tqmcube.com/spews.php
--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.
Maybe SPEWS doesn't include them in the blocklist because they're
firewalled or dropped at the gateway router. That's my next step,
since many wanadoo.* subscribers seem unable to take
"550 5.7.1 Go Away and don't come back!"
at face value.
I was going to put this .sig in:
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin
but the sigmonster came up with one entirely apposite to the topic:
--
In the final analysis, spam supporters are playing with their
company's credibility, reputation, solvency, and existence. If
that's what you want to do, then go ahead. But it makes more
sense to dump a liability than it does to maintain one.
Basically drop everything that is *abo.wanadoo.* Note the
asterisks.
That is the range used for much of their DSL and cable ranges.
Additionally this rule set helps... Drop everything there....
# Quick and dirty. A sizeable percentage of zombie or compromised host
spam is sent from this baker's dozen of ISP types as addressed in
reverse DNS.
*DSL*
*abo.wanadoo*
*.abo.*
*.CPE.*
*dhcp*
*dial*
*dynamic*
*host*
*HOST*
*pool*
*ppp*
*static*
*user*
PC*
*.ip.*
It's not practical to run each hostname to be checked against thousands
of glob or regexp patterns. Still, a few with those magic words can be
useful. But I do block wanadoo.fr, wanadoo.be, and wanadoo.nl via the
indexed lookups that work in Postfix. I have 13,937 entries in that DB
file right now. ISPs that don't provide a subdomain to isolate their
generics get their main domain added.
--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-200...@ipal.net |
|------------------------------------/-------------------------------------|
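The two posts above describe two different ways of screening a connecting client by its reverse-DNS name: scanning the posted "quick and dirty" glob list, and the indexed parent-domain lookup that a Postfix access table does. The following is an added example (not code from either poster, and not Postfix's own code) that runs both against a handful of constructed hostnames so the difference in what they catch, and in cost, is visible. The access-table contents, the `dyn.example-isp.net` ISP, and every hostname are assumptions made up for illustration; the glob list is the one posted.

```python
"""Two ways to screen a connecting client by its reverse-DNS name: a scan of
the posted glob list, and an indexed parent-domain lookup in the style of a
Postfix access table.  Added example, not code from either poster or from
Postfix.  Table contents and all hostnames are constructed for illustration."""
import fnmatch

# The glob list exactly as posted.  "*host*" and "*HOST*" are both present,
# so the scan is case-sensitive, as a shell glob would be.
GLOB_PATTERNS = [
    "*DSL*", "*abo.wanadoo*", "*.abo.*", "*.CPE.*", "*dhcp*", "*dial*",
    "*dynamic*", "*host*", "*HOST*", "*pool*", "*ppp*", "*static*",
    "*user*", "PC*", "*.ip.*",
]

# Constructed table in the spirit of Postfix check_client_access: the whole
# domain where the ISP does not isolate its generic names, and only the
# generic subdomain where it does.
ACCESS_TABLE = {
    "wanadoo.fr": "REJECT",
    "wanadoo.be": "REJECT",
    "wanadoo.nl": "REJECT",
    "dyn.example-isp.net": "REJECT",   # hypothetical ISP with an isolated pool
}


def glob_scan(hostname):
    """Every posted pattern the name matches; cost is one test per pattern."""
    return [p for p in GLOB_PATTERNS if fnmatch.fnmatchcase(hostname, p)]


def indexed_lookup(hostname, table=ACCESS_TABLE):
    """Probe the full name, then each parent domain: one indexed probe per label.

    This follows how Postfix walks a hash/btree access map for a client name
    when parent_domain_matches_subdomains covers smtpd_access_maps (the
    default), so an entry "wanadoo.fr" also covers "x.abo.wanadoo.fr".  Cost
    depends on the number of labels, not on how many entries the table holds."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return key, table[key]
    return None


def classify(hostname):
    """Both verdicts side by side for one reverse-DNS name."""
    return {"glob": glob_scan(hostname), "indexed": indexed_lookup(hostname)}


# Constructed sample names.  The first imitates Wanadoo's generic naming
# style but is not a real host.
SAMPLES = [
    "AToulouse-251-1-12-34.w81-49.abo.wanadoo.fr",  # home DSL pool
    "smtp-out.wanadoo.fr",                          # the ISP's own relay
    "PC-42.dyn.example-isp.net",                    # isolated generic subdomain
    "static-host-1.example.net",                    # a static server, no ISP pool
    "mail.example.com",                             # ordinary mail server
]

if __name__ == "__main__":
    for name in SAMPLES:
        r = classify(name)
        print(f"{name:45} glob={r['glob']!r:30} indexed={r['indexed']}")
```

Running it shows the trade-off the posts are arguing about: the whole-domain table entry also hits `smtp-out.wanadoo.fr`, which none of the globs touch, while `*host*` and `*static*` fire on a static server that no table entry covers.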
> It's not practical to run each hostname to be checked against thousands
> of glob or regexp patterns. Still, a few with those magic words can be
> useful. But I do block wanadoo.fr, wanadoo.be, and wanadoo.nl via the
> indexed lookups that work in Postfix. I have 13,937 entries in that DB
> file right now. ISPs that don't provide a subdomain to isolate their
> generics get their main domain added.
I actually don't block the whole ISP or company, as usually the proper
mail server of the ISP isn't used for spamming as much compared to all
the user devices like cable modems and DSL modems. This is doubly true
for dynamic pools.
Despite wanadoo.fr being host to a lot of spammers on their user
pool, the ISP's mail servers themselves seem to be fairly clean. It is
the HOME users that are the source of the sewage. So I block
ABO.wanadoo.* with ABO being all the personal home connections. So
blocking ABO will not block legitimate email as most (home) users
won't be running their own email servers and anything corporate will
have a proper DNS entry that won't be part of a dynamic range.
Blocking as many "personal" IP addresses as possible, like home/residential
connections, seems to be very efficient. I am now blocking around 150 of
the top senders and adding some every day. I am going after the
low-hanging fruit right now. I am doing this in a mission-critical
corporate environment (an F1000 type company) with no negative fallout
so far.
Blocking just 150 ISPs' dynamic cable and DSL modem ranges is preventing
about 50k spam a day on top of the 100k that the RBL services do. No
complaints to speak of.
Would you share your list? It sounds like it would be very useful...
My hypothesis (nice word for guess) is that they have a large number
of infected customers with an exploit that causes email to be relayed
through the ISP with authentication. I also wonder if they are doing
reasonable rate limiting. Our (albeit minuscule) sample suggests that
they are not.
I've been blocking Wanadoo by IPA range for years. Finally got
my first false positive complaint. Found a /21 with servers in
the middle of the abo.wanadoo cesspool. Current blocks are:
80.8/13 ; abo.wanadoo.fr 8-15
81.48/14 ; abo.wanadoo.fr CPE
81.53 ; abo.wanadoo.fr CPE
81.68/14 ; dial/cable/adsl.wanadoo.nl and adsl.euronet.nl
81.248/14 ; wanadoo.fr CPE
82.120/13 ; abo.wanadoo.fr dyn-IP DSL
82.156/15 ; cable.wanadoo.nl
83.112/14 ; wanadoo.fr CPE
83.192/13 ; abo.wanadoo.fr
83.200/14 ; abo.wanadoo.fr CPE spambots, viruses
83.204/15 ; abo.wanadoo.fr
86.192-221 ; wanadoo.fr DSL CPE. Empty-hat telco.
193.248/14 ; abo.wanadoo.fr CPE
193.252/15 ; abo.wanadoo.fr CPE
!193.252.16/21 ; wanadoo.fr/orange.fr SMTP senders
217.128 ; abo.wanadoo.fr CPE
That's rbldnsd format. /16 is implied.
Notice "86.192-221" is 86.192/11 except 86.222/15.
86.222/15 belongs to France Telecom and a quick scan shows
no rDNS in there. We usually block one /15 at a time, as
we receive spam from it, suggesting that /15 hasn't made poo
here yet. Suspect it's not in use. So 86.192/11 might suffice.
I'd love to block everything Wanadoo, everything Uunet,
everything Comcast, etc etc. But if you've got thousands of
real users you can't get away with that.
Currently trying to figure out what to do about Verizon's
callback shenanigans. The public email system really is dying.
--
Cameron
http://spam-vs-freedom.blogspot.com
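Cameron's list uses three rbldnsd ip4set conventions that are easy to misread: an address written with fewer than four octets implies /8, /16 or /24; "a.b-c" spans b through c in the last octet written (so 86.192-221 is 86.192/11 minus 86.222/15, as he notes); and a leading "!" carves an exclusion out of any listing that covers it, which is how the /21 of real SMTP senders is kept out of the 193.252/15 block. The following added example (not code from the post or from rbldnsd) parses an excerpt of the posted list and answers "is this IP listed?" with the exclusion honoured. Text after ";" is treated as a comment simply because the posted list uses it that way; the probe addresses are constructed.

```python
"""Reader for the rbldnsd-style ip4set list posted above.  Added example, not
code from the post or from rbldnsd.  Implements the posted conventions: short
addresses imply /8, /16 or /24; "a.b-c" is a range in the last written octet;
"!" marks an exclusion.  ";" starts a comment as in the posted list."""
import ipaddress

# Excerpt of the posted list (/16 implied where no mask is given).
LISTING = """\
80.8/13 ; abo.wanadoo.fr 8-15
81.53 ; abo.wanadoo.fr CPE
86.192-221 ; wanadoo.fr DSL CPE.
193.252/15 ; abo.wanadoo.fr CPE
!193.252.16/21 ; wanadoo.fr/orange.fr SMTP senders
217.128 ; abo.wanadoo.fr CPE
"""


def parse_entry(line):
    """Return (excluded, [IPv4Network, ...]) for one entry, or None for a
    blank or comment line."""
    entry = line.split(";", 1)[0].strip()
    if not entry or entry.startswith("#"):
        return None
    excluded = entry.startswith("!")
    if excluded:
        entry = entry[1:].strip()
    prefix_len = None
    if "/" in entry:
        entry, plen = entry.split("/", 1)
        prefix_len = int(plen)
    octets = entry.split(".")
    n = len(octets)
    if prefix_len is None:
        prefix_len = 8 * n            # "217.128" -> /16, "81.53" -> /16
    # Range in the last written octet: "86.192-221" -> 86.192.x.x .. 86.221.x.x
    lo_last, _, hi_last = octets[-1].partition("-")
    hi_last = hi_last or lo_last

    def address(last):
        return int(ipaddress.IPv4Address(
            ".".join(octets[:-1] + [last] + ["0"] * (4 - n))))

    hostmask = (1 << (32 - prefix_len)) - 1
    # Mask the low end down and fill the high end up to the block boundary,
    # then express the covered range as a minimal set of CIDR blocks.
    start = ipaddress.IPv4Address(address(lo_last) & ~hostmask & 0xFFFFFFFF)
    end = ipaddress.IPv4Address(address(hi_last) | hostmask)
    return excluded, list(ipaddress.summarize_address_range(start, end))


def load(text):
    """Split a listing into (listed, excluded) network lists."""
    listed, excluded = [], []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is not None:
            (excluded if parsed[0] else listed).extend(parsed[1])
    return listed, excluded


def is_listed(ip, listed, excluded):
    """An exclusion wins over any listing entry covering the same address."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in listed)


def networks_for(entry):
    """Expanded CIDR blocks for one entry, e.g. to check "86.192-221" by hand."""
    return [str(net) for net in parse_entry(entry)[1]]


if __name__ == "__main__":
    listed, excluded = load(LISTING)
    print("86.192-221 ->", networks_for("86.192-221"))
    for ip in ("80.15.1.1", "80.16.1.1", "86.221.5.5", "86.222.0.1",
               "193.252.1.1", "193.252.20.1", "217.128.3.4"):
        print(f"{ip:14} listed={is_listed(ip, listed, excluded)}")
```

The range entry expands to four CIDR blocks covering exactly 30 /16s, which is the 86.192/11 minus 86.222/15 reading Cameron gives; 193.252.20.1 comes back unlisted because the "!" entry is checked first.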
Thank you for that list.
Ben!