Posted to users@spamassassin.apache.org by Jean-Paul Natola <jn...@familycareintl.org> on 2008/04/29 16:56:05 UTC
netstat info-blacklist IP
I was running into major overloads on my box and I kept noticing entries such
as these
enewsletter11.ru.2500 TIME_WAIT
enewsletter11.ru.2353 ESTABLISHED
enewsletter11.ru.2371 TIME_WAIT
enewsletter11.ru.2350 ESTABLISHED
half of them would eventually time out-
SMTP command timeout on connection from enewsletter11.ruceci.com
(enewsletter.ruceci.com) [208.74.102.200]
others made it through
and I checked the messages that made it through- they are definitely UCE
I did trace it back to this IP
enewsletter11.ruceci.com (enewsletter.ruceci.com) [208.74.102.200]
which is a datacenter in KS
Arsalon Technologies LLC
I'm not sure what is going on, but why are they stuck to my server?
Is it safe to blacklist the IP? If so, I don't recall seeing info on
blacklisting IPs.
By the way, how can I get more data on why it timed out?
Thanks
Re: netstat info-blacklist IP
Posted by mouss <mo...@netoyen.net>.
Jean-Paul Natola wrote:
> How do I go about shunning the IP - via Exim or via SA?
>
> And where if possible
>
The most effective is at the firewall level. Why let it open a TCP session?
RE: netstat info-blacklist IP
Posted by Jean-Paul Natola <jn...@familycareintl.org>.
How do I go about shunning the IP - via Exim or via SA?
And where if possible
-----Original Message-----
From: Jack Pepper [mailto:pepperjack@autoshun.org]
Sent: Tuesday, April 29, 2008 11:48 AM
To: users@spamassassin.apache.org
Subject: Re: netstat info-blacklist IP
Quoting Jean-Paul Natola <jn...@familycareintl.org>:
> I did trace it back to this IP enewsletter11.ruceci.com
> (enewsletter.ruceci.com) [208.74.102.200]
> which is a datacenter in KS: Arsalon Technologies LLC
Send them a friendly/helpful note (include packet traces or mail logs)
since we will politely assume they don't know about it already. Then
shun the IP at the perimeter.
>
> Is it safe to blacklist the IP? If so, I don't recall seeing info on
> blacklisting IPs.
That's a matter of personal style. I shun IP addresses and block
incoming SMTP connections quite aggressively. Users don't seem to
mind, it keeps the bad traffic down. In one week last month,
perimeter blacklisting dropped 1.5 million incoming SMTP connections.
I don't know what those people wanted to tell me, and I really don't
care. Every address is there because of some identifiable bot-related
network behavior.
Some people think shunning is bad.
As we say in Nebraska, " ... but you gotta do what works for you".
> By the way, how can I get more data on why it timed out?
>
Only if something shows up in your mail logs or firewall logs.
jp
--
Framework? I don't need no steenking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
Re: netstat info-blacklist IP
Posted by Jack Pepper <pe...@autoshun.org>.
Quoting Jean-Paul Natola <jn...@familycareintl.org>:
> I did trace it back to this IP enewsletter11.ruceci.com
> (enewsletter.ruceci.com) [208.74.102.200]
> which is a datacenter in KS: Arsalon Technologies LLC
Send them a friendly/helpful note (include packet traces or mail logs)
since we will politely assume they don't know about it already. Then
shun the IP at the perimeter.
>
> Is it safe to blacklist the IP? If so, I don't recall seeing info on
> blacklisting IPs.
That's a matter of personal style. I shun IP addresses and block
incoming SMTP connections quite aggressively. Users don't seem to
mind, it keeps the bad traffic down. In one week last month,
perimeter blacklisting dropped 1.5 million incoming SMTP connections.
I don't know what those people wanted to tell me, and I really don't
care. Every address is there because of some identifiable bot-related
network behavior.
Some people think shunning is bad.
As we say in Nebraska, " ... but you gotta do what works for you".
> By the way, how can I get more data on why it timed out?
>
Only if something shows up in your mail logs or firewall logs.
jp
--
Framework? I don't need no steenking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
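As an added example (not from the thread or from anyone posting in it), the check Jack points to, namely looking in the mail logs: it counts "SMTP command timeout" events per source IP over constructed Exim-style log lines in the format quoted at the top of the thread and renders a perimeter drop rule for repeat offenders, which is mouss's "firewall level" advice. The timestamps, the 192.0.2.7 address and the threshold of three are assumptions; the rule is only printed, never applied.

```python
import re
from collections import Counter

# Exim "SMTP command timeout" lines as quoted in the thread; the pattern keys on
# the bracketed IP at the end and tolerates the optional "(reverse-dns)" part.
TIMEOUT_RE = re.compile(
    r"SMTP command timeout on connection from (?P<host>\S+)"
    r"(?: \([^)]*\))? \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

# Constructed sample log: the thread's 208.74.102.200 times out three times,
# a documentation address (192.0.2.7, assumed) only once. Timestamps are made up.
SAMPLE_LOG = """\
2008-04-29 11:02:14 SMTP command timeout on connection from enewsletter11.ruceci.com (enewsletter.ruceci.com) [208.74.102.200]
2008-04-29 11:03:51 SMTP command timeout on connection from enewsletter11.ruceci.com (enewsletter.ruceci.com) [208.74.102.200]
2008-04-29 11:04:02 1JqX2a-0004Xy-Gh <= sender@example.net H=mail.example.net [192.0.2.7] P=esmtp S=2310
2008-04-29 11:05:20 SMTP command timeout on connection from mail.example.net [192.0.2.7]
2008-04-29 11:07:45 SMTP command timeout on connection from enewsletter11.ruceci.com (enewsletter.ruceci.com) [208.74.102.200]
"""


def count_timeouts(log_text):
    """Return {ip: number of SMTP command timeouts} for the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def repeat_offenders(counts, threshold=3):
    """IPs with at least `threshold` timeouts, most frequent first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def drop_rules(ips):
    """Render one iptables rule per IP that refuses the TCP handshake on port 25,
    so the sender never gets an SMTP session to hold open. Rendered, not run."""
    return ["iptables -I INPUT -s %s -p tcp --dport 25 -j DROP" % ip for ip in ips]


if __name__ == "__main__":
    for rule in drop_rules(repeat_offenders(count_timeouts(SAMPLE_LOG))):
        print(rule)
```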