Re: CRIME Korean spam & Klez

From: jeffrey (jeffrey@private)
Date: Wed May 22 2002 - 12:31:10 PDT


    I use address *ranges*, i.e. something like 211.32.0.0-211.71.255.255.
    This will block 50 Class B's (each Class B has about 65,000 IP 
    addresses)
    
    Over time, I have compiled lists of ranges that I can count on to be 
    1) likely spam/relay sources, and 2) unlikely to ever have a legit 
    need to send us mail. (The one I mention above is mostly the Korea 
    Network Information Center.) It takes some research, and a lot of 
    look-ups at ARIN, APNIC, and RIPE, but it sure has helped us.
    
    Note that I *only* block port 25 - I do not want to interfere with 
    http or DNS traffic. (I act as a small ISP.)
    
    I am also NOT advocating this for everyone - I'm just describing a 
    process and its results.  ;-)
    
    
    
    >Thank you, but how do you block at the firewall when they are all 
    >coming from different ISP addresses?  You have to enter each one 
    >individually right?  One person has gotten over 90 in one week, that 
    >will certainly be time consuming, but they may try it anyway as it 
    >has been a real headache. Wouldn't it be easier for the ISP to block 
    >before the mail is sent out to all their customers?  Thanks, Have a 
    >great day, Heidi
    >
    >
    >----- Original Message -----
    >From: jeffrey
    >Sent: Wednesday, May 22, 2002 7:01 AM
    >To: crime@private
    >Subject: Re: CRIME Korean spam & Klez
    >
    >Though perhaps draconian, I have had great success with blocking most
    >of the Chinese and Korean IP space at a firewall (just port 25). Yes,
    >I get a lot of log entries and, yes, there is a chance I may block a
    >legit email (someday), but it has reduced that source to the merest
    >trickle....
    >
    >Most viruses come in as attachments. Most attachments come in with a
    >.xxx suffix that can be filtered at the mail server level. I haven't
    >accepted a .com, .vbs, .shr, etc. file via email in a long time,
    >because of the probability of it being a virus.
    >
    >
    >
    >>I know of several people who have been having a big problem with
    >>receiving Korean Spam e-mails.  One in particular, receives eight
    >>plus Korean spam mails per day.  This has greatly disrupted their
    >>business.  The information has been sent to the Korean War Project,
    >>see link below. If you are having any trouble with the Korean spam
    >>the links below will provide you with more information.
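
The range-based, port-25-only block described in this message, worked through as an added example (not the poster's own configuration): it converts start-end ranges into CIDR blocks and emits log-then-drop rules for inbound SMTP. The use of iptables, the `INPUT` chain, the log prefix and the second sample range are assumptions made for illustration.

```python
import ipaddress

# Constructed input: one "start-end" range per line, '#' starts a comment.
SAMPLE_RANGES = """\
211.32.0.0-211.71.255.255    # the range quoted in the message
198.51.100.0-198.51.100.255  # constructed sample (RFC 5737 test net)
"""

def parse_ranges(text):
    """Yield (first, last) IPv4Address pairs from 'a.b.c.d-e.f.g.h' lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in line.split("-"))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad range {line!r}") from exc
        if lo > hi:
            raise ValueError(f"line {lineno}: start is above end in {line!r}")
        yield lo, hi

def to_cidrs(ranges):
    """Turn arbitrary ranges into the smallest set of CIDR blocks."""
    nets = []
    for lo, hi in ranges:
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return list(ipaddress.collapse_addresses(nets))

def smtp_block_rules(cidrs, chain="INPUT"):
    """Log-then-drop rules for inbound TCP/25 only; other ports untouched.
    The chain name is an assumption; a forwarding gateway would use FORWARD."""
    rules = []
    for net in cidrs:
        match = f"-A {chain} -p tcp -s {net} --dport 25"
        rules.append(f'iptables {match} -j LOG --log-prefix "smtp-block: "')
        rules.append(f"iptables {match} -j DROP")
    return rules

def is_blocked(addr, cidrs):
    """Check a sender's address against the list (e.g. a missing-mail report)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in cidrs)

if __name__ == "__main__":
    cidrs = to_cidrs(parse_ranges(SAMPLE_RANGES))
    print("\n".join(smtp_block_rules(cidrs)))
    print("211.40.1.1 blocked:", is_blocked("211.40.1.1", cidrs))
```

Running `is_blocked` against the connecting address from a bounce or a missing-mail complaint shows quickly whether the block list is the cause.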
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:43:30 PDT