Re: CRIME Korean spam & Klez

From: jeffrey (jeffrey@private)
Date: Wed May 22 2002 - 12:31:10 PDT

Next message: VICTORIA.EVANS@private: "RE: CRIME Virus list"

Previous message: John McHugh: "Re: CRIME Virus list"
Next in thread: John E Jewkes-AAA0OR-AAA0ID: "Re: CRIME Korean spam & Klez"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I use address *ranges*. ie something like  211.32.0.0-211.71.255.255 
This will block 50 Class B's (each Class B has about 65,000 IP 
addresses)

Over time, I have compiled lists of ranges that I can count on to be 
1) likely spam/relay sources, and 2) unlikely to ever have a legit 
need to send us mail. (The one I mention above is mostly the Korea 
Network Information Center.) It's takes some research, and a lot of 
look-ups at ARIN, APNIC, and RIPE, but it sure has helped us.

Note that I *only* block port 25 - I do not want to interfere with 
http or DNS traffic. (I act as a small ISP.)

I am also NOT advocating this for everyone - I'm just describing a 
process and its results.  ;-)



>Thank you, but how do you block at the firewall when they are all 
>coming from different ISP addresses?  You have to enter each one 
>individually right?  One person has gotten over 90 in one week, that 
>will certainly be timing consuming, but they may try it anyway as it 
>has been a real headache. Wouldn't it be easier for the ISP to block 
>before the mail is sent out to all their customers?  Thanks, Have a 
>great day, Heidi
>
>
>----- Original Message -----
>From: jeffrey
>Sent: Wednesday, May 22, 2002 7:01 AM
>To: crime@private
>Subject: Re: CRIME Korean spam & Klez
>
>Though perhaps draconian, I have had great success with blocking most
>of the chinese and korean IP space at a firewall (just port 25). Yes,
>I get a lot of log entries and, yes, there is a chance I may block a
>legit email (someday), but it has reduced that source to the merest
>trickle....
>
>Most viruses come in as attachments. Most attachments come in with a
>.xxx suffix that can be filtered at the mail server level. I haven't
>accepted a .com, .vbs, .shr, etc. file via email in a long time,
>because of the probability of it being a virus.
>
>
>
>>I know of several people who have been having a big problem with
>>receiving Korean Spam e-mails.  One in particular, receives eight
>>plus Korean spam mails per day.  This has greatly disrupted their
>>business.  The information has been sent to the Korean War Project,
>>see link below. If you are having any trouble with the Korean spam
>>the links below will provide you with more information.

Next message: VICTORIA.EVANS@private: "RE: CRIME Virus list"
Previous message: John McHugh: "Re: CRIME Virus list"
Next in thread: John E Jewkes-AAA0OR-AAA0ID: "Re: CRIME Korean spam & Klez"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:43:30 PDT