Blocking large IP ranges, was Re: I dont know if I should be upset about this spam or not???
Good evening, Greg,

On Thu, 12 Feb 2004, Greg Cirino - Cirelle Enterprises wrote:

> Unless you need folks from the 80.0.0.0/8
> to email directly, just firewall those ranges
> from getting to port 25
>
> by the way there are a bunch from the 8x.0.0.0/8
> that do nothing but spam.
>
> my 2 cents (in 2004 currency exchange rates)

Greg, have you considered what you're saying?

The 80.x.x.x block is allocated to RIPE (http://www.ripe.net) for
suballocation to its members, who are ISPs located in Europe, the Middle
East, Central Asia, and Africa.
Unless I've misunderstood what you said, you seem to be
recommending that we blacklist a significant portion - probably between 5%
and 15% - of the landmass of the earth, because some of the people whose
IP addresses start with 80 spam.
I _sincerely_ hope that you were kidding and that my funnybone
needs a serious tuning. :-)

Just for grins, I went back to the IP addresses used by the web
servers I have in my sa-blacklist. Granted, these are _destination_
addresses, rather than the source of the spam. Here are the first octets
of those IP addresses (the second column) and how frequently they show
up in spammer web servers (the first column):

1 0
3 1
6 10
2 115
60 12
5 127
21 128
10 129
18 130
1 131
2 134
2 137
2 138
3 139
13 140
1 141
13 146
4 147
2 148
1 155
52 157
16 161
1 162
2 165
4 167
30 168
1 171
11 192
30 193
33 194
22 195
1 196
140 198
34 199
474 200
166 202
52 203
132 204
52 205
72 206
497 207
165 208
383 209
85 210
244 211
75 212
63 213
977 216
80 217
332 218
519 219
172 220
86 221
89 24
119 38
36 4
611 61
50 62
349 63
1024 64
367 65
1203 66
70 67
57 68
558 69
59 80
65 81
23 82
3 83

By your logic, we might want to blacklist 64 (Concentric) and 66
(Sprint) against outbound web traffic. *smile*
Just in case anyone else's sense of humor is as badly damaged as
mine seems to be, _don't do this_.
Cheers,
- Bill

---------------------------------------------------------------------------
"...exploiting this vulnerability would cause the RPC service to
fail, with the attendant loss of any RPC-based services the server
offers, as well as potential loss of some COM functions.
...Although Windows NT 4.0 is affected by this vulnerability,
Microsoft is unable to provide a patch for this vulnerability for
Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not
support the changes that would be required to remove this vulnerability.
Windows NT 4.0 users are strongly encouraged to employ the workaround
discussed in the FAQ below, which is to protect the NT 4.0 system with a
firewall that blocks Port 135."

-- http://www.microsoft.com/technet/security/bulletin/MS03-010.asp?frame=true

"Microsoft is betting that customers using 7-year-old Windows NT
4 Server--35 percent of the total--are ripe for an upgrade."

-- http://news.com.com/2100-1012-994437.html
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
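The first-octet tally in Bill's post, and his objection to blocking a whole /8, can both be reproduced with a short script. This is an added example, not code from the post, from sa-blacklist, or from any of the tools in the signature; both address lists in it are constructed for the illustration and are not real spammer or correspondent data. It builds the same kind of count-per-first-octet table, then measures what a proposed block such as 80.0.0.0/8 would actually cut off: how many of the listed bad hosts it covers versus how many known-good correspondents it would silence, and contrasts that with per-/24 blocks derived from the bad addresses themselves.

```python
"""Tally first octets of a blocklist and measure the collateral damage of a
coarse /8 block versus targeted /24 blocks.

Added example; not part of the original post or sa-blacklist. All addresses
below are constructed sample data, not real spammer or correspondent hosts.
"""
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: addresses of web servers on a hypothetical blocklist
# (the kind of list sa-blacklist holds). Made up for this example.
BLOCKLIST_ADDRESSES = [
    "80.12.1.5", "80.200.3.9", "216.1.2.3", "216.9.9.9", "216.50.1.1",
    "66.7.7.7", "64.3.3.3", "200.1.1.1", "80.77.1.2",
]

# Constructed sample: mail servers of correspondents you know are legitimate,
# i.e. the mail you actually want to receive. Also made up.
KNOWN_GOOD_ADDRESSES = [
    "80.5.5.5", "80.44.1.1", "80.99.2.2", "194.1.1.1", "212.3.3.3",
    "216.50.1.200", "80.130.4.4",
]


def first_octet_histogram(addresses):
    """Return {first_octet: count}, the data behind the post's two-column table.

    IPv4Address() raises ValueError on malformed input, so a corrupt
    blocklist line fails loudly instead of being silently miscounted.
    """
    counts = Counter()
    for addr in addresses:
        counts[int(IPv4Address(addr)) >> 24] += 1
    return dict(counts)


def impact_of_blocks(blocks, bad_addrs, good_addrs):
    """Report how many bad and how many known-good addresses a set of blocks
    covers, plus the fraction of good correspondents that would be lost."""
    nets = [IPv4Network(b) for b in blocks]

    def covered(addr):
        ip = IPv4Address(addr)
        return any(ip in net for net in nets)

    bad_hit = sum(1 for a in bad_addrs if covered(a))
    good_hit = sum(1 for a in good_addrs if covered(a))
    lost = good_hit / len(good_addrs) if good_addrs else 0.0
    return {"bad_blocked": bad_hit, "good_blocked": good_hit,
            "good_lost_fraction": lost}


def targeted_blocks(bad_addrs, prefixlen=24):
    """Collapse each bad address to its enclosing /prefixlen and de-duplicate.

    strict=False lets ipaddress zero the host bits for us (80.12.1.5/24
    becomes 80.12.1.0/24).
    """
    nets = {IPv4Network(f"{a}/{prefixlen}", strict=False) for a in bad_addrs}
    return sorted(str(n) for n in nets)


def print_table(histogram):
    """Print in the post's layout: count first, then the first octet."""
    for octet, count in sorted(histogram.items(), key=lambda kv: kv[1]):
        print(f"{count:>6} {octet}")


if __name__ == "__main__":
    print_table(first_octet_histogram(BLOCKLIST_ADDRESSES))
    print()
    coarse = impact_of_blocks(["80.0.0.0/8"],
                              BLOCKLIST_ADDRESSES, KNOWN_GOOD_ADDRESSES)
    print("80.0.0.0/8 block:", coarse)
    fine = targeted_blocks(BLOCKLIST_ADDRESSES)
    print("per-/24 blocks:", impact_of_blocks(fine, BLOCKLIST_ADDRESSES,
                                              KNOWN_GOOD_ADDRESSES))
```

On the constructed sample the /8 block stops three of nine bad hosts while silencing four of seven legitimate correspondents; the nine /24 blocks stop all nine bad hosts and silence one. The numbers are made up, but the shape of the result is the point of the post: a first-octet count says nothing about how much legitimate traffic shares that octet, so the collateral-damage check against known-good peers has to be run before any block this coarse goes into a firewall.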