Mailing List Archive

New type of SPAM aggression
This is to inform about a new type of SPAM aggression.

We received from Russia, for months, and redirected them automatically to an administrative address for manual inspection. All emails were spam with links. From the standpoint of the attacker(s), all emails were delivered, but none turned into exploits.

Today, we learned that "gremlin.ru" included our IPs in their DNSBL. We followed the address to de-list, but gremlin.ru does not exist.

So, if you are successful against Russian spam, you will be ... blacklisted by an unknown gremlin.
Re: New type of SPAM aggression [ In reply to ]
The spammers at gremlin.ru have just created a homepage, with no information on how to delist an IP.

Their fake dnsbl is listed as genuine in at least two antispam engines.

On Wed, Feb 6, 2019 at 12:55, Rupert Gallagher <ruga@protonmail.com> wrote:

> This is to inform about a new type of SPAM aggression.
>
> We received from Russia, for months, and redirected them automatically to an administrative address for manual inspection. All emails were spam with links. From the standpoint of the attacker(s), all emails were delivered, but none turned into exploits.
>
> Today, we learned that "gremlin.ru" included our IPs in their DNSBL. We followed the address to de-list, but gremlin.ru does not exist.
>
> So, if you are successful against Russian spam, you will be ... blacklisted by an unknown gremlin.
Re: New type of SPAM aggression [ In reply to ]
Hi,

Anyone can start a DNSBL and list IP space of people they don't like, as
you surely know. As long as no one uses such a DNSBL to block traffic,
no harm is done.

The interesting part is which "engines" (I guess that you mean antispam
software or antispam saas providers) think that such a DNSBL should be
actually used. Can you disclose which parties you found?

Kind regards,

Tom

On 06-02-19 14:40, Rupert Gallagher wrote:
> The spammers at gremlin.ru have just created a homepage, with no
> information on how to delist an IP.
>
> Their fake dnsbl is listed as genuine in at least two antispam engines.
>
>
> On Wed, Feb 6, 2019 at 12:55, Rupert Gallagher <ruga@protonmail.com> wrote:
>> This is to inform about a new type of SPAM aggression.
>>
>> We received from Russia, for months, and redirected them automatically
>> to an administrative address for manual inspection. All emails were
>> spam with links. From the standpoint of the attacker(s), all emails
>> were delivered, but none turned into exploits.
>>
>> Today, we learned that "gremlin.ru" included our IPs in their DNSBL.
>> We followed the address to de-list, but gremlin.ru does not exist.
>>
>> So, if you are successful against Russian spam, you will be ...
>> blacklisted by an unknown gremlin.
>>
>
>
Re: New type of SPAM aggression [ In reply to ]
On Wed, 06 Feb 2019 11:55:07 +0000
Rupert Gallagher wrote:

> This is to inform about a new type of SPAM aggression.
>
> We received from Russia, for months, and redirected them
> automatically to an administrative address for manual inspection. All
> emails were spam with links. From the standpoint of the attacker(s),
> all emails were delivered, but none turned into exploits.
>
> Today, we learned that "gremlin.ru" included our IPs in their DNSBL.
> We followed the address to de-list, but gremlin.ru does not exist.
>
> So, if you are successful against Russian spam, you will be ...
> blacklisted by an unknown gremlin.

You reported some spam and now you are listed in a blocklist, therefore
that list is run by the same spammer. There's no evidence of anything
here aside from a paranoid delusion.
Re: New type of SPAM aggression [ In reply to ]
Not the first time I’ve heard of gremlin.ru – found this from a mirror of their FAQ:

---8<---
A: Surely, you have received a bounce message similar to this:
550 Rejected: 192.168.62.14 is listed at work.drbl.example.net
This is well enough to investigate, who (and ever why) had listed your host. First of all, who:
% host -t any 14.62.168.192.work.drbl.example.net
14.62.168.192.work.drbl.example.net has address 127.0.0.2
14.62.168.192.work.drbl.example.net descriptive text
"vote.drbl.example.net@ns.example.net"
Why:
% host -t any 14.62.168.192.vote.drbl.example.net
14.62.168.192.vote.drbl.example.net has address 127.0.0.2
14.62.168.192.vote.drbl.example.net descriptive text
"Open SOCKS proxy"
Fix the SOCKS issue - e.g., by setting up NAT - and do one more NS query:
% host -t soa vote.drbl.example.net
vote.drbl.example.net SOA ns.example.net postmaster.example.net(
1067889002 ;serial (version)
10800 ;refresh period
1800 ;retry refresh this often
604800 ;expiration period
86400 ;minimum TTL
)
Now, write to "postmaster AT example DOT net" and ask them to re-test your server.

Paul


From: Rupert Gallagher <ruga@protonmail.com>
Reply-To: Rupert Gallagher <ruga@protonmail.com>
Date: Wednesday, 6 February 2019 at 11:55
To: SA <users@spamassassin.apache.org>
Subject: New type of SPAM aggression

This is to inform about a new type of SPAM aggression.

We received from Russia, for months, and redirected them automatically to an administrative address for manual inspection. All emails were spam with links. From the standpoint of the attacker(s), all emails were delivered, but none turned into exploits.

Today, we learned that "gremlin.ru" included our IPs in their DNSBL. We followed the address to de-list, but gremlin.ru does not exist.

So, if you are successful against Russian spam, you will be ... blacklisted by an unknown gremlin.


Paul Stead
Senior Engineer
Zen Internet
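
The lookup shown in the FAQ excerpt above can be scripted to check a DNSBL before anyone trusts it. This is an added Python example, not part of the thread or of any DNSBL's own tooling: it builds the reversed query name (IPv6 nibble form included, which goes beyond the excerpt) and applies the RFC 5782 test points. The `parked.example` zone, the resolver data and the function names are constructed for illustration.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip: str, zone: str) -> str:
    """Reverse the address (octets for IPv4, nibbles for IPv6), append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.strip(".")


def system_resolve(name: str) -> list:
    """A-record lookup via the system resolver; no answer means not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def lookup(ip: str, zone: str, resolve=system_resolve) -> str:
    answers = resolve(query_name(ip, zone))
    if not answers:
        return "not listed"
    if all(ipaddress.ip_address(a) in LOOPBACK for a in answers):
        return "listed"
    # An answer outside 127.0.0.0/8 is not a DNSBL reply: wildcard or parked zone.
    return "invalid"


def zone_is_sane(zone: str, resolve=system_resolve) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    return (lookup("127.0.0.2", zone, resolve) == "listed"
            and lookup("127.0.0.1", zone, resolve) == "not listed")


# Constructed resolver data so the example runs offline.
FAKE_A = {
    "14.62.168.192.work.drbl.example.net": ["127.0.0.2"],
    "2.0.0.127.work.drbl.example.net": ["127.0.0.2"],
}


def fake_resolve(name: str) -> list:
    if name.endswith(".parked.example"):  # wildcard zone: answers every name
        return ["203.0.113.7"]
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for zone in ("work.drbl.example.net", "parked.example"):
        print(zone, zone_is_sane(zone, fake_resolve),
              lookup("192.168.62.14", zone, fake_resolve))
```

The TXT record that carries the listing reason needs a full DNS library and is left out here; `host -t txt` as in the excerpt retrieves it.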
Re: New type of SPAM aggression [ In reply to ]
Search engines on DNSBLs:

multiRBL.valli.org
www.rbls.org

On Wed, Feb 6, 2019 at 15:19, Tom Hendrikx <tom@whyscream.net> wrote:

> Hi,
>
> Anyone can start a DNSBL and list IP space of people they don't like, as
> you surely know. As long as no one uses such a DNSBL to block traffic,
> no harm is done.
>
> The interesting part is which "engines" (I guess that you mean antispam
> software or antispam saas providers) think that such a DNSBL should be
> actually used. Can you disclose which parties you found?
>
> Kind regards,
>
> Tom
>
> On 06-02-19 14:40, Rupert Gallagher wrote:
>> The spammers at gremlin.ru have just created a homepage, with no
>> information on how to delist an IP.
>>
>> Their fake dnsbl is listed as genuine in at least two antispam engines.
>>
>>
>> On Wed, Feb 6, 2019 at 12:55, Rupert Gallagher <ruga@protonmail.com> wrote:
>>> This is to inform about a new type of SPAM aggression.
>>>
>>> We received from Russia, for months, and redirected them automatically
>>> to an administrative address for manual inspection. All emails were
>>> spam with links. From the standpoint of the attacker(s), all emails
>>> were delivered, but none turned into exploits.
>>>
>>> Today, we learned that "gremlin.ru" included our IPs in their DNSBL.
>>> We followed the address to de-list, but gremlin.ru does not exist.
>>>
>>> So, if you are successful against Russian spam, you will be ...
>>> blacklisted by an unknown gremlin.
>>>
>>
>>
Re: New type of SPAM aggression [ In reply to ]
On Wed, Feb 6, 2019 at 15:42, RW <rwmaillists@googlemail.com> wrote:

> On Wed, 06 Feb 2019 11:55:07 +0000
> Rupert Gallagher wrote:
>
>> This is to inform about a new type of SPAM aggression.
>>
>> We received from Russia, for months, and redirected them
>> automatically to an administrative address for manual inspection. All
>> emails were spam with links. From the standpoint of the attacker(s),
>> all emails were delivered, but none turned into exploits.
>>
>> Today, we learned that "gremlin.ru" included our IPs in their DNSBL.
>> We followed the address to de-list, but gremlin.ru does not exist.
>>
>> So, if you are successful against Russian spam, you will be ...
>> blacklisted by an unknown gremlin.
>
> You reported some spam and now you are listed in a blocklist, therefore
> that list is run by the same spammer. There's no evidence of anything
> here aside from a paranoid delusion.

No, you idiot! The spammer votes against you on the dnsbl as a revenge. The fact that the dnsbl itself is suspicious and allows downvotes from arrogant spammers just adds up. We do not send spam at all, we never did, and we have never ever sent anything to Russia.
RE: New type of SPAM aggression [ In reply to ]
> … All emails were spam with links. …

We receive such spam mails with a lot of links too.
Is there a rule which detects a certain amount of links inside an e-mail ?


// Hans


--



From: Rupert Gallagher <ruga@protonmail.com>
Sent: Wednesday, February 6, 2019 12:55 PM
To: SA <users@spamassassin.apache.org>
Subject: New type of SPAM aggression

This is to inform about a new type of SPAM aggression.

We received from Russia, for months, and redirected them automatically to an administrative address for manual inspection. All emails were spam with links. From the standpoint of the attacker(s), all emails were delivered, but none turned into exploits.

Today, we learned that "gremlin.ru" included our IPs in their DNSBL. We followed the address to de-list, but gremlin.ru does not exist.

So, if you are successful against Russian spam, you will be ... blacklisted by an unknown gremlin.
Re: RE: New type of SPAM aggression [ In reply to ]
full __HAS_URI /(http|https):///
tflags __HAS_URI multiple
meta TMU ( _HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0

On Thu, Feb 7, 2019 at 09:12, MAYER Hans <Hans.Mayer@iiasa.ac.at> wrote:

>
>
>> … All emails were spam with links. …
>
> We receive such spam mails with a lot of links too.
>
> Is there a rule which detects a certain amount of links inside an e-mail ?
Re: New type of SPAM aggression [ In reply to ]
Rupert Gallagher skrev den 2019-02-07 19:37:
> full __HAS_URI /(http|https):///
> tflags __HAS_URI multiple
> meta TMU ( _HAS_URI > 10 )
> describe TMU Too many URIs (>10)
> score TMU 5.0

mixed http and https, real spam

browsers would not like it
Re: RE: New type of SPAM aggression [ In reply to ]
On Thu, 7 Feb 2019, Rupert Gallagher wrote:

> full __HAS_URI /(http|https):///
> tflags __HAS_URI multiple
> meta TMU ( _HAS_URI > 10 )
> describe TMU Too many URIs (>10)
> score TMU 5.0

Be aware, if the mail has properly-formed HTML and plain-text alternate
versions, that will double-count every URI.

Also, if you only care about more than ten hits, add

tflags __HAS_URI maxhits=11

...to avoid matching ones you don't care about.


> On Thu, Feb 7, 2019 at 09:12, MAYER Hans <Hans.Mayer@iiasa.ac.at> wrote:
>
>>
>>
>>> … All emails were spam with links. …
>>
>> We receive such spam mails with a lot of links too.
>>
>> Is there a rule which detects a certain amount of links inside an e-mail ?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The difference between ignorance and stupidity is that the stupid
desire to remain ignorant. -- Jim Bacon
-----------------------------------------------------------------------
5 days until Abraham Lincoln's and Charles Darwin's 210th Birthdays
RE: RE: New type of SPAM aggression [ In reply to ]
Dear Rupert,

Many thanks for your configuration you posted.
I installed your ruleset but unfortunately it didn’t trigger. I run “spamassassin -D < “ redirecting from a text file too and it doesn’t show this rule. But other local rules are triggered which I add. Obviously it does not recognize these URLs. I played around a little bit with the “full” statement but without success. Also with a simplified regex.
Finally I saw you missed an underscore in “meta” statement. It should be: meta TMU ( __HAS_URI > 10 )
And the “full” statement should be: full __HAS_URI /(http|https):\/\//

I post this to the mailing list because it could be useful for others too.

This is the mail body with which I made some tests:

https://ajnsxz.com/?ajnsxz ajnsxz https://befghkp.ua/?befghkp befghkp https://ailswy.ua/?ailswy ailswy
https://efjqsxy.ua/?efjqsxy efjqsxy http://dfhtv.ua/?dfhtv dfhtv https://begimrv.ua/?begimrv
<https://begimrv.ua/?begimrv> begimrv https://jlprv.net/?jlprv <https://jlprv.net/?jlprv> jlprv
http://efhsz.ua/?efhsz efhsz https://dgiqs.ua/?dgiqs dgiqs http://bgiprx.net/?bgiprx
<http://bgiprx.net/?bgiprx> bgiprx https://cdklmqv.biz/?cdklmqv <https://cdklmqv.biz/?cdklmqv>
cdklmqv https://adgnowz.ua/?adgnowz <https://adgnowz.ua/?adgnowz> adgnowz
http://cfjnorty.ru/?cfjnorty <http://cfjnorty.ru/?cfjnorty> cfjnorty https://bcfhpqvy.ru/?bcfhpqvy
<https://bcfhpqvy.ru/?bcfhpqvy> bcfhpqvy http://beiqv.biz/?beiqv <http://beiqv.biz/?beiqv> beiqv


I learned a lot. Your reply was very helpful.

Kind regards
Hans




From: Rupert Gallagher <ruga@protonmail.com>
Sent: Thursday, February 7, 2019 7:37 PM
To: MAYER Hans <Hans.Mayer@iiasa.ac.at>; SA <users@spamassassin.apache.org>
Subject: Re: RE: New type of SPAM aggression


full __HAS_URI /(http|https):///
tflags __HAS_URI multiple
meta TMU ( _HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0



On Thu, Feb 7, 2019 at 09:12, MAYER Hans <Hans.Mayer@iiasa.ac.at> wrote:

> … All emails were spam with links. …

We receive such spam mails with a lot of links too.
Is there a rule which detects a certain amount of links inside an e-mail ?
Re: New type of SPAM aggression [ In reply to ]
On Tue, 12 Feb 2019 09:44:02 +0000
MAYER Hans wrote:



> “full” statement should be: full __HAS_URI /(http|https):\/\//



This is still a poor rule, "full" is actually the worst type to use.

Both full and rawbody can find a lot more links than are relevant. It's
already been mentioned that in multipart/alternative emails, links are
double-counted. If the HTML also uses buttons or displays the link as
text, clickable links are then triple-counted. There can also be other
irrelevant links to images, fonts, etc, and it's common for HTML to have
informational links about tools and standards.

"full" is worse than "rawbody" because it will fail completely if the
spammer switches to base64, and it will count additional spurious links
in headers.

Personally I get a lot of legitimate emails with many clickable
links, so this sounds like a bad idea. If you really want to do this you
should use a "body" rule for counting. You may also want to have a
different threshold if Content-Type contains 'multipart/alternative'.
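
The counting differences described in this message can be reproduced outside SpamAssassin. The Python sketch below is an added illustration, not part of the thread and not SpamAssassin code: it builds a constructed multipart/alternative mail and counts links with a regex over the raw message (roughly what a "full" rule sees), over the decoded parts (roughly "rawbody"), and as distinct URLs. The sample hosts and function names are made up.

```python
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def build_sample(n_links: int, base64_body: bool) -> str:
    """Constructed multipart/alternative mail carrying the same n links twice."""
    links = [f"http://site{i}.example/?x" for i in range(n_links)]
    html = "".join(f'<a href="{u}">{u}</a><br>' for u in links)
    # Python's email package base64-encodes utf-8 parts and leaves us-ascii 7bit.
    charset = "utf-8" if base64_body else "us-ascii"
    msg = MIMEMultipart("alternative")
    msg["Subject"] = "constructed sample"
    msg["List-Unsubscribe"] = "<http://lists.example/unsub>"  # link in a header
    msg.attach(MIMEText("\n".join(links), "plain", charset))
    msg.attach(MIMEText(html, "html", charset))
    return msg.as_string()


def decoded_text_parts(raw: str):
    """Yield each text/* part after undoing its transfer encoding."""
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True)
            yield data.decode(part.get_content_charset() or "utf-8", "replace")


def count_links(raw: str) -> dict:
    parts = list(decoded_text_parts(raw))
    return {
        # regex over the undecoded message, headers included
        "raw_message": len(URI_RE.findall(raw)),
        # regex over every decoded part: href, link text and plain text all count
        "decoded_parts": sum(len(URI_RE.findall(p)) for p in parts),
        # each distinct link once, however often the parts repeat it
        "distinct": len({u for p in parts for u in URI_RE.findall(p)}),
    }


def too_many(count: int, limit: int = 10) -> bool:
    """The thread's threshold: fire when the count exceeds 10."""
    return count > limit


if __name__ == "__main__":
    for b64 in (False, True):
        counts = count_links(build_sample(4, b64))
        print("base64" if b64 else "7bit", counts,
              {k: too_many(v) for k, v in counts.items()})
```

With only four real links, the 7bit sample already crosses the ">10" threshold on both regex counts, while the base64 sample leaves the raw-message count with nothing but the header link.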
Re: New type of SPAM aggression [ In reply to ]
Let's see if the mail arrives with the correct escaping this time.

body __HAS_URI /(http|https):\/\//
tflags __HAS_URI multiple
meta TMU ( __HAS_URI > 10 )
describe TMU Too many URIs (>10)
score TMU 5.0

As rightly noted, the same link is counted twice, for text and html bodies when they are present. However, my corpus has more of the odd type, where the text and the html parts are different: if you switch from text to html you read a different message for the same email. Those who fill their emails with lots of useless pics get the spam rating they deserve, so I intentionally count all links.

I feel more than generous with 5+5 links, but if you want more, or less, you can easily change to fit your local policy.
Re: New type of SPAM aggression [ In reply to ]
Note that the "too many uris" thing has nothing to do with the Russian gremlin who, in the meantime, has disabled the part of the rbl that explains why the IP was listed. Before the change, the service stated that the IP fell into their spamtrap, whatever that is. The fact remains that we have never sent mail to the gremlin, and we have now blocked their IP at the firewall, so if they want to play, they can go play elsewhere.
Re: New type of SPAM aggression [ In reply to ]
On Tue, 12 Feb 2019 16:38:47 +0000
Rupert Gallagher wrote:

> Let's see if the mail arrives with the correct escaping this time.
>
> body __HAS_URI /(http|https):\/\//
> tflags __HAS_URI multiple
> meta TMU ( __HAS_URI > 10 )
> describe TMU Too many URIs (>10)
> score TMU 5.0
>

> Those who fill their emails with lots of useless pics get the spam
> rating they deserve, so I intentionally count all links.


You stopped doing that when you switched from full to body.
Re: New type of SPAM aggression [ In reply to ]
On Tue, 12 Feb 2019, Rupert Gallagher wrote:

> Let's see if the mail arrives with the correct escaping this time.
>
> body __HAS_URI /(http|https):\/\//
> tflags __HAS_URI multiple
> meta TMU ( __HAS_URI > 10 )
> describe TMU Too many URIs (>10)
> score TMU 5.0

How about:

uri __HAS_URI /^http/i
tflags __HAS_URI multiple, maxhits=11
etc.


> As rightly noted, the same link is counted twice, for text and html bodies when they are present. However, my corpus has more of the odd type, where the text and the html parts are different: if you switch from text to html you read a different message for the same email. Those who fill their emails with lots of useless pics get the spam rating they deserve, so I intentionally count all links.
>
> I feel more than generous with 5+5 links, but if you want more, or less, you can easily change to fit your local policy.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The world has enough Mouse Clicking System Engineers.
-- Dave Pooser
-----------------------------------------------------------------------
Today: Abraham Lincoln's and Charles Darwin's 210th Birthdays
Re: New type of SPAM aggression [ In reply to ]
On Tue, 12 Feb 2019, Rupert Gallagher wrote:

> and we have now blocked their IP at the firewall,

A suggestion: it may hurt them more if you TCP tarpit them instead of just
blocking them. That's what I do.

Perhaps a little stale, and overkill for manual punishment, but it
documents the tools:

http://www.impsec.org/~jhardin/antispam/spammer-firewall

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The world has enough Mouse Clicking System Engineers.
-- Dave Pooser
-----------------------------------------------------------------------
Today: Abraham Lincoln's and Charles Darwin's 210th Birthdays
Re: New type of SPAM aggression [ In reply to ]
On Tue, 12 Feb 2019 16:49:27 +0000
Rupert Gallagher wrote:

> Before the change, the
> service stated that the IP fell into their spamtrap, whatever that
> is.

Seriously?


> The fact remains that we have never sent mail to the gremlin,

How can you possibly know that you haven't sent anything to the
spamtrap?
Re: New type of SPAM aggression [ In reply to ]
Ah, ok...

On Tue, Feb 12, 2019 at 18:04, RW <rwmaillists@googlemail.com> wrote:

> On Tue, 12 Feb 2019 16:38:47 +0000
> Rupert Gallagher wrote:
>
>> Let's see if the mail arrives with the correct escaping this time.
>>
>> body __HAS_URI /(http|https):\/\//
>> tflags __HAS_URI multiple
>> meta TMU ( __HAS_URI > 10 )
>> describe TMU Too many URIs (>10)
>> score TMU 5.0
>>
>
>> Those who fill their emails with lots of useless pics get the spam
>> rating they deserve, so I intentionally count all links.
>
> You stopped doing that when you switched from full to body.
Re: New type of SPAM aggression [ In reply to ]
I like it!

On Tue, Feb 12, 2019 at 18:15, John Hardin <jhardin@impsec.org> wrote:

> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>
>> Let's see if the mail arrives with the correct escaping this time.
>>
>> body __HAS_URI /(http|https):\/\//
>> tflags __HAS_URI multiple
>> meta TMU ( __HAS_URI > 10 )
>> describe TMU Too many URIs (>10)
>> score TMU 5.0
>
> How about:
>
> uri __HAS_URI /^http/i
> tflags __HAS_URI multiple, maxhits=11
> etc.
>
>> As rightly noted, the same link is counted twice, for text and html bodies when they are present. However, my corpus has more of the odd type, where the text and the html parts are different: if you switch from text to html you read a different message for the same email. Those who fill their emails with lots of useless pics get the spam rating they deserve, so I intentionally count all links.
>>
>> I feel more than generous with 5+5 links, but if you want more, or less, you can easily change to fit your local policy.
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> The world has enough Mouse Clicking System Engineers.
> -- Dave Pooser
> -----------------------------------------------------------------------
> Today: Abraham Lincoln's and Charles Darwin's 210th Birthdays
Re: New type of SPAM aggression [ In reply to ]
Ehhh.... not available on bsd with pf, or so it was the last time I checked. Good for you as you have it! It is a fantastic piece of aikido.

On Tue, Feb 12, 2019 at 18:19, John Hardin <jhardin@impsec.org> wrote:

> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>
>> and we have now blocked their IP at the firewall,
>
> A suggestion: it may hurt them more if you TCP tarpit them instead of just
> blocking them. That's what I do.
>
> Perhaps a little stale, and overkill for manual punishment, but it
> documents the tools:
>
> http://www.impsec.org/~jhardin/antispam/spammer-firewall
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> The world has enough Mouse Clicking System Engineers.
> -- Dave Pooser
> -----------------------------------------------------------------------
> Today: Abraham Lincoln's and Charles Darwin's 210th Birthdays
Re: New type of SPAM aggression [ In reply to ]
On Tue, Feb 12, 2019 at 18:34, RW <rwmaillists@googlemail.com> wrote:

> On Tue, 12 Feb 2019 16:49:27 +0000
> Rupert Gallagher wrote:
>
>> Before the change, the
>> service stated that the IP fell into their spamtrap, whatever that
>> is.
>
> Seriously?
>
>> The fact remains that we have never sent mail to the gremlin,
>
> How can you possibly know that you haven't sent anything to the
> spamtrap?

Logs!
Re: New type of SPAM aggression [ In reply to ]
On Tue, 12 Feb 2019, Rupert Gallagher wrote:

> Ehhh.... not available on bsd with pf, or so it was the last time I checked.

Bummer.

> Good for you as you have it! It is a fantastic piece of aikido.
>
> On Tue, Feb 12, 2019 at 18:19, John Hardin <jhardin@impsec.org> wrote:
>
>> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>>
>>> and we have now blocked their IP at the firewall,
>>
>> A suggestion: it may hurt them more if you TCP tarpit them instead of just
>> blocking them. That's what I do.
>>
>> Perhaps a little stale, and overkill for manual punishment, but it
>> documents the tools:
>>
>> http://www.impsec.org/~jhardin/antispam/spammer-firewall

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
Today: Abraham Lincoln's and Charles Darwin's 210th Birthdays
Re: New type of SPAM aggression [ In reply to ]
On 12 Feb 2019, at 15:04, Rupert Gallagher wrote:

> Ehhh.... not available on bsd with pf, or so it was the last time I
> checked.

A good 'tarpit' tool that IS available for *BSD (originating on OpenBSD)
is 'spamd' which unfortunately shares a name with the daemon aspect of
SA. There's a port for FreeBSD and pf.conf(5) documents its integration
with pf.

> Good for you as you have it! It is a fantastic piece of aikido.
>
> On Tue, Feb 12, 2019 at 18:19, John Hardin <jhardin@impsec.org> wrote:
>
>> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>>
>>> and we have now blocked their IP at the firewall,
>>
>> A suggestion: it may hurt them more if you TCP tarpit them instead of
>> just
>> blocking them. That's what I do.
[...]
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
