Hello, I did notice a lot of spam is originating from IPs from a certain ASN. We are talking about ASN 213035 AS-SERVERION Serverion B.V., NL. Every time I look up the whois details of an offending IP, it lists an address in The Netherlands. The address is "Krammer 8, 3232HE Brielle". Complaining doesn't help. Did that before. Only receiving more spam. So, I did investigate this a bit further and did notice this ASN has quite some /24 nets. I did list those below (end of this post). The spam originating from this ASN this weekend so far is the following:
Code:
195.133.38.4 # Spam - Des Capital B.V.
195.133.38.6 # Spam - Des Capital B.V.
195.133.38.10 # Spam - Des Capital B.V.
195.133.38.15 # Spam - Des Capital B.V.
195.133.38.14 # Spam - Des Capital B.V.
195.133.38.13 # Spam - Des Capital B.V.
I did notice the PTR records for those IPs look "funny"...
Code:
$ dig +short -x 195.133.38.6
cinemaprize.co.
$ dig +short -x 195.133.38.10
infinitesock.co.
$ dig +short -x 195.133.38.15
doubledespise.co.
$ dig +short -x 195.133.38.14
lilymember.co.
$ dig +short -x 195.133.38.13
permanentclaim.co.
I have been following this for over a year - and did recently remove all blocks to see if the spam keeps originating from the same IPs - and it does. I would like to find out all the PTR records and save those to a csv. My goal is to look through the list and keep the "funny" looking PTR records + IPs. Next I would like to block all the corresponding IP addresses. When I complain I don't get a response. When I look around on forums and so on, the outcome so far is that this organisation could be facilitating a spam haven. I think it's best to block the offending IPs. Examples of complaints and so on: https://www.spam.org/complaint?uid=C-195-133-16-81-8SQHFG35DS https://www.trustpilot.com/review/serverion.com Any suggestion on how to block these IPs? Or is there a better solution to this problem? Thank you.
Code: ASN 213035 AS-SERVERION Serverion B.V., NL 161.123.155.0/24 185.121.123.0/24 31.210.21.0/24 194.31.96.0/24 136.144.41.0/24 5.10.247.0/24 45.136.141.0/24 62.197.142.0/24 45.141.236.0/24 45.143.6.0/24 193.111.117.0/24 194.99.46.0/24 194.5.146.0/24 194.87.246.0/24 220.158.198.0/24 37.0.10.0/24 195.133.18.0/24 163.123.143.0/24 45.85.90.0/24 185.126.34.0/24 62.197.139.0/24 115.167.6.0/24 194.87.24.0/24 195.133.80.0/24 107.182.129.0/24 220.158.196.0/24 185.121.120.0/24 212.193.31.0/24 85.202.171.0/24 107.182.131.0/24 138.128.145.0/24 161.123.26.0/24 194.85.249.0/24 37.0.13.0/24 45.143.4.0/24 45.155.164.0/23 194.31.97.0/24 146.19.212.0/24 103.99.54.0/24 31.210.20.0/24 194.87.27.0/24 85.202.170.0/24 212.192.240.0/24 115.167.2.0/24 194.59.217.0/24 5.10.244.0/24 193.111.116.0/24 194.87.86.0/24 194.59.219.0/24 45.152.151.0/24 185.121.121.0/24 154.52.64.0/20 194.31.98.0/24 220.158.197.0/24 45.141.239.0/24 194.99.44.0/24 194.87.204.0/24 45.136.140.0/24 162.12.205.0/24 62.197.136.0/24 195.133.35.0/24 194.87.75.0/24 85.202.169.0/24 163.123.140.0/24 45.144.225.0/24 223.29.236.0/24 212.193.28.0/24 209.182.101.0/24 162.12.204.0/24 192.124.172.0/24 195.133.17.0/24 195.133.41.0/24 193.239.164.0/24 195.133.42.0/24 62.197.137.0/24 91.198.123.0/24 212.192.220.0/24 192.231.100.0/24 220.158.199.0/24 185.28.37.0/24 5.10.241.0/24 194.87.26.0/24 209.182.102.0/24 77.83.37.0/24 163.123.141.0/24 62.197.143.0/24 212.193.30.0/24 194.87.128.0/24 193.239.147.0/24 115.167.4.0/24 212.192.242.0/24 212.192.31.0/24 37.0.9.0/24 195.133.38.0/24 115.167.0.0/24 146.19.135.0/24 194.87.228.0/22 62.197.138.0/24 161.123.140.0/24 37.0.14.0/24 194.59.218.0/24 2a10:1440::/29 62.197.141.0/24 194.5.149.0/24 195.133.19.0/24 209.182.100.0/24 45.144.227.0/24 185.227.35.0/24 45.143.7.0/24 185.102.171.0/24 194.87.209.0/24 45.133.1.0/24 45.144.226.0/24 194.87.84.0/24 194.87.87.0/24 45.152.150.0/24 5.10.250.0/24 185.102.170.0/24 212.192.243.0/24 37.0.11.0/24 194.87.25.0/24 195.133.16.0/24 212.192.241.0/24 
203.159.80.0/24 162.12.207.0/24 193.142.22.0/24 45.141.237.0/24 85.158.146.0/24 194.87.208.0/24 45.141.238.0/24 45.85.190.0/24 185.28.39.0/24 45.146.186.0/24 85.202.168.0/24 31.210.23.0/24 194.87.85.0/24 45.142.3.0/24 195.133.43.0/24 194.5.148.0/24 194.99.47.0/24 45.15.40.0/24 2a07:5c0::/29 194.5.147.0/24 162.12.206.0/24 46.23.109.0/24 194.87.219.0/24 62.197.140.0/24 37.0.12.0/24 193.239.165.0/24 37.0.8.0/24 41.216.181.0/24 195.133.40.0/24 194.85.251.0/24 80.94.91.0/24 5.10.253.0/24
I would block them in the MTA (postfix?); you can do so with a cidr map, or even set up an RBL if you would rather manage those in DNS (convenient for sharing or for distribution among many servers).
I am blocking some IPs with ufw at the moment. I think I'll just check all IPs for PTR records - and will only block the IPs with a strange hostname. I expect some IPs to be sending spam and not all of them.
This will do what you want... The code after "origin" is the ASN number.
Code:
#!/bin/sh
## unified layer
# Ask RADb for every route object whose origin is the given ASN (RADb expects the "AS" prefix),
# keep the prefix from each "route:" line, sort the prefixes by octet and drop each one.
for i in $(whois -h whois.radb.net -- '-i origin AS46606' | grep "^route:" | cut -d ":" -f2 | sed -e 's/^[ \t]*//' | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4) ; do
    iptables -I INPUT -s "$i" -j DROP
done
Thanks. But no, this doesn't do what I want. This will block all the nets from the given ASN. I am looking into blocking only the IP addresses that have a "strange" or suspicious PTR. I will have to query every IP to check if it has a PTR. If it has a PTR, I will have to sift out all suspicious names. E.g. "dig +short -x 195.133.38.13", which returns "permanentclaim.co.". If all the IPs are suspicious, then I could block all the subnets.
I did find a nice command which can do a bulk reverse DNS query: prips. The next step is to find out if there's a legitimate website hosted on the given IP / FQDN and if there's proof of sending spam (and/or other detrimental behaviour). I did learn about this command here: https://unix.stackexchange.com/a/643901
Code:
$ prips 161.123.155.0/24 | xargs -I{} dig @1.1.1.1 +noall +answer -x {}
2.155.123.161.in-addr.arpa. 60 IN PTR audiorushart.com.
3.155.123.161.in-addr.arpa. 60 IN PTR negate-protocol.audiorushart.com.
4.155.123.161.in-addr.arpa. 60 IN PTR good-hm1479.audiorushart.com.
5.155.123.161.in-addr.arpa. 60 IN PTR pentnt-regsvr32.audiorushart.com.
6.155.123.161.in-addr.arpa. 60 IN PTR ymon2-5on.audiorushart.com.
11.155.123.161.in-addr.arpa. 60 IN PTR ai3l.trxkits.com.
12.155.123.161.in-addr.arpa. 60 IN PTR u0nz.trxkits.com.
13.155.123.161.in-addr.arpa. 60 IN PTR nv6y.trxkits.com.
14.155.123.161.in-addr.arpa. 60 IN PTR sr6h.trxkits.com.
18.155.123.161.in-addr.arpa. 60 IN PTR healthtary.com.
19.155.123.161.in-addr.arpa. 60 IN PTR expondist-setlocal.healthtary.com.
21.155.123.161.in-addr.arpa. 60 IN PTR pds-f42-intel.healthtary.com.
22.155.123.161.in-addr.arpa. 60 IN PTR bullet-mail-159.healthtary.com.
26.155.123.161.in-addr.arpa. 60 IN PTR findnetwork.info.
27.155.123.161.in-addr.arpa. 60 IN PTR findzone.info.
28.155.123.161.in-addr.arpa. 60 IN PTR thefreq.info.
30.155.123.161.in-addr.arpa. 60 IN PTR moneyclip.info.
35.155.123.161.in-addr.arpa. 60 IN PTR lovaking.com.
37.155.123.161.in-addr.arpa. 60 IN PTR artnesic.com.
38.155.123.161.in-addr.arpa. 60 IN PTR thanten.com.
42.155.123.161.in-addr.arpa. 60 IN PTR deducational.com.
44.155.123.161.in-addr.arpa. 60 IN PTR glath.deducational.com.
46.155.123.161.in-addr.arpa. 60 IN PTR frogz.deducational.com.
50.155.123.161.in-addr.arpa. 60 IN PTR gapingborg.com.
51.155.123.161.in-addr.arpa. 60 IN PTR process-mail-in.gapingborg.com.
52.155.123.161.in-addr.arpa. 60 IN PTR starkt.targests.com.
53.155.123.161.in-addr.arpa. 60 IN PTR debonair-home.gapingborg.com.
54.155.123.161.in-addr.arpa. 60 IN PTR chsecas-reikeit.gapingborg.com.
58.155.123.161.in-addr.arpa. 60 IN PTR pearanddiabetes.com.
59.155.123.161.in-addr.arpa. 60 IN PTR powers.pearanddiabetes.com.
60.155.123.161.in-addr.arpa. 60 IN PTR winters-bauer.pearanddiabetes.com.
61.155.123.161.in-addr.arpa. 60 IN PTR moore.pearanddiabetes.com.
62.155.123.161.in-addr.arpa. 60 IN PTR stanley-carrillo.pearanddiabetes.com.
66.155.123.161.in-addr.arpa. 60 IN PTR mail.muskitaart.nl.
67.155.123.161.in-addr.arpa. 60 IN PTR mail.wordfit.nl.
68.155.123.161.in-addr.arpa. 60 IN PTR mail.mannenblog.com.
69.155.123.161.in-addr.arpa. 60 IN PTR mail.autoblogster.nl.
70.155.123.161.in-addr.arpa. 60 IN PTR mail.luxewonen.com.
74.155.123.161.in-addr.arpa. 60 IN PTR sidekickpath.com.
75.155.123.161.in-addr.arpa. 60 IN PTR wires-enews-pr.sidekickpath.com.
76.155.123.161.in-addr.arpa. 60 IN PTR criteria-smart.sidekickpath.com.
77.155.123.161.in-addr.arpa. 60 IN PTR tier9-atribup.sidekickpath.com.
78.155.123.161.in-addr.arpa. 60 IN PTR homunculus.sidekickpath.com.
90.155.123.161.in-addr.arpa. 60 IN PTR swissother.net.
91.155.123.161.in-addr.arpa. 60 IN PTR operative.swissother.net.
92.155.123.161.in-addr.arpa. 60 IN PTR sgml-year.swissother.net.
93.155.123.161.in-addr.arpa. 60 IN PTR air413.swissother.net.
94.155.123.161.in-addr.arpa. 60 IN PTR sdbasic-spekrhd.swissother.net.
98.155.123.161.in-addr.arpa. 60 IN PTR cycles-variables-enews.blizzardkit.com.
99.155.123.161.in-addr.arpa. 60 IN PTR long-enews-vm2.blizzardkit.com.
100.155.123.161.in-addr.arpa. 60 IN PTR blizzardkit.com.
101.155.123.161.in-addr.arpa. 60 IN PTR china.blizzardkit.com.
102.155.123.161.in-addr.arpa. 60 IN PTR train-wedding.blizzardkit.com.
106.155.123.161.in-addr.arpa. 60 IN PTR blessclick.com.
107.155.123.161.in-addr.arpa. 60 IN PTR k7ie.blessclick.com.
108.155.123.161.in-addr.arpa. 60 IN PTR duhk.blessclick.com.
109.155.123.161.in-addr.arpa. 60 IN PTR mk50.blessclick.com.
110.155.123.161.in-addr.arpa. 60 IN PTR fp0n.blessclick.com.
114.155.123.161.in-addr.arpa. 60 IN PTR collabcluster.shop.
115.155.123.161.in-addr.arpa. 60 IN PTR bitsells.shop.
116.155.123.161.in-addr.arpa. 60 IN PTR thunderlemon.shop.
117.155.123.161.in-addr.arpa. 60 IN PTR launchtop.shop.
118.155.123.161.in-addr.arpa. 60 IN PTR heryear.shop.
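The CSV-and-sift step the thread describes (query every IP for a PTR, keep the odd-looking ones, then block them in the MTA or in ufw), as an added example that is not code from this thread or from any of the parties it names. It reads the `prips | dig +noall +answer -x` output shown above, recovers each IP from its in-addr.arpa name, flags PTRs with two assumed heuristics (a short letter/digit host label, and many unrelated registrable domains in one /24, the snowshoe pattern), writes the CSV, lists the IPs in the prefix that answered with no PTR at all (dig prints nothing for those, so they silently vanish from the list), and emits Postfix cidr-map lines or ufw commands for the flagged IPs. The sample input is constructed from a few of the lines above; the heuristics, thresholds and file path are assumptions to tune, not something the thread states.

```python
#!/usr/bin/env python3
"""Triage reverse-DNS answers for a prefix: parse dig output, flag odd PTRs, emit CSV and block rules.

Added example for this thread; the flagging heuristics are assumptions to tune, not a standard.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `prips <prefix> | xargs -I{} dig @1.1.1.1 +noall +answer -x {}`.
# A handful of lines modelled on the output above; a real /24 produces far more.
SAMPLE_DIG_OUTPUT = """\
2.155.123.161.in-addr.arpa. 60 IN PTR audiorushart.com.
3.155.123.161.in-addr.arpa. 60 IN PTR negate-protocol.audiorushart.com.
11.155.123.161.in-addr.arpa. 60 IN PTR ai3l.trxkits.com.
12.155.123.161.in-addr.arpa. 60 IN PTR u0nz.trxkits.com.
66.155.123.161.in-addr.arpa. 60 IN PTR mail.muskitaart.nl.
13.38.133.195.in-addr.arpa. 60 IN PTR permanentclaim.co.
"""

# One dig answer line: reversed octets, TTL, class, type, target name.
PTR_LINE = re.compile(
    r"^(?P<rev>(?:\d{1,3}\.){4})in-addr\.arpa\.\s+\d+\s+IN\s+PTR\s+(?P<name>\S+)$"
)


def parse_dig_answers(text):
    """Return [(ip, ptr), ...] from dig answer lines; anything that is not a PTR answer is skipped."""
    rows = []
    for line in text.splitlines():
        m = PTR_LINE.match(line.strip())
        if not m:
            continue
        octets = m.group("rev").rstrip(".").split(".")
        ip = ".".join(reversed(octets))  # 13.38.133.195 -> 195.133.38.13
        rows.append((ip, m.group("name").rstrip(".").lower()))
    return rows


def registrable_domain(name):
    """Approximate the registrable domain as the last two labels.
    Simplification: ignores public suffixes such as co.uk; adequate for counting distinct domains."""
    return ".".join(name.split(".")[-2:])


def ptr_flags(ip, ptr, domains_per_net, net_threshold):
    """Heuristic flags (assumed, tune to taste) for one PTR."""
    flags = []
    host = ptr.split(".")[0]
    # A short host label mixing letters and digits (ai3l, u0nz, k7ie) looks machine-generated.
    if len(host) <= 5 and re.search(r"[a-z]", host) and re.search(r"\d", host):
        flags.append("random-label")
    # Many unrelated registrable domains inside one /24 is the snowshoe-spam pattern.
    net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
    if len(domains_per_net[net]) >= net_threshold:
        flags.append("snowshoe-net")
    return flags


def triage(rows, net_threshold=4):
    """Annotate each (ip, ptr) with its flags; net_threshold is the distinct-domain count per /24."""
    domains_per_net = defaultdict(set)
    for ip, ptr in rows:
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        domains_per_net[net].add(registrable_domain(ptr))
    return [{"ip": ip, "ptr": ptr, "flags": ptr_flags(ip, ptr, domains_per_net, net_threshold)}
            for ip, ptr in rows]


def missing_ptr(prefix, rows):
    """IPs in prefix that returned no PTR: dig prints nothing for NXDOMAIN, so they vanish from the output."""
    seen = {ip for ip, _ in rows}
    return [str(ip) for ip in ipaddress.ip_network(prefix) if str(ip) not in seen]


def to_csv(triaged):
    """CSV text with one row per PTR; flags joined by ';' so the file opens cleanly in a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "ptr", "flags"])
    for r in triaged:
        writer.writerow([r["ip"], r["ptr"], ";".join(r["flags"])])
    return buf.getvalue()


def postfix_cidr_map(triaged, comment="flagged PTR"):
    """Lines for a Postfix cidr: table (e.g. check_client_access cidr:/etc/postfix/client_access.cidr,
    an assumed path) rejecting only the flagged IPs."""
    return [f"{r['ip']}/32 REJECT {comment}" for r in triaged if r["flags"]]


def ufw_rules(triaged):
    """Equivalent host-firewall commands for those who block in ufw instead of the MTA."""
    return [f"ufw deny from {r['ip']}" for r in triaged if r["flags"]]


if __name__ == "__main__":
    rows = parse_dig_answers(SAMPLE_DIG_OUTPUT)
    triaged = triage(rows)
    print(to_csv(triaged))
    print("\n".join(postfix_cidr_map(triaged)))
    print("no PTR in 161.123.155.0/30:", missing_ptr("161.123.155.0/30", rows))
```

Feed it the real output by replacing `SAMPLE_DIG_OUTPUT` with the contents of a file captured from the prips pipeline, and review the CSV before loading the cidr map: the snowshoe flag is deliberately coarse and will also mark the `mail.*` hosts sitting in a crowded /24, which is exactly the judgement call the thread is asking for a human to make.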