Domain: blackholes.us
Stories and comments across the archive that link to blackholes.us.
Comments · 58
-
Re:SOP
How does one find what IP ranges Russia and China use?
China:
http://blackholes.us/zones/countries/cn.txt
Russia:
http://blackholes.us/zones/countries/ru.txt
For iptables:
#wget http://blackholes.us/zones/countries/cn.txt
#wget http://blackholes.us/zones/countries/ru.txt
#for IPRANGE in `cat cn.txt | awk '{print $2}'`; do iptables -I INPUT -s $IPRANGE -j DROP; done
#for IPRANGE in `cat ru.txt | awk '{print $2}'`; do iptables -I INPUT -s $IPRANGE -j DROP; done -
Re:Say What?
Comcast admins, just in case you're reading: you probably don't know anything about your own network, so here are some prepared lists so that you can block all your outgoing mail (many of us already do).
http://blackholes.us/zones/isp/comcast.txt
http://blackholes.us/zones/isp/comcast.dnsbl
http://blackholes.us/zones/isp/comcast.classful
Hope that helps. email me to let me know how it goes for you OK? -
Re:How to block Taiwan?
-
Re:Obvious question...
For iptables, dropping all mail-server connection attempts would be:
#wget http://blackholes.us/zones/country/taiwan.txt
#for IPRANGE in `cat taiwan.txt | awk '{print $2}'`; do iptables -I INPUT -s $IPRANGE -p TCP --dport 25 -j DROP; done
For Sendmail, add this to your sendmail.mc file, and re-create sendmail.cf with it:
FEATURE(`dnsbl', `taiwan.blackholes.us', `"E-mail from " $&{client_addr} " refused - Taiwan"')dnl
While at it, you might also want to consider adding China and Korea to the same list. -
Re:Springboards
So is this why I keep getting port scans from those chinese IPs?
No, it's because you didn't use this yet:
wget http://blackholes.us/zones/country/china.txt
for IPRANGE in `cat china.txt | awk '{print $2}'`; do
iptables -I INPUT -s $IPRANGE -p TCP --syn -j DROP
iptables -I INPUT -s $IPRANGE -p UDP ! --sport 53 -j DROP
done -
Re:My ban list is extensive but I'm a home user on
Actually, there are a few pages that will help you find blocks from rogue countries. But first on to the ethical questions--
I'm the admin for a company with around 70 employees, we maintain our own website, and mail systems. We had been getting pounded with spam and a lot of ssh attempts.
Before taking any action, we found that China (predominantly) and Korea were the source of most of our break-in attempts and spam sources. Given that we do _some_ international business, but not there, that was an easy call. Other countries soon followed. Our criterion has been that if there is any chance that someone will travel to a particular country or if the country has useful information to be had via someone with email, we don't block. I know it sounds judgmental, but it has cut our spam/scams down by about 75%. I would prefer to block all cable access to mail, but that would potentially hurt our road warriors with SMTP-AUTH. The slippery slope comes in when you say "Screw anyone on Wannadoo or BTI or Time Warner, etc. running a mail server." I know I quit running a mail server at home just because my stuff was blocked. Our compromise is that spam sources are individually blocked (rather than by range) in places where we travel or may do business.
Further, if you have a good firewall scheme you don't have to block web access. You can block the ports that give you trouble and still allow http access if you need the Chinese consumer market to see your site. I have found that an invaluable tool to use in conjunction with iptables is IPSet.
It allows for very quick processing of ranges or hashes of individual addresses.
If you want info on blocking countries (sorry if I offend anyone) look here:
http://okean.com/asianspamblocks.html
and http://blackholes.us/ (when it's up...)
Personally, I find blocking unwanted guests akin to allowing only people on your chat list to talk to you... -
Re:Exagerated
Why? It's certainly cut my spam down. When blackholes.us went down this week my spam shot up as my mail server started taking mail from China, South Korea, Thailand, Hong Kong and Brazil. Replaced them yesterday with completewhois today and lo, the spam drops.
Yes, it may be the internet equivalent of a gated community, but when your surrounding environs are attacking you in some way you should protect yourself.
-
Re:Like the prior /. story said, Korea is anarchy
Dropping China and Korea by iptables (you will still be able to access their servers if you didn't give up on sending complaints there):
# iptables -N BUBBLENET
# wget -N http://blackholes.us/zones/country/china.txt
# for IPRANGE in `cat china.txt | awk '{print $2}'`; do iptables -A BUBBLENET -s $IPRANGE -p TCP --syn -j DROP; iptables -A BUBBLENET -s $IPRANGE -p UDP ! --sport 53 -j DROP; done
# wget -N http://blackholes.us/zones/country/korea.txt
# for IPRANGE in `cat korea.txt | awk '{print $2}'`; do iptables -A BUBBLENET -s $IPRANGE -p TCP --syn -j DROP; iptables -A BUBBLENET -s $IPRANGE -p UDP ! --sport 53 -j DROP; done
# iptables -A BUBBLENET -j RETURN
# iptables -I INPUT -j BUBBLENET -
Re:Easy Solution!
You can do even better and protect yourself from all other attack vectors from China, like cracking, dictionary attacks, not just spam. All you need to do is to help China with their "Great Firewall of China" project, by firewalling them on your side. This will do the trick on *nix machines with iptables:
# wget -N http://blackholes.us/zones/country/china.txt
# iptables -N CHINAWALL
# for CHINARANGE in `cat china.txt | awk '{print $2}'`; do iptables -A CHINAWALL -s $CHINARANGE -p TCP --syn -j DROP; iptables -A CHINAWALL -s $CHINARANGE -p UDP ! --sport 53 -j DROP; done
# iptables -A CHINAWALL -j RETURN
# iptables -I INPUT -j CHINAWALL
# /etc/rc.d/init.d/iptables save
You still can initiate connections if you want to deal with China-hosted spam (like WHOISing, sending complaints), but no connections from that side will be allowed, at all. Will reduce your mailserver and security logs a great deal, too. -
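The two posts above (the BUBBLENET and CHINAWALL chains) call iptables once per range and insert the hook into INPUT each time the loop is re-run, so a zone refresh stacks a second copy of every rule. The script below is an added example, not code from any of the posters: it turns the same zone files into an iptables-restore fragment for a dedicated chain (which iptables-restore -n flushes before refilling), and, for the IPSet approach another poster recommends, into ipset restore input. It assumes only what the posts' awk '{print $2}' implies about the zone layout, namely that the range is the second whitespace-separated column; the sample zone file is constructed, not real blackholes.us data.

```shell
#!/bin/sh
# Added example: bulk-load country/ISP ranges instead of one iptables call per range.

# Constructed sample zone file in the layout the posts' awk '{print $2}' expects.
SAMPLE_ZONE=${TMPDIR:-/tmp}/constructed_zone.$$
cat >"$SAMPLE_ZONE" <<'EOF'
; constructed sample: label then range
cn 203.0.113.0/24
cn 198.51.100.128/25
cn 192.0.2.0/24
EOF

# gen_chain CHAIN FILE...
# Emit an iptables-restore fragment filling CHAIN with the same two DROP rules
# per range the posts use (new TCP connections, and UDP other than DNS replies).
# The ":CHAIN - [0:0]" declaration makes "iptables-restore -n" flush the chain
# first, so re-running after a zone update replaces the old rules instead of
# stacking duplicates.
gen_chain() {
    chain=$1; shift
    printf '*filter\n'
    printf ':%s - [0:0]\n' "$chain"
    for f in "$@"; do
        [ -r "$f" ] || { echo "gen_chain: cannot read $f" >&2; return 1; }
        awk -v c="$chain" '
            # only lines whose second field looks like an IPv4 address or range
            $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
                printf "-A %s -s %s -p tcp --syn -j DROP\n", c, $2
                printf "-A %s -s %s -p udp ! --sport 53 -j DROP\n", c, $2
            }' "$f"
    done
    printf '%s\n' "-A $chain -j RETURN"
    printf 'COMMIT\n'
}

# gen_ipset SETNAME FILE...
# The same ranges as "ipset restore" input for a hash:net set, so a single
# iptables rule can match all of them.
gen_ipset() {
    name=$1; shift
    printf 'create %s hash:net\n' "$name"
    for f in "$@"; do
        [ -r "$f" ] || { echo "gen_ipset: cannot read $f" >&2; return 1; }
        awk -v n="$name" '
            $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print "add " n " " $2 }' "$f"
    done
}

# Stand-alone demonstration on the constructed zone file.
gen_chain BUBBLENET "$SAMPLE_ZONE"
gen_ipset CNBLOCK "$SAMPLE_ZONE"
```

Hook the chain into INPUT once, as the posts do (`iptables -I INPUT -j BUBBLENET`; `iptables -C INPUT -j BUBBLENET` tells you whether it is already there), then on every zone refresh run `gen_chain BUBBLENET china.txt korea.txt | iptables-restore -n`. For the set variant, `gen_ipset CNBLOCK china.txt | ipset -exist restore` followed by one rule, `iptables -I INPUT -m set --match-set CNBLOCK src -j DROP`; ipset's `swap` command lets you build the new set under a temporary name and exchange it atomically.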
Re:Spam blocklist
http://blackholes.us/
You can block by the major providers - e.g. hurricane electric, internap, etc.
Or the entire US - not recommended for anything other than toy sites - http://countries.nerd.dk/
Please rsync if you're going to hammer the server.
-
Re:A Unique Idea...
In many (most? all?) cases they're not being slanderous or libellous. They're just saying "we block email from these IP addresses, you can too if you want."
In the case of sites like blackholes.us, they just say "these are the IP blocks for this country or major ISP, use this information as you see fit."
All I'm saying is that it'd be fairly difficult to prosecute a slander/libel (sorry, not sure of the distinction) case against blacklist maintainer(s). Especially in the USA. That's probably why you haven't seen too many people suggesting it.
-
Re:No.
Lots of individuals (and the small companies that they do IT for) have whole ISPs in private blocklists. I block Shaw Cable because of all the spam. Heck, lots of people block whole countries. You can cut down on a lot of spam if you don't know anyone in Brazil and China
-
Re:Why is this still an issue?
Credit card fraud.
Put it this way - you're just not going to be getting that many legitimate orders for high-end laptops from, say, Indonesia... at least compared to the blizzard of orders using stolen credit card numbers. It's much simpler and more cost-effective for the merchant to say "Nope, we just won't accept orders from $COUNTRIES."
Of course, feel free to substitute "Indonesia" for just about any close-to-third-world country with an internet connection and little or no government control of internet fraud (not that I'm really criticising of course, I'm sure such governments have much more important things to spend resources on).
It's a very close parallel to the spam situation. If 90% of your spam originates in China and you have zero legitimate emails originating from China, then it's a no-brainer to just cut off the country. Same for intrusion attempts (as mentioned by another poster).
It's not saying that all Chinese or all Indonesians or all Ukranians or all Verio subscribers are spammers or fraudsters or crackers - just saying that, for a whole range of reasons, the overwhelming majority of those connecting to your server are spammers/fraudsters/crackers. So from that viewpoint.... *snip*
;-). -
Re:Spam Originating In Asia
I have partial blocks in 202. because some of those IPs are in Australia and New Zealand and not spammy.
Quite right, which is one great reason not to use wholesale blocks without understanding them. I'm more of a fan of using some of the blackholes.us country-based lists to block China, etc. than full IP blocks if someone wants to block certain countries. -
Re:Blackhole?
I'm looking for a way to blackhole the entirety of China.
Every single hacking attempt on my server originates from a Chinese IP. This is also true of every single spam connection attempt as well.
Now there are probably some of you reading this saying "But where do you draw the line? Oh the slippery slope!" If you are one of these people I have this to say: give me a break.
Without getting into the "slippery slope" argument, blackholes.us maintains a pretty detailed list of Chinese IP space. They also have other country IP lists for origination points of high amounts of hacking and fraud like Nigeria, Russia and Brazil. -
Re:Spammers are thieves at the very least
They steal bandwidth. They steal disk space. They steal our time, and time costs dearly. You can't replace it.
Stop spam and spammers at the TCP/IP connection level.
Directory of IP Based Blacklists
Geographic IP lists
Use an aggressive antispam solution to filter spam out. I wrote one and use it regularly to check my email on my terms and not that of other solutions that use more complicated rule-based or statistical methods to fight spam.
Please keep this in mind should my approach be ridiculed (it has been in the past) by people enamored of statistical approaches that are not as effective as they used to be.
-
Re:Burn Savvis 'crops', Salt Their Fields!
blackholes has ranges for some ISPs, but not Savvis. There is one for c&w
You can use some of their lists to block a lot of spam. If you don't know anyone in China or Korea, you can block those segments. -
Re:iptables -I FORWARD -s isp/20 -j DROP
If you just block MCI/UUNET, you'll probably have half the spam licked right there. You can get the list or find a DNSBL from blackholes.us.
-
Re:Korea Try http://www.blackholes.us for IP lists
Try http://www.blackholes.us
They have lists of IP ranges assigned by country and ISP. -
Re:Give users the power to block countries...
Seriously, how are you gonna stop a country?
blackholes.us maintains lists of address blocks known to belong to certain countries. Add china.blackholes.us (for instance) to the list of RBLs your SMTP server checks and most mail from China will be cut off.
(Note that I said "most," not "all"...a fair bit of the spam that still gets through is from IP addresses that I've traced back to China that aren't listed at blackholes.us. I'm beginning to wonder if I should set up a private RBL to which I can add the netblocks in China, Brazil (another big spam source that's not mentioned in the article), etc. that still get through.)
-
The solution is simple
It's not hard at all to block these cable/DSL/dialup hosts from sending you mail. Here's what I use:
1) A filter that looks for hostname patterns that look like consumer internet connections (DSL/cable/dialup):
[note: these are in Exim lookup-table syntax]
\N^(dsl|cable|adsl|dialup|docsis|pool|ppp|client|client2).*$\N
\N^.*\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}.*$\N
\N^c\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\..*$\N
\N^[sShH]\d{3,}.*\.[a-z][a-z]\.shawcable.net$\N
\N^.*\d+\.charter-stl.*$\N
2) Next, you block known spam-source countries. Some may take offense to this but the company I work for only sells products to people in the US, so these filters aren't a problem. To accomplish this, I set up djb's rbldns server on one of my machines. Currently, I'm blocking netblocks from Brazil, China, Korea, Malaysia, Nigeria, Russia, Singapore, Taiwan, Thailand, and Turkey. These netblocks come courtesy of blackholes.us.
3) Anything that is not caught by those first two local options is run against the DNSBL list at SORBS. We choose to use their combined blackhole list but you could just as easily go with their anti-dialup/dsl/cable IP list.
If an e-mail makes it through all of that, it gets run through SpamAssassin and blackholed if the score is >= 7.0 and marked if the score is >= 4.0.
We're also doing a bit of tarpitting. Every time we get a connection from a blacklisted IP, we tarpit them for two minutes before spitting out a 550 error code.
Despite this, we still get some spam and dictionary attacks. The spam gets filtered by the client and the dictionary guesses are blackholed by the local delivery server, which is configured not to send bounces.
Chris -
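Chris's first filter above is a set of Exim regexes against the sender's reverse-DNS name. The script below is an added example, not his Exim configuration: the five patterns are carried over into POSIX ERE (Exim's \N...\N delimiters dropped and \d written as [0-9]) so they can be tried against any host name with grep -E, and a small classifier shows which constructed names they catch and which they miss. All host names in it are constructed test data.

```shell
#!/bin/sh
# Added example: the post's consumer-connection hostname patterns as POSIX ERE.

# is_consumer_host NAME -> exit 0 if NAME matches one of the five patterns.
# Like the Exim originals these are anchored to the whole reverse-DNS name,
# so a prefix such as "dsl-" must begin the name, not sit in a later label.
is_consumer_host() {
    printf '%s\n' "$1" | grep -Eq \
        -e '^(dsl|cable|adsl|dialup|docsis|pool|ppp|client|client2).*$' \
        -e '^.*[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}.*$' \
        -e '^c[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\..*$' \
        -e '^[sShH][0-9]{3,}.*\.[a-z][a-z]\.shawcable.net$' \
        -e '^.*[0-9]+\.charter-stl.*$'
}

# classify NAME... -> "NAME=consumer" or "NAME=other" per name, space-separated.
classify() {
    out=
    for h in "$@"; do
        if is_consumer_host "$h"; then v=consumer; else v=other; fi
        out="${out:+$out }$h=$v"
    done
    printf '%s\n' "$out"
}

# Stand-alone demonstration on constructed names: the first four should be
# flagged, the last two should not (a plain MX, and a charter-stl name with
# no digits before the dot, which the fifth pattern requires).
classify dsl-203-0-113-7.example.net \
         c10.0.0.1.example.net \
         S0123456.vc.shawcable.net \
         24-123-45-67.dhcp.example.org \
         mail.example.com \
         smtp.charter-stl.example
```

The reverse-DNS name is published by the sending network's operator, so these patterns only ever see what that operator chose to call the host; a consumer range with generic or missing PTR records slips past them, which is why the post backs them with netblock lists and a DNSBL.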
here ya go
-
Re:Obligitory....
Yes, read this website.
-
Re:I've got one now.
Comcast on the whole is not that bad.
I beg to differ. Comcast block list at the above link. Use it. I do.
-
Remember how the Internet actually works...
Some have said that 'blanket measures' (such as listing entire countries as spam and abuse sources) taken by the AHBL are wrong, and that only the "bad" ISPs (those harboring spammers) should be targeted for such listing.
I would point out that the "bad" ISP, in this case, IS being targeted. The fact that it is Spain's national ISP is secondary to the fact that Telefonica.es (and its broadband/dialup counterpart, rima-tde.net) is a huge and (apparently) unceasing source of spam, port probes, and other network abuse.
Speaking as a mail server owner/operator, I rank Spain as only a few steps below China, Korea, and other Pacific Rim ISPs as spammer havens and nests of virus-compromised 'spammer zombies.' I've lost count of how many times I've seen spam attempts from IP ranges controlled by Telefonica, Rima, and their clones hit our filters. The abuse flowing from them is responsible for at least 10-15% of the accumulated weekly entries in our reject logs.
I would also like to point out a few other things. First off: NONE of the DNSBLs, such as AHBL, SPEWS, or Steve Linford's Spamhaus actively block ANYone.
What DNSBLs do is publish AN OPINION, in the form of their listings of IP addresses or address ranges, as to which parts of the Internet are supportive of spammers and network abuse. It is up to EACH INDIVIDUAL SYSADMIN, or anyone else who connects to the Internet, to choose whether to believe that opinion by configuring (or not) their equipment to check incoming mail-transfer requests against said DNSBL.
Let me say it again: DNSBLs, BY THEMSELVES, DO NOT BLOCK E-MAIL OR ANY OTHER TRAFFIC! SYSADMINS DO.
Yes, SysAdmins. Those like myself, who are fed up with the unending abuse of our private property by spammers, abuse that is supported by unethical or uncaring ISPs who, apparently, don't give an aerial intercourse through a toroidal pastry what their users do as long as said user's check doesn't bounce.
I'm currently using the DNSBLs compiled and maintained by Spamhaus, and several from Blackholes.us to help protect our tiny little corner of the 'net from spammers. No one compelled, ordered, cajoled, coerced, bullied, or hassled me into using any of them. I chose to do so because of the positive things said about them by other SysAdmins, and because my own experiments revealed an 80%+ drop in our spam load received once I implemented their use by our servers.
Am I blocking entire countries? Yes, several. China, Korea, Taiwan, Hong Kong, South America (the 200/8 subnet, to be exact), pretty much every IP range controlled by LACNIC, most of France, and the .ru top-level domain (just to name a few) have all made it into my local 'Deny' lists, all because I never seem to get anything but spam and other abuse from all of them.
My servers, my bandwidth, my rules. And it's just exactly that simple for anyone else who connects to the 'net, no matter if they're an AOL user, trying to protect their single E-mail box, or the CTO of a worldwide conglomerate with 100,000+ E-mail boxes to worry about.
Telefonica got themselves into this mess by ignoring spam complaints. They have no one but themselves to blame if other admins choose to drop packets from them, no matter if they're doing it with their own local list or with the AHBL's help.
If the AHBL thinks listing the entirety of Telefonica will get their attention, and perhaps give them some badly-needed motivation to clean up their act, great!
One other thing. Slashdot posed the question at the beginning of this article "...or has something gone terribly wrong?"
Yes, it has. Spammers are still being allowed to abuse a resource that anyone, from a three-year old kid to a century-old adult, should be able to enjoy WITHOUT THE THREAT of losing their inbox to spam.
That sure seems "terribly wrong" to me. -
Re:The future of blocking?
The spam may originate from spammers in the USA, but the actual junk is relayed through Chinese trojanned machines all around the world. Mind you, if you look at the list of top relay domains roadrunner and comcast are right up there.
Anyway, if you want to block whole ISPs or countries check out blackholes.us who offer blanket cull-all blacklists for any mail coming from the sources you choose. -
Re:Inevitable, and other countries are next.
I guess paying off SCO warrants a blackhole entry as well:
EV1 -
Inevitable, and other countries are next.
The message is clear: police your people's usage and abuse of the Internet, or prepare to enjoy your new Intranet.
A few other countries that can use this are found here.
-
Blocking by country/ISP
You can also use this patch:
http://docsnyder.de/nospam/sa_check_blackhat_isps.patch.gz
(from the author) :
Since spammers often host their spamvertised sites at spamfriendly ISPs (e. g. Chinanet), I've been doing some tests with "hat-checking" spamvertised URLs.
After resolving the URL hostname, the resulting IPs get RBL-checked against *.blackholes.us to find if they belong to a known spamfriendly ISP. If yes, the spam score will rise.
and you can use http://www.blackholes.us for the country/ISP zones. -
Re:Ultimate Power... almost
But even they can't stop spam.
Spam revenues are probably one of the largest sources of hard currency for the PRC, based on the amount I receive that originates from or points to Chinese IPs. Fortunately, blackholes.us includes a nice blacklist that includes Korea, as well.
-
AOL doesn't care about spam
I've emailed the requisite 'abuse@aol.com' address hundreds of times, with copies of the spam emails, log entries, dates, times, and so on. Has anything changed? No.
I even emailed Carl Hutzler, Director of Anti-spam at AOL, and he hasn't returned my emails or my calls. The same goes for the hundreds of thousands of spams we get from *.verizon.net, comcast.net, voyager.net, compaq.com, and others. Clearly people inside the business infrastructure have infected systems propagating spam on the weekends, using the corporate bandwidth to do it.
At this point, this is what I do:
- Sendmail as my MTA, blocks a significant amount of spam, before receiving it, with some custom antispam rulesets I've cooked up.
- I also have triple-RBL set up in the MTA (ordb.org, mail-abuse.org, and so on).
- blackholes.us is set to block known-spammers from Argentina, Brazil, China, HongKong, Japan, Korea, Russia and Taiwan.
- virtusertable in the MTA chain blocks attempts at some common internal system accounts.
- SpamAssassin is tuned down to 3.5, and catches a significant portion of the emails that make it past the above measures.
- AV is done through procmailrc, with some custom heuristics in the recipes (contact me if you want these)
- Anything that SA catches is tagged and put into /var/spool/mail/SPAM
- I manually go through that SPAM folder, and report every entry there to the 'abuse@address' for the resolved provider (not the forged provider in the From: line, of course)
- For hosts that do not resolve, they are permanently blocked at the firewall.
- For providers that do not support the 'abuse@address' address, they are permanently blocked at the firewall.
- I then go through the mail logs themselves, and catch the brute-force attempts at sending mail to the dozen-or-so domains I host, and block them at the firewall.
So far, the more I block, the faster the spam comes in, and the more I block, ad nauseum.
Here are today's counts. At 5:30am, this was 164 hosts, and now it is 109 more than that.
iptables-save | grep "dport 25" | wc -l
273
Spam is definitely getting worse, as more and more machines are hijacked for the purposes of propagating it, with these trojans.
The more I block, the more incoming spam we get.
-
Re:dont forget ...
You can make it even simpler. Don't accept mail from likely abuse sources, from dynamic IP addresses, or from known abusers. Those three blocklists get rid of an enormous amount of my spam.
Taken along with a few select country blocklists (I use China, Taiwan, Hong Kong, Korea, Brazil, and Argentina), you can go from a flood to a trickle in no time. China is a Very Special Case -- they're completely filtered at the borders now. If they ever clean up their act, they may get to pass packets again, but I'm not holding my breath. In the meantime, they can enjoy their shrinking view of the Internet.
-
Most spam is international ...
I don't know anyone from Argentina, Brazil, China, Hong Kong, Malaysia, etc., so I blackhole their addresses (along with ISP's dynamic IPs). This can sometimes cause problems, but as far as a home solution, it's great.
I block the addresses at my firewall so I automatically eliminate most of my spam as well as most port scans and scripted exploits (since a lot of them are foreign/rooted systems).
I wouldn't do this at a large company, but you can probably get away with it at a small domestic U.S. business that doesn't need international communication through the Internet. -
Check URLs' IP addresses against some RBLs...
...to get the spamvertised ISP's hat color and adjust spam scores.
A while ago, I made a SpamAssassin patch which resolves any URL found within an email and tests the resulting IP addresses against blacklists which are otherwise used to block unwanted email. A lot of Chinese bulletproof servers' IP addresses are listed on the Spamhaus Block List (SBL) and/or SPEWS as well as on certain *.blackholes.us lists.
-
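The patch described in "Blocking by country/ISP" above and again in this post resolves every URL host in a message and checks the resulting addresses against DNSBL zones such as *.blackholes.us; the "Give users the power to block countries" reply relies on the same zone mechanism at SMTP time. The script below is an added example of the mechanics, not the patch itself: it pulls URL hosts out of a message body, forms the reversed-octet DNSBL query name a resolver would look up, and checks an address against zone-file ranges locally, which is what a listing in such a zone means. Zone names, addresses, URLs and the sample zone file are all constructed; the actual DNS lookup (for instance `dig +short A` on the name) is left to the reader because it needs network access.

```shell
#!/bin/sh
# Added example: the DNS and CIDR mechanics behind a URL-host "hat check".

# Constructed zone file (label, range), not real blackholes.us data.
ZONE_FILE=${TMPDIR:-/tmp}/constructed_hatcheck_zone.$$
cat >"$ZONE_FILE" <<'EOF'
; constructed sample
bad 203.0.113.0/24
bad 198.51.100.128/25
EOF

# dnsbl_name IP ZONE -> the name a mail server or the patch would resolve,
# e.g. 7.113.0.203.china.blackholes.us for 203.0.113.7 (a zone name on the page;
# the address is constructed). Any A record in the answer means "listed".
dnsbl_name() {
    echo "$1" | awk -F. -v z="$2" '{ print $4 "." $3 "." $2 "." $1 "." z }'
}

# url_hosts < text -> host names of http(s) URLs in the message body,
# lowercased and de-duplicated, in order of first appearance.
url_hosts() {
    grep -Eo 'https?://[A-Za-z0-9._-]+' | sed -E 's#^https?://##' \
        | tr 'A-Z' 'a-z' | awk '!seen[$0]++'
}

# cidr_contains IP CIDR -> exit 0 if IP lies inside CIDR (a bare address
# counts as /32). Pure awk integer arithmetic, no external tools.
cidr_contains() {
    echo "$1 $2" | awk -F'[ ./]' '
        function toint(a, b, c, d) { return ((a * 256 + b) * 256 + c) * 256 + d }
        {
            ip = toint($1, $2, $3, $4); net = toint($5, $6, $7, $8)
            bits = ($9 == "") ? 32 : $9
            # keep only the top "bits" bits of each side and compare
            shift = 2 ^ (32 - bits)
            exit (int(ip / shift) == int(net / shift)) ? 0 : 1
        }'
}

# check_ips ZONEFILE IP... -> one "IP listed" / "IP clean" line per address,
# the offline equivalent of querying each dnsbl_name.
check_ips() {
    zone=$1; shift
    for ip in "$@"; do
        verdict=clean
        while read -r label range; do
            case $range in */*) ;; *) continue ;; esac
            if cidr_contains "$ip" "$range"; then verdict=listed; break; fi
        done <"$zone"
        printf '%s %s\n' "$ip" "$verdict"
    done
}

# Stand-alone demonstration on a constructed message body.
printf 'Buy now at http://WWW.Example.NET/offer or https://example.org:8080/x http://www.example.net/y\n' | url_hosts
dnsbl_name 203.0.113.7 china.blackholes.us
check_ips "$ZONE_FILE" 203.0.113.7 198.51.100.200 198.51.100.1
```

In the patch's setting the score only rises when a URL host resolves into a listed range, so a spammer who hosts the page on an unlisted network is not caught; this is why the post treats the check as one factor in SpamAssassin's score rather than a reject rule.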
Re:The SPEWS philosophy
From what I have gathered, the SPEWS philosophy isn't just indifference to collateral damage (ie, 'civilian casualties'); they actively do this damage in order to try to force ISPs into changing their habits. And they are extremely difficult to both reach and reason with; you can post on a newsgroup and hope someone pays attention to your pleas.
Unfortunately, SPEWS does not speak up for themselves, so a certain set of fanatics on newsgroups have taken to speaking up in SPEWS' place and offering listees their flawed interpretation of what SPEWS does and is. You will find absolutely nothing in SPEWS' own documentation -- including the FAQ -- asserting any of the following myths.
"SPEWS wants to cause 'collateral damage'."
The popularization of the term "collateral damage" is entirely due to a minority of militaristic posters on the newsgroup news.admin.net-abuse.email. These folks like to fantasize that fighting spam is a "war" rather than simply good systems administration. Even though SPEWS doesn't speak in their terms or play their game, they want to enlist it on their side in the war, trump it up as a scary weapon that ISPs should fear. The fact of the matter is that SPEWS does not intend to cause collateral blocking, and in fact does not serve well the purposes of those who want to do collateral blocking of spammy ISPs. That is what the blackholes.us lists are for -- blocking all the netblocks of an ISP you think is a spam source. Less than 1% of mail blocked by using SPEWS is non-spam mail, so if you wanted to block a lot of non-spam mail from spammy ISPs, SPEWS would not help you do that very well.
"If you're listed in SPEWS, complain in a newsgroup."
This is based on some semiliterate person's misreading of the SPEWS FAQ. The FAQ nowhere suggests that complaining on a newsgroup will get you delisted. Rather, it offers pointers to a couple of newsgroups as places to discuss spam and blocklisting in general. When people come to the newsgroups and post "del1st m33" they get treated about as you'd expect someone who wanders into a conversation mumbling about how mistreated they are gets treated -- with distaste and suspicion. Abuse newsgroups are not your fucking tech support. They are for systems administrators and other concerned parties to discuss abuse problems -- not for you to whine about how SPEWS doesn't want to receive your mail. You know how bad an idea it is to whine at your own site's BOFH? It's hundreds of times worse to whine at dozens of BOFHen who have no obligation to you, who have every reason to flame you into a crisp and block all your netblocks with a message like 550 goatse wanker.
"SPEWS accuses us of being spammers."
There are many DNSBLs out there that are "spam-source" DNSBLs. That is, they list the IP addresses of hosts that have transmitted spam to a spamtrap address or honeypot system, or that have been reported by their users as sending spam. Not every DNSBL is a spam-source DNSBL. There are a lot of types of DNSBL that have nothing directly to do with whether an IP address has sent spam. For instance, the Blitzed Open Proxy Monitor DNSBL started as a way for IRC operators to keep track of open proxies that were an abuse risk for IRC servers -- nothing to do with spam whatsoever. SPEWS, likewise, is not a spam-source DNSBL. It is a predictive DNSBL, hence the words "early warning" in its name. Its goal is like a "spam hurricane watch" -- it isn't just to tell you where the hurricane is today, but also where it will be tomorrow. It's a fact of the world that netblocks that willingly harbor some spammers tend to get more spammers, and so it's reasonable if one wishes to predict where the spam will come from tomorrow, to say that it will come from the same wider netblocks that the spammers ar -
Re:Never use blocklists to block
fo0bar:
This is a perfect example of why you should never just arbitrarily block email because it comes from an IP on a list. Instead, programs like SpamAssassin are useful because they use blocklists as a factor, one among many, in determining whether to treat a message as "spam".
The problem with just using SpamAssassin is that it's very CPU-intensive. And when the spam's already got onto your mailserver, has already cost you in storage space and bandwidth.
SpamAssassin is good as a second (or third) line of defense, but an RBL is much cheaper from the CPU/bandwidth/storage perspective - hence one or more RBLs is preferable as a first line of defense.
The cool thing about RBLs is the wide selection. Are you happy to block confirmed open relays? No worries. Do you want to block all of South Korea, as you never receive legit mail from there? No worries. Do you want to block known and thoroughly reprehensible spam gangs that have been booted off three or more ISPs? No worries.
And of course there's a variety of other blocklists, all with their own published criteria and standards. No one says which ones you have to use. No one says you have to use any of them.
But the major point is, if you're a target of a blocklist, there's a reason for it (assuming the list admins didn't make a mistake, which does happen very occasionally). And there are always ways you can deal with the listing, ranging from ignoring it to smarthosting email to changing your mailserver IP.
SPEWS are absolutely consistent with their listing criteria, and always have been. If you're not a spammer and you've been included in a netblock listed by SPEWS in Level 1, it is always after your ISP has been repeatedly warned and they've done nothing about the problem spammer.
A SPEWS listing always starts with individual IPs. Beyond that point, it's the ISP's problem.
Pete. -
interbusiness.it .....52 listings at Spamhouse
I read the first line of the first header of this article and saw interbusiness.it. My advice: block or drop everything from interbusiness.it!
The 52 listings at Spamhouse tell enough about the hat colour of this company. Whoever wants to block interbusiness.it completely, go to blackholes.us. There you find all the netblocks that belong to notorious spam countries (China, Taiwan...) or spam ISPs (verio.net, interbusiness.it...).
This page is my mailserver's best friend :-)
NoSuchGuy -
Verio = SBF (Spammer's Best Friend)
To get kicked from Verio, you have to burn down a network center or something like this. About 500 mails from users to abuse@verio.net for one spamvertized website netmails.com and no action taken ==> They do nothing against spam. They tolerate spam.
Check for yourself: Verio's Listing .
I use blackholes.us to block (port 25) entire countries (cn, kr, tw) and ISPs (Verio, interbusiness.it...) that do not qualify (in my standards) for connecting to my mailserver.
NSG -
Re:Reality Check
I would be happy to "just hit delete"! Let me get my baseball bat and you can be "delete".
Suddenly, sure, you've got no bulk e-mail coming from within the United States - but you've got even more pouring in from China, Taiwan, South America, and any other country without anti-spam laws.
This would be an excellent outcome. You see: I don't know anyone in China, Taiwan, South America and many other countries without anti-spam laws. Should your scenario come true I would reduce my spam to zero by blackholing such countries entirely until they grow a clue. As things stand it's a little tough to blackhole all of "Florida".
-
Re:Relations ?
You can get zone files here
-
Re:How to figure out national ip blocks?
It varies, depending on whether the IP blocks are SWIPed or not, arin/ripe/apnic updates and so on
Generally it's easier to trust other people and use their lists, for example CIHost (the spamming scum who send emails to role addresses spamming their service, then complain when they get blocked) blocks are listed at http://blackholes.us, as are some countries.
-
Re:Much as I hate AOL...
Make sure you get them all: complete network range
-
Re:They are asking for trouble.....
blackholes.us has a bunch of RBL lists that let you cut off incoming mail from whatever countries you want. I've found the China, Hong Kong, and Brazil lists particularly useful. (I also have incoming mail checked against relays.osirusoft.com and bl.spamcop.net...when I temporarily disabled those a few days ago, I must've gotten half-a-dozen "here's how to make your johnson bigger" messages in one hour. Normally, that crap doesn't get through.)
-
Re:How about sanctions instead?
We have 1 & 2, but spam continues to be a problem. Why do you think everybody is complaining about the respective rest of the world as the primary spam source? Spam is rarely sent from the recipient's country. "Local" spam is under control. We also have sanctions against ISPs from which spam originates: There are lists of known spam-friendly ISPs (and their IP blocks). Other DNS blocking lists address faster moving targets. Those are collective punishments against every customer of the listed ISPs. There are even people who block entire countries. You aren't thinking about "out of band" sanctions, are you?