Sometimes, I stumble on interesting documents that I want to share with the world. This random Focus On The Family document deals with domains they don't want their people e-mailing because of 'delivery issues' in the past. Archived here just in case the original disappears. Interesting how they claim it's for 'legislative compliance'.
Monday, March 8. 2010
An Interesting Focus On The Family Document
Friday, July 31. 2009
Spammed by US Rep Scott Garrett
As head of The Abusive Hosts Block List, I'm always amused when a public official spams me.
I'm no longer a resident of NJ, and I certainly did not give any Congress member or Republican (for that matter) permission to e-mail me.
As one of those people who isn't lucky enough to have health insurance (beyond what Medicare covers, which is some but not all of the medical bills I have, such as medications), it angers me when I see members of our govt doing their best to sabotage the efforts of our President to make sure everyone in this country gets the medical coverage they need.
Yes, I added them to the AHBL for spamming. It's important to hold our public officials to the same standards that the rest of us have to follow.
Sunday, April 19. 2009
Some DNS Query Statistics From The AHBL
Although the AHBL is no longer the huge and popular list it used to be, we still have many faithful and large users. We run two different DNS daemons to handle queries, depending on what type of query is being done. Queries against ahbl.org itself are handled by our BIND9 Linux server. Queries for the various DNSbl lists are handled by rbldnsd, a piece of software specifically designed for serving up DNSbl queries.
Last time I checked, we were handling around 25-30 million DNS queries daily just on the BIND9 server alone. I would have thought that our poor little Cisco 2621XM would be crying, but it's perfectly happy.
Tuesday, November 6. 2007
Interesting reverse DNS patterns on spam sending hosts
208.66.70.241 => roa.roadpurple.com
208.66.70.242 => roc.rockpurple.com
208.66.70.243 => purp.purpleyard.com
208.66.70.244 => purpl.purplemice.com
208.66.70.245 => fas.fastpurple.net
208.66.70.246 => may.mayotwo.com
208.66.70.247 => sou.sourmayo.com
208.66.70.248 => abo.aboutmayo.com
208.66.70.249 => fir.firemustard.com
208.66.70.250 => get.getmustard.net
208.66.70.251 => big.bigmustard.net
In that chunk, we see the first part is the first 3-5 characters of the domain name pasted in front of the domain name.
208.75.188.70 => forces.finderforces.net
208.75.188.71 => fun.finderfun.com
208.75.188.72 => pent.finderfun.net
208.75.188.73 => type.findertypes.com
208.75.188.74 => find.findertypes.net
208.75.188.75 => keep.keeperfinds.com
208.75.188.76 => keeper.keeperfinds.net
208.75.188.77 => rate.ratingfinds.com
208.75.188.78 => rating.ratingfinds.net
208.75.188.79 => run.runningfinds.com
208.75.188.80 => running.runningfinds.net
208.75.188.81 => ship.shipfinds.com
208.75.188.82 => finds.shipfinds.net
Above, we see the spammer uses a variation of that, sometimes using part of the domain's first word, sometimes the last... Sometimes part of the last only.
As much as the idiot spammers may think this helps them avoid filters, in reality, it's just flagging the domains for us to find more easily.
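The pattern described above can be checked mechanically. The following is an added example, not code from the original post or from the AHBL: it flags a /24 when most of its PTR host labels are substrings of their own second-level domain label. The function names, the thresholds and the 192.0.2.0/24 control records are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Second block of PTR records from the post, followed by three constructed
# benign controls in 192.0.2.0/24 (documentation address space).
PTR_RECORDS = """\
208.75.188.70 => forces.finderforces.net
208.75.188.71 => fun.finderfun.com
208.75.188.72 => pent.finderfun.net
208.75.188.73 => type.findertypes.com
208.75.188.74 => find.findertypes.net
208.75.188.75 => keep.keeperfinds.com
208.75.188.76 => keeper.keeperfinds.net
208.75.188.77 => rate.ratingfinds.com
208.75.188.78 => rating.ratingfinds.net
208.75.188.79 => run.runningfinds.com
208.75.188.80 => running.runningfinds.net
208.75.188.81 => ship.shipfinds.com
208.75.188.82 => finds.shipfinds.net
192.0.2.10 => mail.example.com
192.0.2.11 => ns1.example.net
192.0.2.12 => www.example.org
"""

def label_echoes_domain(hostname, min_len=3):
    """True if the host label is a substring of the second-level label."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return False
    host, sld = labels[0], labels[-2]  # assumes a one-label TLD (.com, .net)
    return len(host) >= min_len and host != sld and host in sld

def score_networks(records, prefix=24):
    """Return {network: (matching, total)} for each /prefix in the records."""
    counts = defaultdict(lambda: [0, 0])
    for line in records.strip().splitlines():
        ip, _, hostname = line.split()
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        counts[net][0] += label_echoes_domain(hostname)
        counts[net][1] += 1
    return {net: tuple(c) for net, c in counts.items()}

def suspicious_networks(records, min_hosts=5, min_ratio=0.7):
    """Networks with enough PTRs, most of which echo their own domain."""
    return sorted(net for net, (hit, total) in score_networks(records).items()
                  if total >= min_hosts and hit / total >= min_ratio)

if __name__ == "__main__":
    print(score_networks(PTR_RECORDS), suspicious_networks(PTR_RECORDS))
```

Scoring per network rather than per host keeps a single coincidental hostname from triggering a listing; two of the thirteen records above (`pent.` and `rate.`) do not match the substring test, and the block is still flagged.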
Wednesday, April 25. 2007
Referrer spam, rewrite rules
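# Deny (403 Forbidden) any request whose Referer header contains a comma...
RewriteCond %{HTTP_REFERER} ^.*,.*$ [OR]
# ...or contains one of these keywords (case-sensitive substring match)
RewriteCond %{HTTP_REFERER} ^.*(poker|cialis|porn|holdem|casino).*$
RewriteRule .* - [F]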
Pretty simple, and works with a properly configured .htaccess file.
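Before deploying rules like these, it is worth replaying existing access-log referers against them to see what they would reject. The following is an added example, not part of the original post: it applies the two patterns above to constructed Combined Log Format lines. The sample log, the function names and the example domains are assumptions.

```python
import re

# The two RewriteCond patterns from the post, joined by [OR]. mod_rewrite
# matches case-sensitively unless [NC] is given, so no re.IGNORECASE here.
CONDITIONS = [
    re.compile(r"^.*,.*$"),
    re.compile(r"^.*(poker|cialis|porn|holdem|casino).*$"),
]

# Combined Log Format tail: "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

# Constructed sample lines (documentation IPs and example domains).
SAMPLE_LOG = """\
192.0.2.1 - - [25/Apr/2007:10:00:00 -0500] "GET / HTTP/1.1" 200 512 "http://texas-holdem.example/" "UA"
192.0.2.2 - - [25/Apr/2007:10:00:01 -0500] "GET / HTTP/1.1" 200 512 "http://clinic.example/specialists" "UA"
192.0.2.3 - - [25/Apr/2007:10:00:02 -0500] "GET / HTTP/1.1" 200 512 "http://maps.example/?ll=40.7,-74.0" "UA"
192.0.2.4 - - [25/Apr/2007:10:00:03 -0500] "GET / HTTP/1.1" 200 512 "http://promo.example/CASINO" "UA"
192.0.2.5 - - [25/Apr/2007:10:00:04 -0500] "GET / HTTP/1.1" 200 512 "-" "UA"
"""

def would_block(referer):
    """True if either RewriteCond matches, i.e. the rule answers 403."""
    return any(cond.search(referer) for cond in CONDITIONS)

def replay(log_text):
    """Return [(referer, blocked)] for every parseable line in the log."""
    results = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            referer = m.group("referer")
            results.append((referer, would_block(referer)))
    return results

if __name__ == "__main__":
    for referer, blocked in replay(SAMPLE_LOG):
        print("403" if blocked else "ok ", referer)
```

The replay shows two legitimate-looking referers rejected ("specialists" contains "cialis", and the map link contains a comma) and an upper-case keyword passing, which the `[NC]` flag on the second condition would catch.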
Friday, February 10. 2006
Stopping spam from China the easy and fun way!
Well, I'm about to give you our secret.
The Chinese govt dislikes us (the SOSDG) - a lot. We tend to host sites that their govt does not want its people seeing (Falun Gong anyone?).
So, what does any great oppressive govt do to sites that are on its banned list? They filter out all of our IP space in their network so their users can't get to our servers.
This does have an interesting side effect though - the filter blocks more than just HTTP traffic (port 80 tcp). SMTP connections are blocked as well. Spammers in China can no longer reach our servers at all.
So, if you want to cut back on spam from China without having to implement blocklists or filters your customers may not appreciate, host a site that pisses the Chinese govt off on your mail servers. I've seen them block new IP ranges hosting Falun Gong sites in under 12 hours.
Easy because it requires no major changes on your end. Fun because you get to irritate everyone's favorite oppressive country and waste their time.
Tuesday, October 11. 2005
Dick finally discovered my blog
Mwahaha.
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:44 -0500] "GET /bruns/ HTTP/1.1" 200 9569 "http://www.google.com/search?q=marc+wigle&hl=en&lr=&start=20&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:44 -0500] "GET /bruns/templates/default/img/somerights20.gif HTTP/1.1" 200 1836 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:44 -0500] "GET /bruns/serendipity.css HTTP/1.1" 200 1739 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/templates/default/img/background.png HTTP/1.1" 200 674 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/plugin/pngbehavior.htc HTTP/1.1" 200 1013 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/templates/default/img/emoticons/smile.png HTTP/1.1" 200 556 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/templates/default/img/back.png HTTP/1.1" 200 468 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/templates/default/img/s9y_banner_small.png HTTP/1.1" 200 4101 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
/var/log/httpd/blog.sosdg.org-access_log:24.174.169.194 - - [11/Oct/2005:09:45:45 -0500] "GET /bruns/templates/default/img/forward.png HTTP/1.1" 200 477 "http://blog.sosdg.org/bruns/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"




