Another source other than KRNIC?

Do you have an expectation of receiving any normal mail from that block? Korea has been assigned 211.32.0.0 to 211.63.255.255 in 37 blocks by APNIC. If not, simply block the entire range. If yes, either block smaller chunks, or block all but cut holes for the legitimate mail.

Have you tried asking Pubnet? (Yeah, I know, but I'm trying to be politically correct.)

[ ISP IPv4 Admin Contact Information ]
Name   : IP Administrator
Phone  : +82-2-3674-5890
E-Mail : snipped-for-privacy@pubnet.ne.kr

The APNIC delegation files don't even agree even with the results of a whois query.

[compton ~]$ grep ' 211.5[0-9]' IP.ADDR/stats/APNIC | grep KR | cut -d' ' -f1,2,3 | column
KR 211.50.0.0 255.255.0.0       KR 211.53.0.0 255.255.0.0
KR 211.51.0.0 255.255.0.0       KR 211.54.0.0 255.254.0.0
KR 211.52.0.0 255.255.0.0       KR 211.56.0.0 255.252.0.0
[compton ~]$

whois at APNIC returns 211.54.0.0 - 211.59.255.255 being allocated to KRNIC as a single block, which really isn't much help. The 211.54/15 and 211.56/14 blocks were both allocated to KRNIC on the same day, so I don't know why they would be separately listed in the delegation file. It's not a CIDR issue.

Agreed - APNIC delegated it to KRNIC, and ARIN has nothing to do with it. (ARIN only has one legacy assignment to Korea - the rest having been transferred to APNIC.) DNS Stuff (and similar sites) are merely reporting the information they get from the RIRs.

I suspect if we understood Korean, it would be possible to frame a more appropriate query to KRNIC - but other than that, nothing official.

Same question - are you expecting any legitimate mail from China? APNIC has allocated 899 blocks to China totalling 73,519,360 addresses. Ignoring the 202.0.0.0/7 block (with 387 assignments to China - all but 21 smaller than a /18), this can be cut to only 99 rules (or less if you want to second guess APNIC). For that, see a country blacklist service. China has a national whois web page and there is probably a standard whois server, but the information hasn't been useful to me.

One point I have seen is that China seems to ignore the IANA requirements for reverse DNS, so you might consider setting your mail server to reject _at_the_SMTP_"EHLO/HELO"_ stage (and NOT afterwards) any host that doesn't match forward and reverse DNS records. I also noticed this with Korea to a _slightly_ lesser extent. This had a significant effect in reducing spam.

Old guy

Reply to
Moe Trin
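The block arithmetic in the post above (the delegation file listing 211.54/15 and 211.56/14 as separate entries while whois shows one 211.54.0.0 - 211.59.255.255 range, and the "899 blocks cut to 99 rules" figure for China) can be checked mechanically. The following is an added example, not code from the thread: it parses the standard RIR delegated-stats layout (registry|cc|type|start|value|date|status, the format of the delegated-apnic-latest file on APNIC's FTP server) and collapses one country's delegations into the minimal CIDR rule set. The sample file is constructed here; the KR rows reproduce the six masks quoted above, the CN rows and every date are invented.

```python
"""Collapse one country's IPv4 delegations from an RIR 'delegated' stats
file into the smallest CIDR rule set, and convert whois-style ranges to CIDR."""
import ipaddress
from typing import Iterator, List, NamedTuple

# Constructed sample in delegated-stats layout. The KR rows match the masks
# quoted in the thread (four /16s, a /15 and a /14); the CN rows and all
# dates are made up for illustration.
SAMPLE_DELEGATED = """\
2|apnic|20000101|8|19830101|20000101|+1000
apnic|*|ipv4|*|8|summary
apnic|*|asn|*|0|summary
apnic|KR|ipv4|211.50.0.0|65536|20000101|allocated
apnic|KR|ipv4|211.51.0.0|65536|20000101|allocated
apnic|KR|ipv4|211.52.0.0|65536|20000101|allocated
apnic|KR|ipv4|211.53.0.0|65536|20000101|allocated
apnic|KR|ipv4|211.54.0.0|131072|20000101|allocated
apnic|KR|ipv4|211.56.0.0|262144|20000101|allocated
apnic|CN|ipv4|202.96.0.0|196608|20000101|allocated
apnic|CN|ipv4|211.136.0.0|524288|20000101|allocated
"""


class Delegation(NamedTuple):
    registry: str
    cc: str
    start: ipaddress.IPv4Address
    count: int
    status: str


def parse_delegated(text: str) -> Iterator[Delegation]:
    """Yield the ipv4 rows of a delegated-stats file.

    Comment lines start with '#', the version line starts with a digit, and
    summary rows carry '*' in the country column. For ipv4 rows the 'value'
    column is an address count, which need not be a power of two.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line[0].isdigit():
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[1] == "*" or fields[2] != "ipv4":
            continue
        registry, cc, _type, start, value, _date, status = fields[:7]
        yield Delegation(registry, cc, ipaddress.IPv4Address(start), int(value), status)


def delegation_to_cidrs(start: ipaddress.IPv4Address, count: int) -> List[ipaddress.IPv4Network]:
    """Expand (start, count) into CIDR blocks. A count that is not a power of
    two, or a start not aligned to it, produces more than one prefix."""
    return list(ipaddress.summarize_address_range(start, start + (count - 1)))


def range_to_cidrs(first: str, last: str) -> List[str]:
    """CIDR form of a whois-style 'first - last' range."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return [str(n) for n in nets]


def country_rules(text: str, cc: str) -> dict:
    """Collapse every ipv4 delegation for one country code into the minimal
    set of prefixes a firewall or MTA access list would need."""
    delegations = [d for d in parse_delegated(text) if d.cc == cc]
    nets = [n for d in delegations for n in delegation_to_cidrs(d.start, d.count)]
    collapsed = ipaddress.collapse_addresses(nets)
    return {
        "cc": cc,
        "raw_blocks": len(delegations),
        "total_addresses": sum(d.count for d in delegations),
        "rules": [str(n) for n in collapsed],
    }


if __name__ == "__main__":
    for cc in ("KR", "CN"):
        print(country_rules(SAMPLE_DELEGATED, cc))
    # The whois block for KRNIC is not a single CIDR prefix: it takes a /15 and a /14.
    print(range_to_cidrs("211.54.0.0", "211.59.255.255"))
    # Pubnet's visible sub-ranges, from the original question, as CIDR.
    print(range_to_cidrs("211.57.0.0", "211.57.3.63"))
```

Two things the output makes concrete. First, 211.54.0.0 - 211.59.255.255 is six /16s and cannot be written as one prefix, so the whois range and the two delegation-file entries are both correct descriptions of the same space. Second, a delegation whose count is not a power of two (the constructed 202.96.0.0 row with 196,608 addresses) expands to more than one prefix, which is why a rule count can exceed the block count before collapsing and shrink well below it afterwards.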

I am getting some spam in here from 211.57.x.x IP addresses.

I have determined that Pubnet is the assigned owner of 211.57.0.0 - 211.57.3.63 spread over a number of sub ranges i.e. 211.57.0.0 - 211.57.0.127 etc etc.

If I enter addresses above 211.57.3.63 - i.e. 211.57.3.64 KRNIC reverts to single IP addresses. I expect that Pubnet has the 211.57.0.0 - 211.57.255.255 address range but to confirm this via KRNIC's WHOIS service will be very tedious if I have to do this by single IP addresses.

APNIC, ARIN, DNS Stuff etc all point to KRNIC so they are no help.

Is there another resource on the net I can use that will give me the full range assigned to Pubnet?

I would also like to get the full set of IP address ranges assigned to Chinanet and CNCGroup. Knowing this would save me a heap of time.

I appreciate any assistance that you can give me with this.

Reply to
JC

I'm not sure how much good it would do, as some people are 'sensitive' to criticism - constructive or otherwise - from "outsiders".

You're not alone. I've seen inconsistencies between the RIR zonefiles and queries quite often. Usually it doesn't matter, but occasionally it takes mail to a contact address to straighten things out.

You can often ask with different queries - an example being ARIN querying by Organization Code, etc. I haven't tried this at KRNIC (or any NIR/LIR).

You can get the zone files from the FTP servers at the five RIRs

but the zone files don't list that.

My _guess_ is that the information exists at the RIR (or more likely at the NIR or LIR level), but is incomplete (for example, abuse addresses are rarely available - try whois.abuse.net instead), or not public.

If you are talking about receipt of spam (your original post), there are a large number of blocklists available, as well as simple techniques such as refusing mail _connections_ to hosts with DNS problems (A != PTR, missing PTR, "generic names" that don't reflect a mail function), false or misleading 'EHLO/HELO' names, and so on.

If you are talking about windoze messenger spam, unless you can have your upstream block UDP to ports 1025 - 1035 (or so), the only solution is to drop UDP to those ports. Over a seven day period a week ago, as a test I logged the UDP spam headers - much of it from CNCGROUP Heilongjiang Province Network. This was averaging 1000 messages a day, or about 450K of wasted bandwidth per day. Nearly all of the crap was fake windoze error messages indicating a configuration problem (seeing them _would_ indicate this), and directing the victim to some wankers web site (usually hosted at hosting services well known for supporting spammers, in FL.us, WA.us, TX.us, or CA.us). The domain names in the spams were freshly registered (often less than 36 hours old), probably to avoid name recognition blocking. (What I'd love to be able to do is block based on the domain registrar who registered the domains - some of them seem to covet spammer business.)

Two of the three ISPs I use from home block the standard windoze "Hello Sailor" ports, but the third shows the usual noise of people looking for windoze shares, etc. This should be silently dropped at all routers. A more annoying problem for me is the constant probing for open SMTP servers, and any SSH servers (ports 25 and 22 respectively). This appears to be zombies - and are usually coming from home (cable/DSL) networks around the world. If you are listed as an MX box - restricting access as above is best. If not an MX box, or if only expecting mail from defined areas, restricting access by IP address blocks (this also applies emphatically to port 22) is very helpful.

I don't admin the corporate firewalls (heck, I don't even have access), but at home, it's a block and ignore situation. Occasionally, I'll turn on logging to see what's out there, but the firewall is working, so who cares. I know the policy at work is similar.

Old guy

Reply to
Moe Trin
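The EHLO/HELO-stage checks described in the two posts above (A != PTR, missing PTR, generic reverse names, false or misleading HELO names) amount to forward-confirmed reverse DNS plus a HELO sanity test. The code below is an added example, not anything from the thread or from a particular MTA. It runs offline against a constructed in-memory resolver; the hostnames, the RFC 5737 documentation addresses and the list of "generic" labels are all assumptions, and in a real deployment the same logic would sit behind a DNS library or the MTA's policy hook.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and HELO checks for the
EHLO/HELO stage of an SMTP session, against a constructed resolver."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Labels that usually mark end-user or dynamically assigned hosts rather than
# a mail function. Heuristic and assumed; tune it for your own traffic.
GENERIC_LABELS = {"dsl", "adsl", "dyn", "dynamic", "dhcp", "ppp", "pool",
                  "cable", "dialup", "cust", "customer", "client"}

ADDRESS_LITERAL = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class FakeResolver:
    """Minimal PTR/A lookup over fixed tables (constructed test data)."""

    def __init__(self, ptr: Dict[str, List[str]], a: Dict[str, List[str]]):
        self._ptr, self._a = ptr, a

    def ptr(self, ip: str) -> List[str]:
        return self._ptr.get(ip, [])

    def a(self, name: str) -> List[str]:
        return self._a.get(name.lower().rstrip("."), [])


class Verdict(NamedTuple):
    action: str              # "accept" or "reject"
    reasons: Tuple[str, ...]


def looks_generic(name: str, ip: str) -> bool:
    """True if the PTR name embeds the client address (either order, dashed or
    dotted) or carries one of the generic labels."""
    lowered = name.lower()
    octets = ip.split(".")
    for sep in ("-", "."):
        if sep.join(octets) in lowered or sep.join(reversed(octets)) in lowered:
            return True
    return any(label in GENERIC_LABELS for label in re.split(r"[.\-]", lowered))


def check_reverse_dns(ip: str, resolver: FakeResolver) -> List[str]:
    """FCrDNS: a PTR must exist, at least one PTR name must have an A record
    pointing back at the connecting address, and that name must not be generic."""
    names = resolver.ptr(ip)
    if not names:
        return ["no PTR record for " + ip]
    confirmed = [n for n in names if ip in resolver.a(n)]
    if not confirmed:
        return ["PTR %s does not resolve back to %s (A != PTR)" % (names[0], ip)]
    if all(looks_generic(n, ip) for n in confirmed):
        return ["generic PTR name " + confirmed[0]]
    return []


def check_helo(ip: str, helo: str, resolver: FakeResolver) -> List[str]:
    """HELO must be an address literal for the connecting IP, or a
    fully-qualified name whose A record includes the connecting IP."""
    helo = helo.strip()
    literal = ADDRESS_LITERAL.match(helo)
    if literal:
        return [] if literal.group(1) == ip else ["HELO literal %s is not the connecting IP" % helo]
    if BARE_IP.match(helo):
        return ["HELO is a bare IP without brackets: " + helo]
    if "." not in helo:
        return ["HELO is not a fully-qualified name: " + helo]
    if ip not in resolver.a(helo):
        return ["HELO %s does not resolve to %s" % (helo, ip)]
    return []


def evaluate_client(ip: str, helo: str, resolver: FakeResolver,
                    strict_helo: bool = True) -> Verdict:
    """Decide at the EHLO/HELO stage. Reverse-DNS inconsistencies always
    reject; HELO problems reject only when strict_helo is set."""
    dns_reasons = check_reverse_dns(ip, resolver)
    helo_reasons = check_helo(ip, helo, resolver)
    reject = bool(dns_reasons) or (strict_helo and bool(helo_reasons))
    return Verdict("reject" if reject else "accept", tuple(dns_reasons + helo_reasons))


# Constructed lookup tables: one clean relay and three kinds of bad client.
RESOLVER = FakeResolver(
    ptr={
        "198.51.100.25": ["mail.example.org"],
        "198.51.100.80": ["smtp.example.com"],           # stale PTR, A points elsewhere
        "192.0.2.44": ["192-0-2-44.dyn.example.net"],    # generic rDNS
        # 203.0.113.7 deliberately has no PTR
    },
    a={
        "mail.example.org": ["198.51.100.25"],
        "smtp.example.com": ["198.51.100.81"],
        "192-0-2-44.dyn.example.net": ["192.0.2.44"],
    },
)

if __name__ == "__main__":
    for ip, helo in [("198.51.100.25", "mail.example.org"),
                     ("198.51.100.80", "smtp.example.com"),
                     ("192.0.2.44", "192-0-2-44.dyn.example.net"),
                     ("203.0.113.7", "mail.example.org")]:
        print(ip, helo, evaluate_client(ip, helo, RESOLVER))
```

The strict_helo switch is there because RFC 5321 section 4.1.4 allows a server to verify the EHLO argument but says it must not refuse a message solely because that verification fails; the reverse-DNS tests carry no such restriction. Whichever policy you pick, the decision is made before any MAIL FROM or DATA, so a rejected client costs one DNS round trip and no message bytes.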

With that kind of number of hits, it's probably connected with something over a T1 - that is attractive to spammers and zombie controllers.

Absolutely agree here.

Much of what I've seen in abuse reporting seems to result in a negative reaction, rather than any action being made to correct the abuse. Korea became a prime target when they decided to put the Internet into every school - maybe every classroom. At least initially, they made no effort to install things in a secure manner, and the result was rooted boxes sending tons of spam every minute. My understanding is that Korean business finally noted that large chunks of Korean IP space was being blocked, and THAT was impacting their bottom lines. They were able to get the word out, and the security improved somewhat.

Agree

I don't know this to be true - certainly anyone spending a few minutes reading the abuse newsgroups knows about the problem, and the sure cure of blocking Chinese IP space, but _I_ haven't seen any reduction in the amount of abuse from there, and if anything they are happy to receive the spammers money for "bullet-proof" hosting services.

Old guy

Reply to
Moe Trin

In article , JC wrote:
:What I am trying to do is cut down, and keep cut down, the number of net abuse
:attempts on my IP address. It is now running at around 100 per day which is
:well down from the 800 - 1,000 it was when I first started sending reports, in
:the form of firewall log extracts, back to the ISPs listing the attempts.

I don't think that effort is worthwhile over the long term. Our site gets over 100,000 abuse attempts per day -- and our site is not an "attractive nuisance".

If one supposed that each distinct attempt involved an average of 100 entries (the real average is far far lower), then that would still be 1000 reports per day to generate. If we could review the data and make a decision and dispatch a report every 10 seconds, that would still be 2 3/4 hours of intensive review... every day. And that's provided that one had well-automated tools that extracted the data and formatted it and looked up the abuse address...

I doubt that there -is- a really useful registry of abuse addresses for Korea, and I'd be really amazed if there is a useful registry of abuse addresses for China (other than one that came down to reporting all the abuse to the political authorities in China for prosecution under China's laws that more or less provide for the death penalty for internet "crimes" including shaming the image of China.)

Reply to
Walter Roberson

Good idea. I have sent them an email and await their response.

One hopes that this is organised correctly but I do have my doubts.

The WHOIS service only appears to give the option of entering an IP address. APNIC and RIPE both have the -L flag which gives the parent details but this doesn't seem to be an option with KRNIC.

Is there a site on the net from which I can download a copy of the assignments - I need ISP name, IP address range and abuse email address for each range?

I looked on the APNIC site but couldn't find such a list.

What I am trying to do is cut down, and keep cut down, the number of net abuse attempts on my IP address. It is now running at around 100 per day which is well down from the 800 - 1,000 it was when I first started sending reports, in the form of firewall log extracts, back to the ISPs listing the attempts.

Reply to
JC

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.