Category Archives: spam

damn right they’re blocked! 🤬

i got the following notification from my anti-cracker service:

A user with IP addr 2001:41d0:305:1000::1250 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username '[login]' to try to sign in.
The duration of the lockout is 2 months.
User IP: 2001:41d0:305:1000::1250
User hostname: hr914433990.reseller.mis.ovh.net
User location: France

i’ve been seeing these login attempts using “[login]” for some time now — and why, in the name of all that’s holy, would ANYONE use, or allow another person to use “[login]” as a username, is beyond my limited imagination, but that’s not the main reason this notification caught my eye…

it’s because of the user hostname, which is a reseller host at ovh.net 🙄

i’ve been dealing with spam and cracking attempts from OVH for AT LEAST ten years. unfortunately, it’s nothing new… but this is the first time they’ve tried to get around my blocks by using an IPv6 address.

and it wasn’t OVH directly, it was a reseller, but the fact is still plain that OVH STILL enables spammers and crackers to work with impunity from their networks.

FUCK OVH! 🤬😠👎👎‼

and add 2001:41d0::/32 to my block list! 🙄

Rule #3

Rule #3 states “Spammers are stooOOpid.”

if you need an example of rule #3, i have one for you:

the spammer sent mail from a computer called… get this…

UCEBOX.CO.ZA

😝😂🤣🤪🤦😠🤬

for those of you who still don’t “get” it, not only is the computer in south africa, home to all things shady and illegal, but “UCE” stands for “Unsolicited Commercial Email”… in other words, “spam”.

it’s as though they’re saying, “fuck yeah, we’re so gawd-damned proud of the illegal spam we send, that we’re going to name our computer after it, and nobody will care, even if they do notice!”

people should have to take an intelligence test before being allowed into the human race.

seriously.

spam update

i have now, officially, blocked IP address ranges in the following countries:

afghanistan
albania
angola
argentina
aruba
australia
austria
bangladesh
belarus
belgium
bhutan
bolivia
bosnia & herzegovina
brazil
british virgin islands
bulgaria
cambodia
canada
chile
china
colombia
congo
cote d’ivoire
croatia
czech republic
denmark
ecuador
egypt
el salvador
estonia
finland
france
georgia
germany
ghana
greece
guatemala
honduras
hong kong
hungary
iceland
india
indonesia
iran
iraq
ireland
israel
italy
japan
jordan
kazakhstan
kenya
kyrgyzstan
latvia
lithuania
luxembourg
macao
malaysia
mexico
moldova
monaco
mongolia
morocco
myanmar
netherlands
new zealand
nigeria
norway
pakistan
panama
paraguay
peru
philippines
poland
romania
russia
serbia
seychelles
singapore
slovakia
south africa
south korea
spain
sweden
switzerland
taiwan
tajikistan
tanzania
thailand
Trinidad & tobago
turkey
UK
ukraine
uruguay
USA
uzbekistan
vietnam

the big winners are china, russia, and india, and the runners up are spain, uzbekistan and kazakhstan…

and the good ol’ united states of ‘merica makes an appearance, as well.

before i started blocking whole swaths of IP addresses, the CPU usage on my server was between 75% and 100%, pretty much always. since i started blocking IP address ranges, my CPU usage is between 2% and 5%… which means that my web sites respond more quickly.

a side benefit is that, often, the same IP address ranges that are used by spammers, are also used by crackers, skript-kiddies, and other miscreants, so by absolutely blocking them (using both the IP Blocker and the Global Email Filters) i kill two birds with one stone. 😉

the down side is that i’ve been catching a few false positives, which are messages from people within north america, but, through no fault of their own, sent their messages at EXACTLY the right time, so that the date in their message ID gets caught by the rule that’s supposed to catch IP addresses… 😖

but, honestly, there have been fewer than 10 false positives in the last 6 months (they tend to come in spurts: i’ve caught 3 today, but haven’t seen one for months), whereas, if left unfettered, i would have received, easily, 100 times that many spam messages PER DAY, so, in all, i’m almost ready to make my list available to anybody else who wants to cut down on the people who send you spam… 😉

new regex stuff!

logical operators! thanks ian! 😉

+ () [] - |

(stuff that remains the same)+(stuff that changes) – otherwise known as “capture groups”

[89] = 8 or 9

[0-4] = 0, 1, 2, 3, or 4

| = logical OR

so…

\D(85\.157\.47\.)+(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])\D

means “capture everything in 85.157.47.128/25”

which, up until now, has meant “make a separate rule for every IP address between 85.157.47.128 and 85.157.47.255” — 128 SEPARATE RULES, which takes A LONG time, and slows down processing speed.

this is a BIG step forward!

WOO!!! 😎👍

ETA 200205: even more WOO!!! because ian directed me to a RegEx Numeric Range Generator, which means that i don’t have to figure them all out myself! WOO!!! 😎👍