Tag Archives: the mallet

YAAAAAA!!!! 😈

i got home from my circus class this afternoon, and discovered approximately 1000 IDENTICAL spam messages in my spam receptacle. over the course of the next half an hour or so, i deleted approximately 500 more IDENTICAL spam messages…

so i decided to do some research. what i came up with is that EVERY ONE of those spam messages had been sent from an IP address in the range of 37.32.0.0/16, in iran.

so i blocked it.

and NO MORE SPAM from that range of IP addresses. not a single one! 👍

THIS is why i do it! 😈

why i do it, part ∞

Re:[## 78615541 ##] ABUSE VIOLATION: Give your feedback, get a $75 8J+NqPCfjag

Zoho Campaigns has a zero tolerance policy towards spam, and we do everything we can to curtail it. Thank you for sharing the email header. We have taken punitive action against the user as per our terms of use.

i don’t get these notices often, because of various “spam policies” held by the offending parties, but, occasionally, i get solid validation that the spammer i reported has been flattened by the mallet.

it feels good.

failed login record:

the following login failures were counted on my server last month:

1167 from admin
938 from [login]
25 from przxqgl
11 from user
10 from root
6 from test

to reiterate what is now on my sidebar, my login is NOT “[login]”, “login”, “admin” or “przxqgl” — or “user”, or “root”, or “test” — and i automatically block the IP ranges of anyone who tries to guess my login, so you might as well try to break into someone else’s shit, ’cause it’s not happening here. 😒

damn right they’re blocked! 🤬

i got the following notification from my anti-cracker service:

A user with IP addr 2001:41d0:305:1000::1250 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username '[login]' to try to sign in.
The duration of the lockout is 2 months.
User IP: 2001:41d0:305:1000::1250
User hostname: hr914433990.reseller.mis.ovh.net
User location: France

i’ve been seeing these login attempts using “[login]” for some time now — and why, in the name of all that’s holy, would ANYONE use, or allow another person to use “[login]” as a username, is beyond my limited imagination, but that’s not the main reason this notification caught my eye…

it’s because of the user hostname, which is a reseller host at ovh.net 🙄

i’ve been dealing with spam and cracking attempts from OVH for AT LEAST ten years. unfortunately, it’s nothing new… but this is the first time they’ve tried to get around my blocks by using an IPv6 address.

and it wasn’t OVH directly, it was a reseller, but the fact is still plain that OVH STILL enables spammers and crackers to work with impunity from their networks.

FUCK OVH! 🤬😠👎👎‼

and add 2001:41d0::/32 to my block list! 🙄

Rule #3

Rule #3 states “Spammers are stooOOpid.”

if you need an example of rule #3, i have one for you:

the spammer sent mail from a computer called… get this…

UCEBOX.CO.ZA

😝😂🤣🤪🤦😠🤬

for those of you who still don’t “get” it, not only is the computer in south africa, home to all things shady and illegal, but “UCE” stands for “Unsolicited Commercial Email”… in other words, “spam”.

it’s as though they’re saying, “fuck yeah, we’re so gawd-damned proud of the illegal spam we send, that we’re going to name our computer after it, and nobody will care, even if they do notice!”

people should have to take an intelligence test before being allowed into the human race.

seriously.

spam update

i have now, officially, blocked IP address ranges in the following countries:

afghanistan
albania
angola
argentina
aruba
australia
austria
bangladesh
belarus
belgium
bhutan
bolivia
bosnia & herzegovina
brazil
british virgin islands
bulgaria
cambodia
canada
chile
china
colombia
congo
cote d’ivoire
croatia
czech republic
denmark
ecuador
egypt
el salvador
estonia
finland
france
georgia
germany
ghana
greece
guatemala
honduras
hong kong
hungary
iceland
india
indonesia
iran
iraq
ireland
israel
italy
japan
jordan
kazakhstan
kenya
kyrgyzstan
latvia
lithuania
luxembourg
macao
malaysia
mexico
moldova
monaco
mongolia
morocco
myanmar
netherlands
new zealand
nigeria
norway
pakistan
panama
paraguay
peru
philippines
poland
romania
russia
serbia
seychelles
singapore
slovakia
south africa
south korea
spain
sweden
switzerland
taiwan
tajikistan
tanzania
thailand
Trinidad & tobago
turkey
UK
ukraine
uruguay
USA
uzbekistan
vietnam

the big winners are china, russia, and india, and the runners up are spain, uzbekistan and kazakhstan…

and the good ol’ united states of ‘merica makes an appearance, as well.

before i started blocking whole swaths of IP addresses, the CPU usage on my server was between 75% and 100%, pretty much always. since i started blocking IP address ranges, my CPU usage is between 2% and 5%… which means that my web sites respond more quickly.

a side benefit is that, often, the same IP address ranges that are used by spammers, are also used by crackers, skript-kiddies, and other miscreants, so by absolutely blocking them (using both the IP Blocker and the Global Email Filters) i kill two birds with one stone. 😉

the down side is that i’ve been catching a few false positives, which are messages from people within north america, but, through no fault of their own, sent their messages at EXACTLY the right time, so that the date in their message ID gets caught by the rule that’s supposed to catch IP addresses… 😖

but, honestly, there have been fewer than 10 false positives in the last 6 months (they tend to come in spurts: i’ve caught 3 today, but haven’t seen one for months), whereas, if left unfettered, i would have received, easily, 100 times that many spam messages PER DAY, so, in all, i’m almost ready to make my list available to anybody else who wants to cut down on the people who send you spam… 😉

calm, still no storm… weird…

still calm, still a few “false positives” which are easily dealt with, and forwardable almost immediately… ‼👍 but no “bitcoin sextortion” spam since 191202… and the record is currently held by 1LfYcbCsssB2niF3VWRBTVZFExzsweyPGQ, who i last heard from on 191127, who spammed me four hundred eighty-seven times

spam assassin has, apparently, figured out a regex (or something) for capturing bitcoin addresses, so after 191127, there have been no bitcoin sextortion spams that have NOT been labeled as ***SPAM*** by spam assassin, which makes them a lot easier to filter out.

but it’s weird, because, even though it has been almost a week now, waking up in the morning and NOT having two or three DOZEN spam messages to process makes me nervous that something else may be happening to all of those messages, and, potentially, legitimate messages, as well, and i have no clue what may be happening to them, because nobody other than me is even aware of the fact that they’re not there any longer. 😕

we started the panto. it’s Jack and The Beanstalk… i don’t remember whether this is the first panto we did, or the second panto we did, way back when we first started doing pantos, 17 years or so ago… but it’s largely the same script: different actors but the same characters… and no simon, but he hasn’t been involved since he got drunk, did something which he wasn’t supposed to (sexual harassment? stealing stuff? something that only drunk people do… 😒), and was banned from the palladium, a few years ago. we did the first four of 20 performances, last weekend, and only missed one music cue: half the band started a half a measure before the other half of the band, and none of the singers came in at the right point, but we recognised it almost immediately, and kiki said “wait, can we start that again?” and everybody came in on cue when we tried it again… and there was one place at the end of the panto, where the giant chops down the beanstalk, and the ogress (represented by a puppet) falls from the castle in the sky, along a zip-line, to the back of the palladium. but, this time, the doors to the castle opened, but no ogress came out… so we just continued, where the ogress (this time, the real actor) then “falls” back up to the front of the stage, and has a few lines… and then the puppet ogress decided it was time to fall… 🤣

but, all in all, the panto is going well.

/8 blocks

i now have three /8 blocks in my email filters.

25.0.0.0/8 in the UK, 53.0.0.0/8 in germany, and 133.0.0.0/8 in japan.

the “standard” email filters, built on “and/or” and “contains/does not contain”, break down when you’re dealing with 16.75 MILLION addresses.

they break down because you can’t just filter on 25. which appears in the middle and end of IP addresses, in message ID numbers, and, occasionally, in the body of the message.

the result is A LOT of false positives: email which i can’t forward to the correct recipient, because it will get filtered AGAIN

which is quite annoying. 😒

so, with the help of my friend robert, i built a regular expression to handle it:

\D25\.\d{1,3}\.\d{1,3}\.\d{1,3}\D

finds non-digit character followed by “25.”, followed by three repetitions of one to three digits, interspersed by periods, followed by another non-digit character.

technically, this regex could be adapted to accommodate any IP address, which means that, theoretically, i have a whole new, easier, and faster method of processing spam. 😈

the next step is to learn how to search for a specific range of digits… 😈

ETA 191127 i discovered that you can’t specify a range of digits with a regex. for that, you need a script, which is too much work. also, i determined that i DON’T need the white space character at the beginning and end of the regular expression, because, sometimes, the IP address is surrounded by parentheses, square brackets, or both.

ETA 191128 i changed it from white space character — \s — to non-digit character — \D — because some IP addresses are surrounded by parentheses or square brackets, but some are surrounded by white space characters. the only thing \D doesn’t capture is an empty string, so the IP address can’t be the first thing in the line of text.

and, even with the \D, this regex, modified to capture 27.16.0.0/12 in china, captures 2.2019.11.27.23.41.02, which is part of the message ID on a LEGITIMATE message. 😖😒😠🤬

this is why i’m rerouting these messages, rather than summarily deleting them, which is my inclination… summarily deleting what i think is spam has come back to bite me in the ass often enough that i don’t do it any longer. 😒
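An added example, not the author's filter: a short Python script that checks the addresses in `Received:` headers against CIDR blocks named on this page, and shows the message-ID false positive described above. The sample messages, host names and addresses are constructed, and `naive_match` assumes the "modified" pattern is simply the page's regex with 25 swapped for 27.

```python
import email
import ipaddress
import re

# CIDR blocks named in the posts on this page.
BLOCKED = [ipaddress.ip_network(n) for n in
           ("25.0.0.0/8", "27.16.0.0/12", "53.0.0.0/8", "133.0.0.0/8")]

# A dotted quad that is not a slice of a longer run of digits and dots.
# Lookarounds also succeed at the very start or end of the text, which \D cannot.
DOTTED_QUAD = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample: legitimate mail whose Message-ID embeds a timestamp.
LEGIT = (
    "Received: from mail.example.com (mail.example.com [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP; Wed, 27 Nov 2019 23:41:02 -0800\n"
    "Message-ID: <2.2019.11.27.23.41.02.abc@example.com>\n"
    "Subject: order question\n"
    "\n"
    "hello\n"
)

# Constructed sample: mail relayed from an address inside 27.16.0.0/12.
SPAM = (
    "Received: from unknown (HELO host) ([27.18.5.9])\n"
    "\tby mx.example.org with SMTP; Wed, 27 Nov 2019 10:00:00 -0800\n"
    "Message-ID: <x@example.net>\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def naive_match(raw_message, first_octet):
    """The page's pattern with the leading octet swapped in (an assumption),
    run over the whole message text."""
    pattern = rf"\D{first_octet}\.\d{{1,3}}\.\d{{1,3}}\.\d{{1,3}}\D"
    return re.search(pattern, raw_message) is not None


def received_ips(raw_message):
    """Return the IPv4 addresses found in Received: headers only."""
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        for text in DOTTED_QUAD.findall(str(header)):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                pass  # not a valid address, e.g. an octet above 255
    return ips


def blocked_hits(raw_message):
    """Return (address, block) pairs for relay addresses inside a blocked range."""
    return [(str(ip), str(net)) for ip in received_ips(raw_message)
            for net in BLOCKED if ip in net]


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spam", SPAM)):
        print(name, "naive:", naive_match(raw, 27), "cidr:", blocked_hits(raw))
```

The range test is done by `ipaddress`, so the regex only has to find candidates; restricting the search to `Received:` headers keeps message IDs and body text out of the decision.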

spammers spamming spam! 🤬

just as a reminder, this has been posted at the Hybrid Elephant Contact Us form:

PLEASE NOTE: This contact form is solely for the use of Hybrid Elephant customers who need to get in contact with us. Every message that is sent with this form includes a unique IP address in the header, which identifies the computer from which the message was sent. If you use this form to spam us, all you will accomplish is to put your IP address on the list of IP addresses which are PERMANENTLY BANNED from accessing Hybrid Elephant for any reason. Please DO NOT USE THIS FORM to send us advertisements or solicitations. It WILL NOT WORK! You have been warned!

this morning, i got spam from my response form (big surprise).

the difference, this time, is that the following message was included at the end of the spam:

IMPORTANT NOTICE: This message has been posted via a Contact Us form on your site. Contact forms are publicly accessible and they can be used for posting messages by anyone. We don’t use, hold or archive your e-mail addresses.

yes, contact forms can be used by anyone, but, particularly when an anti-spam message like the one previously posted is present, a conscientious user of internet won’t use it unless that person is also a “Hybrid Elephant customers who need to get in contact with us”.

the message that you sent me was definitely NOT because of a need to contact me about something having to do with my business. 😒

and the fact that you say you “don’t use, hold or archive your e-mail addresses” is a moot point, because you ALREADY HAVE used my email address, and the fact that you have already used it means that, very likely, it is stored somewhere on your system, and probably gets backed up with everything else on your computer, which, for all intents and purposes, is “using, holding and archiving”… 🤬

so, the IP address from which this spam was sent is 85.203.22.215, which is part of the 85.203.22.208/28 range, located in monaco.

as of now, 85.203.22.208/28 (16 individual IP addresses) is no longer able to access my domains for any reason whatsoever.

thanks, spammer.

the message also contained references to wexxluxurycars dot com, which also goes on my block list.

thanks, spammer.

the IP address to which that domain name corresponds is 198.46.134.35, which is located in new york. because of the fact that it’s in new york, that IP address goes on my email block list, with today’s date, so that, in case i get an inquiry regarding it at some future point, i can state, unequivocally, that it was added to the list on that date, in case the person inquiring wants me to remove it…

which i will do ONLY if they can convince me that they are no longer associated with spam.

thanks, spammer.

and, of course, nobody is going to be seriously affected by all of this falderal (except, possibly, me), because the message was, doubtlessly, sent by a script that scans for “Contact Us” forms, and dumps meaningless spam into them automatically, without any one person having to do anything other than launch the script, which is why i’ve taken to blocking CIDR ranges outside of north america with no further warning. if people are going to be that careless with their own security, it’s up to people like me to take their security seriously, for them.

thanks, spammer. 🤬

random reminder

great swaths of the internet from the following countries have been permanently banned from viewing my web sites and sending me email, due to ongoing, egregious spamming activity:

albania
angola
argentina
aruba
australia
bangladesh
belarus
belgium
bosnia
brazil
british virgin islands
bulgaria
canada
chile
china
colombia
congo
denmark
egypt
finland
france
germany
guatemala
herzegovina
hong kong
iceland
india
indonesia
ireland
israel
italy
japan
kenya
latvia
lithuania
macau
malaysia
mexico
moldova
netherlands
nigeria
norway
pakistan
panama
philippines
poland
romania
russia
serbia
seychelles
singapore
slovakia
south africa
spain
sweden
switzerland
taiwan
thailand
turkey
UK
ukraine
uruguay
viet nam

and more than a few from the united states, for good measure. 😒

spam is bad. stop spam on internet.

tee…

i’ve recently taken to blocking great swaths of IP addresses in foreign countries, which only send me spam.

she has HUGE… tracts of land…

i have undertaken this policy because using a utility that automatically blocks IP addresses from foreign countries costs money (😒) and using a utility would only work on hybridelephant dot com, and nowhere else.

so, i learned about CIDR, learned how to identify host countries based on IP addresses, and learned how to block IP addresses based on CIDR numbers…

now, instead of blocking a single IP address — which is pointless, because spammers know that a single IP address only works until the spamees figure it out and block it, so they move on to the next one — i block entire swaths of IP addresses: the most common are the /24 range, which blocks 256 (2^8) IP addresses, and the /16 range, which blocks 65,536 (2^16) addresses.

and i can block spam from those IP addresses on ALL of my domains, not just hybridelephant dot com. 😉

which brings me to the point of this post: i recently blocked the third IN A SERIES of IP addresses from bangladesh: now i have 185.222.56.0/24, 185.222.57.0/24, AND 185.222.58.0/24 blocked.

which, technically, means that i could block 185.222.56.0/23 and 185.222.58.0/24 with the same effect, because 185.222.56.0/24 plus 185.222.57.0/24 equals 185.222.56.0/23

i love that i am able to do this.

i also love that i am able to understand this as much as i do… which is not very much, but enough that i have been successful in reducing the amount of spam i get by a SIGNIFICANT amount, and not affected my legitimate mail in the slightest degree. 😈
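An added example, not the author's tooling: collapsing a block list with Python's `ipaddress` module, using the three bangladesh /24 ranges from this post, the 37.32.0.0/16 range and the 2001:41d0::/32 range mentioned elsewhere on the page. The function names are illustrative, and 185.222.59.0/24 and 37.32.5.0/24 are constructed entries used only to show what happens next.

```python
import ipaddress


def aggregate(cidrs):
    """Collapse a block list into the fewest CIDR ranges covering the same
    addresses. IPv4 and IPv6 are collapsed separately because
    collapse_addresses() refuses a mixed list."""
    nets = [ipaddress.ip_network(c) for c in cidrs]  # rejects host bits set
    merged = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        merged.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return merged


def can_merge(a, b):
    """Two equal-sized blocks merge into one only when they are the two
    halves of the same parent block, not merely next to each other."""
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    return (na.prefixlen == nb.prefixlen and na != nb
            and na.supernet() == nb.supernet())


def address_count(cidrs):
    """Number of distinct addresses a block list covers."""
    return sum(ipaddress.ip_network(c).num_addresses for c in aggregate(cidrs))


BANGLADESH = ["185.222.56.0/24", "185.222.57.0/24", "185.222.58.0/24"]

if __name__ == "__main__":
    print(aggregate(BANGLADESH))                       # /23 plus the odd /24
    print(can_merge(BANGLADESH[0], BANGLADESH[1]))     # .56 and .57 share a /23
    print(can_merge(BANGLADESH[1], BANGLADESH[2]))     # .57 and .58 do not
    print(aggregate(BANGLADESH + ["185.222.59.0/24"])) # constructed fourth block
    print(aggregate(["37.32.0.0/16", "37.32.5.0/24"])) # the /24 is already covered
    print(aggregate(BANGLADESH + ["2001:41d0::/32"]))  # mixed IPv4 and IPv6
```

185.222.57.0/24 and 185.222.58.0/24 are adjacent but cannot become a /23, because a /23 has to start on an even third octet; that is why the collapsed list still has two entries.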

seriously…

i put a notice on hybrid elephant’s contact form, a few months ago:

PLEASE NOTE: This contact form is solely for the use of Hybrid Elephant customers who need to get in contact with us. Every message that is sent with this form includes a unique IP address in the header, which identifies the computer from which the message was sent. If you use this form to spam us, all you will accomplish is to put your IP address on the list of IP addresses which are PERMANENTLY BANNED from accessing Hybrid Elephant for any reason. Please DO NOT USE THIS FORM to send us advertisements or solicitations. It WILL NOT WORK! You have been warned!

this morning i received spam from the contact form, which said “my apologies for reaching out cold like this, just trying to see who I can help.”

if you’re really interested in helping, there’s a snail-mail address, AND a phone number posted on the same page as the contact form — which contains the warning mentioned previously. there’s absolutely no reason why you could not have called me on the phone, or written me a snail-mail message, instead of using our contact form SPECIFICALLY for something that i have warned you NOT to use it for.

not only that, but the header indicates that you’re one of those suckers who bought into the spam that has been going around recently, which says that you can send your spam through contact forms, because they’re already approved. i know this because your return address is to a server in scottsdale, arizona, but the message was sent through 105.235.192.0/21, which is located in nigeria. not only that, but the domain name you registered is hosted by microsoft, and registered at godaddy, both of which are known, notorious spam havens, despite what they may say in their advertisements… so your domain name also goes into my spam filter.

congratulations, spammer: you have successfully participated in BLOCKING yourself, your domain, and a /21 range (2,048 individual IP addresses) in nigeria. you will never again be able to access any of my domains, for any reason, any email that you send to me will go unread, and there is absolutely NO WAY i will ever use your “instagram marketing” service… primarily because i do not now, and never have had an instagram account, and i do not intend to open one in the future.

which you could have found out just as easily over the telephone, and you wouldn’t have blocked yourself. spam doesn’t work. give it up.

🤬

spam update

as of 190729, the following IP addresses, and top-level domains are BLOCKED from my web sites, for egregious spamming behaviour:

.bid – auctions
.br – brazil
.casa – “house”
.cf – central african republic
.club – groups, organizations, assemblies, communities, general
.cn – china
.date – online dating
.direct – general
.do – dominican republic
.download – technology
.es – spain
.faith – religion and churches
.fun
.gq – equatorial guinea
.hk – hong kong
.host – network companies
.icu – entrepreneurs and business owners
.life
.live
.loan – banks and lenders
.md – moldova
.moda – “fashion”
.mp – northern mariana islands (and anyone using mailchi.mp)
.ms – montserrat
.ooo
.online
.party – nightclubs and social gatherings
.pro – professions/professionals
.racing – racing
.review – public reviews
.ru – russia
.site
.space – as a creative space
.store – stores
.stream
.top
.trade – businesses
.webcam – web cam shows and video sharing
.website
.win – games, micro$oft windoesn’t
.world
.xyz
.za – south africa

if you recognise your IP address, or if you are one of the unfortunates whose web sites have one of the preceding TLDs, i’m sorry, but it had to be done… maybe if you contacted your ISP and complained, they might do something about it. 😒

HAHAHAHAHAHAHAHAHA!!! 🤪🤣

last year i switched away from my then-new host provider after a very short period of time because it turned out that they were a spam-haven.

before i switched, it got so bad that i set up a monitor at MXToolbox to check whether or not my IP address had been listed at any blacklists.

the host provider was incensed at this, and swore up and down that they had robust anti-spam policies that were enforced with an iron fist, but i switched away from them shortly afterwards, anyway.

today i got a notice from the monitor. apparently 69.162.87.36 is running an open relay and has a poor reputation

so much for “robust anti-spam policies enforced with an iron fist”. 🤣🤣🤣🤣🤣

anti-spam

the following is a list of the TLD names that i have blocked from sending email to any email address at Hybrid Elephant:

.bid
.br – Brazil
.cf – Central African Republic
.club
.cn – China
.date
.direct
.do – Dominican Republic
.download
.es – Spain
.faith
.fun
.gq – Equatorial Guinea
.hk – Hong Kong
.host
.icu
.live
.loan
.ooo
.online
.party
.pro
.racing
.review
.ru – Russia
.space
.store
.stream
.top
.trade
.webcam
.win
.world
.xyz
.za – South Africa

if you are from any of these TLDs, you might as well give up on the idea of sending email to me.

interesting

the past few weeks (maybe as much as a couple months) i have been getting anywhere from 4 to 24 “porn spam scam” emails per day — you know the ones, where the guy claims to be a “hacker” who has “taken over” your computer, is emailing you “from your own email address”, doesn’t speak english too well, and demands some random amount in bitcoin to prevent him from revealing your “pornographic indiscretions” to “everyone on your contact list” (😒) — and i have been reporting EVERY! SINGLE! ONE! to their upstream provider, and to the bitcoin abuse web site… but for the past couple of days, i have noticed that the constant stream has dropped off considerably: two days ago, i received two messages, yesterday i only received one, and, so far, today, i haven’t received any.

i also noticed that, a few days ago, i started seeing specific SpamAssassin rules that are targeted towards the porn-spam-scam racket (bitcoin address recognition and “from:” address spoofing are the two big ones), but considering the massive influx of porn-spam-scam messages over the past couple of months, i would have expected a much more gradual drop-off.

spam spam spam spam spam spam spam spam spam spam MALLET!

i never get tired of this… 😎

[#RNZ-396-23469]: ABUSE VIOLATION: RE: PAYMENT INVOICE
From: Namecheap Legal & Abuse Team <[email protected]>
To: you know who
Date: 180520 12:37 am
Spam Status: Spamassassin
Hello,

Thank you for your report.

While the gaushmedical.us domain name is registered with Namecheap, it is hosted with another company. That is why we cannot check the logs for the domain and confirm if it is involved in sending unsolicited emails.

However, it seems the domain name is blacklisted by SURBL. Since we consider SURBL to be a trusted organization, we opened a case regarding the domain name. Please allow about 48 hours for our further investigation.

Thank you for letting us know about the issue.


[#RNZ-396-23469]: ABUSE VIOLATION: RE: PAYMENT INVOICE
From: Namecheap Legal & Abuse Team <[email protected]>
To: you know who
Date: 180521 08:19 pm
Spam Status: Spamassassin
Hello,

Please be informed that as a result of the investigation, the domain gaushmedical.us was suspended. It was null-routed and locked in our system, so the spamming activity should end once the propagation is over.

Thank you for letting us know about the issue.


whois gaushmedical.us
Domain Name: gaushmedical.us
Registry Domain ID: DC3FBD2D4DC1743DE92E082A91D15BEDE-NSR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2018-05-22T03:18:40Z
Creation Date: 2018-05-15T06:56:45Z
Registry Expiry Date: 2019-05-15T06:56:45Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C29C72D760FD14C7FAD8D886E1C016E55-NSR
Registrant Name: New Oru
Registrant Organization:
Registrant Street: Hertzstr. 4
Registrant Street:
Registrant Street:
Registrant City: Heidelberg
Registrant State/Province: Heidelberg
Registrant Postal Code: 69126
Registrant Country: DE
Registrant Phone: +49.8635999192
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Registry Admin ID: CBBCDFB2B18654CFC972C6274C0858A93-NSR
Admin Name: New Oru
Admin Organization:
Admin Street: Hertzstr. 4
Admin Street:
Admin Street:
Admin City: Heidelberg
Admin State/Province: Heidelberg
Admin Postal Code: 69126
Admin Country: DE
Admin Phone: +49.8635999192
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID: C3200FE79814B420EB1FA838AEBEF9060-NSR
Tech Name: New Oru
Tech Organization:
Tech Street: Hertzstr. 4
Tech Street:
Tech Street:
Tech City: Heidelberg
Tech State/Province: Heidelberg
Tech Postal Code: 69126
Tech Country: DE
Tech Phone: +49.8635999192
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: blockedduetospam.pleasecontactsupport.com
Name Server: dummysecondary.pleasecontactsupport.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-05-22T04:57:32Z <<<

😂

Rule 3

an example of Rule 3, spammers are stooOOpid…

at 3:24 pm, today, this happened:

180501 stupid crack attempt

at 3:26 pm, today, i blocked 88.99.0.0/16 from accessing my web site.

you may not fit the definition of a spammer, but you are definitely stooOOpid. is it possible that you are a machine? you have not done your owner a favour, you know.

dear OVH

dear OVH,

i have been reporting, and blocking spam from your network for at least 5 years. i have at least 500 different addresses that you have used to hide behind, so that when the spam-reporting gets too extreme, you just start a new, incomprehensible email address… yes, i’m talking about [email protected] and [email protected] and [email protected] and [email protected] and EVERY FUCKING thing in between…

through my moderate poking around, i have discovered that most of these addresses are for Florent Demuynck, Stephane LeSimple, Falco Schmutz, Grillion Alexis, Tarik Benammar, Edouard Vanbelle, Benjamin Ficheland, Laurent Allard, and others (some of whom may or may not still be employees of OVH), and/or their boss, Octave Klaba.

today, for the first time, i have actually blocked someone from OVH for trying to login to this blog… YES, MY BLOG has been probed by 158.69.223.8.

this is a warning: if i EVER catch you or any of your minions poking around my web again, i will block you so fast that it’ll make your head spin.

i’m on to you OVH. don’t push me, or you’ll feel my mallet! 😠

spam spammers spamming

i am digging my way out from under an inundation of spam messages which arrived between around 1:00 am and around 4:00 pm yesterday. all told there were around 10,000 messages, but they were arriving in 10 to 12 message batches, about 500 every five minutes or so, and only started to decrease around 3:30.

but, at the same time, i sent two LARTs to the spammer’s upstream provider, yesterday, and today i got confirmation(!) that they had disabled their Luser’s email capabilities. i realise that they may just be blowing me off, and the gap will very quickly be filled with another spammer, but it’s good to know that my mallet is still quick and strong… 😎