Hi there,

On Thu, 30 Aug 2007, Jack T Mudge III wrote:

> On Wednesday 29 August 2007 03:56, G.W. Haywood wrote:
> > Most offenders are blocked permanently, at the last count we're blocking about 27,750 ranges. Our scripts could handle the 'repeat' messages if they needed to, but they don't. The script kiddies don't get five tries, we block them after the first. :)
>
> Forgive me, but as I understand IP and the whole DHCP concept and whatnot, IP addresses ARE reused after some time. I rarely have the same internet address for more than a month -- and if I randomly ended up with one of your blocked addresses, wouldn't I be an innocent victim?

You're forgiven. :)

Most people on dynamic IPs don't have the same address for more than a day! Yes, you'll be an innocent victim of the spammers, but normally only if you try to send mail directly to our mailservers. In which case we don't want it, thank you, because in that case your computer has probably been compromised. (You wouldn't want to be making other kinds of connections to our mailservers, would you? :)

Your computer should use your service provider's mailservers to send your mail to our mailservers. If you run a mailserver it should be on a static IP and it, along with your DNS data, should be properly configured.

One problem is that computers in these botnets are programmed to seem at least superficially to be real mailservers, which they aren't, and if we let them they'd fill our logs with so much garbage that the real information would be totally obliterated. Another problem is that we pay for the bandwidth, 95% of which would be consumed by criminals if we let them do it.

> Given the dynamic nature of the internet in general, doesn't it make more sense to block for, maybe 2 months, tops?

No. Most dynamic ranges are huge blocks owned by the likes of NTL, Wanadoo, Verizon, Bellsouth, Covad, Roadrunner... There are 207 ISPs in our blacklist at present.

One of the problems is that if you block a single dynamic IP, then a few minutes later that same compromised PC just comes back again trying from a different IP in the same ISP's blocks of dynamic addresses. So we block the whole lot as soon as we can.

<rant>
The ISPs could all _easily_ stop the huge botnets using their services sending spam email to millions of people every second. But they don't bother - some of them even ignore the police (*) when they're notified of fraudsters using their networks - so I and other overloaded admins like me have to deal with all this crap instead.
</rant>

> This isn't meant to downcast your job or anything, I'd just like to know the reasoning behind permanent versus temporary blocks (I use temporary, and it's always done well for me).

I understand. The reason is experience. The fact is that any dynamic IP is eventually going to be a source of crap so we block every last one we can find. There are databases of dynamic IPs from the likes of SBL, we use them too but I'm afraid they're far from complete.

Incidentally we also block _all_ connections (not just mail) from most of Africa, Arab countries, Bangladesh, Canada, China, Denmark, Eastern Europe, France, India, Israel, Italy, Portugal, Russia, South America, Spain, Taiwan, Turkey...

> fail2ban blocks for 10 minutes; 10 minutes has thus far been enough to stop all but the most determined script kiddies, who are then blocked again (and again until they stop).

Ten minutes is a little short in my experience, but yes the bulk of the problems is dealt with by a temporary block. Unfortunately there are hard-core cases which temporary blocks will not deal with, hence the permanent blocks. I have logs showing PCs which have been trying to send crap to us for many months from many different IPs. Sending mail to the abuse department at Telstra, for example, is in my experience a complete waste of time. One of their customers has been trying to send mail to us every ten minutes since May.

> Even using a 450MHz Pentium II for my router/firewall, it's not even a noticeable load on the system.

The load on the system isn't the issue. It's the load on the system administrator. I actually look at my logs, and if they're so full of crap that I can't see the things I need to see, I may as well not bother. Then I might miss something important. A potential sale, maybe.

--
73,
Ged.

(*) I contact the police about serious fraud attempts. My experience is that the police are as frustrated with irresponsible ISPs as I am.
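As an added illustration of the escalation Ged describes (not code from this thread or from fail2ban): every offending address gets a short fail2ban-style ban, and once several different addresses from the same dynamic pool keep coming back within a window, the whole pool is blocked. The log entries, the pool allocations and the thresholds are all constructed for the example.

```python
# Added example: short per-address bans escalating to a block of the whole
# dynamic pool. Log lines, pool list and thresholds are constructed, not real.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of rejected direct-to-MX SMTP attempts: (timestamp, client IP).
SAMPLE_LOG = [
    ("2007-08-30 10:00:00", "203.0.113.5"),
    ("2007-08-30 10:12:00", "203.0.113.77"),   # same pool, fresh DHCP lease
    ("2007-08-30 10:25:00", "203.0.113.130"),
    ("2007-08-30 10:40:00", "203.0.113.9"),
    ("2007-08-30 11:00:00", "198.51.100.20"),  # a single attempt from elsewhere
]
# Constructed dynamic-pool allocations (in practice from WHOIS or a DUL list).
DYNAMIC_POOLS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

TEMP_BAN = timedelta(minutes=10)  # fail2ban-style ban for a single address
WINDOW = timedelta(hours=1)       # how far back to look for pool-level repeats
POOL_THRESHOLD = 3                # distinct addresses from one pool -> block the pool

def pool_for(ip):
    """Return the dynamic pool containing ip, or None if it is not in one."""
    addr = ip_address(ip)
    return next((net for net in DYNAMIC_POOLS if addr in net), None)

def decide_blocks(log):
    """Replay log in order; return ({ip: temp-ban expiry}, {permanently blocked pools})."""
    temp_bans, perm_pools = {}, set()
    seen = defaultdict(list)  # pool -> [(time, ip), ...]
    for ts, ip in log:
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        temp_bans[ip] = now + TEMP_BAN          # every offender gets the short ban
        pool = pool_for(ip)
        if pool is None:
            continue
        seen[pool].append((now, ip))
        recent = {a for t, a in seen[pool] if now - t <= WINDOW}
        if len(recent) >= POOL_THRESHOLD:       # same pool keeps coming back
            perm_pools.add(pool)
    return temp_bans, perm_pools

def is_blocked(ip, at, temp_bans, perm_pools):
    """True if a connection from ip at datetime `at` should be refused."""
    if any(ip_address(ip) in net for net in perm_pools):
        return True
    expiry = temp_bans.get(ip)
    return expiry is not None and at < expiry
```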