Does anyone have software to convert an IPFile to a DNS zone? My IPFile has
popped over 100 kb...
----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Wednesday, December 14, 2005 10:23 AM
Subject: Re: [Declude.JunkMail] Senderbase
John,
If you use a custom filter in Declude and not the IPFILE type of filter,
you can list full CIDR ranges.
With Senderbase and researching spammers, it is often useful to have a
window open to arin.net to check the IP allocations. In this case the
spam block is just a part of a larger block from CWIE, LLC who happens to
be a legit provider and you don't want to tag their entire block. Using a
tool like Angry IP Scanner, you can do reverse DNS lookups and ping tests
on the entire class C and find the extent of the spammer's space. In this
case it stretches roughly from 8.10.58.64 to 8.10.58.89. I then take the
lowest IP and use DNSStuff.com's CIDR range lookup and I enter that IP.
8.10.58.64 will return 8.10.58.64/27 as the closest match which contains
8.10.58.64 through 8.10.58.95. Most providers will allocate according to
CIDR ranges, so you are safe to assume that this is it. Then using a
custom Declude filter, you would code that up like so:

# savesign.com
REMOTEIP 10 CIDR 8.10.58.64/27

If you start to grow this list, you should consider converting it to an
IP4R DNS zone, but that will take a bit of programming to do.
Matt
John Carter wrote:
Sorry if 99% of you already know this, but give me a minute. Some time ago
someone here mentioned Senderbase. If you haven't used www.senderbase.org
to help look up IPs, domains, network owners, etc., it is worth trying out.
(I'm sure there are other good lookup sites.) It has been helpful verifying
bad boys and getting CIDRs. However, today I "discovered" a neat feature.
After clicking on the network owner, it most often shows a list of "closely
associated domains" and "addresses used to send mail" (network ex:
http://www.senderbase.org/search?searchBy=organization&searchString=GENUITY)
Clicking one of the domains will generally also produce an address list
specific to the domain. (domain ex.:
http://www.senderbase.org/search?searchBy=domain&searchString=savesign.com).
Along with the address list is an export function which will produce a text
file usable for a Declude ipfile, especially if you want to target specific
IPs. (See below. I used Plain Text-Windows & include hostnames.)
Well, if you knew this, you were ahead of the game; if not, Merry
Christmas.
John C
Sample IP text listing
# Results from IronPort's SenderBase -- Addresses recently used, domain 'savesign.com'
# Exported: December 14, 2005
8.10.58.77 # ss77.savesign.com
8.10.58.84 # ss84.savesign.com
8.10.58.73 # ss73.savesign.com
8.10.58.70 # ss70.savesign.com
8.10.58.74 # ss74.savesign.com
8.10.58.75 # ss75.savesign.com
8.10.58.80 # ss80.savesign.com
8.10.58.72 # ss72.savesign.com
8.10.58.87 # ss87.savesign.com
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
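
The IPFile-to-IP4R conversion asked about at the top of this thread, as an added example that is not part of any message here and not Declude's own code: it reads lines in the format of the SenderBase export above and writes one reversed-octet A record per address. Assumptions: the origin ipfile.example.com., the name server ns.example.com., the serial and the 127.0.0.2 answer are placeholder choices, and CIDR lines are also accepted and expanded per address, which goes beyond the IPFile sample.

```python
import ipaddress

# Constructed sample: two lines from the export above plus constructed edge cases.
SAMPLE_IPFILE = """\
# Results from IronPort's SenderBase -- domain 'savesign.com'
8.10.58.77 # ss77.savesign.com
8.10.58.84 # ss84.savesign.com
8.10.58.77 # repeated entry (constructed)
8.10.58.64/27 # CIDR line (constructed)
8.0.0.0/8 # too broad to expand (constructed)
not-an-ip # malformed (constructed)
"""

def parse_ipfile(text, min_prefix=24):
    """Return ({IPv4Address: comment}, [(line number, rejected line)])."""
    entries, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        addr, _, comment = raw.partition("#")
        addr = addr.strip()
        if not addr:
            continue  # blank line or comment-only line
        try:
            net = ipaddress.IPv4Network(addr, strict=False)
        except ValueError:
            rejected.append((lineno, raw))
            continue
        if net.prefixlen < min_prefix:  # refuse to emit huge record sets
            rejected.append((lineno, raw))
            continue
        for ip in net:
            entries.setdefault(ip, comment.strip())  # first comment wins
    return entries, rejected

def ip4r_name(ip):
    """8.10.58.77 -> 77.58.10.8 (octets reversed, relative to the zone origin)."""
    return ".".join(reversed(str(ip).split(".")))

def to_zone(entries, origin, ns, serial, reply="127.0.0.2", ttl=3600):
    """Render a master-file zone; origin and ns must be fully qualified."""
    out = [f"$ORIGIN {origin}", f"$TTL {ttl}",
           f"@ IN SOA {ns} hostmaster.{origin} {serial} 3600 900 604800 3600",
           f"@ IN NS {ns}"]
    for ip in sorted(entries):
        note = f" ; {entries[ip]}" if entries[ip] else ""
        out.append(f"{ip4r_name(ip)} IN A {reply}{note}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    entries, rejected = parse_ipfile(SAMPLE_IPFILE)
    print(to_zone(entries, "ipfile.example.com.", "ns.example.com.", 2005121401), end="")
    for lineno, raw in rejected:
        print(f"; skipped line {lineno}: {raw}")
```

Rejected lines are reported rather than dropped silently, so a typo in the IPFile does not quietly remove an entry from the zone.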