Oops, maybe IPFILE also accepts CIDR ranges. If it works for you, then
so be it.
Matt
Scott Fisher wrote:
Matt,
Can you clarify this? "If you use a custom filter in Declude and not
the IPFILE type of filter, you can list full CIDR ranges."
I have CIDR ranges in my IPFile:
12.107.178.192/27 12.107.178.192/27 evivaclub.com updtd 02-18-05
----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, December 14, 2005 10:23 AM
Subject: Re: [Declude.JunkMail] Senderbase
John,
If you use a custom filter in Declude and not the IPFILE type of
filter, you can list full CIDR ranges.
With Senderbase and researching spammers, it is often useful to have
a window open to arin.net to check the IP allocations. In this case
the spam block is just a part of a larger block from CWIE, LLC who
happens to be a legit provider and you don't want to tag their entire
block. Using a tool like Angry IP Scanner, you can do reverse DNS
lookups and ping tests on the entire class C and find the extent of
the spammer's space. In this case it stretches roughly from
8.10.58.64 to 8.10.58.89. I then take the lowest IP and use
DNSStuff.com's CIDR range lookup and I enter that IP. 8.10.58.64 will
return 8.10.58.64/27 as the closest match which contains 8.10.58.64
through 8.10.58.95. Most providers will allocate according to CIDR
ranges, so you are safe to assume that this is it. Then using a
custom Declude filter, you would code that up like so:
# savesign.com
REMOTEIP 10 CIDR 8.10.58.64/27
If you start to grow this list, you should consider converting it to
an IP4R DNS zone, but that will take a bit of programming to do.
Matt
John Carter wrote:
Sorry if 99% of you already know this, but give me a minute.
Some time ago someone here mentioned Senderbase. If you haven't used
www.senderbase.org to help look up IPs, domains, network owners, etc.,
it is worth trying out. (I'm sure there are other good lookup sites.)
It has been helpful verifying bad boys and getting CIDRs. However,
today I "discovered" a neat feature.
After clicking on the network owner, it most often shows a list of
"closely associated domains" and "addresses used to send mail"
(network ex:
http://www.senderbase.org/search?searchBy=organization&searchString=GENUITY)
Clicking one of the domains will generally also produce an address list
specific to the domain. (domain ex.:
http://www.senderbase.org/search?searchBy=domain&searchString=savesign.com).
Along with the address list is an export function which will produce
a text file usable for a Declude ipfile, especially if you want to
target specific IPs. (See below. I used Plain Text-Windows & include
hostnames.)
Well, if you knew this, you were ahead of the game; if not, Merry
Christmas.
John C
Sample IP text listing
# Results from IronPort's SenderBase -- Addresses recently used, domain 'savesign.com'
# Exported: December 14, 2005
8.10.58.77 # ss77.savesign.com
8.10.58.84 # ss84.savesign.com
8.10.58.73 # ss73.savesign.com
8.10.58.70 # ss70.savesign.com
8.10.58.74 # ss74.savesign.com
8.10.58.75 # ss75.savesign.com
8.10.58.80 # ss80.savesign.com
8.10.58.72 # ss72.savesign.com
8.10.58.87 # ss87.savesign.com
---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
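The procedure Matt describes (take the observed addresses, find the CIDR block that contains them, write it as a custom filter line) can be scripted. The following is an added example, not part of the original thread or of Declude: it parses the SenderBase export quoted above, computes the smallest single CIDR block covering every listed address, and refuses any block wider than a configurable limit so a legitimate provider's larger allocation is not tagged by accident. The function names and the `min_prefix` guard are assumptions made for illustration; the output line copies the format of the filter line shown in the thread.

```python
import ipaddress

# Constructed sample input: the SenderBase export quoted in the thread.
EXPORT = """\
# Results from IronPort's SenderBase -- Addresses recently used, domain 'savesign.com'
# Exported: December 14, 2005
8.10.58.77 # ss77.savesign.com
8.10.58.84 # ss84.savesign.com
8.10.58.73 # ss73.savesign.com
8.10.58.70 # ss70.savesign.com
8.10.58.74 # ss74.savesign.com
8.10.58.75 # ss75.savesign.com
8.10.58.80 # ss80.savesign.com
8.10.58.72 # ss72.savesign.com
8.10.58.87 # ss87.savesign.com
"""

def parse_export(text):
    """Return the IPv4 addresses in the export, ignoring '#' comments."""
    addrs = []
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            addrs.append(ipaddress.IPv4Address(token))
        except ValueError:
            continue  # not an address; skip rather than guess
    return addrs

def covering_cidr(addrs, min_prefix=24):
    """Smallest single CIDR block containing every address in addrs.

    min_prefix (hypothetical guard) rejects blocks wider than /min_prefix.
    """
    if not addrs:
        raise ValueError("no addresses to cover")
    lo, hi = int(min(addrs)), int(max(addrs))
    # Bits that differ between lowest and highest address are host bits.
    prefix = 32 - (lo ^ hi).bit_length()
    if prefix < min_prefix:
        raise ValueError(f"covering block /{prefix} is wider than /{min_prefix}")
    return ipaddress.IPv4Network((lo, prefix), strict=False)

def declude_line(net, second_field=10):
    """Filter line in the form shown in the thread (10 is the thread's value)."""
    return f"REMOTEIP {second_field} CIDR {net}"

if __name__ == "__main__":
    block = covering_cidr(parse_export(EXPORT))
    print(declude_line(block), f"# {block[0]} - {block[-1]}")
```

The computed block should still be checked against the registry allocation before it goes into a filter, as the thread advises, because the covering block can include addresses that were never observed sending mail.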