add something in iptables to ignore the host, then you will save some data as
well.
Dean
Howard Lowndes wrote:
Just further on this particular IP address, it is currently accounting
for about 40% of my email rejections and, surprise, surprise, it's a
Winders box that is wide open:
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
512/tcp open exec
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1030/tcp open iad1
3389/tcp open ms-term-serv
5900/tcp open vnc
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows 2000 SP4 or Windows XP SP1
It's this sort of sheer configuration stupidity that really pisses me
off about Winders users.
Howard Lowndes wrote:
Rev Simon Rumble wrote:
This one time, at band camp, Howard Lowndes wrote:
The vast majority are coming from 64.62.172.120
# whois 64.62.172.120
[Querying whois.arin.net]
[whois.arin.net]
Hurricane Electric HURRICANE-4 (NET-64-62-128-0-1)
64.62.128.0 - 64.62.255.255
FastServers, Inc. HURRICANE-CE0030-980L (NET-64-62-172-0-1)
64.62.172.0 - 64.62.172.255
Easy on the trigger finger there before you go shitcanning the whole
block. HE is an ENORMOUS hosting provider. It's highly likely those
are individual compromised hosts, either through shitty PHP scripts
or running Windows.
I'm not canning any block of addresses, just those individual
addresses without PTRs. I've no doubt that it's just one crapped
machine and since it's SMTP traffic it's almost certainly going to be
a Winfart machine.
A note to abuse@ _might_ get you somewhere.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
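The single-host iptables drop suggested at the top of the thread, as an added shell example that is not from any of the posters: it prints the rule for one IPv4 host rather than applying it, and refuses CIDR suffixes or hostnames so a whole provider range like the ones in the whois output cannot be dropped by mistake. The INPUT chain and port 25 are assumptions; adjust to the local firewall layout.

```shell
#!/bin/sh
# Added example, not from the thread. Builds (does not apply) an iptables rule
# that drops SMTP connections from one host before the SMTP session begins.
# Chain and port are assumptions; adjust to the local firewall layout.

# Accept only a single dotted-quad IPv4 address: no CIDR suffix, no hostnames.
valid_ipv4() {
    ip=$1
    case "$ip" in
        */*|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables command for one host, or fail for anything broader.
smtp_drop_rule() {
    valid_ipv4 "$1" || return 1
    printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j DROP\n' "$1"
}

# Usage: review the output, then pipe it to sh:  smtp_drop_rule 64.62.172.120 | sh
```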