These are currently on our auto-generated virus blacklist (using Vispan):

Time to start lobbying this ISP to start virus and spam filtering on their SMTP relay (because the above boxes got infected somehow, presumably via incoming mails relayed by t-dialin.net).

It's very tempting to blacklist all IPs used by t-dialin.net :-)

Phil

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: 26 May 2004 15:06
> To: Bruno Broedner; Matt Kettler; [EMAIL PROTECTED]
> Subject: Re: RBL check is done on the wrong host listed in received
>
> At 09:04 AM 5/26/04 +0200, Bruno Broedner wrote:
> >> See the notes at DSBL: http://dsbl.org/listing?80.142.228.8 They report
> >> it as a verified singlehop relay.
> >>
> >
> >Since the 80.142.228.8 is definitely a dialup-host from a big German
> >ISP for customers with dynamic IPs it should not be listed as singlehop
> >in the RBLs.
> >I am sure, the spammer is up-and-away from that IP. But that is more an
> >RBL-issue than an issue of SA.
>
> Why is it that dialup nodes should be exempt?
>
> In this case, that IP had an open relay running on it long enough for it
> to be abused, reported, and then verified.
>
> The idea of exempting dialup nodes has come up before, but I'm sorry, I
> for one disagree.
>
> A verified spam-source IP is a verified spam-source IP. Until the ISP
> identifies and corrects the problem and reports back to the RBLs, I think
> it's quite reasonable to list each IP address that has been verified as a
> spam source. After all, until it's fixed you know this open relay is going
> to keep dialing in. It's going to keep getting IP addresses from a single
> dialup pool, which means it WILL come back to that IP.
>
> If the node really is a dialup, perhaps t-dialin.net should consider
> restricting inbound tcp/25, or policing their networks.
>
> In any event, the ISP can request a removal. The fact that the IP is still
> in the RBL indicates that t-dialin hasn't been addressing the issue.
