It looks like there are a lot of NZ based Zombies sending very large amounts of Spam (much of it in German) to some ISPs.

This has really been going hard over the last hour.

I'm seeing adsl accounts at xtra, iprolink and ihug, xtra dialups etc etc.

As a related issue, how do people feel about a whitelist RBL of NZ mail servers? It looks like it's not good to just whitelist NZ IPs.

--
Simon J. Lyall. | Very Busy | Mail: simon(a)darkmere.gen.nz
"To stay awake all night adds a day to your life" - Stilgar | eMT.
At 13:46 10/06/2004, you wrote:
> It looks like there are a lot of NZ based Zombies sending very large amounts of Spam (much of it in German) to some ISPs.
> This has really been going hard over the last hour.

Yep, we're seeing it too. Very sudden, and very large amounts of it, and difficult to recognise reliably to block :(

(Anyone found a good way of recognising it in SpamAssassin?)

I hadn't noticed that some of the zombies were in NZ but looks like you're right.

The content of the messages seems to trace back to the following page in German:

http://www.deutschland-bewegung.de/weiter/zuwanderung.html

translated by google:

http://translate.google.com/translate?sourceid=navclient&hl=en&u=http%3A%2F%2Fwww%2Edeutschland%2Dbewegung%2Ede%2Fweiter%2Fzuwanderung%2Ehtml

*sigh* As if the whole world wants to read THAT stuff...

Regards,
Simon Byrnand
iGRIN Internet
On Thu, 2004-06-10 at 13:46, Simon Lyall wrote:
> It looks like there are a lot of NZ based Zombies sending very large amounts of Spam (much of it in German) to some ISPs.
> This has really been going hard over the last hour.
> I'm seeing adsl accounts at xtra, iprolink and ihug, xtra dialups etc etc.

And they are using NZ from addresses, we have had several complaints about the university sending large amounts of spam... Yeah, right!

> As a related issue, how do people feel about a whitelist RBL of NZ mail servers? It looks like it's not good to just whitelist NZ IPs.

Hmmm.... not sure if it would help much, you still need some way to decide if the other stuff is spam since there is no straightforward way for a mailer to decide if a source IP is in NZ or not.

--
Russell Fulton, Computer and Network Security Officer.
The University of Auckland, New Zealand.
I haven't read all the posts as yet, however I will post my findings.

Strangely enough, I received 86 bounce backs this morning from an email address that was made redundant more than 4 years ago. All the messages were being targeted at *@austrade.gov.au and had this German gibberish in them. I didn't receive one bounce back going to any other domains or coming from any other email address.

Barry

-----Original Message-----
From: Simon Lyall [mailto:simon(a)darkmere.gen.nz]
Sent: Thursday, 10 June 2004 1:47 p.m.
To: nznog
Subject: [nznog] Zombies

It looks like there are a lot of NZ based Zombies sending very large amounts of Spam (much of it in German) to some ISPs.

This has really been going hard over the last hour.

I'm seeing adsl accounts at xtra, iprolink and ihug, xtra dialups etc etc.

As a related issue, how do people feel about a whitelist RBL of NZ mail servers? It looks like it's not good to just whitelist NZ IPs.

--
Simon J. Lyall. | Very Busy | Mail: simon(a)darkmere.gen.nz
"To stay awake all night adds a day to your life" - Stilgar | eMT.

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
On Thu, 10 Jun 2004, Simon Lyall wrote:
> As a related issue, how do people feel about a whitelist RBL of NZ mail servers? It looks like it's not good to just whitelist NZ IPs.

Since I've got a little time now I'll clarify this since there seems to be a little bit of interest.

Depending on what mailing list software people use it's possible to whitelist, blacklist or give positive or negative scores (eg in Spamassassin) to groups of Networks and IPs.

On a per country basis you might wish to give a positive (more likely to send spam) to Chinese networks and a negative (less likely to send spam) to New Zealand IPs. You can use the zones "cn.rbl.cluecentral.net" and "nz.rbl.cluecentral.net" for this or other lists.

However as has become obvious in the last week some NZ IPs are a lot more likely to send Spam than others. I'm therefore thinking about setting up a listing of IPs (available as a list and/or as a DNSBL/DNSBLs) that would further break down NZ IP space. This would aid people in filtering and specifically in Whitelisting "trusted" Servers.

I'm thinking of the following Classes of Networks/IPs:

1. Trusted Servers (ie Trademe, Qantas) serving controlled populations
2. Servers Handling traffic from untrusted customers (ie most IP's Servers).
3. Dynamic IPs allocated by ISPs to customers.
4. Very untrustworthy IPs allocated by ISPs to Cyber Cafes and the like.

If possible I'd like the IPs' owners (users/whatever) to contribute the data but I'd [1] probably accept data from elsewhere if the range's owner didn't send it to me.

How do people feel about the idea? Specifically:

a. Do you think it's a good idea? If not why not?
b. Would you use it?
c. Do you think you would contribute your IPs to it?
d. Are you interested in helping run the list?

Replies to me and I'll summarize to the list might be best.

[1] This sort of implies I'm running it but that might not be the case.

--
Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.
Since there seems to be a bit of interest in the proposal below to have some DNSBL lists of "trusted" NZ Mail Servers I've set up a beta test to see how it goes.

The details are on http://dns.nzl.net/ but basically I'm setting up two lists for now. One will be ISP's mail servers and the other will be non-commercial mailing list servers.

Currently both have minimal content apart from 127.0.0.2 test entries and ihug's mail servers in the ISP list so I'd very much appreciate any entries to flesh them out a little.

If you are going to use these lists for more than a couple hundred queries a day please let me know first, one of the DNS servers is on a fairly slow connection so I'd probably prefer a zone transfer rather than answering 100,000 queries per day (alternatively I might get a backup DNS server for dns.nzl.net or two).

This is a beta that I'm going to run for a month or two and then review so I'd prefer if anyone who is using it lets me know so if I decide to kill it I can notify you in advance.

On Mon, 14 Jun 2004, Simon Lyall wrote:
> On Thu, 10 Jun 2004, Simon Lyall wrote:
> > As a related issue, how do people feel about a whitelist RBL of NZ mail servers? It looks like it's not good to just whitelist NZ IPs.
>
> Since I've got a little time now I'll clarify this since there seems to be a little bit of interest.
>
> Depending on what mailing list software people use it's possible to whitelist, blacklist or give positive or negative scores (eg in Spamassassin) to groups of Networks and IPs.
>
> On a per country basis you might wish to give a positive (more likely to send spam) to Chinese networks and a negative (less likely to send spam) to New Zealand IPs. You can use the zones "cn.rbl.cluecentral.net" and "nz.rbl.cluecentral.net" for this or other lists.
>
> However as has become obvious in the last week some NZ IPs are a lot more likely to send Spam than others. I'm therefore thinking about setting up a listing of IPs (available as a list and/or as a DNSBL/DNSBLs) that would further break down NZ IP space. This would aid people in filtering and specifically in Whitelisting "trusted" Servers.
>
> I'm thinking of the following Classes of Networks/IPs:
>
> 1. Trusted Servers (ie Trademe, Qantas) serving controlled populations
> 2. Servers Handling traffic from untrusted customers (ie most IP's Servers).
> 3. Dynamic IPs allocated by ISPs to customers.
> 4. Very untrustworthy IPs allocated by ISPs to Cyber Cafes and the like.
>
> If possible I'd like the IPs' owners (users/whatever) to contribute the data but I'd [1] probably accept data from elsewhere if the range's owner didn't send it to me.
>
> How do people feel about the idea? Specifically:
>
> a. Do you think it's a good idea? If not why not?
> b. Would you use it?
> c. Do you think you would contribute your IPs to it?
> d. Are you interested in helping run the list?
>
> Replies to me and I'll summarize to the list might be best.
>
> [1] This sort of implies I'm running it but that might not be the case.
>
> --
> Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/
> "To stay awake all night adds a day to your life" - Stilgar | eMT.
--
Simon J. Lyall. | Very Busy | Mail: simon(a)darkmere.gen.nz
"To stay awake all night adds a day to your life" - Stilgar | eMT.
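
How a mail filter could consult whitelist zones like the two described in the message above, as an added example that is not part of the thread or of the dns.nzl.net service. The zone names and score values are hypothetical; the reversed-octet query name and the 127.0.0.2 test entry follow normal DNSBL convention.

```python
import ipaddress
import socket

# Hypothetical zone names and constructed score adjustments (negative means
# "less likely to be spam"); the thread does not give the real zone names.
ZONES = {
    "isp.dnswl.example": -1.5,    # ISP mail servers
    "lists.dnswl.example": -1.0,  # non-commercial mailing list servers
}
LISTED = ipaddress.IPv4Network("127.0.0.0/8")  # conventional "listed" answers


def dnsbl_name(ip, zone):
    """Query name for ip in zone: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """A records for name, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def whitelist_score(ip, resolve=system_resolver, zones=ZONES):
    """Return (score adjustment, zones that list ip).

    Only answers inside 127.0.0.0/8 count. A zone that starts answering
    every query with a routable address (wildcard, expired domain) must
    not whitelist the whole Internet.
    """
    total, hits = 0.0, []
    for zone, adjustment in zones.items():
        answers = resolve(dnsbl_name(ip, zone))
        if any(ipaddress.IPv4Address(a) in LISTED for a in answers):
            total += adjustment
            hits.append(zone)
    return total, hits


if __name__ == "__main__":
    # Constructed answers standing in for DNS, so this runs offline.
    fake = {"2.0.0.127.isp.dnswl.example": ["127.0.0.2"]}
    print(whitelist_score("127.0.0.2", resolve=lambda n: fake.get(n, [])))
```

Because a whitelist hit lowers the spam score, the answer check matters more here than on a blacklist: a bogus positive on a blacklist drops mail, a bogus positive on a whitelist lets it through.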
participants (4)
- Barry Murphy
- Russell Fulton
- Simon Byrnand
- Simon Lyall