Results 1 to 9 of 9
  1. #1
    Join Date
    Jan 2008
    Posts
    77

    want to ban spammers? 8 easy steps

    1. Install CSF
    2. Install Iptables if it's not installed (apt-get install iptables on redhat/centos)
    3. In WHM under "# ConfigServer Security&Firewall" click on firewall deny ips
    4. Open a 2nd window, Goto Main >> Server Status >> Apache Status
    5. Check if there are any spammers with lots of connections to a specific file, that's how I got a lot of the IP's.
    6. Goto http://ws.arin.net/whois/?queryinput=99.225.243.201
    7. Enter the IP you found at "Server Status" and enter it at ws.arin.net to get the proper CIDR which you can easily add to your CSF deny hosts file (which is open in another window)
    8. Get a tea and watch the server status closely

    Code:
    #McColo Corporation
    208.66.192.0/22
    
    #RIPE Network Coordination Centre
    80.0.0.0/8
    81.0.0.0/8
    82.0.0.0/8
    83.0.0.0/8
    84.0.0.0/8
    85.0.0.0/8
    86.0.0.0/8
    87.0.0.0/8
    88.0.0.0/8
    89.0.0.0/8
    90.0.0.0/8
    91.0.0.0/8
    193.0.0.0/8
    194.0.0.0/8
    195.0.0.0/8
    212.0.0.0/8
    213.0.0.0/8
    217.0.0.0/8
    217.174.203.41
    218.0.0.0/8
    
    #Latin American and Caribbean IP address Regional Registry
    190.0.0.0/8
    200.0.0.0/8
    201.0.0.0/8
    
    #Asia Pacific Network Information Centre
    59.0.0.0/8 
    116.0.0.0/8 
    118.0.0.0/8
    202.0.0.0/7
    203.0.0.0/7
    210.0.0.0/7
    212.0.0.0/8
    221.0.0.0/8
    222.0.0.0/8
    
    #Japan Network Information Center
    133.0.0.0/8
    
    #African Network Information Center
    196.0.0.0/8
    
    #Alexa Internet
    209.237.237.0/24
    209.237.238.0/24
    
    #SevenTwentyfour Incorporated
    209.167.50.16/28
    
    
    
    
    #Spammers on my server 
    
    
    
    #Comcast Cable Communications Holdings, Inc (24.61.11.145)
     24.60.0.0/14 
    
    #Hurricane Electric
    64.62.128.0/17
    
    # CABLE ONE
    67.60.0.0/15
    
    
    # Charter Communications
    71.80.0.0/12
    
    
    # Road Runner HoldCo LLC
    75.176.0.0/12 
    
    #Verizon Internet Services Inc.
    71.96.0.0/11
    
    
    # Bell Canada 76.68.229.78
    76.64.0.0/13
    
    
    #Shaw Communications Inc.
    24.80.0.0/13
    64.59.128.0/18 
    
    
    #Road Runner HoldCo LLC 69.203.88.48
    69.200.0.0/13 
    
    #AT&T Internet Services  69.224.0.0/12 
    69.224.0.0/12 
    
    
    #Rogers Cable Communications Inc. (99.248.186.142)
     99.224.0.0/11
    
    
    #Others
    24.200.0.0/14 
    76.192.0.0/10
    70.48.0.0/13
    Since I'm also new to this I have a question:

    Do I have to order the IP's inside that file to get them all working? I noticed that rogers cable communications are not blocked O.o
    And do you recommend to add the whole subnet if there is a IP spamming your server. E.g. if IP 99.248.186.142 is a spammer, is it safe to add their CIDR "99.224.0.0/11" ?
    RLTT.com is for SALE Realtime Technologies is the way to go !

  2. #2
    Join Date
    Nov 2005
    Posts
    54
    Blocking whole netranges is like killing ants with a flamethrower.

    You will be better of by adding some checks to your MTA instead.
    or putting a www.freespamfilter.org box infront of it. Let the RBL´s do the work work you. -thats what they are here for.

  3. #3
    Join Date
    Jan 2008
    Posts
    77
    Quote Originally Posted by husaren View Post
    Blocking whole netranges is like killing ants with a flamethrower.

    You will be better of by adding some checks to your MTA instead.
    or putting a www.freespamfilter.org box infront of it. Let the RBL´s do the work work you. -thats what they are here for.
    Excuse me but what is a MTA and how does that spamfilter work in particular ? And what does RBL stand for D:

    Thanks for clarifying, probably heard the full terms before just dont know the acronyms.
    RLTT.com is for SALE Realtime Technologies is the way to go !

  4. #4
    Join Date
    Nov 2005
    Posts
    54
    Quote Originally Posted by sOliver View Post
    Excuse me but what is a MTA and how does that spamfilter work in particular ? And what does RBL stand for D:

    Thanks for clarifying, probably heard the full terms before just dont know the acronyms.
    http://www.google.com/search?hl=da&q...%B8gning&meta=
    http://www.google.com/search?hl=da&q...%B8gning&meta=

  5. #5
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,114
    RBL = real-time black list.

    Basically, they maintain a list of IPs and such, that are likely to be involved in sending spam. You can configure your mail server to check these lists each time an e-mail comes in, and see if the sender's address is known for spam. If so, the message gets deleted automatically (in my experience.... this may be a configurable behaviour).

    At my lcwsoft.com account, I rarely get spam anymore after configuring WHM to use the real-time blocking lists and spamAssassin with a required score of 5.

    The only ones that get through are offers for Dove soap and such, and they look really legit.

    Doing this presents no problems as long as a sender (someone e-mailing you) doesn't have their IP on one of the RBL's
    Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
    LCWSoft - Canada web hosting (based in Newfoundland) since 2007
    Servers based in the US and Canada (Uptime Report)

  6. #6
    Join Date
    Jan 2008
    Posts
    77
    Quote Originally Posted by larwilliams View Post
    RBL = real-time black list.

    Basically, they maintain a list of IPs and such, that are likely to be involved in sending spam. You can configure your mail server to check these lists each time an e-mail comes in, and see if the sender's address is known for spam. If so, the message gets deleted automatically (in my experience.... this may be a configurable behaviour).

    At my lcwsoft.com account, I rarely get spam anymore after configuring WHM to use the real-time blocking lists and spamAssassin with a required score of 5.

    The only ones that get through are offers for Dove soap and such, and they look really legit.

    Doing this presents no problems as long as a sender (someone e-mailing you) doesn't have their IP on one of the RBL's
    Thanks for you answers you two.
    Maybe I'm missing a point here but I don't talk about mail spam.
    I even deactivated all mail services on my server.

    I'm talking about spammer who are trying to access specific files or to ddos another site.
    CSF has a built-in spammer list to block some IP's, I guess I can use that RBL to get some more ips for my deny.hosts file thou.
    RLTT.com is for SALE Realtime Technologies is the way to go !

  7. #7
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,114
    My bad. Spammer is a term used to describe unsolicted e-mail sending.

    I think you are referring to someone (or group of computers) that make say 400 connections to your site at once, in an attempt to disrupt service??

    That is called a DoS (Denial of Service) attack. Please advise if this sound right so far...
    Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
    LCWSoft - Canada web hosting (based in Newfoundland) since 2007
    Servers based in the US and Canada (Uptime Report)

  8. #8
    Join Date
    Jan 2008
    Posts
    77
    Quote Originally Posted by larwilliams View Post
    My bad. Spammer is a term used to describe unsolicted e-mail sending.

    I think you are referring to someone (or group of computers) that make say 400 connections to your site at once, in an attempt to disrupt service??

    That is called a DoS (Denial of Service) attack. Please advise if this sound right so far...
    Yes I'm referring to DoS attacks but with just a few connections.
    I think the attackers will drop sooner or later since I completely removed the file they were looking for.
    I don't want to ban a whole subnet but there are too many to ban them manually. Already got spamhaus rules in effect but that's not enough imo.
    RLTT.com is for SALE Realtime Technologies is the way to go !

  9. #9
    Join Date
    Jan 2008
    Location
    St. John's, NL
    Posts
    2,114
    If you install ConfigServer Firewall (assuming you use WHM and cPanel), simply:

    1) Take it out of "test mode" (in WHM, under "ConfigServer...", then "Firewall Configuration" set "TESTING" to 0)
    2) Set "Firewall Security Level" to "High".

    It will block IPs automatically.
    Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
    LCWSoft - Canada web hosting (based in Newfoundland) since 2007
    Servers based in the US and Canada (Uptime Report)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •