want to ban spammers? 8 easy steps

  #1  
Old 02-20-2008, 01:20 PM
sOliver sOliver is offline
Junior Guru Wannabe
 
Join Date: Jan 2008
Posts: 77

want to ban spammers? 8 easy steps


1. Install CSF
2. Install Iptables if it's not installed (apt-get install iptables on redhat/centos)
3. In WHM under "# ConfigServer Security&Firewall" click on firewall deny ips
4. Open a 2nd window, go to Main >> Server Status >> Apache Status
5. Check if there are any spammers with lots of connections to a specific file; that's how I got a lot of the IPs.
6. Go to http://ws.arin.net/whois/?queryinput=99.225.243.201
7. Enter the IP you found at "Server Status" and enter it at ws.arin.net to get the proper CIDR, which you can easily add to your CSF deny hosts file (which is open in another window)
8. Get a tea and watch the server status closely

Code:
#McColo Corporation
208.66.192.0/22

#RIPE Network Coordination Centre
80.0.0.0/8
81.0.0.0/8
82.0.0.0/8
83.0.0.0/8
84.0.0.0/8
85.0.0.0/8
86.0.0.0/8
87.0.0.0/8
88.0.0.0/8
89.0.0.0/8
90.0.0.0/8
91.0.0.0/8
193.0.0.0/8
194.0.0.0/8
195.0.0.0/8
212.0.0.0/8
213.0.0.0/8
217.0.0.0/8
217.174.203.41
218.0.0.0/8

#Latin American and Caribbean IP address Regional Registry
190.0.0.0/8
200.0.0.0/8
201.0.0.0/8

#Asia Pacific Network Information Centre
59.0.0.0/8 
116.0.0.0/8 
118.0.0.0/8
202.0.0.0/7
203.0.0.0/7
210.0.0.0/7
212.0.0.0/8
221.0.0.0/8
222.0.0.0/8

#Japan Network Information Center
133.0.0.0/8

#African Network Information Center
196.0.0.0/8

#Alexa Internet
209.237.237.0/24
209.237.238.0/24

#SevenTwentyfour Incorporated
209.167.50.16/28




#Spammers on my server 



#Comcast Cable Communications Holdings, Inc (24.61.11.145)
 24.60.0.0/14 

#Hurricane Electric
64.62.128.0/17

# CABLE ONE
67.60.0.0/15


# Charter Communications
71.80.0.0/12


# Road Runner HoldCo LLC
75.176.0.0/12 

#Verizon Internet Services Inc.
71.96.0.0/11


# Bell Canada 76.68.229.78
76.64.0.0/13


#Shaw Communications Inc.
24.80.0.0/13
64.59.128.0/18 


#Road Runner HoldCo LLC 69.203.88.48
69.200.0.0/13 

#AT&T Internet Services  69.224.0.0/12 
69.224.0.0/12 


#Rogers Cable Communications Inc. (99.248.186.142)
 99.224.0.0/11


#Others
24.200.0.0/14 
76.192.0.0/10
70.48.0.0/13

Since I'm also new to this I have a question:

Do I have to order the IPs inside that file to get them all working? I noticed that Rogers Cable Communications are not blocked O.o
And do you recommend adding the whole subnet if there is an IP spamming your server? E.g. if IP 99.248.186.142 is a spammer, is it safe to add their CIDR "99.224.0.0/11"?

__________________
RLTT.com is for SALE Realtime Technologies is the way to go !

  #2  
Old 02-20-2008, 04:04 PM
husaren husaren is offline
Junior Guru Wannabe
 
Join Date: Nov 2005
Posts: 54
Blocking whole netranges is like killing ants with a flamethrower.

You will be better off adding some checks to your MTA instead,
or putting a www.freespamfilter.org box in front of it. Let the RBLs do the work for you; that's what they are here for.
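
To put numbers on the question in post #1 and the reply above, here is an added example (not code from the thread or from CSF) that audits a deny list written as plain IP/CIDR lines: it flags entries that are not on their prefix boundary, duplicates and overlaps, and counts how many addresses end up blocked. The sample input is a constructed excerpt of the list in post #1, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a few entries taken from the deny list in post #1.
DENY_LIST = """\
#RIPE Network Coordination Centre
217.0.0.0/8
217.174.203.41
#Asia Pacific Network Information Centre
202.0.0.0/7
203.0.0.0/7
212.0.0.0/8
212.0.0.0/8
#Rogers Cable Communications Inc. (99.248.186.142)
 99.224.0.0/11
"""

def audit(text):
    """Parse plain IP/CIDR lines; return (networks, findings)."""
    nets, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            # Host bits set: normalise, and report what is really covered.
            # (A line that is not an IP/CIDR at all still raises here.)
            net = ipaddress.ip_network(entry, strict=False)
            findings.append((lineno, entry, f"not on a /{net.prefixlen} boundary, covers {net}"))
        for seen in nets:
            if net == seen:
                findings.append((lineno, entry, "duplicate"))
                break
            if net.overlaps(seen):
                findings.append((lineno, entry, f"overlaps {seen}"))
                break
        nets.append(net)
    return nets, findings

def blocked_by(ip, nets):
    """Return the deny entries that cover a single address."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr in n]

def addresses_blocked(nets):
    """Count distinct addresses blocked, after merging overlaps."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

if __name__ == "__main__":
    nets, findings = audit(DENY_LIST)
    for lineno, entry, msg in findings:
        print(f"line {lineno}: {entry}: {msg}")
    print("99.248.186.142 covered by:", blocked_by("99.248.186.142", nets))
    print("addresses blocked:", addresses_blocked(nets))
```

On this excerpt the single Rogers address is covered by a /11 of 2,097,152 addresses, and the ten lines together block about 69 million.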

  #3  
Old 02-20-2008, 04:29 PM
sOliver sOliver is offline
Junior Guru Wannabe
 
Join Date: Jan 2008
Posts: 77
Quote:
Originally Posted by husaren View Post
Blocking whole netranges is like killing ants with a flamethrower.

You will be better off adding some checks to your MTA instead,
or putting a www.freespamfilter.org box in front of it. Let the RBLs do the work for you; that's what they are here for.

Excuse me, but what is an MTA and how does that spamfilter work in particular? And what does RBL stand for D:

Thanks for clarifying, probably heard the full terms before, just don't know the acronyms.

__________________
RLTT.com is for SALE Realtime Technologies is the way to go !

  #4  
Old 02-20-2008, 04:45 PM
husaren husaren is offline
Junior Guru Wannabe
 
Join Date: Nov 2005
Posts: 54
Quote:
Originally Posted by sOliver View Post
Excuse me, but what is an MTA and how does that spamfilter work in particular? And what does RBL stand for D:

Thanks for clarifying, probably heard the full terms before, just don't know the acronyms.

http://www.google.com/search?hl=da&q...%B8gning&meta=
http://www.google.com/search?hl=da&q...%B8gning&meta=

  #5  
Old 02-20-2008, 04:49 PM
larwilliams larwilliams is offline
Premium Member
 
Join Date: Jan 2008
Location: St. John's, NL
Posts: 2,027
RBL = real-time black list.

Basically, they maintain a list of IPs and such, that are likely to be involved in sending spam. You can configure your mail server to check these lists each time an e-mail comes in, and see if the sender's address is known for spam. If so, the message gets deleted automatically (in my experience.... this may be a configurable behaviour).

At my lcwsoft.com account, I rarely get spam anymore after configuring WHM to use the real-time blocking lists and spamAssassin with a required score of 5.

The only ones that get through are offers for Dove soap and such, and they look really legit.

Doing this presents no problems as long as a sender (someone e-mailing you) doesn't have their IP on one of the RBLs.

__________________
Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
LCWSoft - Canadian web hosting since 2007
Servers based in the US and Canada (Uptime Report)

  #6  
Old 02-20-2008, 05:06 PM
sOliver sOliver is offline
Junior Guru Wannabe
 
Join Date: Jan 2008
Posts: 77
Quote:
Originally Posted by larwilliams View Post
RBL = real-time black list.

Basically, they maintain a list of IPs and such, that are likely to be involved in sending spam. You can configure your mail server to check these lists each time an e-mail comes in, and see if the sender's address is known for spam. If so, the message gets deleted automatically (in my experience.... this may be a configurable behaviour).

At my lcwsoft.com account, I rarely get spam anymore after configuring WHM to use the real-time blocking lists and spamAssassin with a required score of 5.

The only ones that get through are offers for Dove soap and such, and they look really legit.

Doing this presents no problems as long as a sender (someone e-mailing you) doesn't have their IP on one of the RBLs.

Thanks for your answers, you two.
Maybe I'm missing a point here but I don't talk about mail spam.
I even deactivated all mail services on my server.

I'm talking about spammers who are trying to access specific files or to DDoS another site.
CSF has a built-in spammer list to block some IPs, I guess I can use that RBL to get some more IPs for my deny.hosts file though.

__________________
RLTT.com is for SALE Realtime Technologies is the way to go !

  #7  
Old 02-20-2008, 05:16 PM
larwilliams larwilliams is offline
Premium Member
 
Join Date: Jan 2008
Location: St. John's, NL
Posts: 2,027
My bad. Spammer is a term used to describe unsolicited e-mail sending.

I think you are referring to someone (or group of computers) that make say 400 connections to your site at once, in an attempt to disrupt service??

That is called a DoS (Denial of Service) attack. Please advise if this sounds right so far...

__________________
Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
LCWSoft - Canadian web hosting since 2007
Servers based in the US and Canada (Uptime Report)

  #8  
Old 02-20-2008, 08:04 PM
sOliver sOliver is offline
Junior Guru Wannabe
 
Join Date: Jan 2008
Posts: 77
Quote:
Originally Posted by larwilliams View Post
My bad. Spammer is a term used to describe unsolicited e-mail sending.

I think you are referring to someone (or group of computers) that make say 400 connections to your site at once, in an attempt to disrupt service??

That is called a DoS (Denial of Service) attack. Please advise if this sounds right so far...

Yes I'm referring to DoS attacks but with just a few connections.
I think the attackers will drop sooner or later since I completely removed the file they were looking for.
I don't want to ban a whole subnet but there are too many to ban them manually. Already got spamhaus rules in effect but that's not enough imo.

__________________
RLTT.com is for SALE Realtime Technologies is the way to go !

  #9  
Old 02-20-2008, 08:18 PM
larwilliams larwilliams is offline
Premium Member
 
Join Date: Jan 2008
Location: St. John's, NL
Posts: 2,027
If you install ConfigServer Firewall (assuming you use WHM and cPanel), simply:

1) Take it out of "test mode" (in WHM, under "ConfigServer...", then "Firewall Configuration" set "TESTING" to 0)
2) Set "Firewall Security Level" to "High".

It will block IPs automatically.

__________________
Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
LCWSoft - Canadian web hosting since 2007
Servers based in the US and Canada (Uptime Report)
