Messing with Chinese spammers

When you see this in /var/log/mail.log, you know the Chinese are out to get you:

Aug 10 14:15:05 manstein postfix/smtpd[7858]: connect from static-186-155-242-140.static.etb.net.co[186.155.242.140]
Aug 10 14:15:08 manstein postfix/smtpd[7858]: warning: static-186-155-242-140.static.etb.net.co[186.155.242.140]: SASL LOGIN authentication failed: authentication failure
Aug 10 14:15:08 manstein postfix/smtpd[7858]: lost connection after AUTH from static-186-155-242-140.static.etb.net.co[186.155.242.140]
Aug 10 14:15:08 manstein postfix/smtpd[7858]: disconnect from static-186-155-242-140.static.etb.net.co[186.155.242.140]

If, like me, your first instinct is to block the entire IP range/AS in the firewall, and then you remember that you have a TODO about tinkering with the Mikrotik and adding a dynamic address list of spammers (and SSH bots etc.), you get tired in a hurry.

Luckily, if the bandwidth consumed is small, you can “just” null-route the bastards:

sudo route add 123.56.236.175 gw 127.0.0.1 lo

or if you’re really annoyed:

~$ whois 123.56.236.175
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
% Information related to '123.56.0.0 - 123.57.255.255'
inetnum:        123.56.0.0 - 123.57.255.255
.....
% Information related to '123.56.0.0/15 AS37963'

and

sudo route add -net 123.56.0.0/15 gw 127.0.0.1 lo

Boom – the entire AS is gone, and hopefully the emails about your AliExpress purchases are originating in another net…
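As an added example (not from the original post), here is a small POSIX shell script that picks the repeat SASL offenders out of a Postfix log and prints the same null-route command as above for each of them, so you are not typing one `route add` per bot; the log lines embedded in it are constructed and the failure threshold is an assumption:

```shell
#!/bin/sh
# Find hosts that repeatedly fail SASL LOGIN in a Postfix mail.log and print
# the null-route command for each. Nothing is executed: review, then pipe to sh.
# Constructed sample lines in the format of the log excerpt above:
SAMPLE_LOG='Aug 10 14:15:08 manstein postfix/smtpd[7858]: warning: static-186-155-242-140.static.etb.net.co[186.155.242.140]: SASL LOGIN authentication failed: authentication failure
Aug 10 14:16:01 manstein postfix/smtpd[7861]: warning: unknown[123.56.236.175]: SASL LOGIN authentication failed: authentication failure
Aug 10 14:16:03 manstein postfix/smtpd[7861]: warning: unknown[123.56.236.175]: SASL LOGIN authentication failed: authentication failure
Aug 10 14:16:05 manstein postfix/smtpd[7861]: warning: unknown[123.56.236.175]: SASL LOGIN authentication failed: authentication failure
Aug 10 14:17:00 manstein postfix/smtpd[7870]: connect from mail.example.org[192.0.2.10]'

# sasl_offenders LOGTEXT THRESHOLD
# Prints "count ip" for every client IP with at least THRESHOLD SASL failures.
sasl_offenders() {
    printf '%s\n' "$1" |
        # keep only the IP inside [...] of failed-auth warnings
        sed -n 's/.*\[\([0-9.]*\)]: SASL LOGIN authentication failed.*/\1/p' |
        sort | uniq -c |
        awk -v min="$2" '$1 >= min { print $1, $2 }'
}

# null_route_cmds LOGTEXT THRESHOLD
# Emits one host route per offender, sending replies into lo so the
# handshake never completes. Modern equivalent: ip route add blackhole $ip
null_route_cmds() {
    sasl_offenders "$1" "$2" | while read -r count ip; do
        printf 'sudo route add -host %s gw 127.0.0.1 lo   # %s failures\n' "$ip" "$count"
    done
}
```

Run it against the real log with `null_route_cmds "$(cat /var/log/mail.log)" 5` and inspect the output before executing it; the threshold keeps a single mistyped password from null-routing a legitimate client.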


This entry was posted in Networking, Routing, SMTP.
