rDNS - Spam

Hi,

Do any providers implement anti-abuse measures when receiving an rDNS request? The last handful of requests for rDNS have all been made by spammers.

Thanks guys! :)

Thanked by 1sz1hosting

Comments

  • AnthonySmith Member, Patron Provider

    you mean such as looking up the domain to see if it is on any blacklists?

    Thanked by 2rsk sambling
  • rsk Member, Patron Provider
    edited July 2014

    @AnthonySmith said:
    you mean such as looking up the domain to see if it is on any blacklists?

    +1 and check fraudrecord :-)

    Thanked by 1sambling
  • If they send spam just terminate the vps and move on, + report to fraudrecord

  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    Nodewatch. They'll ramp up their script, get suspended, just run ls -al on their /var/log for the container and you'll see everything symlinked to /dev/null....terminate.

    Thanked by 1vimalware
  • rm_ IPv6 Advocate, Veteran

    Jar said: just run ls -al on their /var/log for the container

    Any way to achieve your goal without "just" invading the privacy of the customer right away by peeking into their private data? (and yes, what I have symlinked to where is not your fucking business). Gosh, so happy I never buy OpenVZ anymore.

  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    @rm_ said:
    Any way to achieve your goal without "just" invading the privacy of the customer right away by peeking into their private data? (and yes, what I have symlinked to where is not your fucking business). Gosh, so happy I never buy OpenVZ anymore.

    Yeah signup and open 400 SMTP connections immediately and I'll show you where you can stick your privacy. It's called looking out for your actual clients. No. You can either tcpdump and spy on the packets or you can be smart and notice the signs right away.

    • Logs in via solusvm console to shield bash history

    • Symlinks logs to /dev/null

    • Opens a shit load of SMTP connections.

    If you want to start doing all of those things without spamming just to throw a hissy fit about something that literally no non-spammer is doing be my guest but otherwise grow up and realize that adults have to run their businesses and look out for their clients that actually intend to use their services and IP ranges. This is people's livelihood not a damn toy.

    Keep in mind I'm not even an OpenVZ provider.

  • rm_ IPv6 Advocate, Veteran
    edited July 2014

    Jar said: open 400 SMTP connections

    That's monitoring network. Monitoring network is fine. But getting into people's private data should be the LAST resort, not the first thing you do.

  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    @rm_ said:
    That's monitoring network. Monitoring network is fine. Getting into people's private data should be the LAST resort, not the first thing you do.

    You store your credit cards or passwords as file names or Symlinks in /var/log? Come on you're just bitching just to do it.

  • blergh_ Member
    edited July 2014

    It's not a pretty fix to "invade" on users' privacy, but seeing as most of the providers run rented gear they won't really have a decent solution in terms of monitoring traffic/specific protocol-spikes etc. I suppose it'd make sense to use something like nodewatch as it "just works" rather than fiddling with some iptables/pf-setup that may reveal more info than what you need/want.

    What you could do is simply limit outgoing mail to say, 40 an hour per VM/IP, which should be more than enough for normal usage.

    The provider I work for does not enforce any real limitations, but rather tries to do decent background-checks as well as actively monitor our ranges for any rbl-changes.

  • We verify if forward records exist only.

    Though, it's rather easy (Or so I've been told by people who do auditing for us) to spot people with a history of spamming thanks to tools like FraudRecord these days.
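
The post above describes approving rDNS only when a forward record exists. The following is an added example of that check (forward-confirmed reverse DNS), written for this page and not taken from the thread or from any provider in it: a PTR request for an IP is auto-approved only if the requested hostname already has an A/AAAA record pointing back at that IP. The `FAKE_ZONE` data and `resolve_fake` resolver are constructed so the code runs offline; `resolve_system` is the real system-resolver path.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check before honouring an rDNS request.

Added example; not code from the thread or from any provider in it. The idea:
only set a PTR record for a customer IP if the requested hostname already has an
A/AAAA record pointing back at that same IP. Whoever asked for rDNS therefore has
to control the forward zone, which a throwaway or random request usually fails.
"""
from __future__ import annotations

import ipaddress
import re
import socket
from typing import Callable, Iterable

# RFC 1123 host label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(hostname: str) -> bool:
    """Syntax check so a malformed name is rejected before any DNS lookup is made.

    rDNS names are FQDNs, so a bare single label (e.g. "localhost") is rejected too.
    """
    name = hostname.rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def resolve_system(hostname: str) -> list[str]:
    """A/AAAA lookup via the system resolver; returns [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def forward_confirmed(ip: str, hostname: str,
                      resolve: Callable[[str], Iterable[str]] = resolve_system) -> bool:
    """True when at least one forward record of hostname equals ip."""
    target = ipaddress.ip_address(ip)
    for addr in resolve(hostname.rstrip(".").lower()):
        try:
            # drop any IPv6 scope id ("%eth0") the resolver may append
            if ipaddress.ip_address(addr.split("%")[0]) == target:
                return True
        except ValueError:
            continue  # resolver returned something that is not an address; ignore it
    return False


def review_request(ip: str, hostname: str,
                   resolve: Callable[[str], Iterable[str]] = resolve_system) -> tuple[bool, str]:
    """Decide whether an rDNS request can be auto-approved, with the reason."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False, "invalid IP address"
    if not valid_hostname(hostname):
        return False, "invalid hostname syntax"
    if not forward_confirmed(ip, hostname, resolve):
        return False, f"no A/AAAA record for {hostname.rstrip('.')} points at {ip}"
    return True, "forward record matches"


# Constructed zone data standing in for real DNS so the example runs offline.
FAKE_ZONE = {
    "mail.example.com": ["203.0.113.10", "2001:db8::10"],
    "www.example.org": ["198.51.100.7"],
}


def resolve_fake(hostname: str) -> list[str]:
    """Offline stand-in for resolve_system, backed by FAKE_ZONE."""
    return FAKE_ZONE.get(hostname.rstrip(".").lower(), [])


if __name__ == "__main__":
    for ip, name in [("203.0.113.10", "mail.example.com."),
                     ("203.0.113.11", "mail.example.com"),
                     ("203.0.113.10", "-bad.example.com")]:
        print(ip, name, review_request(ip, name, resolve_fake))
```

A request that fails the forward check is not necessarily abusive (the customer may simply not have published the A record yet), so the sensible outcome is to hold it for manual review rather than to reject the customer; the reason string is there so the reviewer can see which step failed.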

  • Maounique Host Rep, Veteran
    edited July 2014

    Kinda hard when rDNS is automatic. However, we have alerts for flows from all the DC, so when someone is doing SMTP traffic/connections over a certain threshold I get an email. If it's a new customer, there is the door; if an old one, blackhole until he can clean it up.
    That and checking blocklists have worked well so far; we have a very low spam rate.

    Thanked by 1marrco
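
Two posts above describe the same control from different angles: blergh_'s per-VM cap on outgoing mail per hour, and Maounique's flow-based alert when a source exceeds an SMTP connection threshold, with a different response for new signups and for established customers. The following is an added example implementing that detection over flow records; it is not the alerting of any provider in the thread. The flow line format, the addresses and the provisioning dates in `SAMPLE_FLOWS` and `PROVISIONED` are constructed for the demo, and `MAIL_PORTS` is an assumption about which destination ports count as mail.

```python
"""Sliding-window detector for outbound SMTP connection bursts per source IP.

Added example; not the alerting of any provider in the thread. It models two
ideas from the posts: a flow-based alert when a source exceeds an SMTP
connection threshold (door for new customers, null-route for old ones) and a
per-VM hourly cap on outgoing mail. Flow format, addresses and provisioning
dates are all constructed for the demo.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAIL_PORTS = {25, 465, 587}  # assumption: submission ports count as well as plain SMTP

# Constructed flow records: "<utc time> <src> <dst> <dst port> <proto>".
SAMPLE_FLOWS = """\
# new customer provisioned at 09:40 opens six SMTP connections in five seconds
2014-07-10T09:50:00Z 203.0.113.25 198.51.100.1 25 tcp
2014-07-10T09:50:01Z 203.0.113.25 198.51.100.2 25 tcp
2014-07-10T09:50:02Z 203.0.113.25 198.51.100.3 25 tcp
2014-07-10T09:50:03Z 203.0.113.25 198.51.100.4 25 tcp
2014-07-10T09:50:04Z 203.0.113.25 198.51.100.5 587 tcp
2014-07-10T09:50:05Z 203.0.113.25 198.51.100.6 25 tcp
# long-standing customer: six connections, but never more than three per hour
2014-07-10T10:00:00Z 198.51.100.9 192.0.2.10 25 tcp
2014-07-10T10:01:00Z 198.51.100.9 192.0.2.11 25 tcp
2014-07-10T10:02:00Z 198.51.100.9 192.0.2.12 25 tcp
2014-07-10T11:30:00Z 198.51.100.9 192.0.2.13 25 tcp
2014-07-10T11:31:00Z 198.51.100.9 192.0.2.14 25 tcp
2014-07-10T11:32:00Z 198.51.100.9 192.0.2.15 25 tcp
# web traffic and a UDP flow to port 25 are not mail connections
2014-07-10T10:05:00Z 203.0.113.40 192.0.2.20 443 tcp
2014-07-10T10:05:01Z 203.0.113.40 192.0.2.21 25 udp
"""

# Constructed provisioning times used to tell a new signup from an old customer.
PROVISIONED = {
    "203.0.113.25": datetime(2014, 7, 10, 9, 40, tzinfo=timezone.utc),
    "198.51.100.9": datetime(2014, 1, 15, 0, 0, tzinfo=timezone.utc),
}


def parse_flows(text: str) -> list[tuple[datetime, str, str, int, str]]:
    """Parse the constructed flow format into time-sorted tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, dst, int(dport), proto))
    records.sort(key=lambda r: r[0])
    return records


def smtp_burst_alerts(records, limit: int = 5, window: timedelta = timedelta(hours=1),
                      provisioned: dict[str, datetime] | None = None,
                      new_customer_age: timedelta = timedelta(hours=24)) -> list[dict]:
    """One alert per source that opens more than `limit` mail connections inside `window`.

    The deque per source holds only the connection times still inside the window,
    so a steady low rate spread over hours never trips the threshold.
    """
    provisioned = provisioned or {}
    recent: dict[str, deque] = defaultdict(deque)
    alerts: dict[str, dict] = {}
    for ts, src, _dst, dport, proto in records:
        if proto != "tcp" or dport not in MAIL_PORTS:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire connections that fell out of the window
            q.popleft()
        if len(q) > limit and src not in alerts:
            since = provisioned.get(src)
            is_new = since is not None and ts - since < new_customer_age
            alerts[src] = {
                "src": src,
                "at": ts.isoformat(),
                "count": len(q),
                "new_customer": is_new,
                # mirrors the policy in the thread: a fresh signup is shown the
                # door, an established customer is null-routed until cleaned up
                "action": "suspend" if is_new else "null-route until cleaned",
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in smtp_burst_alerts(parse_flows(SAMPLE_FLOWS), provisioned=PROVISIONED):
        print(alert)
```

With the defaults only the fresh signup trips the alert; the established customer's six connections are spread across two hours and never exceed three within any one-hour window, which is the property a plain per-day counter would miss. The flow data here only shows connection attempts, so the limit is on connections, not on delivered messages; a 40-messages-per-hour cap would be enforced at the MTA or by counting completed sessions instead.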
  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    I always laugh when it's as simple as they request DNS (especially if it's automatic and they still ask) and then their signup domain is a dead giveaway. I remember so many at Catalyst that just didn't even look like they were trying, just hoping for dumb support techs.

  • Any way to put a layer between your client area to check the subdomain against a dictionary file list before it's submitted? Most spammers use random noun/verb/adjective garbage then a newly registered domain name.
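
As an added example of the dictionary check suggested above (written for this page, not code from the thread or from any provider), the following segments the leftmost label of a requested rDNS hostname into dictionary words and holds the request for manual review when it is made of two or more glued-together words. The `WORDS` list is a small constructed stand-in for a real dictionary file such as `/usr/share/dict/words`; the hostnames are constructed too. It goes a little beyond the post by also handling hyphenated labels.

```python
"""Flag rDNS requests whose hostname is just dictionary words glued together.

Added example; not code from the thread. The idea is to check the requested
subdomain against a dictionary file before the request is accepted; this does
that check server-side as word segmentation. The word list and hostnames are
constructed; a deployment would load a real dictionary file.
"""
from __future__ import annotations

# Constructed word list standing in for a dictionary file such as /usr/share/dict/words.
WORDS = frozenset({
    "green", "apple", "runner", "fast", "tiger", "mail", "blue", "cloud",
    "server", "happy", "box", "smtp", "relay",
})


def segment(label: str, words=WORDS, min_len: int = 3) -> list[str] | None:
    """Split label into dictionary words, or return None if it cannot be split exactly.

    Dynamic programming over prefixes: best[i] is a segmentation of label[:i].
    Words shorter than min_len are ignored so "a"/"an" cannot glue anything together.
    """
    label = label.lower()
    n = len(label)
    best: list[list[str] | None] = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(0, i - min_len + 1):  # longest candidate word for label[:i] first
            piece = label[j:i]
            if best[j] is not None and piece in words:
                best[i] = best[j] + [piece]
                break
    return best[n]


def review_hostname(hostname: str, words=WORDS, min_words: int = 2) -> dict:
    """Report whether the leftmost label looks like random dictionary words.

    Hyphens are removed first so "fast-tiger-mail" is judged like "fasttigermail".
    A single common word ("mail", "smtp") is normal and is not flagged.
    """
    leftmost = hostname.rstrip(".").split(".")[0]
    parts = segment(leftmost.replace("-", ""), words)
    flagged = parts is not None and len(parts) >= min_words
    return {
        "hostname": hostname,
        "label": leftmost,
        "words": parts or [],
        "flagged": flagged,
        "verdict": "hold for manual review" if flagged else "pass",
    }


if __name__ == "__main__":
    for name in ["greenapplerunner.example.com", "fast-tiger-mail.example.net",
                 "mail.example.com", "mx1.example.org"]:
        print(review_hostname(name))
```

This is a heuristic for routing requests to a human, not a blocklist: legitimate hostnames can be made of real words too, so the output keeps the words it found rather than returning a bare yes/no. The domain-age part of the post (a newly registered domain) needs a WHOIS or RDAP lookup and is left out here.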

  • @Jar said:
    Nodewatch. They'll ramp up their script, get suspended, just run ls -al on their /var/log for the container and you'll see everything symlinked to /dev/null....terminate.

    We do, of course, use NodeWatch to prevent abuse but these "clients" can send rather a lot of emails and stay under the radar before NW will pick them up. I really liked the look of FraudRecord so that's something that'll be used in the future. Thanks for all the help here guys! :D

  • Master_Bo Member
    edited July 2014

    @Jar said:
    Logs in via solusvm console to shield bash history
    Symlinks logs to /dev/null

    I always, when possible

    • set history settings to discard all history after I log off
    • purge system logs periodically (including login history)
    • use encrypted swap, /tmp and the like

    (strange thing is I do not use VPSes for activity prohibited in ToS/AUP). Is the mentioned list enough reason to nullify my privacy?

    The solution would be to use known blacklists of such spam herders and deny service if dubious IPs are noted in any of the user's transactions.

    Note: if a hoster reserves the right (explicitly, in ToS) to disregard my privacy and inspect my data without valid reason (i.e., without informing me of possibly dubious activity from my VMs, etc.), I most probably won't choose such a hoster at all.

    Thanked by 3rm_ Mark_R geekalot
  • Maounique Host Rep, Veteran

    Problem is most don't mention anything about that. I put it clearly in a plain English version of the ToS/AUP. It is not really possible to keep out all the time; you do watch processes and when you see b26 or others, you have to see whose VM that is and notify them, and at times you see other things.
    Reasonable watch and action should be on the menu in a shared environment; if not, it will most likely not work. There is no perfect privacy in a shared environment; at least the traffic can and should be monitored for DDoS, spam, congestion, etc.

  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    @Master_Bo said:
    Note: if a hoster reserves the right (explicitly, in ToS) to disregard my privacy and inspect my data without valid reason (i.e., without informing me of possibly dubious activity from my VMs, etc.), I most probably won't choose such a hoster at all.

    Do you open 400+ SMTP connections as soon as you sign up?

    Seriously, come on. I said what I said and you and one other person decided to cherry pick it to cry about it. Is there something the three of us should be discussing in private in the way of a problem with me, or are you both just incapable of reading?

    You don't erase evidence of a federal law violation on your network and rinse your hands of it like it didn't happen. When you know how to identify a spammer with a technique that invades no one's privacy and involves noticing things that all work TOGETHER, not as INDIVIDUAL PIECES, you use said technique because you're not an idiot and you have a business to protect. As I clearly stated, THE FIRST PART OF IT IS OPENING A TON OF SMTP CONNECTIONS IMMEDIATELY UPON SIGNUP. Read, people, it's good for you.

    Thanked by 1marrco
  • @Maounique said:
    Problem is most don't mention anything about that.

    Exactly. In the real world, servers can't be 101% free from access by third parties. But stating the cases in ToS/AUP and notifying the owner at least post factum is a good idea.

  • @Jar said:
    Seriously, come on.

    Seriously, calm down. I have said the details in my longer response above. If a server can be accessed without a court order, such cases should be explicitly stated in ToS/AUP/other legally binding documents. That's all.

  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    @Master_Bo said:
    Seriously, calm down. I have said the details in my longer response above. If a server can be accessed without a court order, such cases should be explicitly stated in ToS/AUP/other legally binding documents. That's all.

    I don't need a court order to terminate a spammer and YOUR FILE NAMES IN /var/log ARE NOT PRIVATE. They're standard and I could list them without ever looking. Do you think I don't know what Linux is? Have you devised a way to store private information in these file names? Do you expect me to believe that there is someone out there who has and then meets the other criteria? Be a reasonable human being for just one second.

    Thanked by 1marrco
  • Master_Bo Member
    edited July 2014

    @Jar said:
    I don't need a court order to terminate a spammer

    I suppose you have that written in ToS/AUP, correct? Along with a spam definition.

    and YOUR FILE NAMES IN /var/log ARE NOT PRIVATE.

    O'RLY?

    They're standard and I could list them without ever looking.

    If you really think so, I don't think I should use your services. Would you be so kind to tell me whether ~/.bashrc is still private? And what if I encrypt /var/log entirely and take measures to destroy its contents if intrusion is detected -- will that be ToS/AUP violation?

    Do you think I don't know what Linux is? Have you devised a way to store private information in these file names? Do you expect me to believe that there is someone out there who has and then meets the other criteria? Be a reasonable human being for just one second.

    Seriously, I think you should at least re-read the definition of privacy. The log files can contain information that I can decide not to disclose to anyone.

    If you think there are areas of server you may inspect without customer's permit (and without them violating rules), your customers are in big trouble. No offense meant.

    Thanked by 3rm_ Mark_R geekalot
  • rm_ IPv6 Advocate, Veteran
    edited July 2014

    Jar said: You store your credit cards or passwords as file names or Symlinks in /var/log?

    Whether I do or not, is none of your business. Actually, the very fact that I (may) choose not to do so, is also my private information. Anyway, I don't see what you are arguing about. Personally I will happily keep on not buying any OpenVZ ever, and nosy OpenVZ providers with no concept of customer privacy (and their clueless customers) will happily proceed with their lives as well.

    Thanked by 2Maounique Mark_R
  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    I sincerely apologize to everyone who is a legitimate client of my nonexistent services (with relevance, at least) that does the following in order:

    1. Opens 400+ SMTP connections immediately after SIGNUP.

    2. Symlinks file names in /var/log to their credit card numbers or personal information.

    Your privacy has been compromised by me and I am sincerely apologetic for this tragedy. Please proceed to the nearest whining station to collect your 35 cents.

  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    @rm_ said:
    Whether I do or not, is none of your business. Actually, the very fact that I (may) choose not to do so, is also my private information. Anyway, I don't see what are you arguing about. Personally I will happily keep on not buying any OpenVZ ever, and nosy OpenVZ providers with no concept of customer privacy (and their clueless customers) will happily proceed with their lives as well.

    Lol is it lonely on your soap box? Captain privacy beats the bad guy once again! Good looking out for nobody but some theoretical idiot as always!

  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    @Master_Bo said:
    O'RLY?

    Yeah. I bet there's a file named "messages" or "auth.log" in there.

    OMG I JUST VIOLATED YOUR PRIVACY.

    Grow up.

  • @Jar said:
    Grow up.

    You mean you really don't understand why accessing files (without the user's permit) in /var/log can be a violation of privacy?

    OK, I'll try to explain one last time.

    Contents of any files on my VPS/dedicated server can contain information I do not wish to be accessed by anyone else. That includes auth.log and messages files in /var/log.

    Thanked by 1Mark_R
  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    So you admit that you store private information in the file names? Should service providers now also be required to notify you that the "first name" field in billing is not encrypted should you choose to use the profile information section as a managed version of LastPass?

    Should the highway patrol notify you that the side of the highway you are on is one way every 6 seconds or you are now free to drive the wrong way until you see the next sign?

    You are expected to be a human being and act like one, I expect my providers to do the same. If you want dead impersonal automation please never click a link in my signature. Because I assure you that if I ever start running a vps service again, I will protect my clients with my knowledge and my personal application of real world context, not be a robot.

    You find me someone who has personal information I don't already know in those file names and I'll admit I'm wrong. You start putting it there on all your services to spite me even though I'm not a provider and you'll not only be the first ever to do so, you'll be at a whole new level of dumb.

    The absurdity of your complaint against no one for something that no one does is incredible. I mean really, bravo for managing to actually pull off a complaint against a hypothetical scenario that literally has 0 impact on you, ever.

  • Maounique Host Rep, Veteran
    edited July 2014

    Jar said: So you admit that you store private information in the file names?

    No, I think he says:
    1. You have no business looking at file names nor where are they linked unless you already know there was a ToS/AUP violation not in order to discover one. I see a blacklisting after high SMTP activity automatically recorded, I go and check if there was intention involved or simply a hacking IF I have a doubt. Usually, if it happens minutes after provisioning, there is no doubt, also if there is an old customer with years of good behaviour.
    2. The way a customer names or links his files is his business, not yours. He can also take any measures to encrypt or hide anything he sees fit, whether from you or potential intruders due to some 0day or whatever exploit of the host node/provider.
    3. You do not wish to respect the privacy of customers and think that it is not a right, fine, but put it clearly in your ToS/AUP so only people who "have nothing to hide" will host with you.

  • jar Patron Provider, Top Host, Veteran
    edited July 2014

    I don't have a TOS or AUP for my nonexistent VPS services and literally no one's privacy is being violated in any way.

    Just as I know that no one is using their VPS as an ash tray for their cigarettes, so do I know the contents of your /var/log. Fear me, for I have violated your privacy on both of these counts.

    I also know that you all have blood flowing through your body. Seriously my violation of your privacy just doesn't end...

    I can't wait to run a VPS service again and reference this thread in the strangest policy twist ever "if you spam I'm going to ls your /var/log, this policy demanded by the LET likes-to-complain-about-nothing-squad."

  • Mark_R Member
    edited July 2014

    @Jar

    Didn't you work for catalysthost.com? Did you use the same methods to detect potential spammers as you mentioned here?
