ASN-blocklist
In regards to this thread: redacted
I have built a PHP applet that pulls data from bgp.he.net once a week and builds a block list for a few different ASNs. The block lists currently come in the form of:
Nginx deny conf file.
htaccess
iptables commands and all in a text format.
ipset commands and all in a text format.
RAW IP list.
Currently the ASNs that are being processed are:
$asns[] = 'AS29073'; // ecatel
$asns[] = 'AS15003'; //Nobis Tech
$asns[] = 'AS40676'; // psychz
$asns[] = 'AS21788'; //burst
$asns[] = 'AS57043'; //hostkey
$asns[] = 'AS54290'; // Hostwinds
$asns[] = 'AS33387'; //datashack
$asns[] = 'AS36352'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI
You can check it out here: https://cdn.content-network.net/tools/asn-blocklist/
I am looking for suggestions on file formats / configs that you would like to have built for as well. I need an example file and what the best way of building it would be. I.e. best practices.
I am also looking for suggested ASNs that should be watched and the reason why they should be blocked. Like mass spam, SSH brute forces, et cetera.
Anyways, let me know how you like it!
Mun
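A sketch of the step the post above describes, added here as an illustration and not taken from Mun's PHP applet: one cleaned prefix list rendered into each of the listed formats. The sample prefixes are constructed documentation ranges, the set name `asn-block` is made up, the htaccess output assumes Apache 2.4 syntax, and the refusal of loopback/private/over-broad prefixes is an added safeguard.

```python
import ipaddress

# Constructed sample input: documentation ranges plus entries a generator should refuse.
SAMPLE = ["198.51.100.0/25", "198.51.100.128/25",   # adjacent halves -> one /24
          "203.0.113.0/24", "203.0.113.64/26",       # /26 already covered by the /24
          "2001:db8::/32", "127.0.0.0/8", "192.168.22.0/24", "0.0.0.0/0", "not-a-prefix"]
# Ranges that must never land in a block list (loopback, RFC 1918, link-local, ULA).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def clean_prefixes(raw):
    """Return (collapsed networks, rejected inputs)."""
    nets, rejected = [], []
    for item in raw:
        try:
            net = ipaddress.ip_network(item.strip(), strict=False)
        except ValueError:
            net = None
        # overlaps() also catches over-broad prefixes such as 0.0.0.0/0
        if net is None or any(net.version == g.version and net.overlaps(g) for g in NEVER_BLOCK):
            rejected.append(item)
        else:
            nets.append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses() refuses mixed address families
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged, rejected

def render(nets, set_name="asn-block"):  # set_name is a made-up example name
    """Render one cleaned prefix list into each format the post lists."""
    fw = {4: ("iptables", "inet"), 6: ("ip6tables", "inet6")}
    ipset = []  # lines in `ipset restore` format, one set per address family
    for v, (_, family) in fw.items():
        ipset.append(f"create {set_name}{v} hash:net family {family} -exist")
        ipset += [f"add {set_name}{v} {n} -exist" for n in nets if n.version == v]
    return {
        "raw": [str(n) for n in nets],
        "nginx": [f"deny {n};" for n in nets],
        "htaccess": ["<RequireAll>", "Require all granted",
                     *[f"Require not ip {n}" for n in nets], "</RequireAll>"],
        "iptables": [f"{fw[n.version][0]} -A INPUT -s {n} -j DROP" for n in nets],
        "ipset": ipset,
    }

if __name__ == "__main__":
    for name, lines in render(clean_prefixes(SAMPLE)[0]).items():
        print(f"# {name}", *lines, sep="\n")
```

Collapsing before rendering keeps the rule count down, which matters most for the per-prefix iptables output; the ipset form scales better for long lists.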
Comments
What's your ASN so I can block you?! (note this is a joke, no babies have been hurt in this joke... I think)
AS314159265359
@Mun are you trying to create a hosting IPs list?
Something like this http://www.blocked.com/ ?
Not at all, there is a group of individuals who are requesting a way to block ColoCrossing due to its high SPAM mail volume. What I am doing is building a list of their IPs and a few others and making them into a few formats for people to use.
I have thought about building a block in the past, but never seemed needed or wanted.
Mun
I see, it's better to have a proper name, something like "colocrossing asn blocklist" rather than "asn blocklist".
So you're going to use LET to advertise a way to try to block CC, including LET. Brilliant.
Now I am laughing
No, as ASN != colocrossing. There are multiple and many different whole networks in the ASN block list.
If you just want colocrossing use: https://cdn.content-network.net/tools/cc-blocklist/
Honestly, that isn't my problem. The reason for the request was because people were tired of the amount of email spam coming from CC ip space. I mean 64% of your IP space is blocked on Spamhaus so you have problems.
However, that being said, I do not suggest just throwing on block lists because you can.
You can "cry a bit" like what Aldryic did and then @Mun will remove ColoCrossing from his list.
Give me a reason I should add Frantech and I will. Though I honestly added it as a joke.
It's not about how bad is provider, it's about you - listening to them (providers) and removing on request.
It's OK, nobody takes @Mun seriously
Might want to add quadranet and query foundry to the list, both have been in the top five for months at sender base for spam.
Will do.
If you give me a reason right now why you would want frantech on there I will add them back and I will hold it there.
Love you too. C=
Current list:
$asns[] = 'AS29073'; // ecatel
$asns[] = 'AS15003'; //Nobis Tech
$asns[] = 'AS40676'; // psychz
$asns[] = 'AS21788'; //burst
$asns[] = 'AS57043'; //hostkey
$asns[] = 'AS54290'; // Hostwinds
$asns[] = 'AS33387'; //datashack
$asns[] = 'AS36352'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI
$asns[] = 'AS17676'; // Softbank.co.jp
$asns[] = 'AS4134'; // Chinanet-hb
$asns[] = 'AS4808'; // Unicom
$asns[] = 'AS10013'; // DTI.ad.jp
$asns[] = 'AS23818'; // Jet.ne.jp
$asns[] = 'AS33028'; // vexxhost.com
$asns[] = 'AS4725'; // Softbank
$asns[] = 'AS29761'; // quadranet
$asns[] = 'AS62638'; // Query Foundry
LET is hosted over CloudFlare so a block would have no effect.
There's a nice list @Cakey has compiled here - http://lowendtalk.com/discussion/comment/623171/#Comment_623171
-
All those are currently (given my best attempts) in there.
What have those ASNs done, are they just a list of bad ASNs?
They're ASNs that offer VPS / dedicated / co-location.
Ugh, I'm not sure I want to add all those..... Anyone other than @black think I should?
I think you should look through them and add the ones you want. It's easier than trying to think of which ASNs to ban imo.
We need to blacklist every IP that has the chance to send e-mail or attacks or anything malicious
YES!
If you aren't going to add them because of them hosting vps, dedicated and colocation then you might as well remove a lot of AS's in your list.
Is there a point to adding them? I am not just purely after VPS, Dedicated Servers, and colos, as many of the ASNs on my list are residential.
If you see a point to them being added I will though.
I hear there's spam coming from 127.184.27.162
I've been getting some from 192.168.22.29
127.0.0.1 spamming? That is colocrossing UP right?
That's using downwards of 6 7 too many bits.