ASN-blocklist

Mun Member
edited August 2014 in General

In regards to this thread: redacted

I have built a PHP applet that pulls data from bgp.he.net once a week and builds a block list for a few different ASNs. The block lists currently come in the form of:

Nginx deny conf file.
htaccess
iptables commands and all in a text format.
ipset commands and all in a text format.
RAW IP list.

Currently the ASNs that are being processed are:

$asns[] = 'AS29073'; // ecatel
$asns[] = 'AS15003'; //Nobis Tech
$asns[] = 'AS40676'; // psychz
$asns[] = 'AS21788'; //burst
$asns[] = 'AS57043'; //hostkey
$asns[] = 'AS54290'; // Hostwinds
$asns[] = 'AS33387'; //datashack
$asns[] = 'AS36352'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI

You can check it out here: https://cdn.content-network.net/tools/asn-blocklist/

I am looking for suggestions on file formats / configs that you would like to have built for as well. I need an example file and what the best way of building it would be. I.e. best practices.

I am also looking for suggested ASNs that should be watched and the reason why they should be blocked. Like Mass Spam, SSH brute Forces, et cetera.

Anyways, let me know how you like it!

Mun
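
An added example (not part of the original post, and not the author's PHP applet): a Python sketch of the step between fetching an ASN's prefixes and publishing the formats listed above. It validates and aggregates the prefixes, refuses loopback, RFC 1918 and /8-wide entries, then renders each format. The set name `asn-block`, the `MIN_PREFIXLEN` threshold and the sample feed are assumptions made for illustration.

```python
import ipaddress

# Guard rails: loopback and RFC 1918 space must never land in a block list.
NEVER_BLOCK = [ipaddress.IPv4Network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIXLEN = 9  # assumption: a prefix as broad as a /8 is treated as a feed error

# One line template per output format named in the post.
TEMPLATES = {
    "raw": "{net}",
    "nginx": "deny {net};",
    "htaccess": "    Require not ip {net}",  # Apache 2.4 syntax
    "iptables": "iptables -A INPUT -s {net} -j DROP",
    "ipset": "ipset add {set} {net} -exist",
}

def clean_prefixes(raw_lines):
    """Validate, filter and aggregate IPv4 prefixes. Returns (networks, rejected)."""
    nets, rejected = [], []
    for line in raw_lines:
        text = line.strip()
        try:
            net = ipaddress.IPv4Network(text)  # strict: host bits set is an error
        except ValueError:
            rejected.append((text, "invalid"))
            continue
        if any(net.overlaps(p) for p in NEVER_BLOCK):
            rejected.append((text, "loopback/private"))
        elif net.prefixlen < MIN_PREFIXLEN:
            rejected.append((text, "too broad"))
        else:
            nets.append(net)
    # Merge adjacent prefixes and drop subnets already covered by a wider entry.
    return list(ipaddress.collapse_addresses(nets)), rejected

def render(nets, fmt, set_name="asn-block"):  # set_name is a hypothetical ipset name
    """Render the aggregated networks in one of the TEMPLATES formats."""
    body = [TEMPLATES[fmt].format(net=n, set=set_name) for n in nets]
    if fmt == "htaccess":
        body = ["<RequireAll>", "    Require all granted", *body, "</RequireAll>"]
    elif fmt == "ipset":
        body = [f"ipset create {set_name} hash:net -exist", *body,
                f"iptables -I INPUT -m set --match-set {set_name} src -j DROP"]
    return "\n".join(body) + "\n"

# Constructed sample feed: documentation ranges plus deliberately bad entries.
SAMPLE = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24",
          "203.0.113.64/26", "127.184.27.162", "192.168.22.29",
          "11.0.0.0/8", "192.0.2.1/24", "not-a-prefix"]
```

Calling `clean_prefixes(SAMPLE)` returns the aggregated networks together with the rejected entries and the reason for each, so a bad feed line is reported instead of silently published.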


Comments

  • SkylarM Member
    edited August 2014

    What's your ASN so I can block you?! (note this is a joke, no babies have been hurt in this joke... I think)

  • Mun Member

    AS314159265359

  • @Mun are you trying to create hosting ips list ?

    Something like this http://www.blocked.com/ ?

  • Mun Member

    @alexvolk said:
    Mun are you trying to create hosting ips list ?

    Something like this http://www.blocked.com/ ?

    Not at all, there is a group of individuals who are requesting a way to block ColoCrossing due to its high SPAM mail volume. What I am doing is building a list of their IPs and a few others and making them into a few formats for people to use.

    I have thought about building a block in the past, but it never seemed needed or wanted.

    Mun

    Thanked by 1Licensecart
  • alexvolk Member
    edited August 2014

    @Mun said:
    a way to block ColoCrossing due to its high SPAM

    I see, it's better to have a proper name, something like "colocrossing asn blocklist" rather than "asn blocklist".

  • So you're going to use LET to advertise a way to try to block CC, including LET. Brilliant.

  • @SysAdmin said:
    So you're going to use LET to advertise a way to try to block CC, including LET. Brilliant.

    Now I am laughing

  • Mun Member

    alexvolk said: I see, it's better to have a proper name, something like "colocrossing asn blocklist" rather than "asn blocklist".

    No, as ASN != colocrossing. There are multiple and many different whole networks in the ASN block list.

    If you just want colocrossing use : https://cdn.content-network.net/tools/cc-blocklist/

    @SysAdmin said:
    So you're going to use LET to advertise a way to try to block CC, including LET. Brilliant.

    Honestly, that isn't my problem. The reason for the request was because people were tired of the amount of email spam coming from CC ip space. I mean 64% of your IP space is blocked on Spamhaus so you have problems.

    However, that being said, I do not suggest just throwing on block lists because you can.

  • @SysAdmin said:
    So you're going to use LET to advertise a way to try to block CC, including LET. Brilliant.

    You can "cry a bit" like what Aldryic did and then @Mun will remove ColoCrossing from his list.

  • Mun Member

    @alexvolk said:
    You can "cry a bit" like what Aldryic did and then Mun will remove ColoCrossing from his list.

    Give me a reason I should add Frantech and I will. Though I honestly added it as a joke.

  • @Mun said:
    Give me a reason I should add Frantech and I will. Though I honestly added it as a joke.

    It's not about how bad the provider is, it's about you - listening to them (providers) and removing on request.

  • SysAdmin said: So you're going to use LET to advertise a way to try to block CC, including LET. Brilliant.

    It's OK, nobody takes @Mun seriously

  • jbiloh Administrator, Veteran
    edited August 2014

    Might want to add quadranet and query foundry to the list, both have been in the top five for months at sender base for spam.

  • Mun Member

    @jbiloh said:
    Might want to add quadranet and query foundry to the list, both have been in the top five for months at sender base for spam.

    Will do.

    @alexvolk said:
    It's not about how bad the provider is, it's about you - listening to them (providers) and removing on request.

    If you give me a reason right now why you would want frantech on there I will add them back and I will hold it there.

    @Spencer said:

    Love you too. C=

  • Mun Member

    Current list:


    $asns[] = 'AS29073'; // ecatel
    $asns[] = 'AS15003'; //Nobis Tech
    $asns[] = 'AS40676'; // psychz
    $asns[] = 'AS21788'; //burst
    $asns[] = 'AS57043'; //hostkey
    $asns[] = 'AS54290'; // Hostwinds
    $asns[] = 'AS33387'; //datashack
    $asns[] = 'AS36352'; // Colocrossing
    $asns[] = 'AS16276'; // OVH
    $asns[] = 'AS32097'; // WSI
    $asns[] = 'AS17676'; // Softbank.co.jp
    $asns[] = 'AS4134'; // Chinanet-hb
    $asns[] = 'AS4808'; // Unicom
    $asns[] = 'AS10013'; // DTI.ad.jp
    $asns[] = 'AS23818'; // Jet.ne.jp
    $asns[] = 'AS33028'; // vexxhost.com
    $asns[] = 'AS4725'; // Softbank
    $asns[] = 'AS29761'; // quadranet
    $asns[] = 'AS62638'; // Query Foundry

  • SysAdmin said: So you're going to use LET to advertise a way to try to block CC, including LET. Brilliant.

    LET is hosted over CloudFlare so a block would have no effect.

  • Spencer Member
    edited August 2014

    -

  • Mun Member

    @Spencer said:
    mun here are some more to block! http://www.spamhaus.org/statistics/networks/

    All those are currently (given my best attempts) in there.

    @black said:
    There's a nice list Cakey has compiled here - http://lowendtalk.com/discussion/comment/623171/#Comment_623171

    What have those ASNs done, are they just a list of bad ASNs?

  • @Mun said:
    What have those ASNs done, are they just a list of bad ASNs?

    They're ASNs that offer VPS / dedicated / co-location.

  • Mun Member

    @black said:
    They're ASNs that offer VPS / dedicated / co-location.

    Ugh, I'm not sure I want to add all those..... Anyone other than @black think I should?

  • @Mun said:
    Ugh, I'm not sure I want to add all those..... Anyone other than black think I should?

    I think you should look through them and add the ones you want. It's easier than trying to think of which ASNs to ban imo.

    Thanked by 1Kris
  • We need to blacklist every IP that has the chance to send e-mail or attacks or anything malicious

    Thanked by 2ihatetonyy Dylan
  • Jack said: Every /8 then?

    YES!

  • Awmusic12635 Member, Host Rep

    Mun said: Ugh, I'm not sure I want to add all those..... Anyone other than @black think I should?

    If you aren't going to add them because of them hosting vps, dedicated and colocation then you might as well remove a lot of AS's in your list.

  • Mun Member

    @Fliphost said:
    If you aren't going to add them because of them hosting vps, dedicated and colocation then you might as well remove a lot of AS's in your list.

    Is there a point to adding them? I am not just purely after VPS, Dedicated Servers, and colo's as many of the ASNs on my list are residential.

    If you see a point to them being added I will though.

  • i hear there's spam coming from 127.184.27.162

  • matthewvz Member, Host Rep

    @Hello71 said:
    i hear there's spam coming from 127.184.27.162

    I've been getting some from 192.168.22.29

  • shovenose Member, Host Rep

    127.0.0.1 spamming? That is colocrossing UP right? ;)

  • Rallias Member
    edited August 2014

    Mun said: AS314159265359

    That's using downwards of 6 7 too many bits.
