[lug] Blocking spam by blocking partial IP

John Hernandez John.Hernandez at noaa.gov
Mon May 9 10:53:57 MDT 2005


APNIC has a nice DB search web page that allows recursive queries.

http://www.apnic.net/apnic-bin/whois.pl?search=222.0.0.0%2F8

Try the "All more specific" option.  They limit responses to 300
records, so you may need to split this into several queries of /12 or
perhaps smaller.

Hugh Brown wrote:
> I haven't found a nice way to do it other than manually.  I go to
> apnic.net and use their whois.
> 
> I typed in 222.0.0.0 and got told:
> 
> inetnum:      222.0.0.0 - 222.15.255.255
> netname:      KDDI
> descr:        KDDI CORPORATION
> descr:        Tokyo, Japan
> country:      JP
> 
> So, next I type in 222.16.0.0 and get:
> 
> inetnum:      222.16.0.0 - 222.16.7.255
> netname:      SCUTDEB-CN
> descr: 	      ~{9cV];*DO=LS}?F<<7"U9SPO^9+K>MxBg=LS}Q'T:~}
> descr: 	      HNJK NETWORK EDUCATION COLLEGE
> descr: 	      GuangZhou, Guangdong 510641, China
> country:      CN
> 
> So, then I would type in 222.16.8.0 and ....
> 
> Obviously this doesn't scale well and is asking for help via your favorite
> scripting language.
> 
> Hugh
> 
> On Mon, 9 May 2005, Bill Thoen wrote:
> 
> 
>>I have been getting about 200 spams a day, and finally decided to simply
>>block the two worst offenders by putting their partial IPs in my
>>/etc/mail/access file like so:
>>
>>218.1   REJECT
>>222     REJECT
>>
>>This worked great. Last night's log showed lots and lots of messages
>>from these turkeys that got turned back at the door.
>>
>>However, I'm a bit concerned about blocking everything from IPs that start
>>with 222. When I check with whois, I can't get any details on who is
>>assigned to any of the subnets under 222. I don't mind blocking anybody
>>from China or Korea, but I don't want to block Japanese or Australian
>>email.
>>
>>Is there any way to discover any more details on the 222 IP other than
>>it's managed by APNIC?
>>
>>- Bill Thoen
>>
>>
>>
>>_______________________________________________
>>Web Page:  http://lug.boulder.co.us
>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>>
>>
>>
> 
> 

-- 

 |  John Hernandez - NOAA Boulder NOC - 303-497-6392
 |  Mailstop R/OM62. 325 Broadway, Boulder, CO 80305
 |  PGP Public Key ID: 586A7E23


