Tag: IP

  • AT&T rbl block inquiry site

    First, I guess I should give a primer, what’s an RBL? RBL stands for Realtime Black List (or Realtime Block List depending on who you talk to.) The idea is there are machines that either 1) have no business DIRECTLY trying to deliver a mail message to a legitimate mail server or 2) are known to spew out junk mail, or viruses or other bad content. So, many service providers make use of blacklists to decline messages from suspect machines. In some cases these lists are cultivated in house, in other cases people make use of various publicly available lists online.

    But…

    (more…)

  • Bellsouth/ AT&T mail problems

    I would dare say there are more than a couple people “out there” right now that are puzzled as to WHY some of their mail is bouncing back to them as being rejected. Right now I’m talking about Bellsouth / AT&T mail users…. it appears that this week AT&T is in the process of transitioning its outbound mail relays to a new address block, 207.115.11.51 – 207.115.11.56 – the names of these machines are fmailhost01.isp.att.net – fmailhost06.isp.att.net …. Yesterday I noticed 4/5/6 had been moved – today 3 has been moved over and I noticed only because a test message that I RUN through a (formerly) bellsouth system bounced back and made it through…. The problem is the address space that AT&T is making use of used to be in the dial up block of their service and SEVERAL online blacklists have not been notified of the change. It is not possible for an end user to FIX this problem, AT&T technicians need to contact http://www.au.sorbs.net/ (SORBS), among other locations, to help their customers. The only thing techs in control of individual mailservers can do is whitelist the new AT&T addresses. (Well, you could disable blacklisting altogether, but that would probably be a big HELLO SPAM).

    It may be an even murkier situation – they may be using BOTH sets of IP addresses (old and new) for the time being… here are two log entries that would seem to confirm that…

    Jul 25 16:47:09 xxxxx postfix/smtpd[7812]: disconnect from fmailhost03.isp.att.net[207.115.11.53]
    Jul 25 16:47:09 xxxxx postfix/smtpd[7812]: connect from fmailhost03.isp.att.net[204.127.217.103]

    Strange… They may have some scheme to help work around this – because the connect from the 204. address immediately followed a DNS block of the connect from the 207 range address.

  • Why? (Why couldn’t AT&T make sure their mail servers weren’t using old dialup IPs that are blacklisted….)

    Why do I always wind up being the one to discover problems? …. Today in checking mail I found a mail that had bounced back from one of my clients that uses bellsouth… Now bellsouth has recently been bought by AT&T and it appeared as though the mail had been rejected because the mailserver trying to deliver it was in an email blacklist. (What – a bellsouth mailserver in a blacklist?) Well, we’ve gone through this before with some of the passive blacklists where people might relay junk through their isp, but… on searching, the AT&T outbound mailserver 207.115.11.54 was in the dial up block lists at sorbs and nomorefun…. (as was 207.115.11.55) These seem to be the new fmailhost04.isp.att.net and fmailhost05.isp.att.net outbound mail machines.

    (more…)

  • More postfix spam blocking and Whitelisting….

    I almost forgot to pass along a link to a more comprehensive detailing of postfix’s anti-uce controls…. here. Also, in the last article I briefly mentioned whitelisting. IF you intend to have several blacklists active it will pay to learn how to whitelist before you HAVE to. To do so, I simply created a text file at /etc/postfix/whitelist and in that file you enter an IP address or hostname followed by OK…. like this….

    1.2.3.4 OK
    goodmachine.com OK

    But… of course, there’s a bit more.

    (more…)

  • More postfix spam blocking….

    Postfix has a NUMBER of tools for rejecting unwanted messages before they get in the door and waste your CPU time on deciding “hey this mail is spam”. Up until recently I’ve mostly used the relays.ordb.org check (which in the last couple months has now gone defunct.) When we started noticing problems with ordb.org’s responsiveness I planned to investigate other blacklisting options and found several. Obviously there are advantages and disadvantages to blacklisting. The first disadvantage is you have turned over control of blocking mail senders to an outside authority and you should familiarize yourself with THEIR policies for listing (and delisting) a server.

    (more…)

  • More rogue security software

    Wolves in sheep’s clothing…. from Sunbelt blog…. Watch out for pestcapture and “friends” (using dlls from spysheriff). Thanks to sunbelt for keeping their eyes open on the threat of wolves in sheepdog’s clothing…. It’s so frustrating having to explain to someone that the software they downloaded to solve their problems has become part of the problem…..

    (more…)

  • Strange net problems with a Netgear FS608 switch

    This was weird and now that the switch is replaced I haven’t been able to duplicate it, but let me explain. There was a netgear fs608 (8 port unmanaged) switch plugged into a linksys router (model number not noted.) The cable was straight (although the fs608 has support for link through straight or crossover cables.) This setup worked well for quite some time. 4 computers and a printer hooked up. 3 pcs with fixed addresses and 1 with DHCP for their IP address. Well, I had a call that two pcs were unable to connect to the network and when I got there and looked… sure enough, 169.**** IP addresses from Microsoft’s “auto configure” pool.

    (more…)

  • Nasty Javascript attack possibilities

    There were demonstrations of some nasty javascript attacks at Black Hat as well (as if the wireless driver issues weren’t a big enough problem…) Javascript is a powerful language and can be used for many things, but in these demonstrations, it was used to track recently visited sites (by the browser victim) and identify the IP address of the victim on the internal LAN AND to alter firewall settings. From the way I read the article at the Security Fix – this is changing HARDWARE firewall settings.

    (more…)