MoonPoint Support Logo

 

Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
May
Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          
2004
Months
Jan Feb Mar
Apr MayJun
Jul Aug Sep
Oct Nov Dec


Mon, May 10, 2004 8:36 pm

Bogon Block

I received an email today advertising "FDA approved druugs". This spam message was filled with misspellings, e.g. "Special Offeer for limiteed time only", "Saave upt to 70% now", and "Clickk heree to saave 70%+", a technique spammers use in an effort to bypass spam filters which look for common phrases often found in spam. When I checked the originating IP address in the email headers, I saw an IP address of 77.119.208.80. I checked that address in a number of block lists without finding it listed. However, when I tried dr. Jorgen Mash's DNS database list checker, I found the address listed as a "bogon".

A bogon is an IP address that should not normally be routed on the Internet. Some address blocks, e.g. the private address block 192.168.xxx.xxx, are not normally routed on the Internet, because they are reserved for special uses. The Bogon IPs webpage provides a means to check on whether a particular address is a bogon. The List of all Bogon IPs in Netrange format shows that the range 71.0.0.0 - 79.255.255.255 contains unallocated or reserved address space. And the Internet Assigned Numbers Authority, which is the organization that allocates IP address space, lists addresses beginning with 77 as reserved addresses. So I should not be seeing this address as a source IP address for an email address. The fact that it is listed as the origination point for the message indicates it is likely from a system being used for dubious purposes, such as the transmission of spam.

The Completewhois Project provides a DNS block list bogons.dnsiplists.completewhois.com that can be used with sendmail to automatically block email from bogons. They also provide other subsets of the complete block list, which are listed on their Using IP Lists page.

I added their block list to those I have sendmail check each incoming message against by taking the following steps:

  1. I added the following line beneath the FEATURE(`blacklist_recipients')dnl line in /etc/mail/sendmail.mc:

    FEATURE(`dnsbl', `bogons.dnsiplists.completewhois.com', `"550 Mail from " $`'&{client_addr} " refused see http://www.completewhois.com/bogons/"')dnl

  2. I then issued the command below

    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

  3. I then stopped and restarted sendmail with the command below

    /etc/init.d/sendmail restart

References:

  1. Bogon IPs
  2. Internet Protocol V4 Address Space

[/network/email/spam] permanent link

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo