# ASN-Blocklist



## Mun (Aug 2, 2014)

In regards to this thread: 

I have built a PHP applet that pulls data from bgp.he.net once a week and builds a block list for a few different ASNs. The block lists currently come in the form of:

- Nginx deny conf file.
- htaccess
- iptables commands and all in a text format.
- ipset commands and all in a text format.
- RAW IP list.

Currently the ASNs that are being processed are:

```
$asns[] = 'AS6079'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI
```

You can check it out here: https://cdn.content-network.net/tools/asn-blocklist/
I am looking for suggestions on file formats / configs that you would like to have built for as well. I need an example file and what the best way of building it would be. I.e. best practices.

I am also looking for suggested ASNs that should be watched and the reason why they should be blocked. Like mass spam, SSH brute forces, et cetera.

Anyways, let me know how you like it!

Mun

EDIT: *UPDATE: Check out this handy tool to block via ASN: https://www.enjen.net/asn-blocklist/*


----------



## TruvisT (Aug 2, 2014)

This is very nice! Throw these IPs up at the firewall level to keep spam out.


----------



## Aldryic C'boas (Aug 2, 2014)

Why are you including our ASN on a blocklist populated with known spam points, @Mun?


----------



## Mun (Aug 2, 2014)

Aldryic C said:


> Why are you including our ASN on a blocklist populated with known spam points, @Mun?



edit: I added frantech to the list, as to why you would use it is beyond me, but I know we have some CC lovers around here/there and I think they may like blocking Frantech for the simple reason they can.


----------



## SkylarM (Aug 2, 2014)

Aldryic C said:


> Why are you including our ASN on a blocklist populated with known spam points, @Mun?


Everyone should fear the stampede of Ponies.


----------



## Aldryic C'boas (Aug 2, 2014)

So why didn't you add other hosts that don't get along with CC?  Why are we just randomly thrown in with a batch of spam points with no real justification?

That's fairly akin to me publishing a list of known scammers/frauders, and including you "just in case someone wanted to block you".  Even though you're listed by *default*.


----------



## Mun (Aug 2, 2014)

Aldryic C said:


> So why didn't you add other hosts that don't get along with CC?  Why are we just randomly thrown in with a batch of spam points with no real justification?


I know mtwiscool wanted it. He said you spam him with good advice all the time.


----------



## Aldryic C'boas (Aug 2, 2014)

Oh, you're still sore over some personal issue.  Sad to see that you have to resort to adding a company's ASN on a very misleading blocklist as being blocked by default due to your personal vendetta.


----------



## Mun (Aug 2, 2014)

Aldryic C said:


> Oh, you're still sore over some personal issue.  Sad to see that you have to resort to adding a company's ASN on a very misleading blocklist as being blocked by default due to your personal vendetta.


ROFL, I'm not mad at all, and nowhere have I suggested people use all the block lists, it is funny how badly you are reacting to this. I did it for laughs and giggles, but since you are pouting so bad about it I'll remove it.

Ohh Aldryic.


----------



## Aldryic C'boas (Aug 2, 2014)

Any reasonable company would react the same way to someone listing them alongside known dirty entities.  As I said before, it would be the same as me releasing a list of known scammers, and including you in said list "for giggles".


----------



## Mun (Aug 2, 2014)

Aldryic C said:


> Any reasonable company would react the same way to someone listing them alongside known dirty entities.  As I said before, it would be the same as me releasing a list of known scammers, and including you in said list "for giggles".


Rolls eyes, ohh Aldryic. It's ok, pats you on the head, everything will be ok in a little bit. Ohh look a new mtwiscool thread, go get it!


----------



## Aldryic C'boas (Aug 2, 2014)

Your trolling needs a good bit of work.  Just so you're aware - when you try too hard, as you're doing now?  It only makes it all the more obvious how desperate, how _badly_ you need me to react in order to justify whatever... thing you have going on.  Only makes yourself look bad, kiddo.


----------



## Mun (Aug 2, 2014)

Aldryic C said:


> Your trolling needs a good bit of work.  Just so you're aware - when you try too hard, as you're doing now?  It only makes it all the more obvious how desperate, how _badly_ you need me to react in order to justify whatever... thing you have going on.  Only makes yourself look bad, kiddo.


100% worth it.


----------



## mojeda (Aug 2, 2014)

The way I see this "project" now, is that someone can block your ASN for shits-n-giggles.

My suggestion, open source it and allow people to develop their own list of blocked ASNs.


----------



## SkylarM (Aug 2, 2014)

Why is B2net missing from this?!


----------



## drmike (Aug 2, 2014)

`$asns[] = 'AS6079'; // Colocrossing`

Unsure if you made a typo @Mun or what.

ColoCrossing =  AS36352

http://bgp.he.net/AS36352

-------------------------------------------------------------------

So if you just are scraping BGP.HE.NET, you are likely:

1. Missing IPs allocated to entity (where such hasn't been routed yet but issued to such) or such IPs have been recently issued.

2. You may or may not be including upstream allocated IPs - like datacenters who issue blocks to a provider or a backbone provider/upstream that does.

3. There are likely IPs ported to said networks, that are not IPs that such company owns or controls.  Rather as we are seeing more and more, people are making IP arrangements elsewhere and porting their rented/leased IPs to other networks.  These people are often proactive and not part of the silly mess (likely porting due to silly mess on such networks).

Know we have gone back and forth about collateral innocent providers downstream getting dinged.  Banning ASNs blindly like this will cause such wrong dingings.   I see a need for these sorts of tools and I THANK YOU for creating such.  Big picture I think we need some feature enhancements to re-parse/sub parse things to eliminate various things, provide for whitelisting, etc.


----------



## DomainBop (Aug 2, 2014)

My suggestions would be long time favorites:

Ecatel AS29073 - the only people in the world who define "free speech" as warez, botnets, DDoS, and kiddieporn

Ubiquity / Nobis Tech AS15003 - spam

Psychz Networks AS40676 - evil attack bots

Hostnoc AS21788 - spam, comment spammers

Hostkey AS57043 - home to many Russian bots, attackers


----------



## Mun (Aug 2, 2014)

CC fixed, I'm not sure what happened there at all and I am confused on how I got it.....

You are very much right, blocking full ASNs is very very tricky. Yes I know some hosts will be in collateral damage, and that is why: http://cdn.content-network.net/tools/cc-blocklist/ the CC-blocklist was made, which is only allocations with "colocrossing" in the name.

I honestly doubt anyone will actually use the list or files. Sorta why I was joking with Aldryic, as you really need to understand that you are blocking a whole chunk of the internet with a blanket when there is good and bad. Frankly anyone stupid enough to just take my lists and use them without looking deserves getting slightly smacked by it.


```
$asns[] = 'AS54290'; // Hostwinds
$asns[] = 'AS33387'; //datashack
$asns[] = 'AS36352'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI
```


----------



## Mun (Aug 2, 2014)

DomainBop said:


> My suggestions would be long time favorites:
> 
> Ecatel AS29073 - the only people in the world who define "free speech" as warez, botnets, DDoS, and kiddieporn
> 
> ...



Added, thank you!


```
$asns[] = 'AS29073'; // ecatel
$asns[] = 'AS15003'; //Nobis Tech
$asns[] = 'AS40676'; // psychz
$asns[] = 'AS21788'; //burst
$asns[] = 'AS57043'; //hostkey
$asns[] = 'AS54290'; // Hostwinds
$asns[] = 'AS33387'; //datashack
$asns[] = 'AS36352'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI
```


----------



## drmike (Aug 2, 2014)

Really is a good need for this sort of stuff @Mun.  Making the scripts "flexible" for users to self generate blocklists based on their whims would do a ton of good.  Whims might be only where company name matched or entire ASN.  Might include whitelist concept too.  Seems like a lot, but really isn't.

I recommend an option to include the TOP 10 Spamhaus shit-company-networks:

http://www.spamhaus.org/statistics/networks/

Catch there, is that said script would need to parse such, locate ASN relationship.


----------



## Mun (Aug 2, 2014)

drmike said:


> Really is a good need for this sort of stuff @Mun.  Making the scripts "flexible" for users to self generate blocklists based on their whims would do a ton of good.  Whims might be only where company name matched or entire ASN.  Might include whitelist concept too.  Seems like a lot, but really isn't.
> 
> I recommend an option to include the TOP 10 Spamhaus shit-company-networks:
> 
> ...


I honestly don't mind making it flexible so people can make it for any ASN, the problem is people will cause it to eventually get blocked because of too many lookups. I actually would like to make a block list for every ASN. Currently though I am just doing what people suggest, and yes I want suggestions for whatever reason you may like.

I'll add those top 10 to the list as soon as I can find their ASNs. ("i'm going to do it manually for now").


----------



## Mun (Aug 2, 2014)

Is this Softbank? http://bgp.he.net/AS17676#_prefixes


----------



## drmike (Aug 2, 2014)

Mun said:


> I honestly don't mind making it flexible so people can make it for any ASN, the problem is people will cause it to eventually get blocked because of too many lookups. I actually would like to make a block list for every ASN. Currently though I am just doing what people suggest, and yes I want suggestions for whatever reason you may like.
> 
> I'll add those top 10 to the list as soon as I can find their ASNs. ("i'm going to do it manually for now").


Trick here to limit ban/block is to cache priors and keep them for 24 hours I'd say.  If the tool still gets blocked then other methods to work around. 

I use BGP.HE.NET quite a bit and haven't been blocked or CAPTCHA'd yet...


----------



## drmike (Aug 2, 2014)

Mun said:


> Is this Softbank? http://bgp.he.net/AS17676#_prefixes


That is probably an old tiny piece of Softbank.  Softbank matches are numerous.

This is certainly one - north of 2 million IPs:

http://bgp.he.net/AS4725


----------



## drmike (Aug 2, 2014)

Mun said:


> Is this Softbank? http://bgp.he.net/AS17676#_prefixes


Oh yeah

http://bgp.he.net/AS17676

Which you posted - yep = them = IPs Originated (v4): 44,526,080


----------



## Mun (Aug 2, 2014)

Current list:

```
$asns[] = 'AS29073'; // ecatel
$asns[] = 'AS15003'; //Nobis Tech
$asns[] = 'AS40676'; // psychz
$asns[] = 'AS21788'; //burst
$asns[] = 'AS57043'; //hostkey
$asns[] = 'AS54290'; // Hostwinds
$asns[] = 'AS33387'; //datashack
$asns[] = 'AS36352'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI
$asns[] = 'AS17676'; // Softbank.co.jp
$asns[] = 'AS4134'; // Chinanet-hb
$asns[] = 'AS4808'; // Unicom
$asns[] = 'AS10013'; // DTI.ad.jp
$asns[] = 'AS23818'; // Jet.ne.jp
$asns[] = 'AS33028'; // vexxhost.com
$asns[] = 'AS4725'; // Softbank
$asns[] = 'AS29761'; // quadranet
$asns[] = 'AS62638'; // Query Foundry
```


----------



## DomainBop (Aug 2, 2014)

drmike said:


> I recommend an option to include the TOP 10 Spamhaus shit-company-networks:
> 
> http://www.spamhaus.org/statistics/networks/


I probably wouldn't block the majority of the companies on the Top 10 list because most of them are giant telecoms/ISPs and you'll end up blocking half of an entire country (or in the case of Softbank which also owns 80% of Sprint in the US, multiple countries).  Blocking Softbank or China Telecom/China Unicom is like blocking Verizon or Comcast: you'll be blocking a lot of residential users and enterprise level businesses.


----------



## Mun (Aug 2, 2014)

DomainBop said:


> I probably wouldn't block the majority of the companies on the Top 10 list because most of them are giant telecoms/ISPs and you'll end up blocking half of an entire country (or in the case of Softbank which also owns 80% of Sprint in the US, multiple countries).  Blocking Softbank or China Telecom/China Unicom is like blocking Verizon or Comcast: you'll be blocking a lot of residential users and enterprise level businesses.


I'm leaving that up to the individual. It is their server, they should know and understand what they are doing with a block list.

Also anyone willing to make me a readme file for how this stuff works, and words of caution.


----------



## Mun (Aug 2, 2014)

Do ipset and iptables support IPv6 anywhere? If not I will add a special line to ignore IPv6 addresses so they won't be put in the config files for iptables or ipset.

Mun


----------



## drmike (Aug 2, 2014)

DomainBop said:


> I probably wouldn't block the majority of the companies on the Top 10 list because most of them are giant telecoms/ISPs and you'll end up blocking half of an entire country (or in the case of Softbank which also owns 80% of Sprint in the US, multiple countries).  Blocking Softbank or China Telecom/China Unicom is like blocking Verizon or Comcast: you'll be blocking a lot of residential users and enterprise level businesses.


definitely going to need ***** WARNING ***** to go slapped in the readme file Mun needs/wants- should come up in directory where files are and also commented at the top of the block lists.

I talked with geniuses about best approach for blocking these ranges and such being portable and fast.

Conclusion is that iptables and ipset (faster and better) aren't available notably on OVZ containers (usually).

Sub-blocking like in Nginx for instance is downstream in the stack, so still letting stuff in the front door.

The solution, and supposedly really fast, is to use *route blackhole*.

Example: `ip route add blackhole 23.249.160.128/25`

That *should* work on KVM, OVZ, dedis, etc. without any special modules.  Please add this block method @Mun to your scripts.
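As an added example (not Mun's PHP applet), the generator below ties together the formats from the opening post, the whitelist idea drmike raised earlier, the `ip route add blackhole` method just described, and Mun's plan to keep IPv6 entries out of the iptables/ipset files. It consumes the raw "one CIDR per line" list the tool publishes; the ipset name, the whitelist and the sample prefixes are constructed for the example.

```python
"""Build an ASN block list in every format the thread discusses from a raw
"one CIDR per line" list, carving out a whitelist and keeping IPv6 entries
out of the IPv4-only iptables/ipset files."""
import ipaddress

SET_NAME = "asn-blocklist"  # assumed ipset name; the original tool's is unknown

# Constructed sample input (documentation ranges, not any real ASN's prefixes).
RAW_PREFIXES = """\
198.51.100.0/24
198.51.100.0/25      # already covered by the /24 above
203.0.113.0/24
203.0.113.64/26      # also covered; the /24 is partly whitelisted below
2001:db8:1::/48
"""

# Constructed whitelist: a known-good customer block inside 203.0.113.0/24.
WHITELIST = ["203.0.113.0/26"]


def parse_prefixes(text):
    """Parse CIDR lines; '#' comments and blank lines are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def carve(net, allow):
    """Return the parts of `net` that are not covered by whitelisted `allow`."""
    if allow.version != net.version or not allow.overlaps(net):
        return [net]
    if net.subnet_of(allow):
        return []                              # whole prefix is whitelisted
    return list(net.address_exclude(allow))    # allow is a strict subnet


def build_prefix_set(nets, whitelist):
    """Apply the whitelist, then merge duplicates, overlaps and sibling pairs."""
    for allow in (ipaddress.ip_network(w, strict=False) for w in whitelist):
        nets = [part for net in nets for part in carve(net, allow)]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (sorted(ipaddress.collapse_addresses(v4)),
            sorted(ipaddress.collapse_addresses(v6)))


def render(v4, v6):
    """Emit each output format. iptables/ipset are IPv4 only; nginx, htaccess
    and the blackhole routes take both address families."""
    both = v4 + v6
    return {
        "raw": [str(n) for n in both],
        "nginx": [f"deny {n};" for n in both],
        "htaccess": [f"Deny from {n}" for n in both],
        "iptables": [f"iptables -A INPUT -s {n} -j DROP" for n in v4],
        "ipset": [f"ipset create {SET_NAME} hash:net"]
                 + [f"ipset add {SET_NAME} {n}" for n in v4]
                 + [f"iptables -A INPUT -m set --match-set {SET_NAME} src -j DROP"],
        "ip-route-blackhole": [f"ip route add blackhole {n}" for n in v4]
                              + [f"ip -6 route add blackhole {n}" for n in v6],
    }


def build_lists(raw_text, whitelist=()):
    """Raw prefix text (plus optional whitelist) -> {format: [lines]}."""
    v4, v6 = build_prefix_set(parse_prefixes(raw_text), whitelist)
    return render(v4, v6)


if __name__ == "__main__":
    for fmt, lines in build_lists(RAW_PREFIXES, WHITELIST).items():
        print(f"### {fmt}")
        print("\n".join(lines))
```

Whitelisting splits a containing prefix into the pieces that remain blocked, so a single customer block can be exempted without losing the rest of the range.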


----------



## DomainBop (Aug 2, 2014)

Mun's list seems to be causing a bit of butthurt on LET 

Alex Vial: _"So you're going to use LET to advertise a way to try to block CC, including LET. Brilliant."_

Jon Biloh: _"Might want to add quadranet and query foundry to the list, both have been in the top five for months at sender base for spam."_


----------



## drmike (Aug 2, 2014)

And, using BGP.HE.NET will result in a mega ton of overhead as blocking the tiny chunks they spit out to customers.  This is lots of overhead and will get ugly with HUGE networks or collectively.

I said about ARIN and the direct route of issuance based large block, ehh blocking.

This is what is in CC's hands.  I haven't vetted to make sure everything is in there / included in these larger blocks, but ARIN is supposedly brass tacks serious about ASN = account = your stuff in one pile:

http://whois.arin.net/rest/org/VGS-9/nets

(thanks to fellow that sent that my way)

Looking up other ASNs well, if they aren't on ARIN issuance, would be going to ARIN counterparts abroad - more complexity.

But as you see, tidy list there and includes the upstream issued blocks (which CC lately has begun to soil with spammers - see ServerCentral).


----------



## drmike (Aug 2, 2014)

DomainBop said:


> Mun's list seems to be causing a bit of butthurt on LET
> 
> Alex Vial: _"So your going to use LET to advertise a way to try to block CC, including LET. Brilliant."_
> 
> Jon Biloh: _"Might want to add quadranet and query foundry to the list, both have been in the top five for months at sender base for spam."_


Fuck Jon Biloh, he shoots his cannon at companies who he is asshurt with or by.

He's dipping on Quadranet - probably owes  invoices / back cashola.  Can't deliver ordered servers in LAX at CC in over 2 MONTHS.  Can't issue clean IPs there period. I know CC can't afford the Quadranet house blend BW cause he went fucking ghetto BW with Zayo single homed outbound and a nick of nLayer mixed with Zayo on the inbound.

As for Vial, fuck him too.   They used LET as a corruption vector to bash competitors for how long now?   They lied their ass off for a year plus.

No fucking where on LET or LEB does it say or declare who owns the hog pit.  Closest we get is a GRAPHIC that says it is HOSTED BY COLOCROSSING.   No About information, no privacy information, no DMCA address info, nothing.  Still deceiving the casual reader on LET / LEB they are.


----------



## Mun (Aug 2, 2014)

@drmike

Like this: https://cdn.content-network.net/tools/asn-blocklist/AS36352/ip-route-blackhole.txt

Also, it's hard to use ARIN like that, I would actually have to compute the masks in the script and a few other things. If I get a raw list like:

```
0.0.0.0/10
1.1.1.0/20
5.5.5.0/24
```

it would be a lot easier to handle. Anything like that on ARIN?


----------



## drmike (Aug 2, 2014)

and while I am f'boming CC,  I think it's shit naming your customer a spammer like Biloh just did supposedly in public and fingering QueryFoundry.

Fact is, I looked at QF recently,  they have a lot of outgoing email (likely a legit customer).  There have been some Spamhaus entries back to them (today I think 2+).  

I am inclined to believe QF is running legit customer with outbound email or I would have papered them into a hole a month back.

I'll let the QueryFoundry folks defend themselves.  Paging @concerto49.


----------



## MannDude (Aug 2, 2014)

drmike said:


> No fucking where on LET or LEB does it say or declare who owns the hog pit.  Closest we get is a GRAPHIC that says it is HOSTED BY COLOCROSSING.   No About information, no privacy information, no DMCA address info, nothing.  Still deceiving the casual reader on LET / LEB they are.


http://lowendbox.com/about/ == "LowEndBox is part of the VSNX family. We appreciate your feedback, please don’t hesitate to let us know how we’re doing at our help desk."

As far as LET goes. Still no publicly visible claim.


----------



## drmike (Aug 2, 2014)

MannDude said:


> http://lowendbox.com/about/ == "LowEndBox is part of the VSNX family. We appreciate your feedback, please don’t hesitate to let us know how we’re doing at our help desk."
> 
> As far as LET goes. Still no publicly visible claim.


See that little chime in they did right there, that's sheer rubbish.

It's in a FAQ of sorts.  It is the very last line in paragraphs with the title of:

"*Q. What information do you need to publish my offer?"*

Further, there is zero link to VSNX there.  Where else is VSNX listed or known? Nowhere.

In Google, a search for VSNX =

VSNX - Velocity Servers Network Exchange
vsnx.net/

Get Quotes Results for VSN... - Symbol Lookup from Yahoo ...
finance.yahoo.com/q?s=VSNX

etc.

Which VSNX is it  ?

You would THINK, that even if they were pretending to do this right, they'd create a HREF to their site.  And such site was actually current, correct, etc. And they'd link / mention such ON THEIR FOOTER.   Cause VSNX now within page says:

*"The company's first brand, Velocity Servers, maintains its position as a market leader in the latency sensitive game hosting arena. Entering its sixth year of operations, Velocity's acute awareness for customer service and excellent performance ensures a firm grasp as one of the world's top five game server providers. First conceptualized in late 2005, Summit is the brain child of two Cisco Engineers."*

Which is a bunch of lies.  Sixth year is likely ahh wrong, but they like to change year that they started.  Customer service, bahahaha.   Excellent performance - bahahaha.  Top 5 game server provider, WRONG. 

Two Cisco engineers?  Yeah, never happened.  Summit was one very smart fellow we have lingering here, but Cisco engineer and someone else laying claim to such, come on.


----------



## drmike (Aug 2, 2014)

Mun said:


> @drmike
> 
> Like this: https://cdn.content-network.net/tools/asn-blocklist/AS36352/ip-route-blackhole.txt
> 
> ...


The ip route blackhole list looks right and good.  I just downloaded one and tested.  Look MOM, no more ColoCrossing.

So with ARIN:

http://whois.arin.net/rest/org/VGS-9/nets

There are links/URLs in that page 

Within one: http://whois.arin.net/rest/net/NET-198-144-176-0-1.html

2nd line therein:

CIDR 198.144.176.0/20

They have a proper REST interface for this supposedly. Unsure if that can help, or give better granular poking at the data.


----------



## Mun (Aug 2, 2014)

drmike said:


> The ip route blackhole list looks right and good.  I just downloaded one and tested.  Look MOM, no more ColoCrossing.
> 
> So with ARIN:
> 
> ...



Yeah, using that would take a ton of time as I would have to get each address space. Very very bandwidth consuming.... hmm rest would be nice.

I could possibly cache the results if I built a dynamic one. It wouldn't be too hard. I'm going to see what other people suggest and I might make it. Wouldn't be that hard.


----------



## drmike (Aug 2, 2014)

Mun said:


> Yeah, using that would take a ton of time as I would have to get each address space. Very very bandwidth consuming.... hmm rest would be nice.
> 
> I could possibly cache the results if I built a dynamic one. It wouldn't be too hard. I'm going to see what other people suggest and I might make it. Wouldn't be that hard.


These are one time grabs.

If you grab the main records page at ARIN, you only have to parse it and look for ranges you don't yet have stored in database.  Then deal with those one off.

The ranges and blocks ARIN doles out aren't going away any time soon.  Only changes thereto are new blocks added.  So your need to hit all the sub-records is slim to none - if you develop it properly to save such and use such.


----------



## concerto49 (Aug 2, 2014)

We've missed Spamcop and abusesix.org in the past. Maybe a few others. These are being addressed so they send it to our correct abuse address etc.


It's just been a problem due to all the integrations / acquisitions.


Email volume is also going down on SenderBase so things are being worked on. Can't just kill people off, so abuse is definitely going down.


Senderbase is just email volume and not necessarily spam. Having said that, will take a closer look too.


As to Biloh. I'm happy they haven't banned us already


----------



## Awmusic12635 (Aug 2, 2014)

drmike said:


> and while I am f'boming CC, I think it's shit naming your customer a spammer like Biloh just did supposedly in public and fingering QueryFoundry.
> 
> 
> Fact is, I looked at QF recently, they have a lot of outgoing email (likely a legit customer). There have been some Spamhaus entries back to them (today I think 2+).
> ...


Should have just one open. Created just today. We forward or deal with abuse the moment it comes in. The SBL is in the forwarded state awaiting response.


----------



## DomainBop (Aug 2, 2014)

> Senderbase is just email volume and not necessarily spam


They list both email volume and spam volume.

The Senderbase charts show daily Spam/Email volume.  To get a more accurate picture you should use that little search box at the top of the page AND give equal weight to both "Last Month Volume" and "Spam Sending Domains".  If both numbers are large then there is probably a problem.

| Network | July Monthly Volume | Spam Sending Domains | Comment |
|---|---|---|---|
| ColoCrossing | 7.8 | 310 | high spam volume + high number of spammers = problem network |
| Query Foundry | 7.8 | 3 | high volume but low number of spammers, so my guess would be they probably had the bad luck of having a couple of bad customers signup and I wouldn't hold it against them |
| B2 Net | 7.3 | 74 | biloh should have mentioned his buddies who are single homed to him |


----------



## Kris (Aug 2, 2014)

DomainBop said:


> B2 Net / 7.3 / 74 <-- biloh should have mentioned his buddies who are single homed to him


I can only imagine they're using that ASN now because they had more problems with ARIN and CC. 

Just watching the 138.x's mount up as they drain the internet of its last v4 resources. Since approval of future requests is based on previous allocation amounts, they're just stacking up the /22, /21, /20 and a /19.

Fucking sickening, that's all.

http://bgp.he.net/AS55286#_prefixes

Plus they forgot to change a few net block descriptions from ColoCrossing -> B2 Net... Wouldn't surprise me if all Vial did was manage ARIN resource requests, create bogus subnet allocations for 'customers'

Must get hard keeping up with all of the bullshit allocations they're given!


----------



## Mun (Aug 2, 2014)

I added b2net as well.


----------



## drmike (Aug 2, 2014)

Kris said:


> I can only imagine they're using that ASN now because they had more problems with ARIN and CC.
> 
> Just watching the 138.x's mount up as they drain the internet of its last v4 resources. Since approval of future requests are based on previous allocation amounts, they're just stacking up the /22, /21, /20 and a /19.
> 
> Fucking sickening, that's all.


See the Thank you button on this one just isn't enough.

Remember we both know and are seeing the spam flow up and outwards.  B2Net for sure.   ServerCentral issued IPs on Spamhaus 2x in past 2 weeks.

I am certain there is more, a sliver at best we aren't catching.

CC better order more IPs and get some competent network person to shuffleboard their IPs around.  Like I've been dropping here and there, it's damn hard to impossible to get clean IPs from CC in Los Angeles or Dallas.  LAX CC is about to fall into a fault line.


----------



## Mun (Aug 2, 2014)

https://cdn.content-network.net/tools/asn-blocklist/AS55286/ here they are now C=


----------



## Awmusic12635 (Aug 2, 2014)

Mun said:


> https://cdn.content-network.net/tools/asn-blocklist/AS55286/ here they are now C=


So I guess that's a no to removing us?

https://cdn.content-network.net/tools/asn-blocklist/AS62638/


----------



## drmike (Aug 2, 2014)

DomainBop said:


> Query Foundry / 7.8 / 3 <-- high volume but  low number of spammers so my guess would be they probably had the bad luck of having a couple of bad customers signup and I wouldn't hold it against them


QF in Senderbase just shows high volume and some IPs with poor ranking.

When I asked the owner @concerto49 he said they likely have some email sending companies as customers.  It's none of my business and that's sufficient to explain volume, it is what it is.   I'd rather hear that than jump to saying GROWL YOU HAVE SPAMMERS.

I can go back through my half baked archive and see how many QF Spamhaus entries we had in CC's ASN since I started the logging. There were a couple recently (past 48 hours~).

But, it is my understanding that CC may have issues with bad behavior notices not being sent/forwarded.  Perhaps someone from QF who handles ABUSE matters can speak in public about it.

Frankly I am fine with being able to fetch a list for any provider and block.  But QF, like BuyVM doesn't deserve the spot attention at this point.


----------



## Kris (Aug 2, 2014)

drmike said:


> I am certain there is more, a sliver at best we aren't catching.


Of course. But subscribing to the ARIN list of newly issued IPs / scoping them out daily is the most time I have the interest, and just watch them load up on IPs. 

*Seems they're so damn flooded with IPs (must be a lot of officer signing requests) they don't have the time to switch ColoCrossing -> B2 Net Solutions in the descriptions (or add anything)*

This is how I originally caught on to them, a BlueVM customer got a Hudson Valley Host IP. Mentioned it on LET, and I knew ColoCrossing wasn't SWIP'ing our IPs in the description. Looked at BGP.he.net, after we requested a /25 for a single machine. There were (7) /24's under Hudson Valley Host...  :huh:

A few days after it was brought up on LET, they were swiftly cleaned and changed to the company IP description umbrella of 'ColoCrossing'

Weird, innit?


----------



## Awmusic12635 (Aug 2, 2014)

drmike said:


> But, it is my understanding that CC may have issues with bad behavior notices not being sent/forwarded.  Perhaps someone from QF who handles ABUSE matters can speak in public about it.


We only get the forwarded SBL once it has already happened. Nothing before that


----------



## drmike (Aug 2, 2014)

So @Kris,   let's draw the point finer on this pencil.

HVH (when you were there) needed IPs (normal need).  CC probably asked for justification or info to BS the justification.  They then applied for and/or used HVH details to justify 7 /24's when all you asked for was ONE /25?

Fraud isn't it?


----------



## drmike (Aug 2, 2014)

Fliphost said:


> We only get the forwarded SBL once it has already happened. Nothing before that


But aren't there emails, warnings, etc. prior that other providers normally get?  Seems like CC is short circuiting the process with you.


----------



## Awmusic12635 (Aug 2, 2014)

drmike said:


> But aren't there emails, warnings, etc. prior that other providers normally get?  Seems like CC is short circuiting the process with you.


My assumption is that it probably has to do with instances such as spamcop not even bothering to send them reports anymore because of them not acting on it. But yes you are correct, no warnings or reports before the SBL.


----------



## Mun (Aug 2, 2014)

Fliphost said:


> We only get the forwarded SBL once it has already happened. Nothing before that


The problem is that this service got turned into a "bad network providers list". This is one reason I added Frantech to the list, until it was made such a big deal of. The point is you should only block networks that you see the need to do so, and blocking networks for simply being there is idiotic and wrong.

This is one of the reasons why I am currently thinking about changing how I run the applet and making it possibly fully dynamic so anyone can build a list for any ASN.


----------



## Awmusic12635 (Aug 2, 2014)

Mun said:


> The problem is that this service got turned into a "bad network providers list". This is one reason I added Frantech to the list, until it was made such a big deal of. The point is you should only block networks that you see the need to do so, and blocking networks for simply being there is idiotic and wrong.
> 
> This is one of the reasons why I am currently thinking about changing how I run the applet and making it possibly fully dynamic so anyone can build a list for any ASN.


In the case of our own network, the one you had in the block list, we get all notifications and reports of spam and deal with them very quickly. 99% of the time no SBL. In the previous case I was mentioning what it is like at CC. Feel free to block them, I don't mind.


----------



## Mun (Aug 2, 2014)

Fliphost said:


> In the case of our own network, the one you had in the block list, we get all notifications and reports of spam and deal with them very quickly. 99% of the time no SBL. In the previous case I was mentioning what it is like at CC. Feel free to block them, I don't mind.



The problem is I am being now put in the position of being a judge of whom should get listed on my list and if they should be taken off. This wasn't the goal at all.

Honestly I think I will whip up an app tonight that should allow people to make ASN block lists for whatever ASN they want.

If anyone knows the ARIN rest interface and how to use it I would love a little how to. If not I will base the new app once again on bgp.he.net and I'll just cache the results from it for a day to prevent getting blocked.

Mun


----------



## drmike (Aug 2, 2014)

Mun said:


> The problem is I am being now put in the position of being a judge of whom should get listed on my list and if they should be taken off. This wasn't the goal at all.
> 
> Honestly I think I will whip up an app tonight that should allow people to make ASN block lists for whatever ASN they want.
> 
> ...


I wouldn't be put in the role of having to decide these things.  Just create the README notices and the means to snag any ASN.

Straight ASN based blocks will be incomplete, but, warning on that also.

*I will whip up an app tonight that should allow people to make ASN block lists for whatever ASN they want.*

+1 for that.  That's the approach I'd take.


----------



## Aldryic C'boas (Aug 2, 2014)

Mun said:


> The problem is I am being now put in the position of being a judge of whom should get listed on my list and if they should be taken off. This wasn't the goal at all.


That was a problem of your own creation. You made your intentions very clear posting that initial list, and tried very hard to backpedal out of it after being called on it.  "Joking with people" is one thing - but you're making a very clear statement that the ASNs your script blocks deserve to be blocked, by virtue of being included. If you have a legitimate reason to do so, then that's all fine and dandy. But when you add a company to an "ASN Blocklist" _for the lulz_, especially on a public thread, you're positing that you believe they should be blocked.  Yes, the companies you have wrongfully accused are going to take offense to this.


You really should stop trying to hide behind the _"The point is you should only block networks that you see the need to do so, and blocking networks for simply being there is idiotic and wrong."_ excuse. Your attempts to bait me earlier made it very clear that Frantech was on that list to try and get a rise out of us - don't try to just play that off as a joke. Your actions have consequences, for you and others - have the fortitude to stand behind the things you do instead of trying to play the _all just a joke_ card when you get scrutinized for it.


----------



## Mun (Aug 2, 2014)

Why are you so insecure?


----------



## Aldryic C'boas (Aug 2, 2014)

Funny you should ask that, given that you seem to be the one in the habit of resorting to insults and childish behaviour when a fault of yours is confronted.  Nobody likes to see a tantrum, and the only one impressed by your antics is... you.  Don't be that kid - own up to your faults, work to improve them.


----------



## Mun (Aug 2, 2014)

Aldryic C said:


> Funny you should ask that, given that you seem to be the one in the habit of resorting to insults and childish behaviour when a fault of yours is confronted.  Nobody likes to see a tantrum, and the only one impressed by your antics is... you.  Don't be that kid - own up to your faults, work to improve them.


I already fixed your "issue" a bunch of posts ago, yet you keep bringing it up for no reason other than to rub it in my face, it seems, and you are calling me childish?

In all actuality if I had left you there it would have made the point fully clear, I do not make the decisions on what goes on the list and it is a list that shouldn't be blankly used.


----------



## Aldryic C'boas (Aug 2, 2014)

Mun said:


> In all actuality if I had left you there it would have made the point fully clear, I do not make the decisions on what goes on the list and it is a list that shouldn't be blankly used.


How so?  Aren't you the one compiling the list?  Isn't this *your* project?  Unless you've got someone over your shoulder, telling you what to do, then it is your list to add/remove from as you see fit.  And you're correct on the latter - no third party code should ever be 'blankly used', especially from an untrusted source.  But you've been around here for awhile, people tend to listen to what you say (as evidenced by this thread) - the onus is on you to be careful with _what_ you say.  Or, you could just start opening your submission threads with a disclaimer that your work is not to be trusted without modification.



Mun said:


> I already fixed your "issue" a bunch of posts ago, yet you keep bringing it up for no reason other than to rub it in my face, it seems, and you are calling me childish?


I bring it up to hopefully impress upon you the importance of accountability.  A better question would be, why are you making such a fuss over polite explanations and suggestions?  Surely you cannot be so utterly _petty_ that you have to fall back to insults and juvenile discourse whenever someone points out your shortcomings?  Are ye not capable of civil rhetoric?


----------



## Mun (Aug 2, 2014)

Aldryic C said:


> How so?  Aren't you the one compiling the list?  Isn't this *your* project?  Unless you've got someone over your shoulder, telling you what to do, then it is your list to add/remove from as you see fit.  And you're correct on the latter - no third party code should ever be 'blankly used', especially from an untrusted source.  But you've been around here for awhile, people tend to listen to what you say (as evidenced by this thread) - the onus is on you to be careful with _what_ you say.  Or, you could just start opening your submission threads with a disclaimer that your work is not to be trusted without modification.
> 
> I bring it up to hopefully impress upon you the importance of accountability.  A better question would be, why are you making such a fuss over polite explanations and suggestions?  Surely you cannot be so utterly _petty_ that you have to fall back to insults and juvenile discourse whenever someone points out your shortcomings?  Are ye not capable of civil rhetoric?


I am not making a fuss over it, I already ended it a few pages back and I dropped it there. You should as well.


----------



## Aldryic C'boas (Aug 2, 2014)

Aldryic C said:


> How so?  Aren't you the one compiling the list?  Isn't this *your* project?  Unless you've got someone over your shoulder, telling you what to do, then it is your list to add/remove from as you see fit.  And you're correct on the latter - no third party code should ever be 'blankly used', especially from an untrusted source.  But you've been around here for awhile, people tend to listen to what you say (as evidenced by this thread) - the onus is on you to be careful with _what_ you say.  Or, you could just start opening your submission threads with a disclaimer that your work is not to be trusted without modification.


----------



## texteditor (Aug 2, 2014)

Another successful venture into Munposting


----------



## drmike (Aug 2, 2014)

Oh can't we all just get along  ?

Ald and myself need a fake spat.  Imagine that. Full paragraphs, logic, lotsssss of responses. Bahaha.

Hey Ald, Pepsi!


----------



## Mun (Aug 2, 2014)

drmike said:


> Oh can't we all just get along  ?
> 
> Ald and myself need a fake spat.  Imagine that. Full paragraphs, logic, lotsssss of responses. Bahaha.
> 
> Hey Ald, Pepsi!


I like coke, thank you.


----------



## Aldryic C'boas (Aug 2, 2014)

ahahaha, indeed 

I do find the _"I do not make the decisions on what goes on the list"_ a really odd statement though.  It's possible he simply meant that he shouldn't be held responsible for how it's used... but the phrasing makes it sound like someone's twisting his arm to include particular ASNs >_>


----------



## Schultz (Aug 3, 2014)

So all I've managed to comprehend from this thread is that Aldryic is butthurt.


----------



## Mun (Aug 3, 2014)

Boxode said:


> So all I've managed to comprehend from this thread is that Aldryic is butthurt.


Have any ASNS you want blocked or config file formats I should export in?


----------



## Profuse-Jim (Aug 4, 2014)

Might as well block all the major colo and dedicated server providers.


----------



## QuadraNet.Dustin (Aug 6, 2014)

Profuse-Jim said:


> Might as well block all the major colo and dedicated server providers.


lol. Hi Jimmy!!


----------



## TruvisT (Aug 6, 2014)

Profuse-Jim said:


> Might as well block all the major colo and dedicated server providers.


And the NSA and other 3 letter groups!


----------



## Francisco (Aug 7, 2014)

Boxode said:


> So all I've managed to comprehend from this thread is that Aldryic is butthurt.


I wouldn't take it as butt hurt, it's more that OP is turning a project into a joke (even if it's the OP's own project). As Aldryic said, if there's a valid reason for an ASN to be there then put it and detail why (on a website, an included file, etc). People shouldn't blindly just execute vats of commands in a random BASH script but.. they do.

It might be 'nicer' to even make the bans block for a destination port. Have an ISP that doesn't have spam issues but has nothing but a crap load of brutes? Just block port 22 and hopefully it'll get brought to someone's attention at some point.

There's a lot of people that see lists like this and apply them in hopes of "fixing" things incorrectly.

We have a client that was getting a layer 7 flood and instead of ticketing us, they applied an IP block list that allowed about a /14 total of random IP space to access his VM (while blocking the rest of the world) then logs a bunch of tickets against us claiming everything is down (no shit Sherlock).

Francisco
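The port-scoped ban suggested above, as an added example that is not the thread's tool or Francisco's code: it turns a per-ASN prefix list (the RAW IP list format the tool exports) into ipset and iptables commands that drop only traffic to one destination port. The ASN number, set name and prefixes below are constructed samples from reserved documentation ranges.

```shell
#!/bin/sh
# Added example: block one destination port (e.g. SSH) for every prefix of an
# ASN, instead of dropping all traffic from it. Commands are printed, not
# executed, so they can be reviewed before being applied.

# Constructed sample prefix list, one CIDR per line, in the tool's RAW IP
# list format. Blank lines and '#' comments are ignored by the generator.
SAMPLE_PREFIXES='# AS64496 (constructed example ASN, reserved by RFC 5398)
192.0.2.0/24
198.51.100.0/24

203.0.113.0/24'

# Emit the ipset commands that create a hash:net set and populate it.
# $1 = set name; the prefix list is read from stdin. -exist makes the
# commands idempotent so a weekly rebuild can be re-applied safely.
gen_ipset() {
  set_name="$1"
  printf 'ipset create %s hash:net -exist\n' "$set_name"
  # Keep only lines that look like an IPv4 CIDR; drops comments and blanks.
  grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$' |
    while IFS= read -r cidr; do
      printf 'ipset add %s %s -exist\n' "$set_name" "$cidr"
    done
}

# Emit one iptables rule that drops new TCP connections from the set to a
# single destination port only. $1 = set name, $2 = destination port.
# Existing connections and every other port are unaffected.
gen_iptables_rule() {
  printf 'iptables -I INPUT -p tcp --dport %s -m set --match-set %s src -m conntrack --ctstate NEW -j DROP\n' "$2" "$1"
}

# Full rule set for one ASN and port, prefix list on stdin.
gen_port_block() {
  gen_ipset "$1"
  gen_iptables_rule "$1" "$2"
}

# Stand-alone demo: SSH-only block for the constructed ASN.
printf '%s\n' "$SAMPLE_PREFIXES" | gen_port_block as64496_ssh 22
```

Pipe the output to `sh` only after reviewing it; the ipset has to exist before the iptables rule that references it, which is why the set is emitted first.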


----------



## Mun (Aug 7, 2014)

TruvisT said:


> And the NSA and other 3 letter groups!


Huh, that is a good idea. Do the NSA and FBI have ASNs?


----------



## Wintereise (Aug 7, 2014)

Mun said:


> Huh, that is a good idea. Do the NSA and FBI have ASNs?


While they do, their investigative work originating from those prefixes would be *too easy*.

Your sarcasm detector is broken.


----------



## Mun (Aug 7, 2014)

Wintereise said:


> While they do, their investigative work originating from those prefixes would be *too easy*.
> 
> Your sarcasm detector is broken.


I know. Still some people may have an actual reason to block them.


----------



## concerto49 (Aug 8, 2014)

Mun said:


> I know. Still some people may have an actual reason to block them.


You can't block them.


----------



## DomainBop (Aug 8, 2014)

concerto49 said:


> You can't block them.


Yes you can.


----------



## Mun (Aug 8, 2014)

concerto49 said:


> You can't block them.


You can block their ASN, but there are ways for them to get around it, as with everything on the internet.


----------



## trewq (Aug 10, 2014)

King Hermes said:


> Good job i might test this sir.


Please stop all these useless comments. You're clogging the New Posts feed with useless crap and old threads.


----------



## mojeda (Aug 10, 2014)

trewq said:


> Please stop all these useless comments. You're clogging the New Posts feed with useless crap and old threads.


Don't worry, he's done now that he has reached 25 posts so that he can post his VPS offer.


----------



## trewq (Aug 10, 2014)

mojeda said:


> Don't worry, he's done now that he has reached 25 posts so that he can post his VPS offer.


@MannDude Can we have a rule against artificial post inflation?



Last post about this. Promise.


----------



## DomainBop (Aug 10, 2014)

mojeda said:


> Don't worry, he's done now that he has reached 25 posts so that he can post his VPS offer.


I think he just wasted an hour of his life posting in the wrong forum if he's looking for buyers...



> https://www.google.com/search?q=%22Hermes+Hosting.%22&ie=utf-8&oe=utf-8
> 
> hacksociety.net/Thread-Hermes-Hosting-KVM-Dedicated-Resources-1G...
> 
> ...


----------



## MartinD (Aug 10, 2014)

He's been dealt with


----------



## Schultz (Aug 10, 2014)

Francisco said:


> We have a client that was getting a layer 7 flood and instead of ticketing us, they applied an IP block list that allowed about a /14 total of random IP space to access his VM (while blocking the rest of the world) then logs a bunch of tickets against us claiming everything is down (no shit Sherlock).


*coughs* you sure that wasn't me? lol


----------



## Francisco (Aug 10, 2014)

Boxode said:


> *coughs* you sure that wasn't me? lol


At this point you've learned to not tinker too much and to just come by IRC or message us if you need a hand

The customer in question is a tad more stubborn.

Francisco


----------



## CentralHosts (Aug 18, 2014)

This is very interesting, thanks for putting it together.


----------



## trewq (Aug 18, 2014)

CentralHosts said:


> This is very interesting, thanks for putting it together.


Please stop trying to get to 25 posts. Ok, thanks.


@MannDude @MartinD


----------



## Munzy (Aug 18, 2014)

Sigh, another one? I thought I had to respond to something.


----------



## MartinD (Aug 18, 2014)

trewq said:


> Please stop trying to get to 25 posts. Ok, thanks.
> 
> 
> @MannDude @MartinD


Been watching, don't worry


----------



## Munzy (Aug 23, 2014)

Here are some previews of the build I have currently, care to give me any suggestions or advice while I am building away?


----------



## Munzy (Aug 23, 2014)

https://www.enjen.net/asn-blocklist/

Looking for testers!!

Let me know how it is working, please and thank you!


----------



## MannDude (Aug 25, 2014)

Awesome tool. Thanks for the time and effort spent creating this.


----------



## Munzy (Sep 12, 2014)

Added Whois support, cleaned up stats page, and created a new list mode for removing IP blackholes and some other small patches to code.


----------



## WSWD (Sep 19, 2014)

Love it!

Digital Ocean would be a great addition.


----------



## Munzy (Sep 19, 2014)

WSWD said:


> Love it!
> 
> Digital Ocean would be a great addition.


https://www.enjen.net/asn-blocklist/search.php?keyword=digital+ocean


----------



## Munzy (Sep 12, 2015)

I have added an amazing new page that keeps track of how the service is being used, as well as some cool server stats.

https://www.enjen.net/asn-blocklist/server-stats.php

The new page has a few different graphs,  like what type of request, what kind of format, and how the puller is being used and if there are errors.

Munzy


----------



## DomainBop (Jul 14, 2016)

I love this tool, thanks Munzy!


I just used it to add spam friendly ISP Reprise Hosting Inc's AS62838 to my firewall blocklist.  Same SPAM coming from the same spammer on their network for months and these clowns have repeatedly lied to Spamcop over the past few months and said they've terminated the spammer.  Their piddly 4,096 IP network won't be missed and neither will this spammer customer who their abuse department is protecting.


TL;DR when you're so desperate for business that you sell $1 VPS and $26 dedicateds you wind up with a network full of nothing but absolute crap.


----------



## Munzy (Jul 14, 2016)

DomainBop said:


> I love this tool, thanks Munzy!
> 
> 
> I just used it to add spam friendly ISP Reprise Hosting Inc's AS62838 to my firewall blocklist.  Same SPAM coming from the same spammer on their network for months and these clowns have repeatedly lied to Spamcop over the past few months and said they've terminated the spammer.  Their piddly 4,096 IP network won't be missed and neither will this spammer customer who their abuse department is protecting.
> ...





I am really glad you like it. Let me know if I can add anything to help improve the service or your usage of it.


I do really need to rewrite the damn thing with rethinkdb as the backend database at some point in the future. As well as add predicted caching.


----------



## fm7 (Jul 14, 2016)

DomainBop said:


> TL;DR when you're so desperate for business that you sell $1 VPS and $26 dedicateds you wind up with a network full of nothing but absolute crap.



One could say the same about free services. I guess AWS is a network full of nothing but absolute crap.


IMO it is not a question of price but (simple) controls. E.g. serious spammers need lots of IPs and there is no interest in cheap VMs if they can't create dozens of instances.


----------



## RLT (Jul 15, 2016)

Sadly AWS is a network of pure crap.


----------

