Virus / Spam Messages Help

Mean_Monster (Senior Member; joined Mar 2, 2004; 584 messages; Cape Town, South Africa)
We receive a lot of messages containing spam or viruses from IPs in the 155.239 and 165.146 range. All of them seem to belong to Telkom. Are all the IPs in the net block only for dynamic assignment to users, or are there mail servers on there? Meaning: will those IPs only be used by ADSL and dial-up users, or would there be "legit" mail servers in that range?

I am considering blocking all traffic from those network blocks of IPs on the firewall on port 25. Good idea, bad idea?

Currently every message is being picked up by AV etc. But it gets rather annoying getting 500 virus notification messages per day. :mad: As well as the waste in bandwidth, of course. Blocking traffic from those IPs totally would at least save some bandwidth?

What do you guys do about this problem?

Any comments / advice would be greatly appreciated. ;)
 
If you're being spammed and loads of incoming emails contain viruses, then block the IP ranges. I would suggest doing this as a temporary measure only; just put out the fire for now.
 
ic,

what gets me worked up though is that even mailing the admins for those networks doesn't seem to help. They could at least just tell their users to install virus scanners, you would think, or "listen, you are running an SMTP relay" (which may also be the case for some). If the users are not going to be told then I am afraid it is going to carry on for a very long time. The bad thing though is, from the logs I get, that half of these 500 messages a day are from ADSL users. Then some people wonder why they reach their cap in 2 to 3 days. Install a firewall. :) In the end, user machines like that end up making the internet slow(er) for us all with all the junk traffic they are creating.
 
Mean_Monster,

you're right of course, but the end result of your efforts to get Telkom to do anything useful has proved to be a losing battle.

What you need here is someone on the forum to post or private message the contact details of someone useful in Telkom - that might be impossible though - do such people exist in Telkom...

From the email headers, is Telkom's smtp server being used in the majority of these spam & virus riddled emails, or is it just the sender's IP address that is allocated to Telkom?

PS: I've been tracking down a single spam email today (spoofing a domain name I administer); all of the IP addresses are allocated to IANA (Internet Assigned Numbers Authority). So, should I try to get those IP addresses blacklisted? Can one actually get IANA's IPs blacklisted...
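Both questions raised so far, whether to block port 25 from the 155.239 and 165.146 blocks, and whether the headers show Telkom's SMTP server relaying the mail or just a Telkom-allocated sender address, come down to reading the Received chain from the top. The script below is an added example, not code posted by anyone in this thread. It assumes the two ranges are meant as /16 netblocks, uses a constructed MX hostname (mx.example.co.za) and constructed sample messages, and classifies each message by the IP that actually connected to port 25, distinguishing a machine that spoke SMTP to us directly from a real mail server in the range that relayed someone else's mail.

```python
import ipaddress
import re
from email import message_from_string

# Netblocks named in the thread. Assumption: "155.239" and "165.146" are
# meant as the /16 prefixes 155.239.0.0/16 and 165.146.0.0/16.
SUSPECT_NETBLOCKS = [
    ipaddress.ip_network("155.239.0.0/16"),
    ipaddress.ip_network("165.146.0.0/16"),
]

# Hostname our own MX writes into the "by" clause of its Received header
# (constructed for this example).
OUR_MX = "mx.example.co.za"

# In "from helo-name (rdns [a.b.c.d])", the bracketed literal is the peer that
# opened the SMTP connection; the HELO name and rDNS text are untrusted strings.
PEER_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def received_hops(msg):
    """Return (peer_ip, by_host) per Received header, topmost (newest) first."""
    hops = []
    for raw in msg.get_all("Received", []):
        hdr = " ".join(raw.split())  # unfold continuation lines
        ip_m = PEER_IP_RE.search(hdr)
        by_m = BY_HOST_RE.search(hdr)
        peer = ipaddress.ip_address(ip_m.group(1)) if ip_m else None
        hops.append((peer, by_m.group(1).lower() if by_m else None))
    return hops


def in_suspect_block(ip):
    """True when the address (string or ip_address object) is in a listed block."""
    if ip is None:
        return False
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in SUSPECT_NETBLOCKS)


def classify(raw_message):
    """Classify a message by the host that connected to our port 25:
    'direct-from-netblock' (suspect peer, no earlier hop: the sender's own
    machine spoke SMTP to us), 'relayed-via-netblock' (suspect peer relayed
    an earlier hop, i.e. a real mail server such as an ISP smarthost),
    'outside-netblock', or 'no-entry-hop' (our MX's Received line missing)."""
    hops = received_hops(message_from_string(raw_message))
    # Only the Received line stamped by our own MX is trustworthy; every hop
    # below it was written by other systems and may be forged by the sender.
    for idx, (peer, by) in enumerate(hops):
        if by == OUR_MX:
            entry_ip, earlier_hops = peer, hops[idx + 1:]
            break
    else:
        return "no-entry-hop"
    if not in_suspect_block(entry_ip):
        return "outside-netblock"
    return "relayed-via-netblock" if earlier_hops else "direct-from-netblock"


# Constructed sample messages (not real traffic). TEST-NET addresses and
# .example names are used for everything outside the two blocks.
DIRECT_SAMPLE = """\
Received: from userpc (adsl-155-239-12-34.isp.example [155.239.12.34])
    by mx.example.co.za (Postfix) with SMTP id 0001; Tue, 11 May 2004 09:12:05 +0200
From: someone@spoofed.example
To: user@example.co.za
Subject: constructed sample

body
"""

RELAYED_SAMPLE = """\
Received: from smtp.isp.example (smtp.isp.example [165.146.1.10])
    by mx.example.co.za (Postfix) with ESMTP id 0002; Tue, 11 May 2004 09:15:41 +0200
Received: from userpc (dialup-5.isp.example [198.51.100.5])
    by smtp.isp.example (Sendmail) with SMTP id 7777; Tue, 11 May 2004 09:15:30 +0200
From: customer@isp.example
To: user@example.co.za
Subject: constructed sample

body
"""

CLEAN_SAMPLE = """\
Received: from mail.partner.example (mail.partner.example [203.0.113.7])
    by mx.example.co.za (Postfix) with ESMTP id 0003; Tue, 11 May 2004 09:20:00 +0200
From: colleague@partner.example
To: user@example.co.za
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT_SAMPLE), ("relayed", RELAYED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(f"{name:8s} -> {classify(sample)}")
```

A run of the classifier over a day's worth of notifications gives the split the thread is after: a pile of "direct-from-netblock" results means end-user machines talking SMTP straight to your server, which a port-25 block on those ranges would stop, while "relayed-via-netblock" results point at a real mail server in the range that a blanket block would also cut off. The decision rests only on the Received line your own MX added, because every line below it is sender-supplied and can be forged.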
 
IC,

That is the thing. Every person running an ADSL line can set up an SMTP server. That is what is happening. None of these people have firewalls, it seems. All the IPs differ. None of them are "legit" mail servers in my book. I have a list of 30 different IPs.

I am going to get flamed for this, but I am going to say it anyway. Dynamic IPs should not be allowed to host mail servers, as this makes it very difficult to control spam and viruses. Especially if the ISP is slack. With static I could at least try and block the traffic if the ISP is too lazy to take things further. Just more positives about static IPs.

Is it that much effort to send the users mail and tell them their computers are infected with viruses? If I had their e-mail addresses I would. But these worms use spoofed addresses. Maybe even a general e-mail suggesting a scan on a website like http://www.sarc.com or installing firewall software, etc.

In the end, the number of IPs these messages come from, all sending to our mail server, is almost like a DDoS.

That said not only Telkom are to blame. 90% yes. Others though are not virus attacks but spoofs via open relays on other networks.

Isn't distributing viruses knowingly a crime? :p
 
Hmmm....

I'm sure you realise, the reason I was asking if Telkom's smtp server was being used in the majority of these attempted email attacks, is Telkom should be using anti-virus scanning on email sent via their smtp server. I doubt they are though, in which case they merely perpetuate the problem.

If other smtp servers are involved it is a losing battle.

On the issue of dynamic vs static IPs: the one thing I wanted when considering ADSL was a static IP for hosting purposes, but Telkom don't offer that.

I have started to think that having a dynamic IP isn't all that bad; every time your IP changes, it makes it more difficult for someone to hack into your network. Obviously that's no substitute for firewalls & antivirus software. Having said that, I'm still struggling with DynDNS through No-IP.com; for some reason it just doesn't work with the host name. Sorry, straying off topic there...

I administer several domains for small companies, and I have set up all their email to first be spam & virus filtered through Net@ddress accounts; from there email gets forwarded to individual local POP3 accounts. If I could just get DynDNS going I could run a mail server and get rid of the POP3 accounts.

The point is that Net@ddress (uses BrightMail) filters out 99% of all viruses & spam, including phishing attacks which are definitely on the increase.

Forgot to mention the most important point - all of that filtered out email uses Net@ddress' bandwidth, not mine! ;)
 