Solved

Relentless spam from a network.  How do I find their IP addresses?

Posted on 2014-01-09
432 Views
Last Modified: 2014-01-14
I was getting heavily spammed by 23.228.242.34, so I blocked the IP on our firewall. Then immediately spam began from 23.238.229.236 and then from 23.238.228.210.
The particular spam they are doing is malicious. They are "botting" our contact forms and trying to send junk mail to our users. Now even though their messages are getting filtered (users aren't getting them), I still see them. So ideally, I just want to block them entirely from our website altogether by putting them in a firewall block at the server level (instead of blocking them at the form level) - that way, these abusers cannot even get to our site to begin with.

It looks like all of these IPs belong to the same network. I would like to ban the entire range of IPs on this network. How do I figure that out?
Question by:arthurh88
11 Comments
 
LVL 17

Expert Comment

by:sweetfa2
ID: 39769984
Do a whois on the IP address.

That should then give you the details of the address group that the IP addresses belong to:

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=192.168.100.40?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       192.168.0.0 - 192.168.255.255
CIDR:           192.168.0.0/16
OriginAS:       
NetName:        PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED
NetHandle:      NET-192-168-0-0-1
Parent:         NET-192-0-0-0-0
NetType:        IANA Special Use
Comment:        These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices.  They are only intended for use within a private context  and traffic that needs to cross the Internet will need to use a different, unique address.
Comment:        
Comment:        These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry.  The traffic from these addresses does not come from ICANN or IANA.  We are not the source of activity you may see on logs or in e-mail records.  Please refer to http://www.iana.org/abuse/answers
Comment:        
Comment:        These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Best Current Practice document, RFC 1918 which can be found at:
Comment:        http://datatracker.ietf.org/doc/rfc1918
RegDate:        1994-03-15
Updated:        2013-08-30
Ref:            http://whois.arin.net/rest/net/NET-192-168-0-0-1

OrgName:        Internet Assigned Numbers Authority
OrgId:          IANA
Address:        12025 Waterfront Drive
Address:        Suite 300
City:           Los Angeles
StateProv:      CA
PostalCode:     90292
Country:        US
RegDate:        
Updated:        2012-08-31
Ref:            http://whois.arin.net/rest/org/IANA

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820 
OrgTechEmail:  abuse@iana.org
OrgTechRef:    http://whois.arin.net/rest/poc/IANA-IP-ARIN

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820 
OrgAbuseEmail:  abuse@iana.org
OrgAbuseRef:    http://whois.arin.net/rest/poc/IANA-IP-ARIN



In the example above the NetRange indicates the range of IP addresses supported by the group.

Check that the OrgName is not something that appears to be generic or likely to have some traffic you may want.

Then add a rule into your SonicWall to block the range shown.
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 39770009
Here's the info for those IP addresses.  You can send a complaint to the email address or call them on the phone.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=23.228.242.34?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       23.228.192.0 - 23.228.255.255
CIDR:           23.228.192.0/18
OriginAS:       AS40676
NetName:        PSYCHZ-NETWORKS
NetHandle:      NET-23-228-192-0-1
Parent:         NET-23-0-0-0-0
NetType:        Direct Allocation
RegDate:        2013-09-19
Updated:        2013-09-19
Ref:            http://whois.arin.net/rest/net/NET-23-228-192-0-1

OrgName:        Psychz Networks
OrgId:          PS-184
Address:        20687-2 Amar Road #312
City:           Walnut
StateProv:      CA
PostalCode:     91789
Country:        US
RegDate:        2013-04-17
Updated:        2013-09-05
Ref:            http://whois.arin.net/rest/org/PS-184

ReferralServer: rwhois://rwhois.psychz.net:4321

OrgTechHandle: NOC3077-ARIN
OrgTechName:   NOC
OrgTechPhone:  +1-626-549-2801 
OrgTechEmail:  noc@psychz.net
OrgTechRef:    http://whois.arin.net/rest/poc/NOC3077-ARIN

OrgAbuseHandle: NOC3077-ARIN
OrgAbuseName:   NOC
OrgAbusePhone:  +1-626-549-2801 
OrgAbuseEmail:  noc@psychz.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/NOC3077-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

 
LVL 17

Expert Comment

by:sweetfa2
ID: 39770014
It may be an ISP given the large block allocated to it.

NetRange:       23.228.192.0 - 23.228.255.255 is the range you need to block for the time being until you can get a response from the abuse handle.
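As an added example (not code from any of the posters), here is a small Python script that parses the NetRange/CIDR lines of ARIN whois output like the record quoted above and checks which of the three addresses from the question a block on that range would actually cover. The sample whois text and the helper names are constructed for this illustration.

```python
import ipaddress
import re

# Constructed sample: the NetRange/CIDR lines as they appear in the
# ARIN whois record for 23.228.242.34 quoted earlier in this thread.
SAMPLE_WHOIS = """\
NetRange:       23.228.192.0 - 23.228.255.255
CIDR:           23.228.192.0/18
OriginAS:       AS40676
NetName:        PSYCHZ-NETWORKS
"""

# The three source addresses the original poster observed.
OBSERVED = ["23.228.242.34", "23.238.229.236", "23.238.228.210"]


def networks_from_whois(text):
    """Return the network(s) covering the NetRange of one whois record.

    Prefers the explicit CIDR line (ARIN may list several, comma separated);
    otherwise summarises the NetRange, which can need more than one prefix
    when the range is not aligned to a single CIDR block.
    """
    cidr = re.search(r"^CIDR:\s*(.+?)\s*$", text, re.M)
    if cidr:
        return [ipaddress.ip_network(p.strip(), strict=False)
                for p in cidr.group(1).split(",") if p.strip()]
    rng = re.search(r"^NetRange:\s*(\S+)\s*-\s*(\S+)", text, re.M)
    if not rng:
        raise ValueError("no NetRange/CIDR line in whois output")
    first, last = (ipaddress.ip_address(x) for x in rng.groups())
    return list(ipaddress.summarize_address_range(first, last))


def covered(ips, networks):
    """Map each observed IP to True if at least one network contains it."""
    return {ip: any(ipaddress.ip_address(ip) in n for n in networks)
            for ip in ips}


if __name__ == "__main__":
    nets = networks_from_whois(SAMPLE_WHOIS)
    for ip, hit in covered(OBSERVED, nets).items():
        print(f"{ip}: {'inside' if hit else 'NOT inside'} {nets}")
```

Run on the thread's addresses it shows that only 23.228.242.34 falls inside 23.228.192.0/18; the two 23.238.x sources sit in a different allocation and need their own whois lookup before any block will reach them.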
 

Author Comment

by:arthurh88
ID: 39770048
23.228.192.0 - 23.228.255.255 ?  That is a lot of IP addresses.  A simple Google of psychz.net shows a lot of complaints about spam.  I'm not a security expert, but do you think blocking the entire range is a wise move?   Am I going too far?
 

Author Comment

by:arthurh88
ID: 39770049
I did send a note to their abuse department twice, by the way. No response yet, but hopefully I'll get one soon. Am I correct in concluding that this URL means this network is pretty poor as far as reputation?
http://www.senderbase.org/lookup/?search_string=psychz.net
 
LVL 17

Expert Comment

by:sweetfa2
ID: 39770078
Blocking the range will depend a lot on what type of traffic you get normally into your network.

As they are an ISP, if you expect a lot of individuals from within their control, blocking it would not be wise.

Your context is known to you, not to me, so the implications of the block depend very much on your situation.

A lot of ISPs don't care if spam gets generated from their network. The fact that you get instant address changes more likely indicates a lot of insecure machines that are botnetting from within that ISP. Again, a lot of ISPs don't care because they charge for the traffic.

In terms of reputation, it is similar to many others.
 
LVL 27

Expert Comment

by:Steve
ID: 39771201
Firstly, complaining to the 'owner' of the IPs is worth doing but it won't get you anywhere. Most ISPs don't really seem to care what their clients do with their IPs, unfortunately.

As for blocking IPs, it's a tough one. It's unlikely you can find out what block of IPs this company owns/uses. You can therefore either block only the ones you have history with, or risk blocking a larger range and hoping you haven't blocked anyone genuine.
Also, how do you know this is a single company? Once you end up on a list of known targets you may well be attacked by multiple companies.

As much of a pain as it is, it's best to amend your forms to prevent BOTs if possible, as this would be a long term solution.

23.228.192.0 - 23.228.255.255 ?  That is a lot of IP addresses.
I agree, that is a lot of IPs to block without evidence that it's worth the risk of blocking genuine traffic.


@sweetfa2 could you advise where you got that range from to explain why you feel that is the best option?
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 250 total points
ID: 39771534
Yes, it is a large block, but your first priority is the integrity of your own network.  Personally if I blocked a few and it still was coming I would block the entire range with little hesitation.

However, I wouldn't just leave it at that. There are some other options you can look into as well.
1) a hosted filtering service
2) a separate server for filtering on your network
3) use filter lists on your email server like SpamCop, etc.
4) custom filtering rules like verifying if the IP connecting has a PTR record; if not, drop it. You'd be amazed how many emails will be rejected by just dropping anything that presents itself to your server with the server's name or localhost address. I think my spam level dropped 30% after just those types of rules.
5) implement greylisting. Basically, you reject the first connection from the sender. Normal MTAs will try again; spammers generally don't. As you saw, it switched IPs.

Just some thoughts anyway, since there are several areas you can filter at, each providing various pros/cons.
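The greylisting rule in option 5, as an added example that is not code from the poster or from any particular MTA: the first delivery attempt for a (client IP, sender, recipient) triplet is deferred with a temporary failure, a retry after the delay window is accepted, and a sender that hops to a new IP starts over. Class, delay values and the injectable clock are constructed here for illustration.

```python
import time

DELAY = 300          # seconds a client must wait before its retry is accepted
EXPIRE = 4 * 3600    # forget triplets that never retried after this long


class Greylist:
    """In-memory greylisting decision for one SMTP delivery attempt."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so behaviour can be tested offline
        self.first_seen = {}      # triplet -> time of first (deferred) attempt
        self.whitelist = set()    # triplets that retried like a real MTA

    def check(self, client_ip, sender, recipient):
        """Return 'accept' or 'defer' (defer = SMTP 4xx temporary failure)."""
        key = (client_ip, sender.lower(), recipient.lower())
        now = self.clock()
        if key in self.whitelist:
            return "accept"
        seen = self.first_seen.get(key)
        if seen is None or now - seen > EXPIRE:
            self.first_seen[key] = now      # new or stale triplet: defer it
            return "defer"
        if now - seen < DELAY:
            return "defer"                  # retried too quickly, keep waiting
        self.whitelist.add(key)             # patient retry: genuine MTA behaviour
        del self.first_seen[key]
        return "accept"


if __name__ == "__main__":
    g = Greylist()
    print(g.check("23.228.242.34", "bot@example.test", "user@example.test"))  # defer
```

Because the key includes the client IP, a spammer that switches source addresses after the first rejection (as the original poster saw) never accumulates the retry needed to be accepted.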
 
LVL 17

Expert Comment

by:sweetfa2
ID: 39771612
@totallytonto, if you read through the message trail you will see where the range came from.
 
LVL 27

Expert Comment

by:tliotta
ID: 39774147
As soon as I saw that a blocked address was switched to a second address within the same network, I would block that network range and make a formal 'Abuse' complaint to the registered abuse account. You showed addresses from two different ranges, but I wouldn't be concerned about it; I'd do it twice.

Your responsibility is to your network as stated by Cyclops3590. If legitimate connections from that network range are also blocked, then those source sites are responsible for complaining to their ISPs to get them to clean up their act. Those source sites are almost certainly seeing blockages anyway because other sites like yours are also blocking the same network addresses.

I don't see that either range is large enough to be concerned about.

Tom
 

Author Comment

by:arthurh88
ID: 39781330
This was amazing advice. Thank you.
