Spamhaus IP blocking

[haremlover]

Thanks for all the suggestions. Renewing the connexion released the IP number to be reconnected on another - but it's interesting that the TDF server has some sort of Spamhaus connexion somewhere along the line. It could disable members' or potential members' access from China . ..

Best wishes

Harem

[Nescio50]

To answer the original question, the forum software PHPBB has a blacklist check by default. Apparently it uses spamhouse.

If this IP was unfairly blacklisted, Harem has to contact his ISP to get the IP off the list.
But as this is a shared IP, probably someone used it for spamming, so the ISP has to check their customers.

[haremlover]

Yes - thanks - the personal problem was overcome but having done a lot of spam filtering in the past I'm aware that blacklists relating to email aren't particularly relevant to forums. I run a minor unrelated forum and the spam occurs only from SEO-monkeys and they always include AIM details in their profiles - so looking for this as well as setting a Captcha system or question/answer criteria cuts out bots and people without interest in the subject.

The important thing is that the system this forum uses only blocks making a response rather than joining the forum, I assume, but if the latter then it could preclude members from parts of the world where many IP numbers are sources of spam from compromised computers.

Best wishes

Harem

[Nescio50]

Although spammers try to post a lot *A LOT* of spam here every day, you hardly will find any spam at TDF.
The captcha filters some of the spammers, but their bots are getting more intelligent. We also do some IP filtering (even more than I knew ) to stop bots from certain addresses. Finally, newbie restriction make that we catch the ones that pass the filters. For a forum like TDF, spam filters are necessary. Also we have a zero tolerance policy, spammers are banned.

As this is the first time a member reports that his IP is blocked by spamhouse, it doesn't seem that this filter causes much problems for our members.

[haremlover]

Although spammers try to post a lot *A LOT* of spam here every day, you hardly will find any spam at TDF.

As a new member or a junior member or as one who had not participated across a wider breadth of the forum the amount of work and expertise of everyone behind the scenes is not particularly visible and undercelebrated.

There are many people who think that this or that might be better run differently but they are not at the coalface of dealing with coping with a wide variety of different issues and conflicting interests, ideas and characters.

But there is one thing of which we have all in common, an enjoyment of lifelike dolls whatever the reasons might be, and their benefit in bringing joy to others.

Thanks are due to all those who contribute, often unsung, to the smooth channels of communication that this forum facilitates without the irritations of spammers or technical issues alike.

Best wishes

Harem

[jiayi]

Converted to Debian about three years ago.

Yes! I've been using Debian exclusively on my web and mail servers since 2003. Started with command line and still use command line. Glad to know someone else speaks Debian.
Jiayi

[deadpringle]

To answer the original question, the forum software PHPBB has a blacklist check by default. Apparently it uses spamhouse.

If this IP was unfairly blacklisted, Harem has to contact his ISP to get the IP off the list.
But as this is a shared IP, probably someone used it for spamming, so the ISP has to check their customers.

One of the record entries has already been cleared. There are two more left.

According to the PBL and CBL record entries, it was most likely someone sending SMTP directly from their internal host, which would NAT to the ISP's public IP. Most ISPs forbid this, for obvious reasons. You either have to use an external SMTP server to relay your mail for you, or in some cases, you have to use your ISP's SMTP servers. The main reason why ISP's do this is to prevent people from running businesses from their residential accounts, because often times, that bandwidth is shared between multiple nodes, and it's possible otherwise that some inconsiderate user might saturate all of the bandwidth for their purposes, which will effectively cut services off for others.

In this case, the SMTP traffic might have been intentional. It might have been because someone was unwittingly infected with a spambot, or trojan. No way to know for sure.

In any case, having this code in place is a good thing, and spamhaus.org is a great contributor to network security overall. I would highly encourage the TDF staff to keep this parameter in place, because not only does it prevent something malicious from being injected into the site itself, but it will also let other users know if they are sending something outbound they shouldn't be sending. This includes viruii, trojans, botnet broadcasts, etc. Spamhaus notifies on more than just spam.

Some idiot at my place of work managed to infect a lab PC with conficker, and our lab public IP was blacklisted in this same manner. It was kind of funny, but not for him.

[deadpringle]

Yes - thanks - the personal problem was overcome but having done a lot of spam filtering in the past I'm aware that blacklists relating to email aren't particularly relevant to forums.

Well, it's not quite that simple.

Spamhaus was originally created as a spam reporting site, but it has grown into a fully fledged infection reporting site. They don't only report on spam. They also report on infections from virii, trojans, botnet clients, etc. It's good that TDF has this code in place. It protects us all (well, those of you using Windows. ).

The important thing is that the system this forum uses only blocks making a response rather than joining the forum, I assume, but if the latter then it could preclude members from parts of the world where many IP numbers are sources of spam from compromised computers.

An unfortunate situation, yes, but nonetheless, I am of the opinion that TDF should keep this parameter enabled in the PHPBB code. In my job, I've seen way too many instances of people (clients mostly) losing years of work and thousands (in a few cases millions) of dollars because they simply didn't want the minor inconvenience of security protocols in place.

In one case I worked, it was a bank who had $500,000.00 stolen from them, because of a back door that was implanted into their https server (a banking website for their customers). At that time, DPI-SSL (MitM software which allows IPS devices to scan SSL-encrypted traffic for malicious payload) didn't exist, and so the sql injection was free to pass through their security infrastructure unhindered, because the SSL encryption obfuscated it from the DPI engine of their IPS device. Of course, their admin had an unpatched SQL server in place. I imagine he wasn't working there any longer after we determined the cause of the intrusion.

[deadpringle]

Although spammers try to post a lot *A LOT* of spam here every day, you hardly will find any spam at TDF.
The captcha filters some of the spammers, but their bots are getting more intelligent. We also do some IP filtering (even more than I knew ) to stop bots from certain addresses. Finally, newbie restriction make that we catch the ones that pass the filters. For a forum like TDF, spam filters are necessary. Also we have a zero tolerance policy, spammers are banned.

As this is the first time a member reports that his IP is blocked by spamhouse, it doesn't seem that this filter causes much problems for our members.

Agreed. My opinion as a network security professional is that this option should be left in place. I don't think I recall ever experiencing any problems with this site, other than the odd 5-min unresponsiveness, likely due to backend maintenance.

[deadpringle]

Thanks are due to all those who contribute, often unsung, to the smooth channels of communication that this forum facilitates without the irritations of spammers or technical issues alike.

Seconded. The TDF staff rocks, and so does this site!

I for one know all too well how difficult it is to maintain the security of a network infrastructure. I've been doing TCP/IP networking for about 15 years, and 8 of those have been focused on network security, which is a LOT harder than your average systems or network administration position. Thankfully I'm in more of a conslutant[0] role these days, so I still get to dirty my hands with tech goodness, without having to be directly responsible for it.

[0] That is not a typo.

[Nescio50]

Agreed. My opinion as a network security professional is that this option should be left in place.

Don't worry, disabling this has never crossed our minds

[deadpringle]

Converted to Debian about three years ago.

Yes! I've been using Debian exclusively on my web and mail servers since 2003. Started with command line and still use command line. Glad to know someone else speaks Debian.
Jiayi

Hail!

Yep, I cut my teeth on Slackware and BSD. Loved compiling my own software on P5 and P6 generation processors because you would see a performance boost of around 25 to 30% in some cases. Then I got so sick and tired of compiling software, and today, on modern hardware you get *MAYBE* a 0.5% performance increase by doing so. So not worth the time anymore.

Debian is beautiful. The community is friendly to old System V and BSD UNIX farts like me, and new users alike. And the quality of the software is stellar. Debian may be the DS doll of the Linux world.[0]

I still spend half of my time in a terminal, but truth be told, I've actually grown quite fond of GNOME 3. I used GNOME 2, fluxbox, and OpenBox happily for years, but even though GNOME 3 is a monster, it has wonderful workflow. I actually started using originally it because I wanted to see what was so horrible about it. So I forced myself to use it for a week, expecting to rant and rave about how stupid and infantile it is to my colleagues. I wound up loving it. LOL

If you haven't tried out Jessie yet, FYI, it's fantastic. They even included E17 this time around, which surprised the heck out of me. I installed Terminology just last night. Yay Xterm eye candy!

[0] Or is DS the Debian of the doll world?

[deadpringle]

Agreed. My opinion as a network security professional is that this option should be left in place.

Don't worry, disabling this has never crossed our minds

Excellent! Thanks again for keeping us all in the loop. Issy[0] sends her respects.

[0] She still manages to hack my stuff! If she wasn't so pretty, I swear...

[Dollstudio]

[0] Or is DS the Debian of the doll world?

No, it is not, as there are no derivates of DS dolls yet

But I kind of fancy the idea of a free (as in freedom) doll specification. With open 'build howto' documentation, community-based enhancements, and a bug tracker to be used by doll developers and users. A doll 'distribution' could be a kit including all components to make your own doll. Maybe the molds someday can be 3D printed. Why not?

I guess, in their first decade these 'GNU' dolls would be inferior to the current doll designs, and somewhere in the second decade, 90% of all doll designs would be based on the now matured and superior free designs. It happened before and could happen again.

Sandro