Another source other than KRNIC?

Posted by JC on November 9, 2005, 4:39 pm
I am getting some spam in here from 211.57.x.x IP addresses.

I have determined that Pubnet is the assigned owner of 211.57.0.0 - 211.57.3.63
spread over a number of sub ranges i.e. 211.57.0.0 - 211.57.0.127 etc etc.

If I enter addresses above 211.57.3.63 - i.e. 211.57.3.64 KRNIC reverts to
single IP addresses. I expect that Pubnet has the 211.57.0.0 - 211.57.255.255
address range but to confirm this via KRNIC's WHOIS service will be very tedious
if I have to do this by single IP addresses.

APNIC, ARIN, DNS Stuff etc all point to KRNIC so they are no help.

Is there another resource on the net I can use that will give me the full range
assigned to Pubnet?

I would also like to get the full set of IP address ranges assigned to Chinanet
and CNCGroup. Knowing this would save me a heap of time.

I appreciate any assistance that you can give me with this.
--

Cheers . . . JC


Posted by Moe Trin on November 9, 2005, 1:39 pm
In the Usenet newsgroup comp.security.firewalls, in article

>I am getting some spam in here from 211.57.x.x IP addresses.

Do you have an expectation of receiving any normal mail from that block?
Korea has been assigned 211.32.0.0 to 211.63.255.255 in 37 blocks by
APNIC. If not, simply block the entire range. If yes, either block smaller
chunks, or block all but cut holes for the legitimate mail.

>I have determined that Pubnet is the assigned owner of 211.57.0.0 - 211.57.3.63
>spread over a number of sub ranges i.e. 211.57.0.0 - 211.57.0.127 etc etc.

Have you tried asking Pubnet? (Yeah, I know, but I'm trying to be
politically correct.)

[ ISP IPv4 Admin Contact Information ]
Name : IP Administrator
Phone : +82-2-3674-5890
E-Mail : ip@pubnet.ne.kr

>If I enter addresses above 211.57.3.63 - i.e. 211.57.3.64 KRNIC reverts to
>single IP addresses. I expect that Pubnet has the 211.57.0.0 - 211.57.255.255
>address range but to confirm this via KRNIC's WHOIS service will be very
>tedious if I have to do this by single IP addresses.

The APNIC delegation files don't even agree with the results of a
whois query.

[compton ~]$ grep ' 211.5[0-9]' IP.ADDR/stats/APNIC | grep KR | cut -d' ' -f1,2,3 | column
KR 211.50.0.0 255.255.0.0 KR 211.53.0.0 255.255.0.0
KR 211.51.0.0 255.255.0.0 KR 211.54.0.0 255.254.0.0
KR 211.52.0.0 255.255.0.0 KR 211.56.0.0 255.252.0.0
[compton ~]$

whois at APNIC returns 211.54.0.0 - 211.59.255.255 being allocated to
KRNIC as a single block, which really isn't much help. The 211.54/15
and 211.56/14 blocks were both allocated to KRNIC on the same day, so
I don't know why they would be separately listed in the delegation file.
It's not a CIDR issue.

>APNIC, ARIN, DNS Stuff etc all point to KRNIC so they are no help.

Agreed - APNIC delegated it to KRNIC, and ARIN has nothing to do with it.
(ARIN only has one legacy assignment to Korea - the rest having been
transferred to APNIC.) DNS Stuff (and similar sites) are merely reporting
the information they get from the RIRs.

>Is there another resource on the net I can use that will give me the full
>range assigned to Pubnet?

I suspect if we understood Korean, it would be possible to frame a more
appropriate query to KRNIC - but other than that, nothing official.

>I would also like to get the full set of IP address ranges assigned to
>Chinanet and CNCGroup. Knowing this would save me a heap of time.

Same question - are you expecting any legitimate mail from China? APNIC has
allocated 899 blocks to China totalling 73,519,360 addresses. Ignoring the
202.0.0.0/7 block (with 387 assignments to China - all but 21 smaller than
a /18), this can be cut to only 99 rules (or less if you want to second
guess APNIC). For that, see a country blacklist service. China has a
national whois web page (http://www.cnnic.net.cn/) and there is probably
a standard whois server, but the information hasn't been useful to me.

One point I have seen is that China seems to ignore the IANA requirements
for reverse DNS, so you might consider setting your mail server to reject
_at_the_SMTP_"EHLO/HELO"_ stage (and NOT afterwards) any host that doesn't
match forward and reverse DNS records. I also noticed this with Korea to a
_slightly_ lesser extent. This had a significant effect in reducing spam.

Old guy
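
Added example (not part of either post): a Python sketch of the rule-count reduction discussed above, using the six KR rows from the grep output in their "country start netmask" form. It merges adjacent blocks into the fewest CIDR prefixes and reports which listed block contains 211.57.3.64; the function names are hypothetical.

```python
import ipaddress

# The six rows from the post's grep output ("CC start netmask").
SAMPLE = """\
KR 211.50.0.0 255.255.0.0
KR 211.51.0.0 255.255.0.0
KR 211.52.0.0 255.255.0.0
KR 211.53.0.0 255.255.0.0
KR 211.54.0.0 255.254.0.0
KR 211.56.0.0 255.252.0.0
"""

def parse_blocks(text, country):
    """Return the IPv4 networks listed for one country code."""
    nets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] != country:
            continue  # skip blank, malformed or other-country rows
        try:
            nets.append(ipaddress.ip_network(f"{fields[1]}/{fields[2]}"))
        except ValueError:
            continue  # start address not aligned to the mask, or bad mask
    return nets

def aggregate(nets):
    """Merge adjacent or overlapping blocks into the fewest CIDR prefixes."""
    return list(ipaddress.collapse_addresses(nets))

def covering_block(addr, nets):
    """Return the block that contains addr, or None if no block does."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in nets if ip in n), None)

def total_addresses(nets):
    return sum(n.num_addresses for n in nets)

if __name__ == "__main__":
    listed = parse_blocks(SAMPLE, "KR")
    merged = aggregate(listed)
    print(f"{len(listed)} listed blocks -> {len(merged)} rules")
    for net in merged:
        print("  ", net)
    print("211.57.3.64 is inside", covering_block("211.57.3.64", merged))
```

The merged prefixes describe the same address space as the listed rows, so one firewall rule per prefix is enough. Being inside a block delegated to KRNIC says nothing about which ISP holds the address.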

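Added example (not part of either post): the forward/reverse DNS match suggested above, read here as forward-confirmed reverse DNS on the connecting address, which is an assumption about what the post means. The DNS records are constructed and held in dictionaries so the logic runs offline; the function names and verdict strings are hypothetical, and a mail server would back the two lookups with real queries.

```python
import ipaddress

# Constructed records standing in for DNS (documentation address ranges).
PTR = {"192.0.2.10": ["mail.example.org."],
       "192.0.2.20": ["host20.example.net."]}
A = {"mail.example.org": ["192.0.2.10"],
     "host20.example.net": ["203.0.113.99"]}   # forward points elsewhere
UNREACHABLE = {"198.51.100.50"}   # reverse zone whose servers time out

def ptr_lookup(ip):
    if ip in UNREACHABLE:
        raise TimeoutError("reverse zone did not answer")
    return PTR.get(ip, [])          # empty list models "no PTR record"

def addr_lookup(host):
    return A.get(host, [])          # empty list models "no address record"

def check_client(ip, ptr=ptr_lookup, addr=addr_lookup):
    """Verdict for a connecting IP: accept, reject or defer, plus detail."""
    want = ipaddress.ip_address(ip)
    try:
        names = [n.rstrip(".").lower() for n in ptr(ip)]
        if not names:
            return ("reject", "no PTR record")
        for host in names:
            # The PTR name must resolve forward to the same address.
            if any(ipaddress.ip_address(a) == want for a in addr(host)):
                return ("accept", host)
    except TimeoutError:
        # A resolver failure is not proof of a mismatch: have the client retry.
        return ("defer", "DNS lookup failed")
    return ("reject", "PTR name does not resolve back to " + ip)

if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "198.51.100.7", "198.51.100.50"):
        print(client, check_client(client))
```

Treating a lookup timeout as a deferral rather than a rejection keeps a resolver outage from bouncing legitimate mail.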
