Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 3 subscribers
  • Views 2869 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Are you getting .CYOU spam?

Remuflon

We already block trash domains like .CYOU, but still my server was getting thousands of .CYOU spams to block each day.

It was playing whack-a-mole with blocking subnets.

That's when I stepped in and looked at it, turns out 100% of them, ALL OF THEM are coming from one hosting company.

Eonix Corporation in Las Vegas.

I blocked their entire ASN, which is 62904, and my .CYOU spam went to zero - instantly.  This weekend I have pages and pages of green logs, no spam.

(just 2 random spams that are not related).

CYOU later, Eonix.  You are now permanently blocked from any network I am in charge of.

If anyone else is experiencing this attack, I suggest you use this as a reference: https://asn.ipinfo.app/AS62904

Or hit me up and I will try and help.



This thread was automatically locked due to age.
  • 0

    This is my constant attacker, and this is as of this morning.  Both Iran and Russian Federation, and it's weekly.  It will grow a lot, but the numbers are small because it's just this early morning (The blacked out is my phone info).

    I am curious how you block an entire ASN?  Is this something you are doing within UTM itself?  Because if so, that's something I didn't know was possible.  Stuck out tongue

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    I am simply downloading the list of IP's in the ASN using the URL I provided in this post.  I have installed fail2ban on my UTM server.  So I take the IP list and tell fail2ban to block all these subnets..  Done.

    As I have said in previous posts, fail2ban should be intstalled and maintained by Sophos because I cannot imagine any sane situation where you do not run fail2ban alongside the rest of the firewall tools.  Discovering fail2ban was a life changing moment for me.

  • 0 in reply to Remuflon

    Ah okay, I will check into that - I have never heard of it.  I thought you were just adding a Deny filter in Border Gateway Protocol or some odd method after telnetting into the UTM.  Slight smile

    Thanks!

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    fail2ban monitors the UTM log files, and when it sees something that matches a rule that I created, it gets the ip address or subnet and adds it to a ipset or iptables block list that i created.

    It will take a bit of time to understand it, but it's well worth the investment.

    For example, you hit my network with something that trips Sophos IPS, and your IP is blocked from ever accessing us again.  (or what I configure it for).  Virus senders are blocked permanently, I block spammers for 6 months...  You try and hit SSH you are blocked for a year.

  • 0

    Scumbags at Eonix are back at this morning with a new AS30693.  This one only has one subnet so easily blocked.

    What is wrong with these people.

  • 0 in reply to Remuflon
    Remuflon said:
    What is wrong with these people.

    That's an easy one.  $$. Smiley

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    Honestly, how does sending 10's of thousands of spam messages to my server, which are automatically deleted without being read, how does that profit anyone?

    The chances of me opening their crap is between zero and zero.  And even if I did, who is stupid enough to actually buy something from a spammer?

    Really, it seems like a waste of time.

  • 0 in reply to Remuflon

    Oh you'd be surprised who buys from them, haha.

    But really, the ISP is the one making the money off the ones who are renting/buying equipment and hosting trash.  They don't really seem to care anymore about their reputation, then claim absence of knowledge about it because no one complains to them.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

Unfiltered HTML