
Are you getting .CYOU spam?

We already block trash domains like .CYOU, but still my server was getting thousands of .CYOU spams to block each day.

It was playing whack-a-mole with blocking subnets.

That's when I stepped in and looked at it; turns out 100% of them, ALL OF THEM, are coming from one hosting company.

Eonix Corporation in Las Vegas.

I blocked their entire ASN, which is 62904, and my .CYOU spam went to zero - instantly.  This weekend I have pages and pages of green logs, no spam.

(just 2 random spams that are not related).

CYOU later, Eonix.  You are now permanently blocked from any network I am in charge of.

If anyone else is experiencing this attack, I suggest you use this as a reference: https://asn.ipinfo.app/AS62904

Or hit me up and I will try and help.



  • This is my constant attacker, and this is as of this morning.  Both Iran and Russian Federation, and it's weekly.  It will grow a lot, but the numbers are small because it's just this early morning (The blacked out is my phone info).

    I am curious how you block an entire ASN?  Is this something you are doing within UTM itself?  Because if so, that's something I didn't know was possible.  Stuck out tongue

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)


  • I am simply downloading the list of IPs in the ASN using the URL I provided in this post.  I have installed fail2ban on my UTM server.  So I take the IP list and tell fail2ban to block all these subnets.  Done.

    As I have said in previous posts, fail2ban should be installed and maintained by Sophos because I cannot imagine any sane situation where you do not run fail2ban alongside the rest of the firewall tools.  Discovering fail2ban was a life changing moment for me.

  • Ah okay, I will check into that - I have never heard of it.  I thought you were just adding a Deny filter in Border Gateway Protocol or some odd method after telnetting into the UTM.  Slight smile

    Thanks!

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • fail2ban monitors the UTM log files, and when it sees something that matches a rule that I created, it gets the IP address or subnet and adds it to an ipset or iptables block list that I created.

    It will take a bit of time to understand it, but it's well worth the investment.

    For example, you hit my network with something that trips Sophos IPS, and your IP is blocked from ever accessing us again (or whatever I configure it for).  Virus senders are blocked permanently, I block spammers for 6 months...  You try and hit SSH, you are blocked for a year.
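The two replies above describe the pipeline in words: download the ASN's prefix list, then have fail2ban push those subnets into an ipset that an iptables rule drops on. The script below is an added example (not code from the thread or from fail2ban) showing the list-to-ipset half of that pipeline done directly, without fail2ban in the middle: it parses a downloaded prefix list, discards junk lines, collapses duplicate and overlapping prefixes, and emits an `ipset restore` input that fills a temporary set and swaps it into place so the block list is never empty mid-refresh. The set name `asn-block`, the temp/swap refresh pattern and the sample prefixes (RFC 5737 and RFC 3849 documentation ranges, constructed here) are assumptions for illustration, not AS62904's real announcements.

```python
"""Build an ipset block list from an ASN prefix list (added example, not from the thread).

Assumptions: the downloaded list is one CIDR per line (blank lines and '#'
comments allowed); the live set is named "asn-block" and is matched by an
iptables DROP rule on INPUT. Sample prefixes are documentation ranges,
constructed for this example.
"""
import ipaddress

# Constructed sample resembling a downloaded prefix list: a comment line,
# a duplicate, an overlapping more-specific prefix, an IPv6 entry and junk.
SAMPLE_PREFIX_LIST = """\
# prefixes announced by AS<placeholder>
203.0.113.0/24
203.0.113.0/25
198.51.100.0/24
198.51.100.0/24
192.0.2.64/26
2001:db8:abcd::/48
not-a-prefix
"""


def parse_prefixes(text):
    """Parse CIDR lines, skip invalid ones, and collapse duplicates/overlaps.

    Returns (ipv4_networks, ipv6_networks), each a sorted list of ip_network
    objects. strict=False masks off host bits (e.g. "10.0.0.1/24" -> 10.0.0.0/24)
    instead of rejecting the line.
    """
    v4, v6 = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # not a valid CIDR; skip rather than abort the whole list
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges duplicates and prefixes contained in others
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def ipset_restore(name, nets, family):
    """Return `ipset restore` input that refreshes a hash:net set atomically.

    A temporary set is created, flushed and filled, then swapped with the live
    set and destroyed, so the live set is replaced in one step.
    """
    tmp = f"{name}-tmp"
    lines = [
        f"create {name} hash:net family {family} -exist",
        f"create {tmp} hash:net family {family} -exist",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {net.with_prefixlen} -exist" for net in nets]
    lines += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def iptables_rule(name):
    """The single iptables rule that drops anything whose source is in the set."""
    return f"iptables -I INPUT -m set --match-set {name} src -j DROP"


def is_blocked(v4, v6, ip_text):
    """Offline check: would this source address fall inside the block list?"""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable input is simply 'not matched'
    nets = v4 if ip.version == 4 else v6
    return any(ip in net for net in nets)


if __name__ == "__main__":
    v4, v6 = parse_prefixes(SAMPLE_PREFIX_LIST)
    # Feed this to `ipset restore` (as root) and add the rule once:
    print(ipset_restore("asn-block", v4, "inet"), end="")
    print(ipset_restore("asn-block6", v6, "inet6"), end="")
    print(iptables_rule("asn-block"))
```

Re-running the script against a freshly downloaded list is the whole refresh: the swap keeps the old entries live until the new set is complete, and `-exist` makes every line idempotent. Note that 203.0.113.0/25 collapses into 203.0.113.0/24 and the duplicate 198.51.100.0/24 appears once, which keeps the hash:net set small even when the upstream list is sloppy.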