AbuseIPDB

RJM62

I've been a member of AbuseIPDB (who maintain a database of IP addresses used by malicious actors) since 2015, but never really did much with it until last week. I had a forum once that used their database, but that forum is now defunct.

Last week I decided to get active in AbuseIPDB again. I wrote some scripts to report hits on non-existent CMS pages (miscreants sniffing for "wp-login.php" for example), as well as to report all the IP addresses my firewalls blocked for whatever triggers. I tested the scripts on one server that hosts only my own sites, then implemented it on the others yesterday and this morning.

This is what the scripts have caught and reported so far:

https://www.abuseipdb.com/user/5688

It's pretty mind-boggling.

Rich
 
I have blocked vast swaths of China, Eastern Europe, Africa, India, and South America using iptables. I'm getting much less spam and far fewer attacks now, but it's still a more or less constant onslaught.

I do have one commercial site hosted on my server. As soon as I get him kicked off, I'm just going to block every network I find assigned to APNIC, RIPE, LACNIC, and AfriNIC.
 
If someone figures out how to block VoIP with spoofed caller ID from India from hitting my phone, I'm in!
I'm old enough to remember when simple computer viruses were thought never to become a widespread threat, let alone attacks over a network. Not that we had a network, besides between our businesses on T1 lines.
 
I have blocked vast swaths of China, Eastern Europe, Africa, India, and South America using iptables. I'm getting much less spam and far fewer attacks now, but it's still a more or less constant onslaught.

I do have one commercial site hosted on my server. As soon as I get him kicked off, I'm just going to block every network I find assigned to APNIC, RIPE, LACNIC, and AfriNIC.

I do have some advertisers in Asia, so I can't block whole countries anymore. Except for the worst offenders, I also don't block IP addresses or netblocks for more than an hour. The repeat offenders usually get blocked for a day. I have very, very few truly permanent blocks.

Rich
 
Wow. That's quite a collection of flags.

:(

It's even more mind-boggling when you consider that with the exception of the CMS honeypot hits, those are IPs that the firewalls blocked, which means they were multiple failed login attempts or distributed attacks. Also, if the same IP attacks more than one of the servers within 15 minutes (not unusual because they're in the same datacenter and netblock), they're only reported for the first block in that 15-minute span.

The CMS attempts are reported after a single hit. The odds of an innocent, random person accidentally trying to access a non-existent CMS login page on a site they don't own are pretty low; and even if they did, it wouldn't mean anything. One false report of an innocent IP acting in what appears to be a malicious manner won't have any consequences because the confidence rate would only be about 4 or 5 percent. No one blocks RBL IPs with confidence rates that low.

I do tempblock them, however, after one hit on the non-existent login pages on my own servers, and permblock them if they reoffend.

Rich
 
I'm using a shell script to download the blacklist from AbuseIPDB to a dotted directory on one server every hour. That dotted directory is accessible only to my other servers, and CSF on those servers obtains the file from that directory rather than downloading it from AbuseIPDB.

The parameters I'm using right now (I'm still tweaking them) select only those IP addresses with 100 percent confidence and 200 or more reports, the oldest of which have to have been reported in the past 7 days. It tends to filter out the ephemeral anonymous proxies in favor of more persistently-abused IP addresses. Most of them are schools and colleges in third-world countries, schools and colleges in current or former communist countries, and a handful of ISPs and data centers with exceptionally poor policing (also mainly overseas, although we have a few here, too).

Code:
#!/bin/bash
# Keep a copy of the current list in case the download turns out to be bad.
cp -f /path/to/.blacklist/file.txt /path/to/.blacklist/file.bak
# Fetch the plain-text blacklist using the chosen thresholds.
curl -G https://api.abuseipdb.com/api/v2/blacklist \
    -d countMinimum=200 \
    -d maxAgeInDays=7 \
    -d confidenceMinimum=100 \
    -H "Key: api-key-goes-here" \
    -H "Accept: text/plain" > /path/to/.blacklist/file.txt
# A response under 2000 bytes is an error message, gibberish, or empty: restore the backup.
size=$(stat -c%s /path/to/.blacklist/file.txt)
min="2000"
if [[ $size -lt $min ]]; then
    cp -f /path/to/.blacklist/file.bak /path/to/.blacklist/file.txt
fi
exit

What the script does is first back up the current blacklist file, get the new one, and overwrite the current one with the new one. But if the new one is smaller than 2000 bytes, it restores the backed-up version. A cron entry runs it every hour.

The reason I'm doing it this way is that once in a while the server vomits and returns either an error message, gibberish, or an empty file. Checking the file size -- it should always be greater than 4K using those parameters -- protects against all three possibilities. Checking the response code didn't work for the invalid files with successful response codes.

Checking the file size doesn't protect against a larger file that's gibberish, but that hasn't happened yet. This is still a work in progress, though, so I'm pondering ways to identify a properly-sized but invalid file and restore from backup in that event, even though it hasn't happened yet.

Saving the file to the one server and making it available to the others is just a courtesy to reduce the requests on AbuseIPDB's server. I have a paid account, so I could call it from each server; but that would be a waste of their resources.

CSF on the other servers imports the list to IPTABLES by way of a custom entry in /etc/csf/csf.blocklists on each server:

Code:
# AbuseIPDB Blacklist
ABUSEIPDB|3600|1000|https://path/to/.blacklist/file.txt

The capitalized entry is the name by which CSF knows the blacklist. 3600 is one hour. 1000 is the maximum IPs to import (there are usually around 275 using the current parameters, but it will import as many as 1,000 if they're there).

So far this has worked flawlessly, but it's still a work-in-progress.

Rich
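An added example (not the poster's script) for the "properly-sized but invalid file" case discussed above: it checks that every non-blank line of the download is an IPv4 or IPv6 address and that there are at least a minimum number of them, and only then swaps the download in for the live list. It assumes the text/plain endpoint returns one address per line; the paths and thresholds are placeholders.

```shell
#!/bin/bash
# Added example, not the poster's own script. Reject a downloaded AbuseIPDB
# blacklist that is the right size but wrong content (HTML error page, JSON
# error body, truncated output) before it replaces the live copy.
# Assumes the text/plain endpoint returns one IP address per line, IPv4 or IPv6.

# Return 0 if every non-blank line in $1 is an IP address and there are at
# least $2 of them; return 1 otherwise.
validate_blacklist() {
    file=$1; min=$2
    [ -s "$file" ] || return 1          # missing or empty file

    ipv4='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
    ipv6='^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){2,7}$'

    # Any line that is neither an address nor blank marks the file as invalid.
    if grep -Ev "$ipv4|$ipv6|^$" "$file" | grep -q .; then
        return 1
    fi

    # Count the address lines (grep -c exits 1 on zero matches; tolerate that).
    n=$(grep -Ec "$ipv4|$ipv6" "$file" || true)
    [ "$n" -ge "$min" ]
}

# Replace the live list $2 with the downloaded file $1 only if it validates;
# otherwise discard the download and leave the live list untouched.
install_blacklist() {
    new=$1; live=$2; min=$3
    if validate_blacklist "$new" "$min"; then
        mv -f "$new" "$live"
        return 0
    fi
    rm -f "$new"
    return 1
}

# Usage in the hourly cron job (placeholder paths):
#   curl ... > /path/to/.blacklist/file.new
#   install_blacklist /path/to/.blacklist/file.new /path/to/.blacklist/file.txt 100
```

Because the download goes to a separate file and is only moved into place after it passes, the backup copy in the original script is no longer needed for the restore step.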
 
I run another forum using XenForo (similar to here). It wasn't up for more than a couple of days when I got account creation attempts blocked by one of these databases (this is after they have to go through a more than random vetting: CAPTCHA and giving a zip code that equates to one of the six states we permit members in).
 
I would like to be able to stop getting spam emails from anyone.

I'm convinced that if you report spam long enough and don't munge the reports, you get on some sort of database of email addresses who report spam, and they don't send you so much any more. I've been using Mail Washer Pro for years and have reported about 100,000 spams, and I get very few these days. Sometimes several days pass without a single one.

Rich
 
But is that because they got caught in the filter? I regularly report as well, but my mail provider rejects more messages than get delivered. The bulk come from the invaluementSIP list.
 
I haven't run actual numbers, but my mail server rejects FAR more emails than it accepts. Probably 100:1, or not too far from it. Most recently I've blocked a long list of either new or bogus TLDs (and I really Do Not Care(tm) which).

/^From:.*@.*\.io>/ REJECT
/^From:.*@.*\.work>/ REJECT
/^From:.*@.*\.date>/ REJECT
/^From:.*@.*\.world>/ REJECT
/^From:.*@.*\.gdn>/ REJECT
/^From:.*@.*\.ooo>/ REJECT
/^From:.*@.*\.life>/ REJECT
/^From:.*@.*\.ltd>/ REJECT
/^From:.*@.*\.men>/ REJECT
/^From:.*@.*\.club>/ REJECT
/^From:.*@.*\.space>/ REJECT
/^From:.*@.*\.fun>/ REJECT
/^From:.*@.*\.country>/ REJECT
/^From:.*@.*\.download>/ REJECT
/^From:.*@.*\.xin>/ REJECT
/^From:.*@.*\.jetzt>/ REJECT
/^From:.*@.*\.vip>/ REJECT
/^From:.*@.*\.ren>/ REJECT
/^From:.*@.*\.kim>/ REJECT
/^From:.*@.*\.mom>/ REJECT
/^From:.*@.*\.perty>/ REJECT
/^From:.*@.*\.wang>/ REJECT
/^From:.*@.*\.accountants>/ REJECT
/^From:.*@.*\.cu>/ REJECT
/^From:.*@.*\.icu>/ REJECT
/^From:.*@.*\.reviews>/ REJECT
/^From:.*@.*\.review>/ REJECT
/^From:.*@.*\.faith>/ REJECT
/^From:.*@.*\.racing>/ REJECT
/^From:.*@.*\.trade>/ REJECT
/^From:.*@.*\.stream>/ REJECT
/^From:.*@.*\.win>/ REJECT
/^From:.*@.*\.cricket>/ REJECT
/^From:.*@.*\.webcam>/ REJECT
/^From:.*@.*\.loan>/ REJECT
/^From:.*@.*\.top>/ REJECT
/^From:.*@.*\.live>/ REJECT
/^From:.*@.*\.bid>/ REJECT
/^From:.*@.*\.online>/ REJECT
 
Blocking by domain is largely specious. Looking at my blocked spam reports, most of it comes from com and org domains, with a smaller amount coming from a few of the two letter country tlds (ru, it, nz, co, pw). Of these pw was the only one with more than a spattering of spam. I don't see any of the domains you list in my traps.
 
But is that because they got caught in the filter? I regularly report as well, but my mail provider rejects more messages than get delivered. The bulk come from the invaluementSIP list.

The bulk that my server's spam filters reject are to throwaway addresses or other non-existent addresses. Mainly dictionary spam. Recently there's been an uptick in the "I hacked your password" scams from one of the breaches (probably Adobe or LinkedIn), but that's about it.

I'm using SpamAssassin at the MTA and the Spamcop, DShield, and AbuseIPDB RBLs at the firewalls. Nothing fancy.

Rich
 
Spamhaus is very good if you update often, but you also get a lot of false positives.

Rich
 
Blocking by domain is largely specious. Looking at my blocked spam reports, most of it comes from com and org domains, with a smaller amount coming from a few of the two letter country tlds (ru, it, nz, co, pw). Of these pw was the only one with more than a spattering of spam. I don't see any of the domains you list in my traps.
Not specious at all. SpamAssassin and Postgrey do a lot of the heavy lifting, with much more done with a 600-plus-line header_checks and over 250 lines in body_checks. There are even a couple of MIME headers I block now, like "filename=*.ace". Every spam email that makes it through gets looked at (before reporting) to see how I can block more like it.

Mar 18 08:10:42 reject: header From: "Alpha Male" <AlphaMale@keepsecretarm.trade>
Mar 18 08:28:00 reject: header From: "Concealed Ankle Holster" <ConcealedAnkleHolster@superfiqureformula.stream>
Mar 18 08:41:17 reject: header From: "Power Efficiency Guide" <PowerEfficiencyGuide@superhotgirl.review>
Mar 18 09:52:16 reject: header From: "Russian Girl For U" <RussianGirlForU@solarrevolution.faith>
Mar 20 08:20:45 reject: header From: "Microsoft flight sim x" <Microsoftflightsimx@painreliefbody.bid>
Mar 20 08:54:36 reject: header From: "Your back pain" <Yourbackpain@removepianfast.win>
Mar 20 09:35:19 reject: header From: "Diy Smart Saw" <DiySmartSaw@painindependence.men>
Mar 20 09:58:52 reject: header From: "Fat-Flushing Herb" <Fat-FlushingHerb@prepaireyepeoduct.review>
Mar 20 12:59:54 reject: header From: "Sexy Girl" <SexyGirl@planningdailydiet.loan>
Mar 21 04:02:16 reject: header From: "Online-Roofing-Quotes" <Online-Roofing-Quotes@summerroofingus.bid>
Mar 21 14:51:52 reject: header From: "Domain Service" <info@rspshow.icu>
Mar 21 19:03:53 reject: header From: "Life Time Insider" <noreply@emails.lifetime.life>
Mar 22 09:54:39 reject: header From: "Domain Service" <info@ps0320.vtimableare.icu>
 
Recently there's been an uptick in the "I hacked your password" scams from one of the breaches (probably Adobe or LinkedIn), but that's about it.
Those are getting annoying. I put a filter in that eradicated the text version, but now it's an image. Fortunately, so far they've been stupid enough to use an easily predictable image filename.
 