Find zombies in your netspace

More and more spammers, and yes, even linkspammers, are using zombies to spam from. From my vantage point, I’d say cutting down on zombies and proxies should be a goal.

There’s one list that zombies often end up on, the one at dnsstuff.com. I don’t know why, but those lists seem quite full (though I’m sure there are more zombies not on those lists). They’ll also list open proxies, which is bad as well.

And there’s a way to keep an eye on your own IP space (let’s say you’re an ISP, webhost or IP block owner). And don’t think you won’t be listed even if you have no end users. Servers can and will be infected and misconfigured. Keep this link handy, and check it often:

http://www.dnsstuff.com/tools/banned.ch?ip=xx.xx.0.0/16

Where xx.xx stands for the first two octets of your IP block (the /16 you own).

The site is unfortunately down today, but I checked Google’s cache, and found quite a few listed for various blocks.

This method is crude enough you’ll see your IP space neighbor’s zombies as well. But it’s still a good tool. Do you guys know of any other tools such as this one?

I’ve tried several RBLs, but they don’t display results unless you search for the specific IP number that’s listed. There’s no wildcard search, which would have been useful for network admins.
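The wildcard search the RBLs lack can be approximated from the admin side by walking your own block and issuing the standard reversed-octet DNSBL lookup for each address. The script below is an added example written for this post, not code from the original; the zone name dnsbl.example.invalid is a placeholder you would replace with the list you actually query, and the listed addresses in the sample data are constructed (documentation ranges) so the sweep can be demonstrated offline with a fake resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Placeholder zone (assumption): substitute the DNSBL you actually want to check against.
DNSBL_ZONE = "dnsbl.example.invalid"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet query name a DNSBL expects.

    192.0.2.1 against zone Z becomes 1.2.0.192.Z; a listed address answers
    with an A record in 127.0.0.0/8 whose last octet encodes the listing reason.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolve(name: str) -> Optional[str]:
    """Resolve a query name over real DNS; None means 'not listed' (NXDOMAIN or lookup failure)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def sweep_block(cidr: str, resolve: Callable[[str], Optional[str]],
                zone: str = DNSBL_ZONE) -> Dict[str, str]:
    """Query every host address in the block and return {ip: answer} for listed ones.

    The resolver is injected so the sweep can be tested offline; pass live_resolve
    for a real run. A /24 is 254 queries; a /16 is 65k, so pace large sweeps and
    respect the list operator's published query limits.
    """
    network = ipaddress.IPv4Network(cidr, strict=False)
    listed: Dict[str, str] = {}
    for host in network.hosts():
        answer = resolve(dnsbl_query_name(str(host), zone))
        if answer is not None:
            listed[str(host)] = answer
    return listed


# Constructed sample data: two hosts in the 203.0.113.0/24 documentation range
# pretend to be listed, with typical 127.0.0.x reason codes.
CONSTRUCTED_LISTINGS = {
    "203.0.113.7": "127.0.0.2",
    "203.0.113.200": "127.0.0.4",
}
_FAKE_ZONE_DATA = {dnsbl_query_name(ip): code for ip, code in CONSTRUCTED_LISTINGS.items()}


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for DNS: answers only for the constructed listings above."""
    return _FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    # Demonstration against the constructed data; swap in live_resolve to sweep a real block.
    for ip, code in sweep_block("203.0.113.0/24", fake_resolve).items():
        print(f"{ip} listed ({code})")
```

The reason code in the answer (127.0.0.2, 127.0.0.4 and so on) is list-specific, so keep the raw answer and map it to a meaning using the operator's documentation rather than assuming one list's codes apply to another. Run the sweep on a schedule and diff the results; a newly listed address inside your space is the signal that a host has started behaving like a zombie or an open proxy.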

I did find another way to test IP blocks. But this is ONLY related to e-mail, and only shows which servers are used for e-mail. So at most it will help you figure out whether an IP number that shouldn’t send e-mail actually does anyway.

Search this address for an IP address in your block. For instance:
http://www.senderbase.org/search?searchString=xx.xx.xx.1
You’ll see all servers they’ve detected sending mail in that /24 (C-block). So for those with large net blocks, it’s quite a chore. You’ll have to do it all over again for each /24.

Update: DShield has a list of IP ranges and attackers coming from them. Look up your IP ranges here.
