Finally Happened - Blocking a Microsoft Subnet
Today the blog was spammed from an IP that DNS resolves back to a Microsoft corporate subnet. It was Chinese-language spam, if that means anything. I expect this from Joe’s Pizza of San Joaquin, but not from Microsoft.
I added another rule to the firewall, which already has a few thousand similar rules.
/sbin/iptables -I INPUT -s 168.61.0.0/16 -j DROP
I hate having to block large subnets, but if they can’t keep their network free from botnets, I don’t want them visiting my little blog.
The actual offending IP is 168.61.72.70, so if someone from MS wants to respond with a little more data, I’d love to hear it. I have no idea what that machine is, since even running an nmap against it could get me into trouble. It could be a honeypot run by MS. I don’t know.
Subnet blocked. Sorry Microsoft.
Am I being too harsh? What would you do?
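With a few thousand rules in the chain, answering "is this address blocked, and by which rule?" is worth scripting rather than eyeballing. Added example (not the blog's own code): it parses a constructed sample of `iptables -S INPUT` output in the same shape as the rule above and walks it top-down the way the kernel does; only rules carrying a `-s` source match are considered.

```python
import ipaddress
import re

# Constructed sample of `iptables -S INPUT` output. The 168.61.0.0/16 entry
# is the rule from the post; the remaining prefixes are made up for the example.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -s 168.61.0.0/16 -j DROP
-A INPUT -s 2.219.15.0/24 -j DROP
-A INPUT -s 199.19.0.0/16 -j DROP
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

# Matches "-A INPUT ... -s <prefix> ... -j <target>"; rules without -s are skipped.
RULE_RE = re.compile(r"^-A INPUT .*?-s (\S+) .*?-j (\w+)")


def parse_source_rules(dump):
    """Return (network, target) tuples, in chain order, for INPUT rules with a -s match."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(m.group(1), strict=False)
        rules.append((net, m.group(2)))
    return rules


def first_match(ip, rules):
    """iptables stops at the first terminating match; return that (network, target) or None."""
    addr = ipaddress.ip_address(ip)
    for net, target in rules:
        if addr in net:
            return net, target
    return None


if __name__ == "__main__":
    rules = parse_source_rules(SAMPLE_RULES)
    for ip in ("168.61.72.70", "2.50.1.1", "199.19.20.5"):
        hit = first_match(ip, rules)
        print(ip, "->", f"{hit[1]} by {hit[0]}" if hit else "no source-match rule")
```

On a live box, replace SAMPLE_RULES with the output of `iptables -S INPUT` (run as root) to check a visitor's address against the real chain.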
Have you blocked United Arab Emirates too? I’m unable to visit your blog. Currently doing so by connecting to my US based VPN.
I’m blocking thousands of subnets due to blog spam. I don’t think AE as a country is blocked, but there are specific subnets from almost everywhere in the world being blocked. I haven’t blocked an entire country in years.
There are huge subnets in the USA blocked as well – lots of blog spam originates here, though most of it comes from small-to-medium sized webhosts.
If you post a specific IP, I can look up if it is blocked. I’ll hide the IP before posting the comment and try to unblock that specific subnet.
I’d also point out that IP-geographic location maps are not the best, so the block for another country might include the AE too.
My current IP is 2.50.xx.xx but this is a dynamic IP.
I spent the last 10 minutes checking and I am NOT blocking that subnet. It could simply be a TTL issue due to the network hops between your home and my server.
Could that be it?
BTW, according to my country-based block lists, that subnet is in France, which I do not block.
Further, I checked whether a specific block was added for any 2.x.x.x addresses. There is one, but it is on 2.219.15.0/24.
If you are seeing an error page – perhaps a 403 error and not just completely dropped packets – let me know.
Sorry I don’t have a better answer.
When I ping blog.jdpfu.com the corresponding IP address I get is 50.73.91.145, TTL is 41 and time is between 250-300ms. There are no dropped packets. Also I don’t get a 403 error. The connection just times out.
That is the correct IP. 41 TTL is high, right? I thought in the old days the default setting was 30 on many OSes? OTOH, I see ttl of 64 is the setting on my Ubuntu boxes.
I’ll check the router and turn up logging on the system firewall so I get some data. I’m not seeing any logs with any blocks happening on the system. Nothing in the nginx logs either. I don’t think you are getting that far into the sw stack.
The router shows your IP being passed to the nginx reverse proxy IP.
kernel: ACCEPT IN=vlan1
Everything looks fine on the router. Hummmm.
Nginx logs don’t show anything from that IP, which means iptables has to be the blocking point, but I’ve reviewed all the settings and don’t see anything related to your subnet.
Dumping the actual running tables now – that takes a while since there are thousands of rules.
Thanks for your help! We should be able to figure this out. I’m flattered that anyone would want to read my crap enough to bring up the issues.
Quick update
I can access your blog from home (IP 92.98.x.x) but at work (IP 2.50.x.x) I can’t.
So, I have to ask. Why do your posts appear to be from 199.19.2x.x and not from the IP at home?
I definitely do block some 199.19.x.x subnets. Blog spammers, just not the specific subnet your proxy seems to use … er … yet.
That’s the public IP of my VPS on which I run a squid proxy and OpenVPN server (please hide it!)
I generally do my surfing at work :P Home is for watching TV shows and the occasional movie. That’s why I hadn’t noticed that your blog was accessible at home. The internet is like heavily blocked here in the UAE. Always thought they had a messed up config!