• Pesky Mail Slammer

    From Daryl Stout@1:103/705 to All on Mon Jul 20 23:40:00 2020
    I've got a pesky email port slammer, using the email of
    0@synchro.net (a bunch of other stuff has been before the
    @synchro.net as well).

    I have the IP blocked, but it's nonstop trying to connect. The
    IP doesn't get in, and the IP address starts with 212. I'm not
    sure what country that is offhand, but if anyone knows, I'll add
    it to Peerblock.

    I also had to change the SSH and QOTD ports to "non-conventional"
    values, due to them being repeatedly slammed. I also discovered
    that logging on via SSH will BYPASS the CAPTCHA option.

    Daryl

    ... This tagline is freeware; future support is unavailable.
    --- MultiMail/Win v0.52
    ■ Synchronet ■ The Thunderbolt BBS - tbolt.synchro.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mike Powell@1:103/705 to DARYL STOUT on Tue Jul 21 16:29:00 2020
    I've got a pesky email port slammer, using the email of
    0@synchro.net (a bunch of other stuff has been before the
    @synchro.net as well).

    I have the IP blocked, but it's nonstop trying to connect. The
    IP doesn't get in, and the IP address starts with 212. I'm not
    sure what country that is offhand, but if anyone knows, I'll add
    it to Peerblock.

    I also had to change the SSH and QOTD ports to "non-conventional"
    values, due to them being repeatedly slammed. I also discovered
    that logging on via SSH will BYPASS the CAPTCHA option.

    Are you sure that it is not email that someone is trying to forward through Rob's system to yours?


    * SLMR 2.1a * Aibohphobia, n. -- the fear of palindromes.

    ---
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Daryl Stout@1:103/705 to Mike Powell on Wed Jul 22 12:00:00 2020
    Mike Powell wrote to DARYL STOUT <=-

    I've got a pesky email port slammer, using the email of
    0@synchro.net (a bunch of other stuff has been before the
    @synchro.net as well).

    I have the IP blocked, but it's nonstop trying to connect. The
    IP doesn't get in, and the IP address starts with 212. I'm not
    sure what country that is offhand, but if anyone knows, I'll add
    it to Peerblock.

    I also had to change the SSH and QOTD ports to "non-conventional"
    values, due to them being repeatedly slammed. I also discovered
    that logging on via SSH will BYPASS the CAPTCHA option.

    Are you sure that it is not email that someone is trying to forward through Rob's system to yours?

    Well, I can take the block off, but it is slamming the deal nonstop.

    Daryl

    ... MultiMail, the new multi-platform, multi-format offline reader!
    --- MultiMail/Win v0.52
    ■ Synchronet ■ The Thunderbolt BBS - tbolt.synchro.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mike Powell@1:103/705 to DARYL STOUT on Thu Jul 23 15:00:00 2020
    Are you sure that it is not email that someone is trying to forward through Rob's system to yours?

    Well, I can take the block off, but it is slamming the deal nonstop.

    That is up to you but it was just a thought. It could be that someone's
    system has been compromised or that someone is spoofing the domain, too.


    * SLMR 2.1a * ...Jupiter, Uranus, Neptune, Pluto, Mickey, Goofey...

    ---
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Nelgin@1:103/705 to Daryl Stout on Fri Jul 24 04:00:59 2020
    Daryl wrote:
    I've got a pesky email port slammer, using the email of
    0@synchro.net (a bunch of other stuff has been before the
    @synchro.net as well).

    I have the IP blocked, but it's nonstop trying to connect. The
    IP doesn't get in, and the IP address starts with 212. I'm not
    sure what country that is offhand, but if anyone knows, I'll add
    it to Peerblock.

    I also had to change the SSH and QOTD ports to "non-conventional"
    values, due to them being repeatedly slammed. I also discovered
    that logging on via SSH will BYPASS the CAPTCHA option.

    212 is a RIPE address so could be owned by anyone.

    Just block it at your firewall with iptables, ufw, or whatever you use; then it won't even reach your system. Use your router's internal firewall if possible; then it won't even reach your computer.

    ---
    ■ Synchronet ■ End Of The Line BBS - endofthelinebbs.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Daryl Stout@1:103/705 to Mike Powell on Thu Jul 23 23:25:00 2020
    Mike,

    Are you sure that it is not email that someone is trying to forward through Rob's system to yours?

    Well, I can take the block off, but it is slamming the deal nonstop.

    That is up to you but it was just a thought. It could be that
    someone's system has been compromised or that someone is spoofing the domain, too.

    I think it's the latter. It tried another handle/set of characters
    prior to @synchro.net -- along with a real funky password. When it
    entered the deal, the system put it on a temporary 10 day ban...and
    so, I blocked the IP altogether. The individual is not even a user here.

    Daryl

    ... All computers wait at the same speed.
    --- MultiMail/Win v0.52
    ■ Synchronet ■ The Thunderbolt BBS - tbolt.synchro.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Daryl Stout@1:103/705 to Nelgin on Fri Jul 24 13:19:00 2020
    212 is a RIPE address so could be owned by anyone.

    Just block it at your firewall with iptables, ufw, or whatever you use;
    then it won't even reach your system. Use your router's internal
    firewall if possible; then it won't even reach your computer.

    Unfortunately, the way Synchronet is set up (unless it has changed),
    only the last part of the IP can be "wild carded" with an asterisk.

    I don't know of a function in Peerblock to block the individual IPs,
    but I can block it by country.

    The thing is, when I clicked on "Help" and "Documentation" in the
    program, I got a message noting "this domain name has expired".

    Daryl

    ... An Electrician gets into people's shorts!
    --- MultiMail/Win v0.52
    ■ Synchronet ■ The Thunderbolt BBS - tbolt.synchro.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Digital Man@1:103/705 to Daryl Stout on Fri Jul 24 14:22:14 2020
    Re: Re: Pesky Mail Slammer
    By: Daryl Stout to Nelgin on Fri Jul 24 2020 01:19 pm

    212 is a RIPE address so could be owned by anyone.

    Just block it at your firewall with iptables, ufw, or whatever you use; then it won't even reach your system. Use your router's internal firewall if possible; then it won't even reach your computer.

    Unfortunately, the way Synchronet is set up (unless it has changed),
    only the last part of the IP can be "wild carded" with an asterisk.

    You can block a range of IP addresses using wildcards like so:
    192.168.*
    or 192.168/16

    or even:
    212.*
    or 212/24



    digital man

    Synchronet/BBS Terminology Definition #80:
    TLS = Transport Layer Security (successor to SSL)
    Norco, CA WX: 80.9°F, 51.0% humidity, 10 mph ENE wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.11-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Nelgin@1:103/705 to Daryl Stout on Sat Jul 25 04:50:41 2020
    Re: Re: Pesky Mail Slammer
    By: Daryl Stout to Nelgin on Fri Jul 24 2020 13:19:00

    I don't know of a function in Peerblock to block the individual IPs,
    but I can block it by country.

    Are you using Linux?

    ---
    ■ Synchronet ■ End Of The Line BBS - endofthelinebbs.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Daryl Stout@1:103/705 to Digital Man on Sat Jul 25 11:35:00 2020
    Rob,


    You can block a range of IP addresses using wildcards like so:
    192.168.*
    or 192.168/16

    or even:
    212.*
    or 212/24

    I wasn't aware of that...thanks. The IP isn't getting in, but it
    is likely "filling up the log". It's spoofing the email with any
    number of letters and numbers before "@synchro.net", then using a
    funky password. For now, I've blocked that main IP, so it's not
    getting in.

    Daryl

    ... Effective cure for being a twit -- become a Sysop!!
    --- MultiMail/Win v0.52
    ■ Synchronet ■ The Thunderbolt BBS - tbolt.synchro.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Daryl Stout@1:103/705 to Nelgin on Sat Jul 25 11:36:00 2020
    I don't know of a function in Peerblock to block the individual IPs,
    but I can block it by country.

    Are you using Linux?

    No...Windows 10 32-bit on the BBS computer (so I wouldn't lose the legacy doors), but Windows 10 64-bit on the laptop, where I logon via SyncTerm to
    play the doors and do my QWK Mail, plus all my amateur radio and square
    dancing related items.

    Daryl

    ... I eat merely to put food out of my mind. -N.F. Simpson
    --- MultiMail/Win v0.52
    ■ Synchronet ■ The Thunderbolt BBS - tbolt.synchro.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Gamgee@1:103/705 to Daryl Stout on Sat Jul 25 22:40:00 2020
    Daryl Stout wrote to Digital Man <=-

    You can block a range of IP addresses using wildcards like so:
    192.168.*
    or 192.168/16

    or even:
    212.*
    or 212/24

    I wasn't aware of that...thanks.

    For further light reading:

    http://wiki.synchro.net/config:filter_files



    ... If it walks out of your refrigerator, let it go.
    --- MultiMail/Linux v0.52
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Nelgin@1:103/705 to Daryl Stout on Sun Jul 26 02:19:37 2020
    Re: Re: Pesky Mail Slammer
    By: Daryl Stout to Nelgin on Sat Jul 25 2020 11:36:00

    No...Windows 10 32-bit on the BBS computer (so I wouldn't lose the legacy doors), but Windows 10 64-bit on the laptop, where I logon via SyncTerm to play the doors and do my QWK Mail, plus all my amateur radio and square dancing related items.

    I just installed Peerblock on a Win7 VM and it looks pretty easy. Not sure what version you have but I don't imagine it will be much different.

    Click List Manager from the peerblock window
    Click "Create List" near the bottom
    Give the list a name like "My Blocked IPs"
    Click "Browse" to pick a location and filename, like myblockedips.p2p
    Click "Save".
    Type "Block" should automatically be selected so click OK

    In the list window select "Add"

    You'll get a List window popup
    Click "Add" then enter a range.
    Click on range and enter a name, then click on the start and end ips
    Hit enter and repeat. Click Save when done.

    That should block the IPs before they get to sbbs. Alternatively you can use Windows Firewall to block individual ips.

    ---
    ■ Synchronet ■ End Of The Line BBS - endofthelinebbs.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
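
    An added example, not part of any post in this thread and not Synchronet or PeerBlock code: it expands trailing-wildcard and full dotted-quad CIDR patterns like those in Digital Man's post into explicit start/end ranges, and formats them as the `name:start-end` lines typed by hand in the PeerBlock steps above. It assumes standard CIDR semantics and the PeerGuardian-style plain-text layout for `.p2p` lists; all function names and the sample source addresses are constructed for illustration.

```python
import ipaddress

def pattern_to_range(pattern):
    """Return (first, last) IPv4Address for a trailing-wildcard, CIDR or single-IP pattern."""
    pattern = pattern.strip()
    if "/" in pattern:
        # Full dotted-quad CIDR only; strict=True rejects stray host bits.
        net = ipaddress.IPv4Network(pattern, strict=True)
        return net.network_address, net.broadcast_address
    octets = pattern.split(".")
    if octets[-1] == "*":
        fixed = octets[:-1]
        if not 1 <= len(fixed) <= 3 or "*" in fixed:
            raise ValueError(f"unsupported wildcard pattern: {pattern!r}")
        pad = 4 - len(fixed)
        low = ipaddress.IPv4Address(".".join(fixed + ["0"] * pad))
        high = ipaddress.IPv4Address(".".join(fixed + ["255"] * pad))
        return low, high
    addr = ipaddress.IPv4Address(pattern)  # single address
    return addr, addr

def range_size(pattern):
    """Number of addresses a pattern covers, to see how broad a block is."""
    first, last = pattern_to_range(pattern)
    return int(last) - int(first) + 1

def to_p2p_line(label, pattern):
    """Format one list entry as label:start-end (assumed .p2p text layout)."""
    if ":" in label:
        raise ValueError("label must not contain ':' (it is the field separator)")
    first, last = pattern_to_range(pattern)
    return f"{label}:{first}-{last}"

def covered(ip, patterns):
    """True if ip falls inside any of the given patterns."""
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in map(pattern_to_range, patterns))

if __name__ == "__main__":
    patterns = ["192.168.*", "212.*"]             # patterns quoted in the thread
    sample_sources = ["212.45.6.7", "213.0.0.1"]  # constructed addresses
    for p in patterns:
        print(to_p2p_line("My Blocked IPs", p), f"({range_size(p)} addresses)")
    for ip in sample_sources:
        print(ip, "blocked" if covered(ip, patterns) else "not blocked")
```

    Under these semantics `212.*` spans 16,777,216 addresses (a whole /8), so when the log shows one persistent source, a single-address or narrow range entry blocks it without cutting off unrelated hosts.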
  • From Daryl Stout@1:103/705 to Nelgin on Sun Jul 26 18:32:00 2020
    I just installed Peerblock on a Win7 VM and it looks pretty easy. Not sure what version you have but I don't imagine it will be much different.

    I think it's the latest one. But, I reply on my laptop, which is in my bedroom. The BBS is on what was my late Mom's computer.

    Click List Manager from the peerblock window
    Click "Create List" near the bottom
    Give the list a name like "My Blocked IPs"
    Click "Browse" to pick a location and filename, like myblockedips.p2p
    Click "Save".
    Type "Block" should automatically be selected so click OK

    In the list window select "Add"

    You'll get a List window popup
    Click "Add" then enter a range.
    Click on range and enter a name, then click on the start and end ips
    Hit enter and repeat. Click Save when done.

    That should block the IPs before they get to sbbs. Alternatively you
    can use Windows Firewall to block individual ips.

    Thanks for the info...I'll save that, and do it on the BBS computer
    tomorrow. I'm busy with ham radio traffic nets this evening.

    Daryl

    ... Effective cure for being a twit -- become a Sysop!!
    --- MultiMail/Win v0.52
    ■ Synchronet ■ The Thunderbolt BBS - tbolt.synchro.net
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)