HenrysCat, posted March 26, 2020:
How up to date are the IP lists used? We block China but still get email from there. This IP, 114.101.17.197, sent 12 emails last night and it traces back to China.
itman, posted March 26, 2020:
1 hour ago, HenrysCat said: "We block China but still get email from there, this IP 114.101.17.197"
CHINANET Anhui PROVINCE NETWORK, China Telecom, No.31, Jingrong Street, Beijing 100032
It's a backbone server, CHINANET-BACKBONE No.31, Jin-rong Street. As such, it wouldn't be the origin of the e-mail but just an intermediary delivering it.
M.K. (ESET Staff), posted March 26, 2020:
Hi, our GeoIP DB correctly identifies this IP as Chinese. But only the sender's address (last hop) is verified against the Blocked countries list, not all intermediate servers from the Received headers.
HenrysCat (author), posted March 26, 2020:
5 hours ago, M.K. said: "But only the sender's address (last hop) is verified against Blocked countries list, not all intermediate servers from Received headers."
The From address was contact@candidconcepts.com, which traces to a UK IP. I have reported it to the abuse address; is there anything else I can do?
M.K. (ESET Staff), posted March 27, 2020:
Hi, I meant the sender's IP address in this context. This is usually the topmost Received header.
M.K.
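An added example (not from this thread and not ESET's own code) showing the distinction M.K. describes: the topmost Received header is written by your own receiving server and names the last hop, while lower Received headers are intermediate relays. The GeoIP lookup table, host names and the sample message are constructed; only 114.101.17.197 being Chinese comes from the thread.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed stand-in for a GeoIP database (IP -> ISO country code).
# 114.101.17.197 is Chinese per the thread; 198.51.100.7 is a documentation
# address given a made-up "GB" entry for illustration.
GEOIP_STUB = {
    "114.101.17.197": "CN",
    "198.51.100.7": "GB",
}
BLOCKED_COUNTRIES = {"CN"}

# Constructed sample message. Received headers are prepended by each hop, so
# the topmost one (written by mx.example.test, our own server) is the last hop.
SAMPLE_MESSAGE = """\
Received: from mail-out.example.net ([198.51.100.7]) by mx.example.test
    with ESMTP id CONSTRUCTED1; Thu, 26 Mar 2020 02:10:00 +0000
Received: from relay.example.org ([114.101.17.197]) by mail-out.example.net
    with ESMTP id CONSTRUCTED2; Thu, 26 Mar 2020 02:05:00 +0000
From: contact@example.org
To: user@example.test
Subject: constructed sample

body
"""

# Matches the bracketed IPv4 literal that MTAs place in Received headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return IPs from Received headers, topmost (last hop) first."""
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_IP.search(str(header))
        if match:
            hops.append(match.group(1))
    return hops


def country_of(ip):
    return GEOIP_STUB.get(ip, "??")


def blocked_by_last_hop(raw_message):
    """What the thread describes: only the connecting (last-hop) IP is checked."""
    hops = received_hops(raw_message)
    return bool(hops) and country_of(hops[0]) in BLOCKED_COUNTRIES


def blocked_by_any_hop(raw_message):
    """Check every hop. Caveat: lower Received headers are supplied by the
    sending side and can be forged, so only the topmost one is trustworthy."""
    return any(country_of(ip) in BLOCKED_COUNTRIES for ip in received_hops(raw_message))
```

For the sample, the last-hop check passes (GB) while the any-hop check flags the Chinese relay, which is why a message can traverse China yet not be blocked.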
HenrysCat (author), posted March 27, 2020:
Oh ok, so the sender's IP was 114.101.17.197, yet the messages get through?
itman, posted March 27, 2020:
As far as candidconcepts.com goes, the IP addresses associated with it are 88.208.222.179 and 88.208.222.180. As far as domain name blocking goes, have you tried *.candidconcepts.com/* and *.candidconcepts.net/*? I assume the Eset mail server supports that wildcard notation.
1 hour ago, HenrysCat said: "Oh ok, so the sender's IP was 114.101.17.197 yet the messages get through?"
Block that IP address then. Doing so might end up blocking a lot of legit e-mail though. It appears a lot of Internet traffic routes through those relay backbone servers.
Edited March 27, 2020 by itman
itman, posted April 5, 2020:
Of note is this article, which notes that ChinaNet, i.e. China Telecom, is the no. 1 source of BGP hijacking: https://www.zdnet.com/article/russian-telco-hijacks-internet-traffic-for-google-aws-cloudflare-and-others/