A message to ignorant sysadmins about type 17

Dear ignorant system administrators,

Lately I am getting a lot of removal requests with comments in them saying that they fixed the email spam source, while the reason they are listed is that their servers are usable as an open proxy. The comment itself already shows you are not reading what the message above the removal request says and are simply filling in the form.

Lemme explain again what type 17 means. It is a collection of hosts found by scrapers on several proxy listing sites such as xroxy, spy.ru, several proxy blogspots, proxynova and similar sites. They or the submitters have tested your IP and found a way to use your server as a proxy. They did not check if your mail server allows relaying! So any excuse stating that you 'fixed' some spam issue is lame. OK, it does make the recipients of the spam happy, as they will no longer receive it from your servers, but not us, as the real reason you have been listed is NOT spam. We have other classes for that (6, for example).

If you really can't find additional unwanted processes on that box, check your damn Apache if you use mod_proxy, and check whether that's the culprit by allowing a CONNECT statement. As you could have read in your Apache documentation, you should limit it in the following way (this is the case if you use stuff like chiliasp/tomcat/jsp/whatever proxied through Apache):

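<Proxy *>
# Apache 2.2 syntax. "order deny,allow" lets the allow line override "deny from all";
# with "order allow,deny" the deny would win and block your own network too.
order deny,allow
deny from all
allow from <your network>
# Apache 2.4 equivalent of the three lines above: Require ip <your network>
</Proxy>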

Another reason why you may have been listed as type 17 would be that an IRC connection on a certain network has been found which has been associated with drone activity. So should the previous not be the case, then just fill in the removal request and ask. Also check your network for outgoing TCP connections towards port 6667, or check if you have a process that generates IRC-protocol-specific requests like NICK/USER/JOIN/PRIVMSG/NOTICE/ISON, using tcpdump or the like.
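The two checks from the paragraph above as shell helpers. This is an added example, not DroneBL's own tooling: the function names are made up for illustration and the sample data is constructed so the script runs without root. `outbound_irc` expects the output of `ss -Htn state established`, and `irc_commands` expects `tcpdump -A` text.

```bash
#!/bin/sh
# Hypothetical helper names; sample input is constructed (documentation IP ranges).

# Established connections whose PEER port is 6667 (outgoing IRC).
# A local ircd accepting clients has 6667 on the local side and is not reported.
outbound_irc() {
  awk '$NF ~ /:6667$/ { print $(NF-1) " -> " $NF }'
}

# Pull IRC client commands out of `tcpdump -A` text. Not anchored to line start,
# because -A prints IP/TCP header bytes in front of the first payload line.
irc_commands() {
  grep -Eo '\<(NICK|USER|JOIN|PRIVMSG|NOTICE|ISON) [^[:cntrl:]]*'
}

# Live capture (needs root, Ctrl-C to stop). -l keeps tcpdump line-buffered.
watch_irc() {
  tcpdump -l -nn -A -i "${1:-any}" 'tcp dst port 6667' 2>/dev/null | irc_commands
}

sample_ss() {  # constructed: ssh session, outgoing IRC, inbound client to local ircd
  cat <<'EOF'
0 0 192.0.2.10:22 198.51.100.7:51514
0 0 192.0.2.10:48122 203.0.113.5:6667
0 0 192.0.2.10:6667 198.51.100.9:40022
EOF
}

sample_capture() {  # constructed tcpdump -A excerpt
  cat <<'EOF'
12:00:01.000001 IP 192.0.2.10.48122 > 203.0.113.5.6667: Flags [P.], length 30
E..F..@.@.......NICK drone4711
USER x 0 * :x
12:00:02.000001 IP 192.0.2.10.48122 > 203.0.113.5.6667: Flags [P.], length 14
E..6..@.@.......JOIN #chan
12:00:03.000001 IP 192.0.2.10.48122 > 203.0.113.5.6667: Flags [.], ack 1, length 0
EOF
}

# Demo on the samples. On a real host:
#   ss -Htn state established | outbound_irc
#   watch_irc eth0
sample_ss | outbound_irc
sample_capture | irc_commands
```

If `outbound_irc` reports a connection, `ss -Htnp state established` (as root) shows which process owns it.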

Also remember that we only deal with requests from the administrator responsible for the IP in question, so if you are actually just a user on that box who wants to complain about why he can't get on IRC, then look in the mirror first if you know that's a proxy before even trying!

Kind regards,

Alexander Maassen
Maintainer of DroneBL

outsider / Nov-28-2011 12:53:42 GMT

Comments for A message to ignorant sysadmins about type 17

These are the 8 (0 hidden) comments for the above post.

Riking said on Apr-15-2013 15:52:42 GMT :

The number of bot comments on here is amusing.

Bill said on Apr-15-2013 18:03:36 GMT :

Agree with Riking - on a page complaining about bots, the number of comments that were placed by bots is hilarious. Talk about being sloppy...

Alexander Maassen said on Apr-28-2013 17:13:52 GMT :

I know... recaptcha has become useless against them.. will look for something else soon

Rahmat 'Stickmaniaz' Hidayat said on Jun-18-2013 05:42:58 GMT :

Dear Admin,

I don't know why I'm banned, but it says "infected with an unknown worm, trojan or spam drone"

(I'm not a noob) I've installed Windows 8 with Windows Defender and I've already Turned on Real-time Protection (Always)

Please, this is a mistake. Unban me from the IRC please..

I have screenshot for the log. http://imgur.com/wKknIPa

-Stickmaniaz

namdets said on Jun-29-2013 23:23:43 GMT :

The IP that got flagged for me belongs to T-Mobile, as I IRC from my phone. It's just funny that these IP addys would even be analyzed as they are shared by blocks of devices so they will always look suspect.

Please make a smarter algorithm that accounts for legitimately shared IP address pools.

Alexander Maassen said on Jun-30-2013 15:47:54 GMT :

@stickmaniaz Have you tried http://dronebl.org/remove?incident=725158 yet (as in, request removal)

@namdets Certain mobile ranges (including some) from t-mobile are already being whitelisted due to the nature of the IP. So if you would mail me the ip in question, I could determine the CIDR to add in exceptions.

5 months blacklisted - Cause located! said on May-09-2014 00:53:53 GMT :

I got this from dronebl "Your IP Address was added because it resolves to a mail server, (resolved 1.2.3.4 to mail.ahostname.org) and was found connecting to irc.undernet.org"

At first I thought that meant you can't IRC via undernet from the same IPv4 address as a listening email server.

This was clarified to mean " if your IP Address host reverse is mail.* or mx.* it is banned on Undernet, because of the very high volume of compromised mail servers that have been found connecting to our network."

So if your IP resolves to something starting in mail or mx then you'll be blacklisted. Answer is to change the reverse DNS values to something else.

Alexander Maassen said on Jun-26-2014 12:23:40 GMT :

This has nothing to do with dronebl and is a decision by undernet
