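# Last updated September 7, 2017
# Document rich rules added to firewalld on mail.edgeinfotech.com
#
# Each rule below has no service or port element, so it logs and drops every
# packet from the listed source network that reaches the FedoraServer zone,
# not only mail traffic.
# --permanent writes the saved configuration only; the running firewall picks
# the rules up after `firewall-cmd --reload`.
# NOTE(review): the log action carries no `limit value=...`, so a busy source
# in one of the larger networks can produce a log line per dropped packet.

# hinet.net, Taiwan. Looks like dynamic IP block. hinet has decades long history as spammer. Constant HELO command reject in maillog. List the /16.
# 1.162.0.0 - 1.162.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="1.162.0.0/16" log prefix="firewalld drop " level="info" drop'

# Hsinchu, Taiwan. Spammers. Excessive attempts at SASL logins.
# 1.171.0.0 - 1.171.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="1.171.0.0/16" log prefix="firewalld drop " level="info" drop'

# LG DACOM Corporation, Seoul, Republic of Korea. 256 SASL auth attempts. Block the /12.
# 1.208.0.0 - 1.223.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="1.208.0.0/12" log prefix="firewalld drop " level="info" drop'

# Fastweb SpA. Conversano, Apulia, Italy. Lots of hostname does not resolve to address. Block to start /24.
# 2.229.126.0 - 2.229.126.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="2.229.126.0/24" log prefix="firewalld drop " level="info" drop'

# AT&T Services, Inc. USA. 88 SASL Login auth attempts, multiple major spam DNSBL listings. Block to start /24.
# 12.130.172.0 - 12.130.172.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="12.130.172.0/24" log prefix="firewalld drop " level="info" drop'

# AT&T Services, Inc. USA. 257 hostname does not resolve in maillog, 256 SASL Login auth attempts. In a huge /9 block. Block to start /24.
# 12.192.155.98
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="12.192.155.0/24" log prefix="firewalld drop " level="info" drop'

# Comcast, Philadelphia. SASL auth attempts. Block to start /24.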
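# 23.24.55.0 - 23.24.55.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="23.24.55.0/24" log prefix="firewalld drop " level="info" drop'

# Hostwinds LLC, Tulsa, OK. 208 attempts to relay, 327 SASL login auth attempts. Days later, 395 attempts, different IP. Block to whole /17.
# 23.254.128.0 - 23.254.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="23.254.128.0/17" log prefix="firewalld drop " level="info" drop'

# charter.com, Madison VW, almost 100 bad HELO requests daily, mail.wdpd.com does not resolve. List the whole /20.
# 24.196.64.0 - 24.196.79.255
# Address written on its network boundary; the earlier spelling 24.196.76.0/20
# has host bits set and denotes this same /20.
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="24.196.64.0/20" log prefix="firewalld drop " level="info" drop'

# Charter.com Alhambra, CA, USA. This block keeps showing up with SASL login and other attempts, repeatedly. List the /18.
# 24.205.0.0 - 24.205.63.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="24.205.0.0/18" log prefix="firewalld drop " level="info" drop'

# Charter.com Alhambra, CA, USA. This block keeps showing up with SASL login and other attempts, repeatedly. List the /19.
# 24.205.128.0 - 24.205.159.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="24.205.128.0/19" log prefix="firewalld drop " level="info" drop'

# China Unicom Shenzhen network. Shenzhen, Guangdong, China. 115 Connection concurrency limit exceeded. Start with the /24.
# 27.38.4.0 - 27.38.4.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="27.38.4.0/24" log prefix="firewalld drop " level="info" drop'

# China, Hong Kong, PACSWITCH GLOBAL IP NETWORK. Spam. China, building my great firewall. List the /22.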
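# 27.122.12.0 - 27.122.15.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="27.122.12.0/22" log prefix="firewalld drop " level="info" drop'

# Company for communications services ONE.VIP DOO Skopje, Macedonia. 251 SASL auth attempts, 257 host does not resolve / 24 hrs. List the /21.
# 31.11.64.0 - 31.11.71.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="31.11.64.0/21" log prefix="firewalld drop " level="info" drop'

# Bezeq International Israel. SASL auth attempts. List the /20.
# 31.168.192.0 - 31.168.207.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="31.168.192.0/20" log prefix="firewalld drop " level="info" drop'

# CNCGROUP China169 Backbone, Hefei, Anhui, China. Dozens SASL auth attempts, hostname does not resolve. List the entire /14.
# 36.32.0.0 - 36.35.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="36.32.0.0/14" log prefix="firewalld drop " level="info" drop'

# Cyso Management B.V. Netherlands. 418 SASL auth attempts. Block the /21.
# 37.46.136.0 - 37.46.143.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="37.46.136.0/21" log prefix="firewalld drop " level="info" drop'

# HostPalace Web Solution PVT LTD, Netherlands. SASL auth attempts, spam attempts. Listed in spam RBLs. Start with /24.
# 37.49.224.0 - 37.49.224.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="37.49.224.0/24" log prefix="firewalld drop " level="info" drop'

# HostPalace Web Solution PVT LTD, Netherlands. SASL auth attempts, spam attempts. Listed in spam RBLs. Start with /24.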
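# 37.49.226.0 - 37.49.226.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="37.49.226.0/24" log prefix="firewalld drop " level="info" drop'

# ASN(ISP) unknown. Alexandria, Egypt. Multiple SASL auth attempts. Listed in spam RBLs. List the /16.
# 41.39.0.0 - 41.39.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="41.39.0.0/16" log prefix="firewalld drop " level="info" drop'

# Joint Stock company "KMVtelecom", Pyatigorsk, Stavropol'skiy Kray, Russia. Dozens SASL auth attempts / 24 hrs. Block the /24.
# 46.29.113.0 - 46.29.113.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="46.29.113.0/24" log prefix="firewalld drop " level="info" drop'

# VODAFONE ESPANA S.A.U., Valencia, Spain. 1,609 Connection concurrency limit exceeded in 24 hrs. 105 SASL auth attempts. Block the /16.
# 46.136.0.0 - 46.136.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="46.136.0.0/16" log prefix="firewalld drop " level="info" drop'

# infium UAS. Kharkiv, Kharkivs'ka Oblast', Ukraine. Nearly 5,000 SASL Auth attempts over 48 hours. List the /24.
# 46.148.27.0 - 46.148.27.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="46.148.27.0/24" log prefix="firewalld drop " level="info" drop'

# Comcast Cable Communications, LLC, Portland, OR. 119 SASL auth attempts / 24 hrs. List the /24.
# 50.76.0.0 - 50.79.255.255
# NOTE(review): the description says /24, but the range and the rule are the
# /14 (50.76.0.0 - 50.79.255.255); confirm which was intended before reapplying.
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="50.76.0.0/14" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Nanjing, Jiangsu, China. Dozens SASL auth attempts / 24 hrs. Block the /12.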
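# 58.208.0.0 - 58.223.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="58.208.0.0/12" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Shenyang, Liaoning, China. Dozens SASL auth attempts / 24 hrs. Block the /14.
# 59.44.0.0 - 59.47.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="59.44.0.0/14" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Taiyuan, Shanxi, China. Dozens SASL auth attempts / 24 hrs. Block the /16.
# 59.48.0.0 - 59.48.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="59.48.0.0/16" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street. Quanzhou, Fujian, China. 8700 plus SASL auth attempts / 24 hrs. Block the /14.
# 59.56.0.0 - 59.59.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="59.56.0.0/14" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Hefei, Anhui, China. Dozens SASL auth attempts / 24 hrs. Block the /13.
# 60.168.0.0 - 60.175.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="60.168.0.0/13" log prefix="firewalld drop " level="info" drop'

# CNCGROUP China 169 Backbone. SASL auth attempts. China, building my great firewall. List the /13.
# 60.208.0.0 - 60.215.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="60.208.0.0/13" log prefix="firewalld drop " level="info" drop'

# CNCGROUP China169 Backbone. Jinan, Shandong, China. SASL login attempts. List the whole /15.
# 60.216.0.0 - 60.217.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="60.216.0.0/15" log prefix="firewalld drop " level="info" drop'

# TT Communications Corporation, Japan. Hostname not resolve, spam attempts. Listed in spam RBLs. Start with /24.
# 61.119.123.0 - 61.119.123.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="61.119.123.0/24" log prefix="firewalld drop " level="info" drop'

# ONLINE S.A.S., France. 200 SASL auth attempts in 24 hrs. Listed in half dozen major spam blocklists. Block to start /24.
# 62.210.139.0 - 62.210.139.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="62.210.139.0/24" log prefix="firewalld drop " level="info" drop'

# ONLINE S.A.S., France. 428 SASL Auth attempts / 24 hrs. Listed in half dozen major spam blocklists. Block to start /24.
# 62.210.140.0 - 62.210.140.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="62.210.140.0/24" log prefix="firewalld drop " level="info" drop'

# Virgin Media Limited, Clevedon, England. 424 SASL Auth attempts / 24 hrs. Block to start /24.
# 62.30.229.0 - 62.30.229.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="62.30.229.0/24" log prefix="firewalld drop " level="info" drop'

# OnX Enterprise Solutions Inc. Alpharetta, Georgia, USA. SASL Auth attempts, hostname does not resolve, spam attempts, 811 in 24 hrs. Start with /24.
# 66.240.169.0 - 66.240.169.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="66.240.169.0/24" log prefix="firewalld drop " level="info" drop'

# Windstream Communications Inc. Lexington, Kentucky, United States. 961 SASL auth attempts / 24 hrs. Five major spam blocklist. Do the whole /18.
# 69.30.128.0 - 69.30.191.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="69.30.128.0/18" log prefix="firewalld drop " level="info" drop'

# Cable & Wireless Dominica, Antigua and Barbuda. SASL auth attempts / 24 hrs. Multiple spam listings. Start with the /24.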
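# 69.57.247.0 - 69.57.247.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="69.57.247.0/24" log prefix="firewalld drop " level="info" drop'

# Time Warner Cable Internet LLC, Beverly Hills, CA, USA. SASL auth attempts persistent / 96 hrs. Whole the /16.
# 69.75.0.0 - 69.75.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="69.75.0.0/16" log prefix="firewalld drop " level="info" drop'

# Southern Light, LLC, Mobile, AL. 257 Hostname does not resolve, 156 SASL auth attempts. Block to start just /24.
# 69.85.239.0 - 69.85.239.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="69.85.239.0/24" log prefix="firewalld drop " level="info" drop'

# joesdatacenter.com Kansas City MO, excessive. Repeated spam to sysadmin. Multiple DNSBL listings. Start with /24. Days later, drop whole /19.
# 69.195.128.0 - 69.195.159.255 (the /19 now listed; the first block was 69.195.128.0 - 69.195.128.255)
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="69.195.128.0/19" log prefix="firewalld drop " level="info" drop'

# Windstream Communications Inc., Savannah, Georgia. Hostname does not resolve to address 70.43.61.226, over 100 SASL auth attempts / 48 hrs. Block to start /24.
# 70.43.61.0 - 70.43.61.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="70.43.61.0/24" log prefix="firewalld drop " level="info" drop'

# gtmc.net Blue Hills NE, excessive attempts at SASL auth logins. Start with /24.
# 74.51.137.0 - 74.51.137.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="74.51.137.0/24" log prefix="firewalld drop " level="info" drop'

# Cablevision Systems Corp. Englishtown, New Jersey, United States. 139 attempts at SASL auth logins. Whole /15.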
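# 74.88.0.0 - 74.89.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="74.88.0.0/15" log prefix="firewalld drop " level="info" drop'

# charter.com, Reno NV, excessive attempts at SASL auth logins. Listed as riddled with botnets, hackers, spyware.
# 75.140.32.0 - 75.140.47.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="75.140.32.0/20" log prefix="firewalld drop " level="info" drop'

# MOBILTEL EAD. Sofia, Sofia-Capital, Bulgaria. 'op=PAM:authentication grantors=? acct="?" exe="/usr/libexec/dovecot/auth". Block the /24.
# 78.90.34.0 - 78.90.34.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="78.90.34.0/24" log prefix="firewalld drop " level="info" drop'

# OVH SAS, France. 44 SASL auth attempts. Reported spam sources. Block the /24.
# 79.137.19.0 - 79.137.19.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="79.137.19.0/24" log prefix="firewalld drop " level="info" drop'

# Jordan Data Communications Company LLC, Amman, Jordan. 256 SASL auth attempts / 24 hrs. Block the /24.
# 79.173.252.0 - 79.173.252.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="79.173.252.0/24" log prefix="firewalld drop " level="info" drop'

# Quasi Networks, Seychelles. SASL Auth attempts. Bit by bit blocking Seychelles. List the /24.
# 80.82.65.0 - 80.82.65.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="80.82.65.0/24" log prefix="firewalld drop " level="info" drop'

# Quasi Networks Seychelles. Excessive 86 24 hrs persistent SASL login attempts. List the /24.
# 80.82.70.0 - 80.82.70.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="80.82.70.0/24" log prefix="firewalld drop " level="info" drop'

# Quasi Networks Seychelles. Excessive 135 attempts / 36 hrs persistent SASL login attempts. List the /24.
# 80.82.77.0 - 80.82.77.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="80.82.77.0/24" log prefix="firewalld drop " level="info" drop'

# Quasi Networks, Seychelles. SASL Auth attempts. Bit by bit blocking Seychelles. List the /24.
# 80.82.78.0 - 80.82.78.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="80.82.78.0/24" log prefix="firewalld drop " level="info" drop'

# VELTON.TELECOM Ltd, Kharkiv, Kharkivs'ka Oblast', Ukraine. Attempts dovecot auth noted in logwatch. List the /19.
# 82.117.224.0 - 82.117.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="82.117.224.0/19" log prefix="firewalld drop " level="info" drop'

# Telco Pro Services, Horice, Kralovehradecky kraj, Czechia (CZ). Stream of 96 spam injection attempts, triggered max connections block. List the whole /18.
# 89.111.64.0 - 89.111.127.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="89.111.64.0/18" log prefix="firewalld drop " level="info" drop'

# Az.StarNet LLC. Baku, Baku City, Azerbaijan. 193 SASL auth attempts / 24 hrs. List the whole /18.
# 89.147.192.0 - 89.147.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="89.147.192.0/18" log prefix="firewalld drop " level="info" drop'

# myLoc managed IT AGm Hattersheim, Hesse, Germany. 74 SASL auth attempts / 24 hrs. List the /24.
# 89.163.132.0 - 89.163.132.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="89.163.132.0/24" log prefix="firewalld drop " level="info" drop'

# Quasi Networks Seychelles. Low rate but persistent SASL login attempts. List the whole /21.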
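# 89.248.160.0 - 89.248.167.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="89.248.160.0/21" log prefix="firewalld drop " level="info" drop'

# Quasi Networks Seychelles. SASL login attempts. List the /24.
# 89.248.168.0 - 89.248.168.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="89.248.168.0/24" log prefix="firewalld drop " level="info" drop'

# Quasi Networks Seychelles. Low rate but persistent SASL login attempts. List the whole /23.
# 89.248.170.0 - 89.248.171.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="89.248.170.0/23" log prefix="firewalld drop " level="info" drop'

# Quasi Networks Seychelles. Low rate but persistent SASL login attempts. List the whole /23.
# 89.248.172.0 - 89.248.173.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="89.248.172.0/23" log prefix="firewalld drop " level="info" drop'

# Pars Online PJS, Iran. SASL auth attempts. List the /19.
# 91.98.32.0 - 91.98.63.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="91.98.32.0/19" log prefix="firewalld drop " level="info" drop'

# belgacom.be, Wervik, Flanders, Belgium. 800 SASL login attempt. 811 hostname does not resolve in maillog in 24 hours. List the whole /14.
# 91.180.0.0 - 91.183.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="91.180.0.0/14" log prefix="firewalld drop " level="info" drop'

# PP SKS-LUGAN, vhoster.net, Ukraine. Non stop SASL auth login attempts.
# 91.200.12.0 - 91.200.15.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="91.200.12.0/22" log prefix="firewalld drop " level="info" drop'

# Ukraine, Gigatrans LTD. Spam. Russia, building my great firewall. List the /24.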
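# 91.202.75.0 - 91.202.75.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="91.202.75.0/24" log prefix="firewalld drop " level="info" drop'

# Bystrov Dmitriy Sergeevich, Odessa, Ukraine. Dozens SASL auth attempts / 24 hrs. Block the /22.
# 91.211.172.0 - 91.211.175.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="91.211.172.0/22" log prefix="firewalld drop " level="info" drop'

# Optima Telecom, Bishkek, Kyrgyzstan. SASL auth attempts. Russia, building my great firewall. List the /24.
# 91.213.233.0 - 91.213.233.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="91.213.233.0/24" log prefix="firewalld drop " level="info" drop'

# Fastweb SpA Bergamo, Lombardy, Italy. SASL auth attempts dozens over several days, persistent. List the /13.
# 93.48.0.0 - 93.55.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="93.48.0.0/13" log prefix="firewalld drop " level="info" drop'

# Quasi Networks Seychelles. Excessive 86 24 hrs persistent SASL login attempts. List the whole /21.
# 93.174.88.0 - 93.174.95.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="93.174.88.0/21" log prefix="firewalld drop " level="info" drop'

# myLoc managed IT AG, Germany. SASL auth attempts. Block to start /24.
# 93.186.200.0 - 93.186.200.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="93.186.200.0/24" log prefix="firewalld drop " level="info" drop'

# Quasi Networks Seychelles. This block keeps showing up with SASL login and other attempts, repeatedly. List the /20.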
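# 94.102.48.0 - 94.102.63.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="94.102.48.0/20" log prefix="firewalld drop " level="info" drop'

# OJS Moscow city telephone network, Krasnogorsk, Moscow Oblast, Russia. 2,468 Helo cmd rejected spam attempts 62gob.ru in 72 hrs. Block the /16.
# 95.165.0.0 - 95.165.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="95.165.0.0/16" log prefix="firewalld drop " level="info" drop'

# FOP ILIUSHENKO VOLODYMYR OLEXANDROVUCH. Lipetsk, Lipetskaya Oblast', Russia. Dozens SASL auth attempts / 24 hrs. Block the /23.
# 95.181.178.0 - 95.181.179.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="95.181.178.0/23" log prefix="firewalld drop " level="info" drop'

# ELXIRE DATA SERVICES PVT. LTD., Rewari, Haryana, India. SASL auth attempts / 24 hrs. Start with the /24.
# 103.50.7.0 - 103.50.7.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="103.50.7.0/24" log prefix="firewalld drop " level="info" drop'

# PT Xepia Prima, Jakarta, Indonesia. SASL auth attempts / 24 hrs. Start with the /24.
# 103.254.107.0 - 103.254.107.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="103.254.107.0/24" log prefix="firewalld drop " level="info" drop'

# Hostwinds LLC, Tulsa, OK. 500 spam attempts, 1,250 SASL login auth attempts. Block to whole /17.
# 104.168.128.0 - 104.168.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="104.168.128.0/17" log prefix="firewalld drop " level="info" drop'

# Comcast Cable, Oakland, CA USA. 3168 SASL auth attempts / 24 hrs. Start with the /24.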
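# 107.1.152.0 - 107.1.152.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="107.1.152.0/24" log prefix="firewalld drop " level="info" drop'

# Verizon, MCI, Philadelphia. SASL auth attempts. Block the /24.
# 108.16.228.0 - 108.16.228.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="108.16.228.0/24" log prefix="firewalld drop " level="info" drop'

# CAT TELECOM Public Company Ltd,CAT, Thailand. SASL auth attempts / 24 hrs. Start with the /24.
# 110.77.241.0 - 110.77.241.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="110.77.241.0/24" log prefix="firewalld drop " level="info" drop'

# hinet.net, Taiwan. hinet has decades long history as spammer. Constant HELO command reject in maillog. List the /16.
# 111.251.0.0 - 111.251.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="111.251.0.0/16" log prefix="firewalld drop " level="info" drop'

# CNCGROUP China169 Backbone. SASL auth attempts, but mainly because it is China. List the /15.
# 112.122.0.0 - 112.123.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="112.122.0.0/15" log prefix="firewalld drop " level="info" drop'

# China Guangzhou network. Spam spam spam. China, building my great firewall. List the /12.
# 113.96.0.0 - 113.96.3.255
# NOTE(review): the range above is a /22, while the rule lists the /12, which
# spans 113.96.0.0 - 113.111.255.255; confirm the intended size.
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="113.96.0.0/12" log prefix="firewalld drop " level="info" drop'

# VNPT Corp, Haiphong, Viet Nam. 500 SASL auth attempts and host does not resolve / 24 hrs. List the /19.
# 113.162.32.0 - 113.162.63.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="113.162.32.0/19" log prefix="firewalld drop " level="info" drop'

# Beijing Dian-Xin-Tong Network Technologies Co., Ltd. China. Block the whole /19.
# 115.35.0.0 - 115.35.255.255
# NOTE(review): the description says /19, but the range and the rule are the
# /16; confirm which was intended.
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="115.35.0.0/16" log prefix="firewalld drop " level="info" drop'

# Smileserv, Republic Korea. Tcpiputils reports nest of botnets, malware, spam. List the /17.
# 115.68.0.0 - 115.68.127.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="115.68.0.0/17" log prefix="firewalld drop " level="info" drop'

# ns.zjnbptt.net.cn, No.31,Jin-rong Street, Hangzhou, Zhejiang, China. 256 SASL auth attempts / 24 hrs. List the /12.
# 115.224.0.0 - 115.239.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="115.224.0.0/12" log prefix="firewalld drop " level="info" drop'

# China Telecom (Group), Shanghai, China. 137 attempts inject spam email / 48 hours. List the /16.
# 116.228.0.0 - 116.228.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="116.228.0.0/16" log prefix="firewalld drop " level="info" drop'

# CHINANET Jiangxi province IDC network, Nanchang, Jiangxi, China. Spam stream 850 Helo cmd rejected / 24 hrs. List the /19.
# 117.41.160.0 - 117.41.191.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="117.41.160.0/19" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Hefei, Anhui, China. Dozens SASL auth attempts, because it is China. List the /13.
# 117.64.0.0 - 117.71.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="117.64.0.0/13" log prefix="firewalld drop " level="info" drop'

# The Corporation for Financing & Promoting Technology, Viet Nam. 257 host name does not resolve, 253 SASL auth attempts in 24 hrs. Block the /20.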
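# 118.69.32.0 - 118.69.47.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="118.69.32.0/20" log prefix="firewalld drop " level="info" drop'

# The Corporation for Financing & Promoting Technology, Viet Nam. 115 SASL auth attempts in 24 hrs. Block the /24.
# 118.69.194.0 - 118.69.194.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="118.69.194.0/24" log prefix="firewalld drop " level="info" drop'

# hinet.net, Taiwan. hinet has decades long history as spammer. Constant HELO command reject in maillog. List the /16.
# 118.163.0.0 - 118.163.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="118.163.0.0/16" log prefix="firewalld drop " level="info" drop'

# China, Shanghai. SASL auth attempts nearly 1,000 from one IP in 24 hours. China, building my great firewall. List the /22.
# 118.242.0.0 - 118.242.3.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="118.242.0.0/22" log prefix="firewalld drop " level="info" drop'

# TRUE INTERNET Co.,Ltd. Bangkok, Thailand. 256 SASL auth attempts. Block the /18.
# 119.46.64.0 - 119.46.127.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="119.46.64.0/18" log prefix="firewalld drop " level="info" drop'

# asianet.co.th, Bangkok, Thailand: Helo command rejected: Host not found (total: 767) in 24 hours. List the whole /18.
# 119.46.192.0 - 119.46.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="119.46.192.0/18" log prefix="firewalld drop " level="info" drop'

# Guangdong Mobile Communication Co.Ltd. Xi'an, Shaanxi, China. Dozens SASL auth attempts / 24 hrs. Block the /18.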
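# 120.192.192.0 - 120.192.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="120.192.192.0/18" log prefix="firewalld drop " level="info" drop'

# Guangdong Mobile Communication Co.Ltd. Chifeng, Inner Mongolia Autonomous Region, China. SASL login attempts. List the whole /21.
# 120.193.224.0 - 120.193.231.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="120.193.224.0/21" log prefix="firewalld drop " level="info" drop'

# Hangzhou Alibaba Advertising Co.,Ltd., Hangzhou, Zhejiang, China. 100's SASL login attempts. List the whole /15.
# 121.40.0.0 - 121.41.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="121.40.0.0/15" log prefix="firewalld drop " level="info" drop'

# ZhengZhou GIANT Computer Network Technology Co., Ltd. China. SASL auth attempts in 24 hrs. Block the entire /16.
# 122.114.0.0 - 122.114.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="122.114.0.0/16" log prefix="firewalld drop " level="info" drop'

# shanghai science and technology network, Shanghai, China. Dozens SASL auth attempts / 24 hrs. Block the /23.
# 122.144.136.0 - 122.144.137.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="122.144.136.0/23" log prefix="firewalld drop " level="info" drop'

# Shenzhen Tencent Computer Systems Company Limited, Beijing, China. 256 SASL auth attempts / 24 hrs. Block the /23.
# 123.207.98.0 - 123.207.99.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="123.207.98.0/23" log prefix="firewalld drop " level="info" drop'

# WorldLink Communications Pvt Ltd, Nepal. SASL auth attempts / 24 hrs. Start with the /24.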
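# 124.41.224.0 - 124.41.255.255
# NOTE(review): the range above is the enclosing /19; the rule below lists only
# 124.41.246.0/24 (124.41.246.0 - 124.41.246.255).
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="124.41.246.0/24" log prefix="firewalld drop " level="info" drop'

# TM Net, Internet Service Provider. Malaysia. Over 70 SASL Auth attempts over 24 hours. List the /18.
# 124.82.128.0 - 124.82.191.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="124.82.128.0/18" log prefix="firewalld drop " level="info" drop'

# China Unicom IP network China169 Guangdong, Beijing, China. Dovecot auth attempts reported in logwatch summary. Block the /17.
# 124.207.128.0 - 124.207.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="124.207.128.0/17" log prefix="firewalld drop " level="info" drop'

# Telebec, Chibougamau, Quebec, Canada. Several days persistent spam attempts Helo rejected host not found. Start with the /24.
# 142.217.217.0 - 142.217.217.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="142.217.217.0/24" log prefix="firewalld drop " level="info" drop'

# OVH SAS Beauharnois, Quebec, Canada. 476 SASL Auth attempts in 24 hrs. Start with /24.
# 144.217.211.0 - 144.217.211.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="144.217.211.0/24" log prefix="firewalld drop " level="info" drop'

# OVH SAS, Reston VA. 591 SASL auth attempts / 24 hrs. Six major DNSBL lists. Start with the /24.
# 147.135.167.0
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="147.135.167.0/24" log prefix="firewalld drop " level="info" drop'

# Swiftway Sp. z o.o. USA. SASL auth attempts. Block the /24.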
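# 149.255.35.0 - 149.255.35.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="149.255.35.0/24" log prefix="firewalld drop " level="info" drop'

# Simply Transit Ltd, United Kingdom (GB). Helo / domain errors, spam attempts. List the /19.
# 151.236.32.0 - 151.236.63.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="151.236.32.0/19" log prefix="firewalld drop " level="info" drop'

# "SPRINT" S.A., Poland. SASL auth attempts. Block the /24.
# 155.133.64.0 - 155.133.64.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="155.133.64.0/24" log prefix="firewalld drop " level="info" drop'

# tedata.net, Cairo, Egypt. 100 attempts submission/smtpd. List the /15.
# 156.198.0.0 - 156.199.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="156.198.0.0/15" log prefix="firewalld drop " level="info" drop'

# Vicom Computer Services Inc, Farmingdale, NY. 256 SASL auth attempts. Start with the /23.
# 162.246.40.0 - 162.246.41.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="162.246.40.0/23" log prefix="firewalld drop " level="info" drop'

# SendGrid, Inc., Denver, CO. 31 host does not resolve spam attempts 48 hours. Block to start just the /24.
# 167.89.72.0 - 167.89.72.255
# Address written on its network boundary; the earlier spelling 167.89.72.88/24
# has host bits set and denotes this same /24.
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="167.89.72.0/24" log prefix="firewalld drop " level="info" drop'

# NEW WAVE NET, Sao Joao da Barra, Rio de Janeiro, Brazil. SASL auth attempts / 24 hrs. Start with the /24.
# 170.254.210.0 - 170.254.210.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="170.254.210.0/24" log prefix="firewalld drop " level="info" drop'

# mcomdc.com, Santa Rosa Beach FL USA, spam, bad HELO, SASL login attempts. List the whole /22.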
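# 173.30.216.0 - 173.30.219.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="173.30.216.0/22" log prefix="firewalld drop " level="info" drop'

# woodbridgehousingauthority.org, Comcast. Several hundred stream spam attempts, bad HELO, 900 plus SASL login attempts / 24 hrs. Start with /24.
# 173.161.172.0 - 173.161.172.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="173.161.172.0/24" log prefix="firewalld drop " level="info" drop'

# Level 3 Marietta, GA. Recurring SASL auth attempts. List the /15.
# 173.226.0.0 - 173.227.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="173.226.0.0/15" log prefix="firewalld drop " level="info" drop'

# Rogers Cable Hamilton, Ontario, Canada. 64 SASL auth connection attempts/drops in 24 hrs. Multiple spam listings per tcpiputils. Block to start /24.
# 174.119.186.0 - 174.119.186.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="174.119.186.0/24" log prefix="firewalld drop " level="info" drop'

# Interconnects Inc Sweden. Spam nest, multiple SASL auth attempts. List the /24.
# 176.61.138.0 - 176.61.138.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="176.61.138.0/24" log prefix="firewalld drop " level="info" drop'

# Interconnects Inc Sweden. Spam nest, multiple SASL auth attempts. List the /24.
# 176.61.142.0 - 176.61.142.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="176.61.142.0/24" log prefix="firewalld drop " level="info" drop'

# TELEKOM SRBIJA a.d. Niš, Nisava, Serbia. Nearly 100 SASL auth attempts, variants suggesting nonbot? Start with the /24.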
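# 178.220.21.0 - 178.220.21.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="178.220.21.0/24" log prefix="firewalld drop " level="info" drop'

# China Telecom. Shanghai. phpAdmin probes scanning server for vulns. List the whole /13.
# 180.160.0.0 - 180.167.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="180.160.0.0/13" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Hangzhou, Zhejiang, China. 43 SASL login auth attempts. List the whole /11.
# 183.128.0.0 - 183.159.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="183.128.0.0/11" log prefix="firewalld drop " level="info" drop'

# DGN TEKNOLOJI A.S., Turkey. 97 SASL login auth attempts / 24 hrs. List the /24.
# 185.82.220.0 - 185.82.220.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="185.82.220.0/24" log prefix="firewalld drop " level="info" drop'

# Kamatera INC, United Kingdom. 197 SASL login auth attempts / 48 hrs. List the /24.
# 185.127.19.0 - 185.127.19.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="185.127.19.0/24" log prefix="firewalld drop " level="info" drop'

# M247 Ltd. Paris, Île-de-France. 100 SASL auth connection attempts/drops in 24 hrs. Block to start /24.
# 185.156.173.0 - 185.156.173.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="185.156.173.0/24" log prefix="firewalld drop " level="info" drop'

# CLARO S.A. Várzea Grande, Mato Grosso, Brazil. Ca. 500 host not resolve and SASL auth attempts in 24 hrs. Block whole /18.
# 187.183.128.0 - 187.183.191.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="187.183.128.0/18" log prefix="firewalld drop " level="info" drop'

# OVH SAS, France. 256 SASL auth connection attempts/drops in 24 hrs. Block to start /24.
# 188.165.0.0 - 188.165.255.255
# NOTE(review): the range above is the whole /16; the rule below covers only 188.165.157.0 - 188.165.157.255.
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="188.165.157.0/24" log prefix="firewalld drop " level="info" drop'

# PJSC megaFon Krasnodarskiy Kray, Russia. SASL auth attempts. Russia, building my great firewall. List the /23.
# 188.170.192.0 - 188.170.193.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="188.170.192.0/23" log prefix="firewalld drop " level="info" drop'

# Total Telecomunicações Ltda, Brazil. 120 plus SASL auth attempts / 48 hrs. Block the /23.
# 189.50.40.0 - 189.50.41.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="189.50.40.0/23" log prefix="firewalld drop " level="info" drop'

# WIND Telecom S.A., Dominican Republic. 260 SASL auth attempts / 24 hours. The whole /20.
# 190.122.96.0 - 190.122.111.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="190.122.96.0/20" log prefix="firewalld drop " level="info" drop'

# ENTEL CHILE S.A., Santiago. SASL auth attempts, 50 in 24 hours. Listed in spam RBLs. The whole /17.
# 190.151.0.0 - 190.151.127.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="190.151.0.0/17" log prefix="firewalld drop " level="info" drop'

# C7 Data Centers, Inc. Salt Lake City, Utah. HELO command rejected host not found, spam attempts, 521 in 24 hrs. Listed in spam RBLs. Start with /24.
# 192.41.99.0 - 192.41.99.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="192.41.99.0/24" log prefix="firewalld drop " level="info" drop'

# euronet.net.pl, excessive attempts at SASL auth logins.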
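# 195.22.126.0 - 195.22.127.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="195.22.126.0/23" log prefix="firewalld drop " level="info" drop'

# VODAFONE-PANAFON HELLENIC, Greece. Large spam attempt, 1,190 IP does not resolve / 48 hrs. Do the whole /20.
# 195.46.0.0 - 195.46.15.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="195.46.0.0/20" log prefix="firewalld drop " level="info" drop'

# spheral.ru, Russia. Probed the server. List the /23.
# 195.62.52.0 - 195.62.53.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="195.62.52.0/23" log prefix="firewalld drop " level="info" drop'

# 000 MEGACOM. Novosibirsk, Novosibirskaya Oblast', Russia. Over 1600 SASL auth attempts IN 24 HRS. Block the /23.
# 195.189.218.0 - 195.189.219.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="195.189.218.0/23" log prefix="firewalld drop " level="info" drop'

# ZIPNET / Broadband Home Ltd, Accra, Greater Accra Region, Ghana. Appears residential broadband? Low level SASL auth attempts / 24 hrs. Block the whole /19.
# 197.148.224.0 - 197.148.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="197.148.224.0/19" log prefix="firewalld drop " level="info" drop'

# Wisconsin CyberLynk Network, Inc., Franklin, WI, USA. Persistent attempts stream spam / 72 hrs. Block the whole /21.
# 199.38.80.0 - 199.38.87.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="199.38.80.0/21" log prefix="firewalld drop " level="info" drop'

# Telefonica del Peru S.A.A., Peru. Listed on nine major spam blocklists. 85 attempts inject spam email / 24 hrs. Block the whole /19.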
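# 200.48.64.0 - 200.48.95.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="200.48.64.0/19" log prefix="firewalld drop " level="info" drop'

# iiNet Limited, Adelaide, South Australia. 1,633 attempts inject spam Helo command rejected: Host not found / 48 hours. Block the /24.
# 202.6.157.0 - 202.6.157.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="202.6.157.0/24" log prefix="firewalld drop " level="info" drop'

# M/s Ortel Communications Ltd. Bhubaneswar, Odisha, India. 218 SASL auth attempts / 24 hrs. Do the whole /20.
# 202.62.224.0 - 202.62.239.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="202.62.224.0/20" log prefix="firewalld drop " level="info" drop'

# Broadband ISP, FTTH and Cable Service Provider, Karachi, Sindh, Pakistan. 313 SASL auth attempts / 24 hrs. Do the /24.
# 202.143.124.0 - 202.143.124.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="202.143.124.0/24" log prefix="firewalld drop " level="info" drop'

# VADS Bus Internet Service. Kuala Lumpur, Malaysia. This block keeps showing up with SASL login and other attempts, repeatedly. List the /22.
# 202.162.12.0 - 202.162.15.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="202.162.12.0/22" log prefix="firewalld drop " level="info" drop'

# China, Hong Kong Broadband Network Ltd. Bad HELO attempts at spam, lots. China, building my great firewall. List the /18.
# 203.185.0.0 - 203.185.63.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="203.185.0.0/18" log prefix="firewalld drop " level="info" drop'

# Sejong Telecom South Korea sejongtelecom.net. Spammers. Excessive attempts at SASL logins.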
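# 203.239.0.0 - 203.239.127.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="203.239.0.0/17" log prefix="firewalld drop " level="info" drop'

# Windstream Communications Inc, Keller TX. 500+ host does not resolve, ca. 500 SASL auth attempts. Start with the /24.
# 207.106.83.0 - 207.106.83.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="207.106.83.0/24" log prefix="firewalld drop " level="info" drop'

# CenturyTel Internet Holdings, Inc., Waukesha, Wisconsin. SASL Auth attempts. Start with /24.
# 207.118.0.0 - 207.118.255.255
# NOTE(review): the text above says "Start with /24" but the range and the rule cover the whole /16 - confirm which was intended.
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="207.118.0.0/16" log prefix="firewalld drop " level="info" drop'

# China Unicom Guangzhou network. SASL auth attempts. China, building my great firewall. List the /18.
# 210.21.64.0 - 210.21.127.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="210.21.64.0/18" log prefix="firewalld drop " level="info" drop'

# China Unicom Shenzhen network, Shenzhen, Guangdong, China. HELO command rejected email spam 1,617 48 hrs from one IP. China, building my great firewall. List the /19.
# 210.22.0.0 - 210.22.31.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="210.22.0.0/19" log prefix="firewalld drop " level="info" drop'

# China Unicom Shenzhen network, Shenzhen, Guangdong, China. HELO command rejected email spam 1,617 in 48 hrs from one IP. China, building my great firewall. List the /22.
# 210.22.32.0 - 210.22.35.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="210.22.32.0/22" log prefix="firewalld drop " level="info" drop'

# China Unicom Shanghai Network, Shanghai. HELO command rejected email rejected spam 1,617 in 48 hrs from one IP. China, building my great firewall. List the /18.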
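# 210.22.64.0 - 210.22.127.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="210.22.64.0/18" log prefix="firewalld drop " level="info" drop'

# hinet.net, Taiwan. hinet has decades long history as spammer. Constant HELO command reject in maillog. List the /16.
# 211.22.0.0 - 211.22.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="211.22.0.0/16" log prefix="firewalld drop " level="info" drop'

# China Education and Research Network, Wuhan, Hubei, China. 268 SASL auth attempts / 24 hours. List the /16.
# 211.69.0.0 - 211.69.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="211.69.0.0/16" log prefix="firewalld drop " level="info" drop'

# LG DACOM Corporation, Republic of Korea. 49 SASL auth attempts / 24 hrs. Block the /24.
# 211.234.100.0 - 211.234.100.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="211.234.100.0/24" log prefix="firewalld drop " level="info" drop'

# Host Europe GmbH, Cambridge, England. Low level 40/24 hrs persistent SASL auth attempts, TcpUtils reports multiple open ports. Block the /24.
# 212.48.72.0 - 212.48.72.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="212.48.72.0/24" log prefix="firewalld drop " level="info" drop'

# ONLINE S.A.S. France. Over 800 hostname vm19.visvms.com does not resolve to address 212.83.150.102, dozens SASL auth attempts. Block the whole /19.
# 212.83.128.0 - 212.83.159.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="212.83.128.0/19" log prefix="firewalld drop " level="info" drop'

# 32bit Transition AS, Russia. Dozens SASL auth attempts / 24 hrs. Block the /24.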
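# 212.92.127.0 - 212.92.127.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="212.92.127.0/24" log prefix="firewalld drop " level="info" drop'

# Israel, Smile Communications LTD. SASL auth attempts. List the /19.
# 212.199.64.0 - 212.199.95.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="212.199.64.0/19" log prefix="firewalld drop " level="info" drop'

# TELLCOM ILETISIM HIZMETLERI A.S. Turkey. 111 Helo command rejected: Host not found / 24 hrs. Block the /22.
# 213.14.96.0 - 213.14.99.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="213.14.96.0/22" log prefix="firewalld drop " level="info" drop'

# PRIVATE JOINT-STOCK COMPANY "FARLEP-INVEST", Kiev, Kyiv City, Ukraine. SASL Auth attempts, because it is Ukraine. Block the /23.
# 213.159.250.0 - 213.159.251.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="213.159.250.0/23" log prefix="firewalld drop " level="info" drop'

# WorldStream B.V., Netherlands. 500 SASL auth attempts / 48 hrs. Block the /20.
# 217.23.0.0 - 217.23.15.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="217.23.0.0/20" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Hefei, Anhui, China. Dovecot auth attempts reported in logwatch summary. Block the /15.
# 218.22.0.0 - 218.23.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="218.22.0.0/15" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street. Nanning, Guangxi, China. SASL Auth attempts. China, building my great firewall. List the /19.
# 219.159.64.0 - 219.159.127.255
# NOTE(review): the text above says /19, but the range and the rule below are a /18 - confirm which was intended.
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="219.159.64.0/18" log prefix="firewalld drop " level="info" drop'

# hinet.net, Taiwan. hinet has decades long history as spammer. Constant HELO command reject in maillog. List the /16.
# 220.137.0.0 - 220.137.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="220.137.0.0/16" log prefix="firewalld drop " level="info" drop'

# Hinet.net, Taiwan. Spammers. Bad Helo Commands.
# 220.143.0.0 - 220.143.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="220.143.0.0/16" log prefix="firewalld drop " level="info" drop'

# cninfo.net, China Kunming, Yunnan. SASL Login attempts. List the whole /15.
# 220.164.0.0 - 220.165.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="220.164.0.0/15" log prefix="firewalld drop " level="info" drop'

# Henan Mobile Communications Co.,Ltd, China. Dovecot auth attempts in logwatch. List the whole /17.
# 221.176.128.0 - 221.176.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="221.176.128.0/17" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Chongqing, Chongqing, China. Dozens SASL auth attempts / 24 hrs. Block the /13.
# 222.176.0.0 - 222.183.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="222.176.0.0/13" log prefix="firewalld drop " level="info" drop'

# Nanjing, China. Spammers nest. Because it is China. List the whole /13.
# 222.184.0.0 - 222.191.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="222.184.0.0/13" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Changsha, Hunan, China. Dozens SASL auth attempts / 24 hrs. Block the /13.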
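# 222.240.0.0 - 222.247.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="222.240.0.0/13" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Xining, Qinghai, China. Dozens SASL auth attempts / 24 hrs. Block the /15.
# 223.220.0.0 - 223.221.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="223.220.0.0/15" log prefix="firewalld drop " level="info" drop'

# No.31,Jin-rong Street, Hefei, Anhui, China. Because it is China. Spam. Block the /13.
# 223.240.0.0 - 223.247.255.255
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="223.240.0.0/13" log prefix="firewalld drop " level="info" drop'

# NOTE(review): every rule in this file uses --permanent, which only writes the stored
# configuration; the running firewall picks the rules up after `firewall-cmd --reload`.
# NOTE(review): none of the log actions carries a rate limit, so a busy source produces one
# "firewalld drop " log line per dropped packet. The rich language accepts
# `limit value="rate/duration"` after the log level if log volume becomes a problem.
# NOTE(review): with this many source ranges, a hash:net ipset referenced from a single
# rich rule (source ipset="...") keeps the rule set shorter and easier to audit.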