Back to blacklisting again
Wouldn't you know. I was happy to remove all the firewall rules blacklisting certain ISPs because of the spamming behavior of their customers. I was able to do this because the spam prevention methods I use on taupehat.com now are much more effective, and mostly what I get anymore are 419 scams sent by way of one-off Yahoo! accounts (not sure why they're using Yahoo so much for this, but it's really consistent that they come from there).
Well, this good thing has come to an end, and I'm putting /8 and /16 blacklists up again. This time, it isn't because of spam, oh no. This is much worse, in my opinion. What I've been seeing over the past couple of weeks are some VERY persistent SSH brute-force attempts coming from servers in China. I use fail2ban to temporarily block IP addresses that fail to log in a set number of times in a row, but I'm getting some of these addresses coming back again and again in the ban logs. This looks to me like better scripting on the part of the attacker, and when I look up the address and find it part of a large dynamic netblock, my only recourse is to ban the entire netblock.
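The pattern described above (an address gets banned, waits out the ban, and comes right back) is what makes per-address temporary bans leak. The script below is an added example, not the author's fail2ban setup: it replays constructed sshd log lines through a fail2ban-like policy (the `maxretry`, `findtime` and `bantime` values are assumed, not taken from the post), counts how often each address gets banned, flags the repeat offenders, and rolls the bans up into /16 netblocks the way the post describes doing by hand.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines for the example (not real log data).
# 203.0.113.7 trips the ban twice, 203.0.113.9 once, 198.51.100.4 never.
SAMPLE_LOG = """\
Mar  3 01:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41122 ssh2
Mar  3 01:10:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 41130 ssh2
Mar  3 01:10:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 41141 ssh2
Mar  3 01:25:10 host sshd[1300]: Failed password for root from 203.0.113.7 port 42001 ssh2
Mar  3 01:25:12 host sshd[1301]: Failed password for invalid user oracle from 203.0.113.7 port 42003 ssh2
Mar  3 01:25:14 host sshd[1302]: Failed password for invalid user test from 203.0.113.7 port 42010 ssh2
Mar  3 01:40:30 host sshd[1400]: Failed password for root from 203.0.113.9 port 50001 ssh2
Mar  3 01:40:31 host sshd[1401]: Failed password for root from 203.0.113.9 port 50002 ssh2
Mar  3 01:40:33 host sshd[1402]: Failed password for root from 203.0.113.9 port 50003 ssh2
Mar  3 02:00:00 host sshd[1500]: Failed password for root from 198.51.100.4 port 60001 ssh2
Mar  3 02:15:00 host sshd[1501]: Accepted publickey for tom from 192.0.2.10 port 33000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (timestamp, ip) for each failed-password line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine for ordering
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def simulate_bans(events, maxretry=3, findtime=600, bantime=900):
    """Replay events through a fail2ban-like policy (assumed values); return {ip: number_of_bans}."""
    recent = defaultdict(list)    # ip -> failure timestamps still inside the findtime window
    banned_until = {}             # ip -> expiry of the current ban
    ban_count = defaultdict(int)
    for ts, ip in sorted(events):
        if ip in banned_until and ts < banned_until[ip]:
            continue  # a banned address is dropped at the firewall and never reaches sshd
        window = [t for t in recent[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            ban_count[ip] += 1
            banned_until[ip] = ts + timedelta(seconds=bantime)
            recent[ip] = []       # the counter starts over once the ban expires
    return dict(ban_count)


def recidivists(ban_count, min_bans=2):
    """Addresses that came back and got banned again after a ban expired."""
    return sorted(ip for ip, n in ban_count.items() if n >= min_bans)


def netblocks_to_ban(ban_count, prefix=16, min_bans=2, min_hosts=2):
    """Roll per-address bans up to /prefix netblocks: a block qualifies if it holds a
    repeat offender or if several distinct addresses in it were banned."""
    hosts = defaultdict(set)
    for ip in ban_count:
        hosts[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    chosen = [
        net for net, ips in hosts.items()
        if any(ban_count[ip] >= min_bans for ip in ips) or len(ips) >= min_hosts
    ]
    return sorted(str(net) for net in chosen)


if __name__ == "__main__":
    counts = simulate_bans(parse_failures(SAMPLE_LOG))
    print("bans per address:", counts)
    print("repeat offenders:", recidivists(counts))
    print("netblocks to block:", netblocks_to_ban(counts))
```

Run against the sample, `203.0.113.7` is banned twice (it returns five seconds after the first ban lapses), which is exactly the "same address back in the ban logs" symptom, and the roll-up names `203.0.0.0/16` as the block to put in the firewall. fail2ban also ships a `recidive` jail that does the first half of this (a long ban for addresses banned repeatedly); the netblock roll-up is the part you still have to decide on yourself, and a wide prefix is what caught the Australian readers mentioned below, so check the block's whois allocation before applying it.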
As most anyone in the business can tell you, sending email to abuse@ in China is futile. My own attempts have resulted in bounce messages, autoresponses in Chinese (fair turnabout, that - I sent an email in English to China), and most often, nothing at all. In no case was I ever given the impression that anyone on the other end cared or was going to do anything about the problem, and frankly, I've given up.
My previous attempts at blacklisting were clumsy, and friends of mine in Australia complained that they could no longer reach this site. So my question to you is: does anyone have a comprehensive list of IP blocks assigned to China? I'm done. Until Chinese network operators can show that they're willing to be professional and responsible with regard to criminal activity originating from their networks, I'm banning the whole damn country. I don't get this kind of crap from other hotbeds... the Russians aren't showing up on my radar like this, nor are the Central and South Americans, and even those countries have NOC admins that actually handle stuff when it's pointed out to them.