All the Perl that's Practical to Extract and Report

back to blocking IPs again

merlyn on 2004-04-24T16:21:39

So, having been fed up with spam and virus mail again, pushing my monthly bandwidth up and over my 30GB/month purchased limit (which is supposed to be for web, not email!), I reenabled my dynamic rolling block.

I block mail at various levels. Postfix lets me block mail during the SMTP handshake for hosts that don't have an A or MX record, and for delivery to addresses that are known spamtraps within the @stonehenge.com mail domain. Then, the mail goes to amavis, which uses SpamAssassin to block mail that looks very spammy (I have this set fairly high to avoid false positives). Then, $user@stonehenge.com mail gets delivered to my procmailrc for sorting, and I do further checks for simple mydoom and sobig patterns, and finally I call clamscan looking for known virus payloads. Altogether, I've got about 10 log files being written in two different formats (/var/log/maillog vs rfc822 headers).

But, POE to the rescue. I set up tail watchers on all the various log files, extract the offending IPs of the hop prior to my box, and then issue simple pfctl commands to add and delete those from a block list in my OpenBSD pf firewall. The address goes in, and 2 hours later, comes back out.

At the moment, I have nearly 2000 addresses in my list that have assaulted me within the last two hours, and get about 300 attempts a minute to reconnect. Using tcpdump with openbsd's passive fingerprinting, I can see that most of the block reattempts are repeated hits from windows boxes on cable or DSL, very likely worm-infected machines that would be much better recycled than online.

The result is that my loadaverage has now returned to sensible values, and my total bandwidth due to mail is back down to a reasonable 5GB/month average. Yeay!

Bandwidth...

Purdy on 2004-04-26T17:22:38

If your focus in on saving the bandwidth (man, that's a lotta e-mail!), then you need to do as much upfront testing as possible (before the client gets to the "data" section of their e-mail). You may also not want to REJECT, which would double the bandwidth with bouncebacks (not sure if the original message is bounced back, too).

I love Postfix -- they have some really great UCE measures. I had some problems with "A or MX record" thing (reject_unknown_client?) -- that would block things like stories that were e-mailed to our users off of a Web site (you know -- that "E-mail this Story" link), e-newsletters or from my friend's Tennis Ladder site, who's hostname wasn't configured properly. When you see those type of examples, you could hand-add them to /etc/hosts and then remember to cp that file into Postfix's chroot jail (/var/spool/postfix in my case). I ended up just taking it out all together, it was so annoying. But you prolly don't have the number or type of users I have to support. :)

Peace,

Jason

Re:Bandwidth...

merlyn on 2004-04-26T17:46:53

For Postfix, I reject during the SMTP handshake, not bouncing it with checks later. Amavis doesn't bounce it either... we just swallow the spam. And I don't bounce anything from my procmail tests or clamscan tests. The only bounces I generate are $baduser@stonehenge.com (provided they aren't a spammed-to-death address).

Now available via RBL and HTTP-pull

merlyn on 2004-04-27T04:06:10

If you want an rbl feed of this list, or a URL to a private text file containing the IPs (both updated once a minute), please let me know (merlyn@stonehenge.com).

The caveat is that there might be false positives. It's useful as an outright smtp block, or at a place where you can return "try again later" to an incoming SMTP connection, but not at a point where you've already accepted the mail. You want a legit mailer to retry, but the bad guys mailers will not.