Solved

Blocking IP from server

Posted on 2004-08-27
Last Modified: 2010-03-04

I have an Ensim server, linux 7.3.

I'm getting hundreds of spam emails each minute from some Asian IP: 211.63.136.34 and several other 211.63.136 IP numbers.

My spam filter is blocking these based on the IP, but there are so many connections that it is getting overwhelmed and other emails end up either delayed or not getting through.

Is there a way to have the server refuse connections from 211.63.136? So this never even reaches the spam filter?

If so, how do I go about it?

Thanks,

Chris
Question by:St_Aug_Beach_Bum
7 Comments
 
LVL 15

Accepted Solution

by:
samri earned 168 total points
It is best to relocate this question to Linux Area :

http://www.experts-exchange.com/Operating_Systems/Linux/
http://www.experts-exchange.com/Operating_Systems/Linux/Linux_Administration/
http://www.experts-exchange.com/Networking/Linux_Networking/

If you had a firewall installed, you could block it there...

This IP address appears to be from:
136.63.211.in-addr.arpa.      43200      SOA      rev1.kornet.net.
                        domain.rev1.kornet.net.
                        2001071900      ; serial
                        43200      ; refresh (12 hours)
                        3600      ; retry (1 hour)
                        604800      ; expire (7 days)
                        43200      ; minimum (12 hours)

If you decide to report abuse, check the information on this page: http://www.dnsstuff.com/tools/whois.ch?ip=211.63.136.34


 
LVL 7

Assisted Solution

by:CajunBill
CajunBill earned 166 total points
Contact your internet provider (ISP) to see if they can block it for you before it reaches you.
Some ISPs can do this - ours does.

A firewall would not block it unless it can block higher layer traffic.  Simple firewalls block on layer three, the IP address, but the email is not sent directly from there.  So it won't be seen as coming from there.

Regards
CajunBill
 
LVL 15

Expert Comment

by:samri
Yes, a firewall could totally deny it, depending on various criteria.  In this case, you could deny traffic from the offending network source_network 211.63.136/24 destination_port 25 (smtp).  Even the "basic" tcp-wrapper, which is available on most Unix systems, should be able to do that.
 
LVL 7

Expert Comment

by:CajunBill
samri,
I said in my comment "A firewall would not block it unless it can block higher layer traffic."
Your rule will work only if the actual mailserver (not the client) is in the offending IP range.

To explain:
The originating client is not sending a tcp/ip stream to his server, but that's what your firewall rule would block.
What the firewall will see is tcp/ip messages coming from a mail server somewhere.
Like this:

spammer |-----(email)----->[mailserver]------(email)----->BeachBum's server
mail client|                          a.b.c.d
211.63.136.x

So at the level of IP address and port, BB's server or firewall will see messages from the address a.b.c.d
The original client address (211.63.136.x) will be buried in the middle of the messages, in the upper-layer headers.

However, I agree that your rule will work if the mailserver is in the offending IP range, AND is connecting directly to BB's server.  (In other words, not forwarding the mail to another mailserver first.)

Regards, CajunBill
 
LVL 13

Assisted Solution

by:kenfcamp
kenfcamp earned 166 total points
Blocking access to port 25 through your firewall as samri suggested will work very well (it's done all the time; I do it as well).

Alternately, you could add "211.63.136   REJECT" to sendmail's access file.

The problem you may find with either of these is that you don't get legitimate mail if it is sent from an address matching the IP range being blocked.
 

Author Comment

by:St_Aug_Beach_Bum

Hi all,

Thank you all for your comments, I meant to get back to this question sooner.

I found a simple working solution in another forum:

iptables -A INPUT -s 211.63.0.0/16 -j DROP

The author suggested I use this command and leave it in place for a few weeks, then remove it to see if the problem continues, replace if needed.

To remove, he gave me:

ipchains -F INPUT

Though I learned something from all the comments here, so I will split points,

Thanks again,

Chris
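As an added illustration (my own code, not anything posted in this thread), the Python below models the three layers discussed above on constructed connections: samri's /24 firewall rule, kenfcamp's sendmail access entry and the author's /16 iptables rule, checked against CajunBill's relayed case and against a legitimate neighbour in the same /16. The relay address 198.51.100.7 is a documentation address standing in for a.b.c.d; ports are ignored.

```python
# Added example (not from the thread): models where each block proposed above
# stops a given SMTP connection. Constructed data only, no real traffic.
import ipaddress

SAMRI_NET = ipaddress.ip_network("211.63.136.0/24")   # samri: offending /24 (port 25 in his rule)
AUTHOR_NET = ipaddress.ip_network("211.63.0.0/16")    # author: iptables -A INPUT -s 211.63.0.0/16 -j DROP
SENDMAIL_ACCESS = {"211.63.136": "REJECT"}            # kenfcamp: entry in sendmail's access file

def firewall_drops(peer_ip, net):
    """An iptables -s <net> -j DROP rule matches only the connecting peer's address."""
    return ipaddress.ip_address(peer_ip) in net

def sendmail_access_rejects(peer_ip, access=SENDMAIL_ACCESS):
    """sendmail access map: dotted IPv4 prefixes are matched on octet boundaries,
    longest prefix first, so the key '211.63.136' covers 211.63.136.0-255."""
    octets = peer_ip.split(".")
    for n in range(len(octets), 0, -1):
        action = access.get(".".join(octets[:n]))
        if action is not None:
            return action == "REJECT"
    return False

def header_hop_in_range(received_hops, net):
    """Inspect the Received: chain. Only this layer sees a client hidden behind a
    relay; the firewall and MTA only see the relay's address (CajunBill's point)."""
    return any(ipaddress.ip_address(hop) in net for hop in received_hops)

def where_stopped(conn, fw_net):
    """Return the first layer that refuses the message, or 'delivered'."""
    if firewall_drops(conn["peer"], fw_net):
        return "firewall"
    if sendmail_access_rejects(conn["peer"]):
        return "mta"
    if header_hop_in_range(conn["hops"], SAMRI_NET):
        return "spam_filter"   # reaches the overloaded filter, which must read headers
    return "delivered"

# Constructed connections; 198.51.100.7 is a documentation address standing in for a.b.c.d.
CONNECTIONS = {
    "direct_spam": {"peer": "211.63.136.34", "hops": []},
    "relayed_spam": {"peer": "198.51.100.7", "hops": ["211.63.136.20"]},
    "neighbour_legit": {"peer": "211.63.200.5", "hops": []},   # same /16, outside the /24
}

def compare_rules():
    """Outcome of each connection under samri's /24 rule versus the author's /16 rule."""
    return {name: (where_stopped(c, SAMRI_NET), where_stopped(c, AUTHOR_NET))
            for name, c in CONNECTIONS.items()}
```

The relayed message passes both the firewall and the access file under either rule, while the wider /16 is the only one that also drops the legitimate neighbour, which is the collateral damage kenfcamp warns about.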
 
LVL 7

Expert Comment

by:CajunBill
Thanks for sharing that!
Good luck.
