Solved

Blocking IP from server

Posted on 2004-08-27
180 Views
Last Modified: 2010-03-04

I have an Ensim server, linux 7.3.

I'm getting hundreds of spam emails each minute from some Asian IP: 211.63.136.34 and several other 211.63.136 IP numbers.

My spam filter is blocking these based on the ip, but there are so many connections that it is getting overwhelmed and other emails end up either delayed or not getting through.

Is there a way to have the server refuse connections from 211.63.136? So this never even reaches the spam filter?

If so, how do I go about it?

Thanks,

Chris
Question by:St_Aug_Beach_Bum
7 Comments
LVL 15

Accepted Solution

by: samri (earned 504 total points)
ID: 11916460
It is best to relocate this question to Linux Area :

http://www.experts-exchange.com/Operating_Systems/Linux/
http://www.experts-exchange.com/Operating_Systems/Linux/Linux_Administration/
http://www.experts-exchange.com/Networking/Linux_Networking/

If you had firewall installed, you could block it there...

This IP address appears to be from:
136.63.211.in-addr.arpa.      43200      SOA      rev1.kornet.net.
                        domain.rev1.kornet.net.
                        2001071900      ; serial
                        43200      ; refresh (12 hours)
                        3600      ; retry (1 hour)
                        604800      ; expire (7 days)
                        43200      ; minimum (12 hours)

If you decide to report abuse, check the information on this page: http://www.dnsstuff.com/tools/whois.ch?ip=211.63.136.34


LVL 7

Assisted Solution

by: CajunBill (earned 498 total points)
ID: 11918581
Contact your internet provider (ISP) to see if they can block it for you before it reaches you.
Some ISPs can do this - ours does.

A firewall would not block it unless it can block higher layer traffic.  Simple firewalls block on layer three, the IP address, but the email is not sent directly from there.  So it won't be seen as coming from there.

Regards
CajunBill
LVL 15

Expert Comment

by:samri
ID: 11920174
Yes, a firewall could totally deny depending on various criteria. In this case, you could deny traffic from the offending network source_network 211.63.136/24 destination_port 25 (smtp). Even the "basic" tcp-wrapper which is available on most Unix should be able to do that.
LVL 7

Expert Comment

by:CajunBill
ID: 11921374
samri,
I said in my comment "A firewall would not block it unless it can block higher layer traffic."
Your rule will work only if the actual mailserver (not the client) is in the offending IP range.

To explain:
The originating client is not sending a tcp/ip stream to his server, but that's what your firewall rule would block.
What the firewall will see is tcp/ip messages coming from a mail server somewhere.
Like this:

spammer |-----(email)----->[mailserver]------(email)----->BeachBum's server
mail client|                          a.b.c.d
211.63.136.x

So at the level of IP address and port, BB's server or firewall will see messages from the address a.b.c.d
The original client address (211.63.136.x) will be buried in the middle of the messages, in the upper-layer headers.

However, I agree that your rule will work if the mailserver is in the offending IP range, AND is connecting directly to BB's server. (In other words, not forwarding the mail to another mailserver first.)

Regards, CajunBill
LVL 14

Assisted Solution

by: kenfcamp (earned 498 total points)
ID: 11921593
Blocking access to port 25 through your firewall as samri suggested will work very well (It's done all the time, I do it as well)

Alternately you could add "211.63.136   REJECT" to sendmail's access file.

The problem you may find with either of these is that you don't get legitimate mail if it is sent from an address matching the IP range being blocked.
Author Comment

by:St_Aug_Beach_Bum
ID: 11922330

Hi all,

Thank you all for your comments, I meant to get back to this question sooner.

I found a simple working solution in another forum:

iptables -A INPUT -s 211.63.0.0/16 -j DROP

The author suggested I use this command and leave it in place for a few weeks, then remove it to see if the problem continues, replace if needed.

To remove, he gave me:

ipchains -F INPUT

I learned something from all the comments here, though, so I will split points.

Thanks again,

Chris
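Added example, not from the thread or any poster: a small POSIX sh wrapper that turns samri's suggestion (drop by source network AND destination port 25, so only mail from that range is affected) into reviewable add/check/remove steps, and removes the rule with a targeted delete instead of flushing the whole chain, which is what a "-F INPUT" does (and ipchains, the 2.2-kernel tool, does not manage iptables rules at all). Assumes iptables is in PATH and root for the real run; the function names and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Blocks inbound SMTP from one network with
# iptables and later removes exactly that rule again. DRY_RUN=1 prints the
# commands instead of running them so they can be reviewed without root.
# Assumed: iptables in PATH; DRY_RUN and the function names are this example's own.

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Crude shape check: a.b.c.d/n with 0 <= n <= 32. Anything else (shell
# metacharacters, a bare address, a prefix length above 32) is refused.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*.*.*.*.*|/*|*/) return 1 ;;
        *.*.*.*/*) ;;
        *) return 1 ;;
    esac
    prefix=${1#*/}
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] 2>/dev/null
}

# One rule spec shared by add, check and delete so they can never drift apart:
# match the source net AND destination port 25 only, as samri described.
rule_spec() {
    printf '%s' "INPUT -s $1 -p tcp --dport 25 -j DROP"
}

block_smtp() {
    valid_cidr "$1" || { echo "refusing bad CIDR: $1" >&2; return 1; }
    # -I (insert at top) so an earlier ACCEPT in INPUT cannot shadow the drop.
    # Word splitting of rule_spec's output into separate arguments is intended.
    run iptables -I $(rule_spec "$1")
}

unblock_smtp() {
    valid_cidr "$1" || { echo "refusing bad CIDR: $1" >&2; return 1; }
    # -D deletes this one rule; "iptables -F INPUT" would discard every INPUT rule.
    run iptables -D $(rule_spec "$1")
}

# Is the network already listed in INPUT? Uses only -L, which every iptables has.
is_blocked() {
    iptables -L INPUT -n 2>/dev/null | grep -q -- "$1"
}

# Usage: block_smtp 211.63.136.0/24    ...later:  unblock_smtp 211.63.136.0/24
```

Run with DRY_RUN=1 first and compare the printed lines against what you intend; a typo in the prefix length is the difference between blocking one /24 and blocking the whole Internet.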
LVL 7

Expert Comment

by:CajunBill
ID: 11922419
Thanks for sharing that!
Good luck.