Blocking IP from server

Posted on 2004-08-27
Last Modified: 2010-03-04
I have an Ensim server, Linux 7.3.

I'm getting hundreds of spam emails each minute from some Asian IP, 211.63.136.34, and several other 211.63.136 IP numbers.

My spam filter is blocking these based on the ip, but there are so many connections that it is getting overwhelmed and other emails end up either delayed or not getting through.

Is there a way to have the server refuse connections from 211.63.136? So this never even reaches the spam filter?

If so, how do I go about it?

Thanks,

Chris
Question by: St_Aug_Beach_Bum

7 Comments

Accepted Solution by: samri (earned 168 total points)
It is best to relocate this question to Linux Area :

http://www.experts-exchange.com/Operating_Systems/Linux/
http://www.experts-exchange.com/Operating_Systems/Linux/Linux_Administration/
http://www.experts-exchange.com/Networking/Linux_Networking/

If you had a firewall installed, you could block it there...

This IP address appears to be from:
136.63.211.in-addr.arpa.      43200      SOA      rev1.kornet.net.
                        domain.rev1.kornet.net.
                        2001071900      ; serial
                        43200      ; refresh (12 hours)
                        3600      ; retry (1 hour)
                        604800      ; expire (7 days)
                        43200      ; minimum (12 hours)

If you decided to report abuse, check the information on this page: http://www.dnsstuff.com/tools/whois.ch?ip=211.63.136.34


Assisted Solution by: CajunBill (earned 166 total points)
Contact your internet provider (ISP) to see if they can block it for you before it reaches you.
Some ISPs can do this - ours does.

A firewall would not block it unless it can block higher layer traffic.  Simple firewalls block on layer three, the IP address, but the email is not sent directly from there.  So it won't be seen as coming from there.

Regards
CajunBill
Expert Comment by: samri
Yes, a firewall could totally deny depending on various criteria. In this case, you could deny traffic from the offending network: source_network 211.63.136/24, destination_port 25 (SMTP). Even the "basic" tcp-wrapper which is available on most Unix should be able to do that.
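The rule samri describes (drop the /24 on destination port 25) only works against the address that opens the TCP connection, which is exactly what a packet filter or tcp-wrapper sees. The script below is an added example for this thread, not code from the original post, from Ensim or from Red Hat: it reads constructed sendmail-style log lines, keeps only the bracketed address in sendmail's relay= field (the connecting peer, as opposed to anything in Received: headers), groups those peers by /24, and prints an iptables rule plus a tcp-wrappers hosts.deny line for every network at or above a connection threshold. The queue IDs, sender addresses and the legitimate relay in the sample log are made up; only the 211.63.136.x offenders come from the thread, and the hosts.deny line assumes an MTA built with libwrap.

```python
"""Find the networks hammering port 25 and emit rules to drop them.

Added example for this thread; it is not code from the original post,
from Ensim or from Red Hat. Only the address of the host that actually
opened the TCP connection is used, because that is the only address a
packet filter or tcp-wrapper can act on.
"""
import re
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Constructed sample log in sendmail's from= line format. Queue IDs,
# sender addresses and the legitimate relay are made up for the example;
# only the 211.63.136.x offenders come from the thread.
SAMPLE_LOG = """\
Aug 27 10:01:02 ensim sendmail[2101]: i7RE12aa002101: from=<a@example.net>, size=1830, class=0, nrcpts=1, relay=[211.63.136.34]
Aug 27 10:01:03 ensim sendmail[2102]: i7RE13bb002102: from=<b@example.net>, size=1901, class=0, nrcpts=1, relay=[211.63.136.34]
Aug 27 10:01:03 ensim sendmail[2103]: i7RE13cc002103: from=<c@example.net>, size=1760, class=0, nrcpts=1, relay=[211.63.136.91]
Aug 27 10:01:04 ensim sendmail[2104]: i7RE14dd002104: from=<d@example.net>, size=1812, class=0, nrcpts=1, relay=[211.63.136.7]
Aug 27 10:01:05 ensim sendmail[2105]: i7RE15ee002105: from=<e@example.net>, size=1788, class=0, nrcpts=1, relay=[211.63.136.202]
Aug 27 10:01:06 ensim sendmail[2106]: i7RE16ff002106: from=<f@example.net>, size=1799, class=0, nrcpts=1, relay=[211.63.137.15]
Aug 27 10:01:07 ensim sendmail[2107]: i7RE17gg002107: from=<friend@example.org>, size=4120, class=0, nrcpts=1, relay=mail.example.org [198.51.100.25]
"""

# relay= is either "[1.2.3.4]" (no reverse DNS) or "hostname [1.2.3.4]".
RELAY_RE = re.compile(r"relay=(?:[\w.-]+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_hosts(log_text):
    """Count connections per peer address; lines without relay= are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            hits[IPv4Address(m.group(1))] += 1
    return hits


def offending_networks(log_text, threshold, prefixlen=24):
    """Group peers by /prefixlen; return {network: connections} for the
    networks at or above threshold, busiest first."""
    by_net = Counter()
    for addr, n in connecting_hosts(log_text).items():
        by_net[IPv4Network((addr, prefixlen), strict=False)] += n
    return {net: n for net, n in by_net.most_common() if n >= threshold}


def block_rules(networks):
    """One iptables rule and one hosts.deny line per network.

    -I INPUT puts the rule ahead of any ACCEPT an existing firewall
    script installed. The hosts.deny line (assumption) only takes effect
    if the MTA was built with libwrap and checks the "sendmail" service.
    """
    rules = []
    for net in networks:
        rules.append(f"iptables -I INPUT -s {net} -p tcp --dport 25 -j DROP")
        rules.append(f"/etc/hosts.deny: sendmail: {net.network_address}/{net.netmask}")
    return rules


if __name__ == "__main__":
    nets = offending_networks(SAMPLE_LOG, threshold=3)
    for net, n in nets.items():
        print(f"# {net}: {n} connections; rule covers {net.num_addresses} addresses")
    for rule in block_rules(nets):
        print(rule)
```

Run against a real /var/log/maillog the threshold is the knob: a /24 with five connections in the sample is flagged while the single-connection networks are not. The printed address count is there to make the cost of widening a prefix visible before you apply it (a /24 covers 256 addresses, a /16 65,536). To take a rule out again later, use `iptables -D INPUT` with the identical specification rather than flushing the whole chain, which would also remove whatever the Ensim firewall script had installed.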
Expert Comment by: CajunBill
samri,
I said in my comment "A firewall would not block it unless it can block higher layer traffic."
Your rule will work only if the actual mailserver (not the client) is in the offending IP range.

To explain:
The originating client is not sending a tcp/ip stream to his server, but that's what your firewall rule would block.
What the firewall will see is tcp/ip messages coming from a mail server somewhere.
Like this:

spammer      |-----(email)----->[mailserver]------(email)----->BeachBum's server
mail client  |                   a.b.c.d
211.63.136.x |

So at the level of IP address and port, BB's server or firewall will see messages from the address a.b.c.d
The original client address (211.63.136.x) will be buried in the middle of the messages, in the upper-layer headers.

However, I agree that your rule will work if the mailserver is in the offending IP range, AND is connecting directly to BB's server.  (In other words, not forwarding the mail to another mailserver first.)

Regards, CajunBill
Assisted Solution by: kenfcamp (earned 166 total points)
Blocking access to port 25 through your firewall as samri suggested will work very well (it's done all the time; I do it as well).

Alternately, you could add "211.63.136   REJECT" to sendmail's access file.

The problem you may find with either of these is that you could find that you don't get legitimate mail if it is sent from an address matching the IP range being blocked.
Author Comment by: St_Aug_Beach_Bum
Hi all,

Thank you all for your comments, I meant to get back to this question sooner.

I found a simple working solution in another forum:

iptables -A INPUT -s 211.63.0.0/16 -j DROP

The author suggested I use this command and leave it in place for a few weeks, then remove it to see if the problem continues, replace if needed.

To remove, he gave me:

ipchains -F INPUT

Though I learned something from all the comments here, so I will split points,

Thanks again,

Chris
Expert Comment by: CajunBill
Thanks for sharing that!
Good luck.