Slammed with mail from China, need help with IPBLOCK or IPCHAINS

Posted on 2006-06-29
Last Modified: 2013-12-16
My server is being slammed (15,000+ daily) with mail originating from China. For now, I am using DNSBL but trying to use it in conjunction with ipchains and ipblock.

Jun 29 19:54:42 mythos sendmail[28877]: k5U0sbq28877: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk

I have used this script below to enter "ipblock 61.140.60.62", yet why does it still have a sendmail attempt as opposed to a full outright ban?

mythos:/# more /usr/spc/ipblock
#!/bin/sh
# ipblock v2.0
# replaces ipblock that calls route, calling /usr/spc/block, which uses
# the new ipchains method of blocking/logging
IP=$1
BLOCKFILE=/etc/.blockips

if [ -z "$IP" ]; then
        echo "ipblock: blocks an entire class C netblock"
        echo
        echo "Usage: $0 <ip_addr>"
        echo "where <ip_addr> is in the form a.b.c.d, a.b.c.0/24 will be blocked"
        echo
        exit 1
fi

# fixed-string, whole-line match so the dots in the address are not treated
# as regex wildcards; a missing list file just means nothing is blocked yet
if [ -f "$BLOCKFILE" ] && grep -qxF -- "$IP" "$BLOCKFILE"; then
        echo "$IP already blocked"
        exit 0
fi

# widen a.b.c.d to a.b.c.0/24 and hand the netblock to the ipchains wrapper
CLASSC=`echo "$IP" | sed 's,\.[0-9]*$,.0/24,'`
echo "$IP" >> "$BLOCKFILE"
/usr/spc/block -f "$CLASSC"
mythos:/#

Should I use ipchains instead and if so, how does it need to read to block 61.140.60.62?
 
ipchains -A input -s ##WHAT GOES HERE TO BLOCK 61.140.60.62??## -j DENY

Help/Ideas/Advice please.
Question by: innsites
Expert Comment by: pjedmond
ID: 17016200
ipchains or iptables is a much better method of doing this... and if they are trying to send 15000 emails a day, then you can make a significant difference to the speed at which the spammer can function. I've always used 'DROP' rather than DENY (although I think they are treated identically). This avoids any confusion with REJECT - this forces the thread trying to send the email to wait for a time out, rather than continuing to the next email immediately on receiving a rejection. With 15000 emails per day and a 20 second delay per email you may almost prevent the spammer from functioning (OK, there will be multiple threads trying to run, but this is a nice opportunity to do something that will have a real effect on spam... until the perpetrators sort out what's happening).

iptables -A INPUT -p tcp -s 61.140.60.62 --dport 25 -j DROP

The following will also work:

iptables -A INPUT -p tcp -s 61.140.60.62 --dport smtp -j DROP

or if you don't want to be selective about protocol or incoming port then:

iptables -A INPUT -s 61.140.60.62 -j DROP

is fine. Have a look here for a nice overview:

http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html

(   (()
(`-' _\
 ''  ''
Accepted Solution by: pjedmond (earned 500 total points)
ID: 17016246
As for the script that you've got - not sure how it is called and run, however, in this case, running a bash script to check every script to remove/reject/drop emails from a spammer is not the way to go, as your poor little server would end up accepting a connection, reading in the email, processing it a bit (writing it to a queue), running the rejection script and logging the results 15,000 times a day. With the ipchains approach, the mail is denied when it tries to connect, and the spammer also ends up waiting to time out :) Much better approach.

Just noticed I was thinking iptables... not chains (although the syntax is similar). You need:

ipchains -A input -s 61.140.60.62 -j DENY

(   (()
(`-' _\
 ''  ''
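
The pieces of this thread fit together as one small tool: pull the source addresses that sendmail has already rejected through the DNSBL ruleset out of the log, and emit the firewall rule for each, in the plain ipchains form from the accepted answer and the tcp/25 iptables DROP form from the first comment, optionally widened to the /24 the way the asker's ipblock script does. The script below is an added example and is not code from the thread; the log lines are constructed in the style of the one quoted in the question, and the function names (dnsbl_rejected_ips, firewall_rule, rules_from_log) are my own. It only prints rules, so it can be reviewed before anything is applied as root.

```shell
#!/bin/sh
# Added example: derive host-firewall rules from sendmail DNSBL reject lines.
# Nothing here calls ipchains/iptables; the rules are printed for review.

# Constructed sample log (not a real capture), modelled on the question's line.
SAMPLE_LOG='Jun 29 19:54:42 mythos sendmail[28877]: k5U0sbq28877: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk
Jun 29 19:55:10 mythos sendmail[28901]: k5U0tAq28901: from=<user@example.net>, size=1024, class=0, nrcpts=1, relay=[192.0.2.10]
Jun 29 19:56:02 mythos sendmail[28933]: k5U0u2q28933: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk
Jun 29 19:57:45 mythos sendmail[28960]: k5U0vjq28960: ruleset=check_relay, arg1=[203.0.113.7], arg2=203.0.113.7, relay=[203.0.113.7], reject=450 5.7.1 Mail from suspected spam source 203.0.113.7 refused - using DNSBL countries.nerd.dk'

# dnsbl_rejected_ips: read a sendmail log on stdin, print each distinct relay
# address that was refused by the check_relay ruleset via a DNSBL lookup.
dnsbl_rejected_ips() {
    grep 'ruleset=check_relay' | grep 'using DNSBL' \
      | sed -n 's/.*relay=\[\([0-9.]*\)].*/\1/p' | sort -u
}

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255, so a
# mangled log line can never turn into a rule matching something unintended.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    n=0
    oldifs=$IFS; IFS=.
    for octet in $1; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# firewall_rule FLAVOUR ADDR [SCOPE]
#   FLAVOUR: ipchains (DENY everything from the source, as in the accepted
#            answer) or iptables (DROP only tcp/25, as in the first comment)
#   SCOPE:   host (default) or classc, which widens a.b.c.d to a.b.c.0/24
#            exactly as the asker's ipblock script does
firewall_rule() {
    flavour=$1; ip=$2; scope=${3:-host}
    valid_ipv4 "$ip" || { echo "firewall_rule: bad IPv4 address '$ip'" >&2; return 1; }
    if [ "$scope" = classc ]; then
        ip=${ip%.*}.0/24
    fi
    case "$flavour" in
        ipchains) printf 'ipchains -A input -s %s -j DENY\n' "$ip" ;;
        iptables) printf 'iptables -A INPUT -p tcp -s %s --dport 25 -j DROP\n' "$ip" ;;
        *) echo "firewall_rule: unknown flavour '$flavour'" >&2; return 1 ;;
    esac
}

# rules_from_log FLAVOUR [SCOPE]: log on stdin, one rule per rejected source.
rules_from_log() {
    dnsbl_rejected_ips | while read -r ip; do
        firewall_rule "$1" "$ip" "$2"
    done
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | rules_from_log iptables
```

Feed the real log instead of the sample (for example `rules_from_log ipchains classc < /var/log/maillog`) and review the output before applying it with root privileges. The reason the DNSBL line in the question keeps appearing is visible in the order of events: sendmail can only consult the DNSBL after it has accepted the TCP connection, whereas a rule in the input chain refuses the connection before sendmail ever sees it, which is the point the accepted answer makes.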