Solved

Slammed with mail from China, need help with IPBLOCK or IPCHAINS

Posted on 2006-06-29
Last Modified: 2013-12-16
My server is being slammed (15,000+ daily) with mail originating from China. For now, I am using DNSBL but trying to use it in conjunction with ipchains and ipblock.

Jun 29 19:54:42 mythos sendmail[28877]: k5U0sbq28877: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk

I have used this script below to enter "ipblock 61.140.60.62", yet why does it still have a sendmail attempt as opposed to a full outright ban?

mythos:/# more /usr/spc/ipblock
#!/bin/sh
# ipblock v2.0
# replaces ipblock that calls route, calling /usr/spc/block, which uses
# the new ipchains method of blocking/logging
IP=$1

if [ "$IP" = "" ]; then
        echo "ipblock: blocks an entire class C netblock"
        echo
        echo "Usage: $0 <ip_addr>"
        echo "where <ip_addr> is in the form a.b.c.d, a.b.c.0/24 will be blocked"
        echo
        exit 1
fi

# exact fixed-string match (-x -F): with a plain regex the dots in $IP match
# any character, and a missing /etc/.blockips made grep fail instead of
# reporting "not blocked"
if [ -f /etc/.blockips ] && grep -qxF "$IP" /etc/.blockips; then
        echo "$IP already blocked"
        exit 0
fi

# turn a.b.c.d into a.b.c.0/24
CLASSC=`echo "$IP" | sed 's,\.[0-9]*$,.0/24,'`
echo "$IP" >> /etc/.blockips
/usr/spc/block -f "$CLASSC"
mythos:/#

Should I use ipchains instead and if so, how does it need to read to block 61.140.60.62?
 
ipchains -A input -s ##WHAT GOES HERE TO BLOCK 61.140.60.62??## -j DENY

Help/Ideas/Advice please.
Question by:innsites

2 Comments
 
LVL 22

Expert Comment

by:pjedmond
ID: 17016200
ipchains or iptables is a much better method of doing this.....and if they are trying to send 15000 emails a day, then you can make a significant difference to the speed at which the spammer can function. I've always used 'DROP' rather than DENY (although I think they are treated identically). It avoids any confusion with REJECT - this forces the thread trying to send the email to wait for a timeout, rather than continuing to the next email immediately on receiving a rejection. With 15000 emails per day and a 20 second delay per email you may almost prevent the spammer from functioning (OK, there will be multiple threads trying to run, but this is a nice opportunity to do something that will have a real effect on spam...until the perpetrators sort out what's happening).

iptables -A INPUT -p tcp -s 61.140.60.62 --dport 25 -j DROP

The following will also work:

iptables -A INPUT -p tcp -s 61.140.60.62 --dport smtp -j DROP

or if you don't want to be selective about protocol or incoming port then:

iptables -A INPUT -s 61.140.60.62 -j DROP

is fine. Have a look here for a nice overview:

http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html

(   (()
(`-' _\
 ''  ''
LVL 22

Accepted Solution

by: pjedmond earned 2000 total points
ID: 17016246
As for the script that you've got - not sure how it is called and run, however, in this case, running a bash script to check every script to remove/reject/drop emails from the spammer is not the way to go, as your poor little server would end up accepting the connection, reading in the email, processing it a bit (writing it to a queue), running the rejection script, and logging results 15,000 times a day. With the ipchains approach, the mail is denied when it tries to connect, and the spammer also ends up waiting to time out :) Much better approach.

Just noticed I was thinking iptables...not chains (although the syntax is similar). You need:

ipchains -A input -s 61.140.60.62 -j DENY

(   (()
(`-' _\
 ''  ''
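An added example, not the asker's script or the answers' own commands: it pulls the rejected source addresses out of sendmail log lines like the one quoted in the question, keeps the blocklist file with an exact-match lookup (the original script's grep treats the dots in the address as regex wildcards), and prints the ipchains or iptables rule from the answers instead of applying it. The log lines and the blocklist path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the asker's ipblock script or pjedmond's commands: parse the
# sendmail DNSBL rejections from the question, dedupe the sources against a
# blocklist file, and print (not run) the rule from the answers for the tool chosen.

# Constructed sample log lines in the format quoted in the question.
SAMPLE_LOG='Jun 29 19:54:42 mythos sendmail[28877]: k5U0sbq28877: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk
Jun 29 19:55:01 mythos sendmail[28901]: k5U0t1q28901: from=<user@example.com>, size=1024, relay=mail.example.com [192.0.2.10]
Jun 29 19:56:10 mythos sendmail[28950]: k5U0uAq28950: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk'

# Unique source IPs that sendmail rejected via the DNSBL check.
dnsbl_sources() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n 's/.*reject=450 5\.7\.1 Mail from suspected spam source \([0-9.]*\) refused.*/\1/p' \
      | sort -u
}

# Exact fixed-string lookup (-x -F): the dots in an address are not regex
# wildcards, and a missing blocklist means "not blocked" rather than an error.
already_blocked() {  # $1 = ip, $2 = blocklist file
    [ -f "$2" ] && grep -qxF "$1" "$2"
}

# The rule each answer gives: ipchains as in the accepted solution, iptables
# limited to SMTP as in the first comment.
block_rule() {  # $1 = ip, $2 = ipchains|iptables
    case "$2" in
        ipchains) printf 'ipchains -A input -s %s -j DENY\n' "$1" ;;
        iptables) printf 'iptables -A INPUT -p tcp -s %s --dport 25 -j DROP\n' "$1" ;;
        *) echo "block_rule: unknown tool $2" >&2; return 1 ;;
    esac
}

# Record each new source in the blocklist and print its rule; already listed
# addresses are reported on stderr and skipped.
generate_rules() {  # $1 = ipchains|iptables, $2 = blocklist file
    dnsbl_sources | while read -r ip; do
        if already_blocked "$ip" "$2"; then
            echo "$ip already blocked" >&2
            continue
        fi
        printf '%s\n' "$ip" >> "$2"
        block_rule "$ip" "$1"
    done
}
# Demo against the constructed log with a throwaway blocklist.
BLOCKLIST=$(mktemp)
generate_rules iptables "$BLOCKLIST"
rm -f "$BLOCKLIST"
```

Feed real log lines by replacing SAMPLE_LOG with the output of grep over the mail log, and pipe the printed rules to sh only after reviewing them.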
