Solved

Slammed with mail from China, need help with IPBLOCK or IPCHAINS

Posted on 2006-06-29
369 Views
Last Modified: 2013-12-16
My server is being slammed (15,000+ daily) with mail originating from China. For now, I am using DNSBL but trying to use it in conjunction with ipchains and ipblock.

Jun 29 19:54:42 mythos sendmail[28877]: k5U0sbq28877: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk

I have used this script below to enter "ipblock 61.140.60.62", yet why does it still have a sendmail attempt as opposed to a full outright ban?

mythos:/# more /usr/spc/ipblock
#!/bin/sh
# ipblock v2.0
# replaces ipblock that calls route, calling /usr/spc/block, which uses
# the new ipchains method of blocking/logging
IP=$1
BLOCKLIST=/etc/.blockips

if [ "$IP" = "" ]; then
        echo "ipblock: blocks an entire class C netblock"
        echo
        echo "Usage: $0 <ip_addr>"
        echo "where <ip_addr> is in the form a.b.c.d, a.b.c.0/24 will be blocked"
        echo
        exit 1
fi

# create the list on first use so grep does not fail on a missing file
[ -f "$BLOCKLIST" ] || touch "$BLOCKLIST"

# -F matches the IP literally (the dots are not regex wildcards), -x whole line
if grep -Fxq "$IP" "$BLOCKLIST"; then
        echo "$IP already blocked"
        exit 0
fi

# replace the last octet with 0/24 to get the class C netblock
CLASSC=`echo "$IP" | sed 's,\.[0-9]*$,.0/24,'`
echo "$IP" >> "$BLOCKLIST"
/usr/spc/block -f "$CLASSC"
mythos:/#

Should I use ipchains instead and if so, how does it need to read to block 61.140.60.62?
 
ipchains -A input -s ##WHAT GOES HERE TO BLOCK 61.140.60.62??## -j DENY

Help/Ideas/Advice please.
Question by:innsites
2 Comments
 
LVL 22

Expert Comment

by:pjedmond
ID: 17016200
ipchains or iptables is a much better method of doing this.....and if they are trying to send 15000 emails a day, then you can make a significant difference to the speed at which the spammer can function. I've always used 'DROP' rather than DENY (although I think they are treated identically). Avoids any confusion with REJECT - this forces the thread trying to send the email to wait for a time out, rather than continuing to the next email immediately on receiving a rejection. With 15000 emails per day and a 20 second delay per email you may almost prevent the spammer from functioning (OK there will be multiple threads trying to run, but this is a nice opportunity to do something that will have a real effect on spam...until the perpetrators sort out what's happening)

iptables -A INPUT -p tcp -s 61.140.60.62 --dport 25 -j DROP

The following will also work:

iptables -A INPUT -p tcp -s 61.140.60.62 --dport smtp -j DROP

or if you don't want to be selective about protocol or incoming port then:

iptables -A INPUT -s 61.140.60.62 -j DROP

is fine. Have a look here for a nice overview:

http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html

(   (()
(`-' _\
 ''  ''
 
LVL 22

Accepted Solution

by:
pjedmond earned 500 total points
ID: 17016246
As for the script that you've got - not sure how it is called and run, however, in this case, running a bash script to check every script to remove/reject/drop emails from the spammer is not the way to go as your poor little server would end up accepting the connection, reading in the email, processing it a bit (writing it to a queue), running the rejection script, and logging results 15,000 times a day. With the ipchains approach, the mail is denied when it tries to connect, and the spammer also ends up waiting to time out :) Much better approach.

Just noticed I was thinking iptables...not chains (although the syntax is similar). You need:

ipchains -A input -s 61.140.60.62 -j DENY

(   (()
(`-' _\
 ''  ''
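Added example (not from the thread or either poster): the two comments above recommend dropping the spammer at the firewall rather than letting sendmail accept and then DNSBL-reject each connection. This script takes the check_relay rejection lines from the sendmail log quoted in the question, tallies them per /24 the way the asker's ipblock script blocks, and prints (does not apply) the matching iptables DROP rules for netblocks over a threshold. The log lines are a constructed sample in the question's format; the function names and the threshold are mine, and a /24 can contain legitimate senders, so the rules are meant to be reviewed before loading.

```shell
#!/bin/sh
# Constructed sample of sendmail check_relay rejections (not real log data);
# the last line is an ordinary delivery and must be ignored.
SAMPLE_LOG='Jun 29 19:54:42 mythos sendmail[28877]: k5U0sbq28877: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk
Jun 29 19:55:01 mythos sendmail[28880]: k5U0t1q28880: ruleset=check_relay, arg1=[61.140.60.75], arg2=61.140.60.75, relay=[61.140.60.75], reject=450 5.7.1 Mail from suspected spam source 61.140.60.75 refused - using DNSBL countries.nerd.dk
Jun 29 19:55:09 mythos sendmail[28881]: k5U0t9q28881: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk
Jun 29 19:56:30 mythos sendmail[28890]: k5U0uUq28890: ruleset=check_relay, arg1=[203.0.113.9], arg2=203.0.113.9, relay=[203.0.113.9], reject=450 5.7.1 Mail from suspected spam source 203.0.113.9 refused - using DNSBL countries.nerd.dk
Jun 29 19:57:00 mythos sendmail[28891]: k5U0v0q28891: from=<user@example.com>, size=1024, class=0, nrcpts=1, relay=[198.51.100.4]'

# rejected_netblocks LOGTEXT
# Prints "<count> <a.b.c.0/24>" for every relay rejected by check_relay,
# most-hit netblock first. Only lines with both ruleset=check_relay and
# reject= are counted, so normal deliveries are skipped.
rejected_netblocks() {
    printf '%s\n' "$1" \
      | grep 'ruleset=check_relay' | grep 'reject=' \
      | sed -n 's/.*relay=\[\([0-9.]*\)\].*/\1/p' \
      | sed 's/\.[0-9]*$/.0\/24/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# drop_rules LOGTEXT MINHITS
# Emits one iptables DROP rule (port 25 only, as in the first comment) per
# netblock with at least MINHITS rejections. Rules are printed, not applied.
drop_rules() {
    rejected_netblocks "$1" | awk -v min="$2" \
      '$1 >= min {printf "iptables -A INPUT -p tcp -s %s --dport 25 -j DROP\n", $2}'
}

# Usage: show netblocks seen twice or more in the sample.
drop_rules "$SAMPLE_LOG" 2
```

Feed it the real log with `drop_rules "$(grep check_relay /var/log/maillog)" 50` and pipe the output through `sh` only once you have checked the netblocks.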
