Slammed with mail from China, need help with IPBLOCK or IPCHAINS

My server is being slammed (15,000+ daily) with mail originating from China. For now, I am using DNSBL, but I am trying to use it in conjunction with ipchains and ipblock.

Jun 29 19:54:42 mythos sendmail[28877]: k5U0sbq28877: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk

I have used the script below to enter "ipblock 61.140.60.62", yet why does it still show a sendmail attempt as opposed to a full outright ban?

mythos:/# more /usr/spc/ipblock
#!/bin/sh
# ipblock v2.0
# replaces ipblock that calls route, calling /usr/spc/block, which uses
# the new ipchains method of blocking/logging
IP=$1
BLOCKED=/etc/.blockips

if [ "$IP" = "" ]; then
        echo "ipblock: blocks an entire class C netblock"
        echo
        echo "Usage: $0 <ip_addr>"
        echo "where <ip_addr> is in the form a.b.c.d, a.b.c.0/24 will be blocked"
        echo
        exit 1;
fi

# the list file must exist, otherwise grep fails and the test below breaks
touch "$BLOCKED"

# -x -F: match the whole line literally, so the dots in the address are not
# regex wildcards and 61.140.60.62 is not reported as "already blocked"
# just because a similar address such as 61.140.60.6X is in the list
if [ "$(grep -c -x -F "$IP" "$BLOCKED")" -gt 0 ]; then
        echo "$IP already blocked"
        exit
fi

# a.b.c.d -> a.b.c.0/24
CLASSC=$(echo "$IP" | sed 's,\.[0-9]*$,.0/24,')
echo "$IP" >> "$BLOCKED"
/usr/spc/block -f "$CLASSC"
mythos:/#

Should I use ipchains instead and if so, how does it need to read to block 61.140.60.62?
 
ipchains -A input -s ##WHAT GOES HERE TO BLOCK 61.140.60.62??## -j DENY

Help/Ideas/Advice please.
innsites asked:
pjedmond commented:
As for the script that you've got: not sure how it is called and run, however in this case running a bash script to check every email in order to remove/reject/drop emails from a spammer is not the way to go, as your poor little server would end up accepting the connection, reading in the email, processing it a bit (writing it to a queue), running the rejection script and logging the results 15,000 times a day. With the ipchains approach, the mail is denied when it tries to connect, and the spammer also ends up waiting to time out :) Much better approach.

Just noticed I was thinking iptables... not ipchains (although the syntax is similar). You need:

ipchains -A input -s 61.140.60.62 -j DENY

(   (()
(`-' _\
 ''  ''
 
pjedmond commented:
ipchains or iptables is a much better method of doing this... and if they are trying to send 15,000 emails a day, then you can make a significant difference to the speed at which the spammer can function. I've always preferred using 'DROP' rather than DENY (although I think they are treated identically). It avoids any confusion with REJECT; this forces the thread trying to send the email to wait for a time out, rather than continuing to the next email immediately on receiving a rejection. With 15,000 emails per day and a 20 second delay per email you may almost prevent the spammer from functioning (OK, there will be multiple threads trying to run, but this is a nice opportunity to do something that will have a real effect on spam... until the perpetrators sort out what's happening).

iptables -A INPUT -p tcp -s 61.140.60.62 --dport 25 -j DROP

The following will also work:

iptables -A INPUT -p tcp -s 61.140.60.62 --dport smtp -j DROP

or if you don't want to be selective about protocol or incoming port then:

iptables -A INPUT -s 61.140.60.62 -j DROP

is fine. Have a look here for a nice overview:

http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html

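Putting the two comments above together, here is an added example that is not code from the thread or from either poster. It takes the sendmail log format shown in the question, pulls out every relay address that sendmail rejected via DNSBL, and prints the matching DROP rule in either the iptables form from the second comment or the ipchains form from the first, so the next connection from that source is dropped before sendmail ever accepts it. The log lines inside it are constructed sample data (the second and third lines, including their queue IDs, are made up; 198.51.100.5 is a documentation address), and the function names and the `host`/`net` mode are this example's own choices. Nothing in it runs iptables or ipchains itself; it prints the commands for review.

```shell
#!/bin/sh
# Added example, not from the thread: turn sendmail's DNSBL rejections into
# firewall rules. Prints the commands; pipe the output into sh as root to apply.
LC_ALL=C
export LC_ALL

# Constructed sample log lines in the format shown in the question. The last
# line is an accepted message and must not produce a rule.
SAMPLE_LOG='Jun 29 19:54:42 mythos sendmail[28877]: k5U0sbq28877: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk
Jun 29 19:55:10 mythos sendmail[28901]: k5U0tAq28901: ruleset=check_relay, arg1=[61.140.60.62], arg2=61.140.60.62, relay=[61.140.60.62], reject=450 5.7.1 Mail from suspected spam source 61.140.60.62 refused - using DNSBL countries.nerd.dk
Jun 29 19:56:03 mythos sendmail[28944]: k5U0u3q28944: ruleset=check_relay, arg1=[61.140.60.201], arg2=61.140.60.201, relay=[61.140.60.201], reject=450 5.7.1 Mail from suspected spam source 61.140.60.201 refused - using DNSBL countries.nerd.dk
Jun 29 19:57:30 mythos sendmail[28990]: k5U0vUq28990: from=<alice@example.com>, size=1024, class=0, nrcpts=1, msgid=<x@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.5]'

# Only a dotted quad is accepted; anything else taken from the log is refused,
# so a crafted log line cannot smuggle text into a firewall command.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Read maillog lines on stdin; print each DNSBL-rejected relay address once,
# most frequent first.
spam_sources() {
    grep 'ruleset=check_relay' | grep 'using DNSBL' \
        | sed -n 's/.*relay=\[\([0-9.]*\)\].*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $2 }'
}

# a.b.c.d -> a.b.c.0/24, the same widening the poster's ipblock script does.
class_c() {
    echo "$1" | sed 's/\.[0-9]*$/.0\/24/'
}

# The rule for one address or netblock. $2 selects the tool: "iptables" gives
# the port-25-only form from the second comment, "ipchains" the form from the
# first comment, which drops everything from that source.
drop_rule() {
    if [ "$2" = ipchains ]; then
        echo "ipchains -A input -s $1 -j DENY"
    else
        echo "iptables -A INPUT -p tcp -s $1 --dport 25 -j DROP"
    fi
}

# Read a maillog on stdin and print one rule per distinct target.
# $1: "host" blocks the single address, "net" its /24.  $2: iptables|ipchains.
build_rules() {
    spam_sources | while read -r ip; do
        is_ipv4 "$ip" || continue
        if [ "$1" = net ]; then class_c "$ip"; else echo "$ip"; fi
    done | sort -u | while read -r target; do
        drop_rule "$target" "$2"
    done
}

# Dry run over the constructed sample: prints the rules, applies nothing.
printf '%s\n' "$SAMPLE_LOG" | build_rules net iptables
```

To apply it against the real log, run something like `build_rules host iptables < /var/log/maillog | sh` as root, after reading the printed rules. Start with `host` mode: `net` mode blocks the whole /24 the way the poster's ipblock does, which also cuts off up to 253 neighbours of the spamming host. The iptables form drops only port 25, so other services from that source keep working, whereas the ipchains form from the first comment drops everything. Rules added with `-A` are lost at reboot, so the list also needs to be saved wherever the firewall script is normally kept.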
Question has a verified solution.