On Mon, Sep 22, 2003 at 08:46:15PM -0700, Steve Lamb wrote:
> On Mon, 22 Sep 2003 22:44:50 -0400
> "H. S. Teoh" <[EMAIL PROTECTED]> wrote:
> > Another major source is rr.com, which not only gives me tons of Swen, but
> > also other spam in general. I've blacklisted rr.com in /etc/hosts.deny,
> > but obviously I'm missing something obvious, 'cos rr.com spam still gets
> > through unless I block them on the firewall.
>
> rr.com pisses me off. They RBL other ISP provider's customer blocks so
> we can't complain about their mess. Pathetic.

Apparently rr.com has a reputation for being a spamhaus since years ago, in
spite of their advertisements to the contrary.

[snip]
> > What are the exim rules you used to catch these things?
>
> exiscan-acl calling clamav and dropping it with a 550. A full log line
> would be:
>
> 2003-09-22 07:38:05 1A1RpB-0007Xd-Of H=(smtp21.singnet.com.sg)
> [165.21.101.201] F=<[EMAIL PROTECTED]> rejected after DATA: This
> message contains a virus or other malware (Worm.Gibe.F).

I see. Thanks for the info, I'll look it up.

[snip]
> > For me, I just created a special iptables chain in the NAT table and wrote
> > a script to put DROP rules into it. Then I have a rule in PREROUTING that
> > diverts all port 25 traffic to that chain (so that other stuff doesn't
> > incur too much overhead---the chain is quite long and growing rapidly).
>
> True. I'm just doing a blanket blacklist since I figure if they're
> infected with this, what else will they hit?

So far, I haven't got anything except port 25 connections from infected
hosts. But then again, I have very few open ports on my machine, so who
knows.

> > If you want to automate this more, you could write a spamassassin rule
> > that matches Swen mails, then use procmail to filter it (match against the
> > rule name in X-Spam-Status) through a script that grabs the IP address and
> > enters it into the firewall.
>
> Except it never hits SA nor do I even have procmail installed. Can't
> stand the ugly beast.

It never hits SA? Almost all Swen mails I got were caught by my bogofilter +
SA setup. (It only missed like 2-3 out of at least 5000 per day.)

[snip]
> > But according to my observations from today, it's not a big deal if the
> > first few messages get through---all my firewall rules were hand-added
> > (only partially automated with some scripts), and they still catch a lot
> > of subsequent crap. From the looks of it, infected machines are liable to
> > repeatedly resend messages to the same target. The fact that you *did*
> > blackhole the IP or subnet probably saves you from a lot of subsequent
> > crap.
>
> True. Right now I'm just adding IPs by awking out the IPs, cleaning off
> the brackets and tacking it onto the end of shorewall's blacklist.

I've resorted to blocking wide subnets. 202.248.37.0/24 alone has had 3858
hits since yesterday, and still counting. Last night alone (about the past 8
hours or so) the firewall blocked about 6000+ port 25 connections, and shows
no sign of slowing down. In fact, the rate seems to be increasing from the
per minute scale and approaching the per second scale.

[snip]
> Ahhh, here's an interesting tidbit. From shorewall's status.
>
> Chain blacklst (2 references)
>  pkts bytes target prot opt in  out source          destination
>    40  2400 DROP   all  --  *   *   128.118.141.31  0.0.0.0/0
>    48  2880 DROP   all  --  *   *   128.118.141.35  0.0.0.0/0
>     0     0 DROP   all  --  *   *   128.83.126.136  0.0.0.0/0
>  1087 52176 DROP   all  --  *   *   129.79.1.71     0.0.0.0/0
>   686 32928 DROP   all  --  *   *   129.79.1.72     0.0.0.0/0
>
> This is interesting. Some of these are hitting me a LOT and others have
> not hit at all. I guess this means I can drop the ones with a 0 count, reset
> the counts and let it go. This would, in theory, weed out the cleaned up
> hosts while leaving in the infected, no?

[snip]
I noticed this also. However, I found that some of the subnets I blocked
"rested" for several hours, and then started bombarding me again. So I'm
leaving the rules in for at least a couple o' days before cleaning out
those with 0 count.

T

-- 
To err is human; to forgive is not our policy. -- Samuel Adler
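Added example, not code from either poster: a POSIX shell script that does the pruning Steve proposes, but with Teoh's caveat built in. It only nominates a blacklist entry for removal when its DROP counter is zero in two snapshots taken days apart (assumed to come from `iptables -L blacklst -vnx`, with `iptables -Z blacklst` run after the first snapshot). Both snapshots below are constructed, modelled on the shorewall excerpt in the thread.

```shell
#!/bin/sh
# Constructed snapshot 1 of the blacklist chain (counters are made up).
SNAP_DAY1='Chain blacklst (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      40       2400 DROP       all  --  *      *       128.118.141.31       0.0.0.0/0
      48       2880 DROP       all  --  *      *       128.118.141.35       0.0.0.0/0
       0          0 DROP       all  --  *      *       128.83.126.136       0.0.0.0/0
    1087      52176 DROP       all  --  *      *       129.79.1.71          0.0.0.0/0
       0          0 DROP       all  --  *      *       129.79.1.72          0.0.0.0/0'

# Constructed snapshot 2, two days later, after counters were zeroed:
# 129.79.1.72 "rested" and then came back; 128.83.126.136 stayed quiet.
SNAP_DAY3='Chain blacklst (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      52       3120 DROP       all  --  *      *       128.118.141.31       0.0.0.0/0
      12        720 DROP       all  --  *      *       128.118.141.35       0.0.0.0/0
       0          0 DROP       all  --  *      *       128.83.126.136       0.0.0.0/0
    2301     110448 DROP       all  --  *      *       129.79.1.71          0.0.0.0/0
     310      14880 DROP       all  --  *      *       129.79.1.72          0.0.0.0/0'

# Print "source pkts" for every DROP rule in one snapshot.
# In `iptables -L -vnx` output field 1 is pkts and field 8 is source;
# the "Chain ..." and column-header lines have no DROP in field 3.
drop_counts() {
    printf '%s\n' "$1" | awk '$3 == "DROP" { print $8, $1 }'
}

# Sources present in both snapshots whose counter was zero in both:
# these are the prune candidates, i.e. hosts that never came back.
prune_candidates() {
    { drop_counts "$1"; drop_counts "$2"; } |
    awk '{ seen[$1]++; if ($2 > 0) hits[$1]++ }
         END { for (s in seen) if (seen[s] == 2 && !(s in hits)) print s }' |
    sort
}

# Emit the deletion commands for review instead of running them.
prune_commands() {
    prune_candidates "$1" "$2" |
    awk '{ printf "iptables -D blacklst -s %s -j DROP\n", $1 }'
}
```

Hosts with a non-zero count in either snapshot are kept, which is what catches the "rested for several hours" case.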