[ me wanting to firewall spammers and then record the activity in DNS so my secondary MXs know about it. ]
On Thu, Mar 13, 2003 at 09:39:08AM +0000, Jason Clifford wrote:
> > Hmm, this sounds much more hacky. I'd rather update it direct.
>
> Fair enough, but be warned that a lot of spammers are getting very good at confusing Received from headers, so you need to be absolutely sure that you are acting upon the correct data.
>
> One question for you though: if you are acting only upon the mail logs, how are you certain that the message in question is really spam?

In answer to both of those: first off, it doesn't use Received: fields, only the sender address, i.e. the connecting host, as reported by the MTA. So we always know that's accurate.

As for then determining the spamminess, I have spamc (spamassassin's client to spamd) wired into exim, which can 550 or defer at DATA time, and this is all dutifully written out to the mail logs. There are other things like attempting to auth with empty passwords etc. and other surefire spammer fingerprints it'll pick up.

> It strikes me that relying solely upon the address mail is sent to may result in false positives - perhaps that is just because I have so many email addresses though.

It doesn't rely on rcpt address at all - it relies on spamassassin.

**

The program's pretty much working at this point, with success at 10am this morning when a 2ndary MX using the block list rejected a message the primary had just itself rejected:

2003-03-19 02:01:58 H=(okmxrry) [208.177.229.98] F=<[EMAIL PROTECTED]> rejected RCPT <ebay(at)curve.net>: host is listed in bl.ucefree.com

In essence it's watching for certain strings in the logs. Matches will cause an A and TXT record to appear in the blocklist and an iptables firewall entry DROPping packets to port 25. This lasts for quite a short period, say a few minutes. Repeated matches get exponentially longer. After the sin-bin period the fw entry is removed along with the A record.
Even if there's a false positive, the worst that'll happen is a legitimate host will have to sit about for a few minutes before it sends another message. The key observation is that most spamming sites aren't queuing messages - they're trying to stuff as many out as possible, and then they switch off, often gone for good. If a message isn't delivered, it never will be. This is in stark contrast to legit mail, which will get queued for days. So by fw'ing a spammer you do so in the hope you do it long enough to effectively heavily throttle them. (Note that it's a packet DROP, rather than a REJECT.) (I was effectively DoS'ed a month or so back, and this system would've saved me.)

I was about to embark on a whole Cache::Cache adventure to store which IPs were blocked and how many times they'd transgressed the filters etc. to make it all persistent, 'til I decided to store this info in the TXT records. Also means other machines can contribute with the right DNS update key. Nice.

Some notes:

If a spammer can't get in through the primary they often try the secondary straight afterwards, even though they got a 5xx code (bad). So this punts them nicely.

One odd thing is that sometimes they'll just go straight for the secondaries, without first trying a primary. This happens quite often. So the spam blocker is running on all machines, and all can update the primary nameserver thanks to the secret keys they have, thus sharing how often they match filters. Sexy.

Some spammers seem to maintain their own DNS caches that totally ignore TTLs - I've seen spammers attempting to deliver to hosts that haven't been an MX for over a week. Bizarre.

Damned lies: of about 1400 spamming IPs recently, about 250 have hit several times, including a few who have tripped spamassassin hard at least a dozen times (hint: host=efwd.dnsix.com [216.34.94.189]). I'm no ISP, so these are reasonable numbers.
I have some cool gnuplots of IPs against times spent on the firewall - there are a small fraction sending a lot of crap, and lots of one-time players.

Paul

-- 
Paul Makepeace ....................................... http://paulm.com/

"If there are storms in Africa, then be careful about the slippery slope."
   -- http://paulm.com/toys/surrealism/
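The mechanism Paul describes above (match a log line, take the connecting host's IP from the MTA's own [ip] field, put an A and TXT record into the DNSBL zone and a port-25 DROP rule into iptables for an exponentially growing sin-bin, keep the strike count in the TXT record so it survives restarts and can be shared by secondaries holding the update key), written out as an added Python example. This is not Paul's program and not code from the thread; it only computes the state and emits the nsupdate and iptables commands rather than running them. The zone name bl.ucefree.com is from the post; the nameserver, the 127.0.0.2 listing address, the reversed-octet record layout, the "strikes=N expires=EPOCH" TXT format, the base period and cap, and the exim-style log patterns are all assumptions, and the log lines in the demo are constructed.

```python
"""Log-driven spam sin-bin (added example, not the original program):
match MTA log lines, compute an exponential block period per offending IP,
and emit the nsupdate and iptables actions that would list the host in a
DNSBL and DROP its inbound port-25 packets for that period."""
import re

ZONE = "bl.ucefree.com"       # from the post
NS = "ns.example.net"         # assumed primary nameserver for the zone
LIST_ADDR = "127.0.0.2"       # assumed conventional DNSBL listing address
BASE_SECONDS = 180            # assumed first-offence period: a few minutes
MAX_SECONDS = 24 * 3600       # assumed cap on the exponential growth

# Assumed fingerprints (the post only says "certain strings"): a SpamAssassin
# rejection at DATA time, a DNSBL hit on a secondary, and an empty-password
# AUTH attempt, all in exim's reject-log style.
PATTERNS = [
    re.compile(r"rejected after DATA: .*spam"),
    re.compile(r"rejected RCPT .*: host is listed in " + re.escape(ZONE)),
    re.compile(r"authenticator failed .*empty password"),
]
# Only the MTA's own [ip] field is used, never a Received: header.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def offending_ip(line):
    """Return the connecting host's IP if the line matches a fingerprint, else None."""
    if not any(p.search(line) for p in PATTERNS):
        return None
    m = IP_RE.search(line)
    return m.group(1) if m else None


def sin_bin_seconds(strikes):
    """Exponentially longer sin-bin: base * 2^(strikes-1), capped."""
    return min(BASE_SECONDS * 2 ** (strikes - 1), MAX_SECONDS)


def dnsbl_name(ip):
    """Conventional DNSBL layout: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + ZONE


def parse_txt(txt):
    """State kept in the TXT record as 'strikes=N expires=EPOCH' (assumed format)."""
    kv = dict(f.split("=", 1) for f in txt.split())
    return int(kv.get("strikes", 0)), int(kv.get("expires", 0))


def list_script(ip, strikes, expires, ttl=300):
    """nsupdate stanza that (re)lists ip: replace the TXT state, add the A record."""
    name = dnsbl_name(ip)
    return "\n".join([
        f"server {NS}",
        f"zone {ZONE}.",
        f"update delete {name}. TXT",
        f'update add {name}. {ttl} TXT "strikes={strikes} expires={expires}"',
        f"update delete {name}. A",
        f"update add {name}. {ttl} A {LIST_ADDR}",
        "send",
    ])


def unlist_script(ip):
    """When the sin-bin ends only the A record goes; the TXT keeps the history."""
    name = dnsbl_name(ip)
    return "\n".join([f"server {NS}", f"zone {ZONE}.", f"update delete {name}. A", "send"])


def iptables_cmd(ip, add):
    """DROP (not REJECT) inbound port-25 packets from ip; -I to add, -D to remove."""
    return f"iptables -{'I' if add else 'D'} INPUT -s {ip} -p tcp --dport 25 -j DROP"


def process_line(line, txt_state, now):
    """Feed one log line. txt_state maps ip -> TXT string (what the zone holds).
    Returns (ip, strikes, expires) when the host should be (re)listed, else None."""
    ip = offending_ip(line)
    if ip is None:
        return None
    strikes, _ = parse_txt(txt_state.get(ip, ""))
    strikes += 1
    expires = now + sin_bin_seconds(strikes)
    txt_state[ip] = f"strikes={strikes} expires={expires}"
    return ip, strikes, expires


def expire(txt_state, now):
    """IPs whose sin-bin has ended: mark them unlisted (strike count retained)
    and return them so the caller removes the fw entry and the A record."""
    done = []
    for ip, txt in list(txt_state.items()):
        strikes, expires = parse_txt(txt)
        if expires and expires <= now:
            txt_state[ip] = f"strikes={strikes} expires=0"
            done.append(ip)
    return done


if __name__ == "__main__":
    # Constructed exim-style log lines, not real traffic.
    LOG = [
        "2003-03-19 02:01:50 H=(okmxrry) [198.51.100.7] F=<x@example.org> rejected after DATA: spam score 18.2",
        "2003-03-19 02:01:58 H=(okmxrry) [198.51.100.7] F=<x@example.org> rejected RCPT <a@example.net>: host is listed in bl.ucefree.com",
        "2003-03-19 02:02:03 H=mail.example.com [203.0.113.5] F=<b@example.com> => c@example.net R=dnslookup T=remote_smtp",
    ]
    state, now = {}, 1000
    for line in LOG:
        hit = process_line(line, state, now)
        if hit:
            ip, strikes, expires = hit
            print(f"# strike {strikes}, listed for {expires - now}s")
            print(iptables_cmd(ip, True))
            print(list_script(ip, strikes, expires))
        now += 10
    for ip in expire(state, now + MAX_SECONDS):
        print(iptables_cmd(ip, False))
        print(unlist_script(ip))
```

The emitted nsupdate stanzas are meant to be piped to `nsupdate -k <keyfile>` on every MX, which is what lets the secondaries contribute strikes to the same zone; a secondary that sees the host again reads the current TXT record, bumps the count and gets the longer period, so persistence and sharing both fall out of keeping the counter in DNS rather than in a local cache.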