Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
On Sat, 10 Apr 2004 11:45:38 +1300, Pulu wrote in message [EMAIL PROTECTED]:

> To kind of get back to the ISP world a little bit, has anyone used this in the way that's being recommended? (Using the OS Fingerprint Netfilter patch to block Windows machines sending to port 25).

..and then trap them in a tarpit server outside your current gateway? I see no reason to let spammers tie up ip_conntrack entries, they should be sunk in a tarpit.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
Hi,

you shouldn't try to block everything that comes from a host which has no open smtp port, this is in general a bad idea... reason: there are a lot (and I mean a lot) of servers out there which only send mail out to the world, but should never receive any mail directly, so that it is okay to bind the smtpd only to localhost or to an internal lan interface. Often there are other servers which receive the mail for these kinds of setups...

The better way is to check against a real blacklist which has entries for dial-up networks and maybe for dns-names without any MX or A entry... for example spamassassin asks a lot of real blacklists and so it also checks these things:

example for checks against RBLs (sorry, it's a german system, but I will translate):

- NO_DNS_FOR_FROM: Domain der Absendeadresse nicht im DNS registriert (kein MX/A Eintrag) / Domain of the sending address has no dns entry (no mx/a record)
- RCVD_IN_NJABL_DIALUP RBL: NJABL: Senderechner nur temporär mit Internet verbunden [XXX.XXX.XXX.XXX listed in dnsbl.njabl.org] / Sending host is only connected to the internet temporarily (dial up)

and so on

So in my opinion it's better to check against such lists than simply block all mail that comes from a system without open smtp...

--Ralph

On Saturday 10 April 2004 01:18 Andreas John wrote:
> Hi!
>
> Dave Watkins wrote:
> > If I remember right (and someone correct me if I'm wrong) a mail server doesn't have to have an MX record. If no MX record exists then the sending server drops back to normal host records and this is perfectly legitimate. So the MX record checking may not work so well.
>
> Dave, your theory is right, you don't have to have an MX record in your DNS zone in order to receive mail, but Pulu wants to tcpping, so his idea is to check if there is an open port 25, i.e. check if the sending server is a mailserver. This would not be the case with infected outlooks ;) but also not for hosts behind NAT FW. @Pulu: Is that your idea?
>
> The problem is more that a sending host does not necessarily have to be a receiver (reminds me of goatse.cx ;-)) nor that it has to be smtp (submission et al?) In Germany several large scale ISPs began to block all mail coming directly from a dialup ip, so I think it would be an accepted way to try what Pulu wants to do.
>
> Rgds,
> j.
>
> -- 
> Andreas John
> net-lab GmbH
> Luisenstrasse 30b
> 63067 Offenbach
> Tel: +49 69 85700331
> http://www.net-lab.net
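Added example, not from Ralph's post and not SpamAssassin's own code: the two report lines he quotes, NO_DNS_FOR_FROM and RCVD_IN_NJABL_DIALUP, as stand-alone checks. The DNS resolver is injected, so the fake answers below (constructed, including the DNSBL listing) let it run offline; the zone name is the one in the post, and whether that list still exists is not assumed. The A-only case is deliberately left unflagged, following Dave's point that MX-less domains fall back to the host record legitimately.

```python
import ipaddress
import socket

DNSBL_ZONE = "dnsbl.njabl.org"   # the zone named in Ralph's report line (may no longer exist)


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets and append the zone: 198.51.100.77 -> 77.100.51.198.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rcvd_in_dnsbl(ip, resolve_a, zone=DNSBL_ZONE):
    """RCVD_IN_*: a DNSBL 'lists' an address by answering the query with an A record."""
    return bool(resolve_a(dnsbl_name(ip, zone)))


def no_dns_for_from(sender, resolve_mx, resolve_a):
    """NO_DNS_FOR_FROM: the sender domain has neither MX nor A, so it cannot receive
    mail at all. A-only domains are deliberately not flagged (no MX means fall back
    to the host record, which is legitimate)."""
    if "@" not in sender:
        return True
    domain = sender.rsplit("@", 1)[1].lower().rstrip(".")
    return not resolve_mx(domain) and not resolve_a(domain)


# Constructed fake DNS so the checks run offline; swap in real resolvers in production.
FAKE_A = {
    "77.100.51.198." + DNSBL_ZONE: ["127.0.0.3"],   # constructed listing, not real data
    "example.org": ["203.0.113.9"],                  # A only, no MX
    "mx.example.net": ["203.0.113.20"],
}
FAKE_MX = {"example.net": ["mx.example.net"]}


def fake_a(name):
    return FAKE_A.get(name, [])


def fake_mx(name):
    return FAKE_MX.get(name, [])


def system_a(name):
    """Real A lookup through the system resolver (stdlib; an MX lookup needs e.g. dnspython)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def rules_hit(client_ip, sender, resolve_mx=fake_mx, resolve_a=fake_a):
    """Names of the rules that fired, in the style of the SpamAssassin report Ralph quotes."""
    hits = []
    if no_dns_for_from(sender, resolve_mx, resolve_a):
        hits.append("NO_DNS_FOR_FROM")
    if rcvd_in_dnsbl(client_ip, resolve_a):
        hits.append("RCVD_IN_NJABL_DIALUP")
    return hits


if __name__ == "__main__":
    for ip, sender in [("198.51.100.77", "x@nowhere.invalid"), ("203.0.113.9", "a@example.org")]:
        print(ip, sender, rules_hit(ip, sender) or ["(clean)"])
```

In a real filter these hits add score rather than reject outright, which is the point Ralph is making: a listing or a missing record is evidence, and a send-only relay with port 25 closed is not.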
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
On Sat, 10 Apr 2004 08:45, Pulu 'Anau [EMAIL PROTECTED] wrote:
> To kind of get back to the ISP world a little bit, has anyone used this in the way that's being recommended? (Using the OS Fingerprint Netfilter patch to block Windows machines sending to port 25). We're currently getting slammed by Windows viruses and have thought about doing exactly that, but it seemed to us that there are enough people using Exchange or Sendmail.com's windows sendmail (let alone ftgate, etc, etc.) that doing this would block legitimate mail almost instantly.

Is there any legit mail server software for Win98? If not then you can permanently block it.

For NT (XP etc) you could allow every fourth day for receiving mail. Mail is generally queued for four days before being bounced, so if you only accept mail from NT machines every fourth day then you lose 75% of the spam and viruses because spam proxies and viruses generally don't re-try. Legit mail servers will keep trying until you let them through.

Avoiding 75% of the spam and viruses isn't a solution to the problem, but it's a good start...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
----- Original Message -----
From: Russell Coker [EMAIL PROTECTED]
To: debian-isp@lists.debian.org
Cc: Pulu 'Anau [EMAIL PROTECTED]
Sent: Saturday, April 10, 2004 3:12 PM
Subject: Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)

> For NT (XP etc) you could allow every fourth day for receiving mail. Mail is generally queued for four days before being bounced, so if you only accept mail from NT machines every fourth day then you lose 75% of the spam and viruses because spam proxies and viruses generally don't re-try. Legit mail servers will keep trying until you let them through.
>
> Avoiding 75% of the spam and viruses isn't a solution to the problem, but it's a good start...

Have a look at http://www.greylisting.org/ and you could avoid much more spam while reducing false positives to nearly zero!

Christian
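Added example, not from Russell's or Christian's post and not the greylisting.org implementation: a minimal greylisting decision function that makes the same bet as Russell's "accept every fourth day" idea, namely that real MTAs retry from their queue and spam proxies do not, but keyed per (client IP, sender, recipient) triplet with a short delay instead of a multi-day calendar. The delay, window and whitelist lifetime are assumed values, and the two traffic patterns are constructed.

```python
GREYLIST_DELAY = 5 * 60              # seconds a new triplet must wait (assumed value)
GREYLIST_WINDOW = 4 * 24 * 3600      # a retry later than this restarts the clock
AUTO_WHITELIST_TTL = 36 * 24 * 3600  # accepted triplets stay accepted this long


class Greylist:
    """Greylisting keyed on the (client IP, envelope sender, envelope recipient) triplet."""

    def __init__(self):
        self.pending = {}   # triplet -> time of first attempt
        self.passed = {}    # triplet -> time of last accepted delivery

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP code to answer after RCPT TO: '250' accept, '451' try later."""
        key = (client_ip, sender.lower(), recipient.lower())
        last = self.passed.get(key)
        if last is not None and now - last < AUTO_WHITELIST_TTL:
            self.passed[key] = now
            return "250"
        first = self.pending.get(key)
        if first is None or now - first > GREYLIST_WINDOW:
            self.pending[key] = now      # first sight (or stale entry): defer
            return "451"
        if now - first < GREYLIST_DELAY:
            return "451"                 # retried too soon; a real MTA will come back
        del self.pending[key]            # retried after the delay: this is a real queue
        self.passed[key] = now
        return "250"


def simulate(greylist, attempts):
    """Run (time, client_ip, sender, recipient) attempts through `greylist`, return responses."""
    return [greylist.check(ip, sender, rcpt, t) for (t, ip, sender, rcpt) in attempts]


# Constructed traffic. Times are seconds; addresses are documentation ranges.
LEGIT_MTA = [   # a real MTA retries from its queue (here after 15 minutes)
    (0,    "203.0.113.25", "alice@example.org", "bob@example.net"),
    (900,  "203.0.113.25", "alice@example.org", "bob@example.net"),
    (5000, "203.0.113.25", "alice@example.org", "bob@example.net"),
]
SPAM_PROXY = [  # a one-shot proxy never retries and rotates the sender
    (0, "198.51.100.200", "rnd1@example.com", "bob@example.net"),
    (1, "198.51.100.200", "rnd2@example.com", "bob@example.net"),
]

if __name__ == "__main__":
    print("legit MTA :", simulate(Greylist(), LEGIT_MTA))   # ['451', '250', '250']
    print("spam proxy:", simulate(Greylist(), SPAM_PROXY))  # ['451', '451']
```

The cost is one queue delay on the first message from each new triplet; the benefit over a day-of-week window is that the false-positive side depends only on whether the sender retries at all, not on whether its queue lifetime happens to span the next open day.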
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
If I remember right (and someone correct me if I'm wrong) a mail server doesn't have to have an MX record. If no MX record exists then the sending server drops back to normal host records and this is perfectly legitimate. So the MX record checking may not work so well.

Pulu 'Anau wrote:
> To kind of get back to the ISP world a little bit, has anyone used this in the way that's being recommended? (Using the OS Fingerprint Netfilter patch to block Windows machines sending to port 25). We're currently getting slammed by Windows viruses and have thought about doing exactly that, but it seemed to us that there are enough people using Exchange or Sendmail.com's windows sendmail (let alone ftgate, etc, etc.) that doing this would block legitimate mail almost instantly.
>
> We've just been blocking hosts manually after the first virus. I'm thinking about writing a little script to:
>
> 1. Get the offending IP address from amavis's logfile
> 2. Check against a whitelist (like our own backup mx's)
> 3. Do something like tcpping to the IP to see if it is a valid mx host
> 4. If it doesn't pass checks 2 or 3, block the IP in netfilter for 72 hours
>
> Other than the 72 hour checks it's pretty straightforward and seems (at least to me) very unlikely to stop legitimate mail, while cutting those guys who send 40-50 viruses a day down to 1 every three.
>
> Does anyone see any problems with the above? The major issue is bandwidth, some of our customers host their mail servers on 32K links with 200+ users.
>
> Sorry, it's not really about the spam issue discussed before, but it's strange the synchronicity (os fingerprinting anyway) between my work and this list sometimes.
>
> Pulu
> Afe.to ANTS
> POB 1478 Nuku'alofa, Tonga
> Ph: Country code 676 - 27946 or 878-1332
> http://www.afe.to
> http://svcs.affero.net/rm.php?r=pulu
>
> Quoting Russell Coker [EMAIL PROTECTED]:
> > On Fri, 9 Apr 2004 21:32, Arnt Karlsen [EMAIL PROTECTED] wrote:
> > > On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
> > > > http://www.netfilter.org/patch-o-matic/pom-base.html
> > > > See the section on osf in the above URL for a better solution. Simply block Windows machines from accessing your port 25.
> > >
> > > ..if only all isp's did it...
> >
> > Not all ISPs need to do it. Only your ISP and the ISPs that host mailing lists that you subscribe to.
> >
> > If you are interested in this then the best thing you can do is to build yourself a kernel with osf and try it out. If it works well create a Debian kernel-patch package for it so that other Debian users can conveniently use it. The more accessible you make this to Debian people the closer it comes to being installed on Debian list servers...
> >
> > -- 
> > http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> > http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> > http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> > http://www.coker.com.au/~russell/  My home page
>
> This mail sent from Tonga's Premiere Internet Cafe
> Visit us online at http://www.cafe.afe.to
> discussions @ http://www.nomoa.com/index.php
> generic info @ http://www.tongatapu.net.to
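Added example, not Pulu's script and not part of any post: the four steps he lists, written as a dry run that returns the netfilter rules instead of executing them. The amavis log lines are constructed (the real format differs in detail; only an "INFECTED" marker followed by a bracketed client IP is relied on), the whitelist networks are documentation ranges standing in for "our own backup mx's", and the port-25 probe is injectable so the decision logic can be checked without a network. Note that the probe fails for exactly the send-only relays Ralph describes, so a whitelist entry is the only thing standing between such a relay and a 72-hour block.

```python
import ipaddress
import re
import socket

BLOCK_SECONDS = 72 * 3600   # step 4: 72-hour block, as proposed

# Constructed amavis-style log lines; the real amavis format differs in detail.
SAMPLE_LOG = """\
Apr 10 11:02:13 mx amavis[1234]: (01234-01) Passed CLEAN, [203.0.113.9] <a@example.org> -> <b@example.net>
Apr 10 11:05:41 mx amavis[1234]: (01234-02) Blocked INFECTED (Worm.Sample), [198.51.100.77] <x@example.org> -> <b@example.net>
Apr 10 11:06:02 mx amavis[1234]: (01234-03) Blocked INFECTED (Worm.Sample), [192.0.2.10] <y@example.org> -> <b@example.net>
Apr 10 11:07:55 mx amavis[1234]: (01234-04) Blocked INFECTED (Worm.Sample), [198.51.100.77] <z@example.org> -> <c@example.net>
"""

INFECTED_RE = re.compile(r"INFECTED.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Step 2: our own relays (constructed; e.g. the backup MX network) are never blocked.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.9/32")]


def offending_ips(log_text):
    """Step 1: distinct client IPs from INFECTED lines, in order of first appearance."""
    found = []
    for line in log_text.splitlines():
        m = INFECTED_RE.search(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def is_whitelisted(ip):
    """Step 2: skip whitelisted hosts. ip_address() also rejects anything that is not
    a real address, so nothing unparsed from a log ever reaches an iptables command."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def port_25_open(ip, timeout=5.0):
    """Step 3: the 'tcpping': does the sender itself accept SMTP connections?"""
    try:
        with socket.create_connection((ip, 25), timeout=timeout):
            return True
    except OSError:
        return False


def decide_blocks(log_text, now, probe=port_25_open):
    """Steps 1-4: return {ip: unblock_time} for senders that are neither whitelisted
    nor listening on port 25. `probe` is injectable for offline testing."""
    blocks = {}
    for ip in offending_ips(log_text):
        if is_whitelisted(ip) or probe(ip):
            continue
        blocks[ip] = now + BLOCK_SECONDS
    return blocks


def iptables_commands(blocks):
    """Step 4 as the netfilter rules to run; returned, not executed, in this dry run."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in blocks]


def unblock_due(blocks, now):
    """IPs whose 72 hours are up; the matching removal is `iptables -D` with the same arguments."""
    return sorted(ip for ip, until in blocks.items() if until <= now)


if __name__ == "__main__":
    now = 1081600000.0   # constructed timestamp (April 2004)
    for cmd in iptables_commands(decide_blocks(SAMPLE_LOG, now)):
        print(cmd)
```

The block table would need to be persisted (a small file or the rule's own comment) so that the unblock step survives a restart; this dry run keeps it in memory only.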
Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)
Hi!

Dave Watkins wrote:
> If I remember right (and someone correct me if I'm wrong) a mail server doesn't have to have an MX record. If no MX record exists then the sending server drops back to normal host records and this is perfectly legitimate. So the MX record checking may not work so well.

Dave, your theory is right, you don't have to have an MX record in your DNS zone in order to receive mail, but Pulu wants to tcpping, so his idea is to check if there is an open port 25, i.e. check if the sending server is a mailserver. This would not be the case with infected outlooks ;) but also not for hosts behind NAT FW. @Pulu: Is that your idea?

The problem is more that a sending host does not necessarily have to be a receiver (reminds me of goatse.cx ;-)) nor that it has to be smtp (submission et al?) In Germany several large scale ISPs began to block all mail coming directly from a dialup ip, so I think it would be an accepted way to try what Pulu wants to do.

Rgds,
j.

-- 
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net