Re: DNS blocklist software?
[ me wanting to firewall spammers and then record the activity in DNS so my secondary MXs know about it. ]

On Thu, Mar 13, 2003 at 09:39:08AM +, Jason Clifford wrote:
> > Hmm, this sounds much more hacky. I'd rather update it direct.
> Fair enough but do be warned that a lot of spammers are getting very good at confusing Received from headers so you need to be absolutely sure that you are acting upon the correct data. One question for you though, if you are acting only upon the mail logs how are you certain that the message in question is really spam?

In answer to both of those: first off it doesn't use Received: fields, only the sender address, i.e. the connecting host, as reported by the MTA. So we always know that's accurate. As for then determining the spamminess, I have spamc (spamassassin's client to spamd) wired into exim, which can 550 or defer at DATA time, and this is all dutifully written out to the mail logs. There are other things like attempting to auth with empty passwords etc. and other surefire spammer fingerprints it'll pick up.

> It strikes me that relying solely upon the address mail is sent to may result in false positives - perhaps that is just because I have so many email addresses though.

It doesn't rely on rcpt address at all - it relies on spamassassin.

**

The program's pretty much working at this point, and success at 10am this morning when a 2ndary MX using the block list rejected a message the primary had just itself rejected:

2003-03-19 02:01:58 H=(okmxrry) [208.177.229.98] F=[EMAIL PROTECTED] rejected RCPT ebay(at)curve.net: host is listed in bl.ucefree.com

In essence it's watching for certain strings in the logs. Matches will cause an A and TXT record to appear in the blocklist and an iptables firewall entry DROPping packets to port 25. This lasts for quite a short period, say a few minutes. Repeated matches get exponentially longer. After the sin-bin period the fw entry is removed along with the A record.
Even if there's a false positive the worst that'll happen is a legitimate host will have to sit about for a few minutes before it sends another message. The key observation is that most spamming sites aren't queuing messages - they're trying to stuff as many out as possible, and then they switch off, often gone for good. If a message isn't delivered, it never will be. This is in stark contrast to legit mail which will get queued for days. So by fw'ing a spammer you do so in the hopes you do it long enough to effectively heavily throttle them. (Note that it's a packet DROP, rather than a REJECT.) (I have been effectively DoS'ed a month or so back and this system would've saved me.)

I was about to embark on a whole Cache::Cache adventure to store which IPs were blocked and how many times they'd transgressed the filters etc. to make it all persistent 'til I decided to store this info in the TXT records. Also means other machines can contribute with the right DNS update key. Nice.

Some notes:

If a spammer can't get in through the primary they often try the secondary straight afterwards even though they got a 5xx code (bad). So this punts them nicely. One odd thing is that sometimes they'll just go straight for the secondaries, without first trying a primary. This happens quite often. So the spam blocker is running on all machines, and all can update the primary nameserver thanks to the secret keys they have, thus sharing how often they match filters. Sexy.

Some spammers seem to maintain their own DNS caches that totally ignore TTLs - I've seen spammers attempting to deliver to hosts that haven't been an MX for over a week. Bizarre.

Damned lies: of about 1400 spamming IPs recently about 250 have hit several times, including a few who have tripped spamassassin hard at least a dozen times (hint: host=efwd.dnsix.com [216.34.94.189]). I'm no ISP so these are reasonable numbers.
I have some cool gnuplots of IPs against times spent on the firewall - there are a small fraction sending a lot of crap, and lots of one-time players. Paul -- Paul Makepeace ... http://paulm.com/ If there are storms in Africa, then be careful about the slippery slope. -- http://paulm.com/toys/surrealism/
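The sin-bin Paul describes above (log string matching, an A plus a TXT record per offending IP in the blocklist zone, a port-25 DROP that grows exponentially with repeat offences, and the A record and firewall rule released afterwards while the TXT keeps the count) is not on the page as code. The following is an added Python sketch of that design, not Paul's program, and it also shows the two-records-per-IP zone layout Jason describes later in the thread. The zone name bl.example.net, the server ns.example.net, the trigger strings, the 120-second base period and the six-hour cap are all assumptions; the nsupdate text it emits is what you would pipe into `nsupdate -k <keyfile>` with the shared update key the post mentions, and the log lines are constructed in exim's style rather than taken from the post.

```python
import re
from dataclasses import dataclass, field

# Hypothetical names (assumptions); the thread's real zone is bl.ucefree.com.
BL_ZONE = "bl.example.net."
NS_SERVER = "ns.example.net"
BASE_BAN = 120           # seconds for a first offence: the post says "a few minutes"
MAX_BAN = 6 * 3600       # cap on the exponential growth (an assumption, not from the post)

# Log fragments taken as "surefire spammer fingerprints". The post names the
# spamassassin 550/defer at DATA time and empty-password AUTH attempts; the
# exact strings exim writes depend on local config and are assumed here.
TRIGGERS = (
    "rejected after DATA: spamassassin",
    "authenticator failed",
    "host is listed in",
)

# Exim logs the connecting host as H=name (helo) [ip]; the bracketed IP is the
# peer address the MTA itself saw, not anything taken from a Received: header.
HOST_RE = re.compile(r"\bH=[^\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def match_log_line(line):
    """Return (ip, trigger) for a line with a connecting host and a trigger string, else None."""
    m = HOST_RE.search(line)
    if not m:
        return None
    for trigger in TRIGGERS:
        if trigger in line:
            return m.group(1), trigger
    return None

def reversed_name(ip, zone=BL_ZONE):
    return ".".join(reversed(ip.split("."))) + "." + zone

@dataclass
class Entry:
    strikes: int = 0      # persisted in the TXT record in the original design
    until: int = 0        # epoch seconds when the current sin-bin ends
    active: bool = False  # firewall rule and A record currently present

@dataclass
class SinBin:
    entries: dict = field(default_factory=dict)

    def ban_length(self, strikes):
        """Exponential sin-bin: 120s, 240s, 480s, ... capped at MAX_BAN."""
        return min(BASE_BAN * 2 ** (strikes - 1), MAX_BAN)

    def strike(self, ip, now, reason):
        """Record a match; return (seconds, nsupdate script, iptables command or None)."""
        e = self.entries.setdefault(ip, Entry())
        e.strikes += 1
        length = self.ban_length(e.strikes)
        e.until = max(e.until, now + length)
        name = reversed_name(ip)
        # The TXT carries the strike count so any MX holding the update key can
        # read and extend it; the A record is what other MXs' lookups hit.
        nsupdate = "\n".join([
            f"server {NS_SERVER}",
            f"zone {BL_ZONE}",
            f"update delete {name} TXT",
            f"update add {name} {length} A 127.0.0.2",
            f'update add {name} {length} TXT "strikes={e.strikes} until={e.until} last={reason}"',
            "send",
        ])
        # Insert the DROP only once per sin-bin; a repeat while already banned
        # (e.g. reported by a secondary MX) just extends the period.
        iptables = None
        if not e.active:
            e.active = True
            iptables = f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"
        return length, nsupdate, iptables

    def expire(self, now):
        """Release lapsed entries: drop the A record and the firewall rule, keep the TXT count."""
        released = []
        for ip, e in self.entries.items():
            if e.active and e.until <= now:
                e.active = False
                name = reversed_name(ip)
                nsupdate = "\n".join([f"server {NS_SERVER}", f"zone {BL_ZONE}",
                                      f"update delete {name} A", "send"])
                released.append((ip, nsupdate,
                                 f"iptables -D INPUT -s {ip} -p tcp --dport 25 -j DROP"))
        return released

if __name__ == "__main__":
    # Constructed exim-style log lines, not taken from the post.
    LOG = [
        "2003-03-19 02:01:58 H=(okmxrry) [208.177.229.98] F=<a@example.com> rejected after DATA: spamassassin score 17.3",
        "2003-03-19 02:02:10 H=mail.example.org [192.0.2.10] F=<b@example.org> Completed",
        "2003-03-19 02:03:05 H=(okmxrry) [208.177.229.98] F=<c@example.com> rejected after DATA: spamassassin score 21.0",
    ]
    bin_ = SinBin()
    for t, line in enumerate(LOG):
        hit = match_log_line(line)
        if hit:
            length, ns, ipt = bin_.strike(hit[0], 1000 + 60 * t, hit[1])
            print(f"{hit[0]}: {length}s\n{ns}\n{ipt}\n")
    print(bin_.expire(1000 + 60 * 2 + 240))
```

The DROP rather than REJECT matches the post's reasoning: a spammer that gets no SYN-ACK waits on its own timeouts, whereas a legitimate MTA simply requeues and retries after the few minutes have passed. Because the TTL on the A record equals the sin-bin length, a secondary MX's resolver cache cannot outlive the listing by more than the ban itself.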
Re: DNS blocklist software?
On Tue, Mar 11, 2003 at 06:03:48PM +, Jason Clifford wrote:
> If you want to update the zone from a script and want the updates live immediately then Net::DNS::Update will work well for this however do be warned that you can end up with very large journal files.

The journal file is a beast whose size fluctuates. When named commits the changes to the zone file the log is adjusted accordingly. Mine's yet to get over a few KB, and that's with about 200 updates in the last twelve hours or so.

Paul -- Paul Makepeace ... http://paulm.com/ If monkeys jabber endlessly, then sweden will inspire us all. -- http://paulm.com/toys/surrealism/
DNS blocklist software?
Has anyone implemented a barebones or better DNS blocklist? I'm wondering if Net::DNS::Update might appear somewhere there, and what changes to named.conf would be needed. Basically I'm trying to keep my secondary MXs aware of any IPs that are pissing me off. Cheers, Paul -- Paul Makepeace ... http://paulm.com/ What is the rhetoric in a pointy hat? A deep, deep, blissful sleep. -- http://paulm.com/toys/surrealism/
Re: DNS blocklist software?
On Tue, 2003-03-11 at 15:59, Paul Makepeace wrote:
> Has anyone implemented a barebones or better DNS blocklist? I'm wondering if Net::DNS::Update might appear somewhere there, and what changes to named.conf would be needed. Basically I'm trying to keep my secondary MXs aware of any IPs that are pissing me off.

I'm assuming you mean updating BIND's blackhole configuration? As far as I can see from the admin manual, there's no way to update that on the fly and the update RFC (2136) makes no mention of a generic acl update mechanism so I don't think the Net::DNS::* modules will help much here. I'm sure lusercop (or his alter-ego mbm) will wade in here if I've got it wrong :)

There's Bind::Conf_Parser [1] but it only seems to handle Bind 8 configs and it looks as though it's not being actively developed. You might look at autodns [2] as a base from which to start. It handles adding secondary zone files to name servers but I'm sure it could be adapted.

HTH, Simon.

[1] http://search.cpan.org/author/PGUEN/BIND-Conf_Parser-0.95/
[2] http://www.earth.li/projectpurple/progs/autodns.html
Re: DNS blocklist software?
On Tue, 11 Mar 2003, Paul Makepeace wrote:
> Has anyone implemented a barebones or better DNS blocklist? I'm wondering if Net::DNS::Update might appear somewhere there, and what changes to named.conf would be needed. Basically I'm trying to keep my secondary MXs aware of any IPs that are pissing me off.

I am running such a blocklist here (spamsource.ukpost.com - the IPs of servers from which I have received SPAM, and yes anyone can use it) and it's fairly trivial to do. It's just a simple DNS zone so you configure it as any other in BIND (or other). Keeping it up to date is a simple matter of adding/removing entries to the zone (typically two entries in the zone file per IP - one that returns an A record and one that returns a TXT record being the error message to return).

If you want to update the zone from a script and want the updates live immediately then Net::DNS::Update will work well for this however do be warned that you can end up with very large journal files. Alternatively, if you are not adding thousands of entries each hour simply update the zone file manually or via a simple script and reload the name server.

Jason Clifford -- UKFSN.ORG Finance Free Software while you surf the 'net http://www.ukfsn.org/ Get the T-Shirt Now
Re: DNS blocklist software?
On Tue, 2003-03-11 at 17:50, Paul Makepeace wrote:
> On Tue, Mar 11, 2003 at 04:51:56PM +, Simon Wilcox wrote:
> > On Tue, 2003-03-11 at 15:59, Paul Makepeace wrote:
> > > Has anyone implemented a barebones or better DNS blocklist? I'm wondering if Net::DNS::Update might appear somewhere there, and what changes to named.conf would be needed. Basically I'm trying to keep my secondary MXs aware of any IPs that are pissing me off.
> > I'm assuming you mean updating BIND's blackhole configuration ?
> I'm not sure what that is but probably not.

/me re-reads previous post. Ah yes, you said secondary MX, I read secondary DNS. Me bad :)

> I'd like to create something like orbz.org, relays.orbs.org, njabl.org, etc. Where you look up the state of an IP by reversing its octets and asking the nameserver of the blocklist about it. E.g. checking 195.82.114.220 would involve a query to (say) 220.114.82.195.relays.orbs.org and it would return something like 127.0.0.2 where the final digit means something. Or no record if it's fine.

Yep, you could do that with a subdomain, say 'blocked.paulm.com' for instance, and have that updated automatically. You wouldn't necessarily have to do it with pointer records, you could just turn the octets into a decimal number and make it an A record. Then a standard host lookup would succeed or fail. The same approach could be used to block whole subnets. I don't know of anything that implements such a thing but Net::DNS::Update should format the update request for you. You'll need a bind 9.x server of course. Nice idea !

Simon
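The lookup side of what Paul and Simon describe above (reverse the octets, query the blocklist zone, read the final octet of a 127.0.0.x answer, or take "no record" as not listed; alternatively Simon's single decimal number as the owner name) as an added Python example, not code from the thread. The zone name bl.example.net and the meaning assigned to each listing code are assumptions; the thread only says the final digit "means something". The real resolver call is socket.gethostbyname, and the resolver is passed in as a parameter so the constructed table at the bottom lets it run offline.

```python
import ipaddress
import socket

# Hypothetical blocklist zone (an assumption; the thread's real zone is bl.ucefree.com).
BL_ZONE = "bl.example.net"

# Meaning of the final octet of a 127.0.0.x answer. The thread only says the
# final digit "means something"; these particular codes are assumed.
LISTING_CODES = {
    2: "spam source seen by spamassassin",
    3: "open relay",
}

def _ipv4(ip):
    """Parse and insist on IPv4; the reversed-octet scheme here is IPv4 only."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are handled here")
    return addr

def dnsbl_query_name(ip, zone=BL_ZONE):
    """Reverse the octets as orbs/njabl-style lists expect: 195.82.114.220 -> 220.114.82.195.<zone>."""
    octets = str(_ipv4(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def decimal_query_name(ip, zone=BL_ZONE):
    """Simon's alternative: the address as one 32-bit decimal number owning an A record."""
    return f"{int(_ipv4(ip))}.{zone}"

def resolve_a(name):
    """Real lookup: first A record for name, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def interpret_answer(answer):
    """Map a 127.0.0.x answer to its listing reason; None (no record) means not listed."""
    if answer is None:
        return None
    addr = _ipv4(answer)
    if addr not in ipaddress.ip_network("127.0.0.0/8"):
        # A public address here usually means the zone has been wildcarded or
        # its domain hijacked, not that the host is listed; refuse to act on it.
        raise ValueError(f"unexpected non-127/8 answer {answer} from {BL_ZONE}")
    code = int(answer.split(".")[-1])
    return LISTING_CODES.get(code, f"listed with unknown code {code}")

def check_ip(ip, zone=BL_ZONE, resolve=resolve_a):
    """Return the listing reason for ip, or None when the list has no record for it."""
    return interpret_answer(resolve(dnsbl_query_name(ip, zone)))

if __name__ == "__main__":
    # Constructed table standing in for the zone so this runs offline.
    fake_zone = {"220.114.82.195." + BL_ZONE: "127.0.0.2"}
    for ip in ("195.82.114.220", "192.0.2.10"):
        print(ip, "->", dnsbl_query_name(ip), "=", check_ip(ip, resolve=fake_zone.get))
```

In an MTA hook you would call check_ip once per connection at RCPT or DATA time and defer or 550 on a non-None result; the ValueError path is deliberately loud so that a dead or hijacked list zone that starts answering with a public address does not silently turn into a "reject everything" rule.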