Re: DNS blocklist software?

2003-03-19 Thread Paul Makepeace
[ me wanting to firewall spammers and then record the activity in DNS so
  my secondary MXs know about it. ]

On Thu, Mar 13, 2003 at 09:39:08AM +, Jason Clifford wrote:
  Hmm, this sounds much more hacky. I'd rather update it direct.
 
 Fair enough but be warned that a lot of spammers are getting very good 
 at confusing Received from headers so you need to be absolutely sure that 
 you are acting upon the correct data.
 
 One question for you though, if you are acting only upon the mail logs how 
 are you certain that the message in question is really spam?

In answer to both of those: first off it doesn't use Received: fields,
only the sender address, i.e. connecting host, as reported by the MTA.
So we always know that's accurate. As for then determining the
spamminess I have spamc (spamassassin's client to spamd) wired into
exim which can 550 or defer at DATA time, and this is all dutifully
written out to the mail logs. There are other things like attempting to
auth with empty passwords etc and other surefire spammer fingerprints
it'll pick up.

 It strikes me that relying solely upon the address mail is sent to may 
 result in false positives - perhaps that is just because I have so many 
 email addresses though.

It doesn't rely on rcpt address at all - it relies on spamassassin.

**

The program's pretty much working at this point, and success at 10am
this morning when a 2ndary MX using the block list rejected a message
the primary had just itself rejected,

2003-03-19 02:01:58 H=(okmxrry) [208.177.229.98] F=[EMAIL PROTECTED] rejected RCPT 
ebay(at)curve.net: host is listed in bl.ucefree.com

In essence it's watching for certain strings in the logs. Matches will
cause an A and TXT record to appear in the blocklist and an iptables
firewall entry DROPping packets to port 25. This lasts for quite a short
period, say a few minutes. Repeated matches get exponentially longer.
After the sin-bin period the fw entry is removed along with the A
record. Even if there's a false positive the worst that'll happen is a
legitimate host will have to sit about for a few minutes before it sends
another message. The key observation is that most spamming sites aren't
queuing messages - they're trying to stuff as many out as possible, and
then they switch off, often gone for good. If a message isn't delivered,
it never will be. This is in stark contrast to legit mail which will get
queued for days. So by fw'ing a spammer you do so in the hopes you do it
long enough to effectively heavily throttle them. (Note that it's a
packet DROP, rather than a REJECT.)

(I have been effectively DoS'ed a month or so back and this system
would've saved me.)

I was about to embark on a whole Cache::Cache adventure to store which
IPs were blocked and how many times they'd transgressed the filters etc
to make it all persistent 'til I decided to store this info in the TXT
records. Also means other machines can contribute with the right DNS
update key. Nice.

Some notes,

If a spammer can't get in through the primary they often try the
secondary straight afterwards even though they got a 5xx code (bad). So
this punts them nicely.

One odd thing is that sometimes they'll just go straight for the
secondaries, without first trying a primary. This happens quite often.
So the spam blocker is running on all machines, and all can update the
primary nameserver thanks to the secret keys they have, thus sharing how
often they match filters. Sexy.

Some spammers seem to maintain their own DNS caches that totally ignore
TTLs - I've seen spammers attempting to deliver to hosts that haven't
been an MX for over a week. Bizarre.

Damned lies: of about 1400 spamming IPs recently about 250 have hit
several times, including a few who have tripped spamassassin hard at
least a dozen times (hint: host=efwd.dnsix.com [216.34.94.189]). I'm no
ISP so these are reasonable numbers. I have some cool gnuplots of IPs
against times spent on the firewall - there are a small fraction sending
a lot of crap, and lots of one-time players.

Paul

-- 
Paul Makepeace ... http://paulm.com/

If there are storms in Africa, then be careful about the slippery
 slope.
   -- http://paulm.com/toys/surrealism/
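The sin-bin bookkeeping described above (match -> A record plus firewall DROP for a short period, doubling on repeat, state kept in the TXT record so the A record and rule can go while the hit count survives), as an added example, not Paul's program. It assumes a TXT payload of the form "hits=<n> until=<epoch>", a 5-minute base period capped at a day, and stands in for the zone and iptables with a dict and a set so it runs offline.

```python
import re

BASE_SECONDS = 300      # assumed first sin-bin period: a few minutes, as in the post
MAX_SECONDS = 86400     # assumed cap: a false positive never sits out more than a day
TXT_RE = re.compile(r"hits=(\d+) until=(\d+)")   # assumed TXT payload layout

def reverse_name(ip, zone):
    """DNSBL name for an IPv4 address: octets reversed, under the blocklist zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def parse_txt(txt):
    """Recover (hits, until) from the TXT payload, or None if it is not ours."""
    m = TXT_RE.fullmatch(txt)
    return (int(m.group(1)), int(m.group(2))) if m else None

def penalty(hits):
    """Sin-bin length doubles with each repeated match, up to the cap."""
    return min(BASE_SECONDS * 2 ** (hits - 1), MAX_SECONDS)

class SinBin:
    def __init__(self, zone):
        self.zone = zone
        self.records = {}      # name -> {"A": ..., "TXT": ...}; stands in for the zone
        self.firewall = set()  # addresses with a DROP rule; stands in for iptables

    def hit(self, ip, now):
        """A log filter matched: bump the hit count, (re)issue A record and DROP rule."""
        name = reverse_name(ip, self.zone)
        prev = self.records.get(name)
        hits = parse_txt(prev["TXT"])[0] + 1 if prev else 1
        until = now + penalty(hits)
        self.records[name] = {"A": "127.0.0.2", "TXT": f"hits={hits} until={until}"}
        self.firewall.add(ip)
        return hits, until

    def expire(self, now):
        """Sin-bin over: drop A record and rule, keep TXT so the count persists."""
        released = []
        for name, rr in self.records.items():
            _, until = parse_txt(rr["TXT"])
            if "A" in rr and now >= until:
                del rr["A"]
                ip = ".".join(reversed(name[: -len(self.zone) - 1].split(".")))
                self.firewall.discard(ip)
                released.append(ip)
        return released

    def is_blocked(self, ip):
        return "A" in self.records.get(reverse_name(ip, self.zone), {})
```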



Re: DNS blocklist software?

2003-03-19 Thread Paul Makepeace
On Tue, Mar 11, 2003 at 06:03:48PM +, Jason Clifford wrote:
 If you want to update the zone from a script and want the updates live 
 immediately then Net::DNS::Update will work well for this however do be 
 warned that you can end up with very large journal files.

The journal file is a beast whose size fluctuates. When named commits
the changes to the zone file the log is adjusted accordingly. Mine's yet
to get over a few KB yet, and that's with about 200 updates in the last
twelve hours or so.

Paul

-- 
Paul Makepeace ... http://paulm.com/

If monkeys jabber endlessly, then sweden will inspire us all.
   -- http://paulm.com/toys/surrealism/



DNS blocklist software?

2003-03-11 Thread Paul Makepeace
Has anyone implemented a barebones or better DNS blocklist? I'm
wondering if Net::DNS::Update might appear somewhere there, and what
changes to named.conf would be needed.

Basically I'm trying to keep my secondary MXs aware of any IPs that are
pissing me off.

Cheers, Paul

-- 
Paul Makepeace ... http://paulm.com/

What is the rhetoric in a pointy hat? A deep, deep, blissful sleep.
   -- http://paulm.com/toys/surrealism/



Re: DNS blocklist software?

2003-03-11 Thread Simon Wilcox
On Tue, 2003-03-11 at 15:59, Paul Makepeace wrote:
 Has anyone implemented a barebones or better DNS blocklist? I'm
 wondering if Net::DNS::Update might appear somewhere there, and what
 changes to named.conf would be needed.
 
 Basically I'm trying to keep my secondary MXs aware of any IPs that are
 pissing me off.

I'm assuming you mean updating BIND's blackhole configuration?

As far as I can see from the admin manual, there's no way to update that
on the fly and the update RFC (2136) makes no mention of a generic acl
update mechanism so I don't think the Net::DNS::* modules will help much
here.

I'm sure lusercop (or his alter-ego mbm) will wade in here if I've got
it wrong :)

There's Bind::Conf_Parser [1] but it only seems to handle Bind 8 configs
and it looks as though it's not being actively developed.

You might look at autodns [2] as a base from which to start. It handles
adding secondary zone files to name servers but I'm sure it could be
adapted.

HTH,

Simon.

[1] http://search.cpan.org/author/PGUEN/BIND-Conf_Parser-0.95/
[2] http://www.earth.li/projectpurple/progs/autodns.html



Re: DNS blocklist software?

2003-03-11 Thread Jason Clifford
On Tue, 11 Mar 2003, Paul Makepeace wrote:

 Has anyone implemented a barebones or better DNS blocklist? I'm
 wondering if Net::DNS::Update might appear somewhere there, and what
 changes to named.conf would be needed.
 
 Basically I'm trying to keep my secondary MXs aware of any IPs that are
 pissing me off.

I am running such a blocklist here (spamsource.ukpost.com - the IPs of
servers from which I have received SPAM, and yes anyone can use it) and
it's fairly trivial to do.

It's just a simple DNS zone so you configure it as any other in BIND (or
other).

Keeping it up to date is a simple matter of adding/removing entries to the 
zone (typically two entries in the zone file per IP - one that returns an 
A record and one that returns a TXT record being the error message to 
return).

If you want to update the zone from a script and want the updates live 
immediately then Net::DNS::Update will work well for this however do be 
warned that you can end up with very large journal files.

Alternatively, if you are not adding thousands of entries each hour simply 
update the zone file manually or via a simple script and reload the name 
server.

Jason Clifford
-- 
UKFSN.ORG   Finance Free Software while you surf the 'net
http://www.ukfsn.org/   Get the T-Shirt Now
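The live-update path Jason describes (one A and one TXT entry per IP, pushed to the zone as a dynamic update), as an added example of what Net::DNS::Update formats on your behalf: a hand-built RFC 2136 UPDATE message using only the Python standard library. This is not Jason's or Paul's code; the zone name, address and reason text are constructed, the message is unsigned (no TSIG, so the server's allow-update policy must permit the client), and a single character-string TXT is assumed.

```python
import struct

def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, ttl, rdata):
    """One resource record in the update section (class IN)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))

def txt_rdata(text):
    data = text.encode("ascii")
    assert len(data) < 256, "single character-string TXT only"
    return bytes([len(data)]) + data

def build_update(zone, ip, reason, ttl=300, msg_id=0x1234):
    """RFC 2136 UPDATE adding the A/TXT pair for one address under the zone.
    Header: ID, opcode 5 (UPDATE), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0."""
    name = ".".join(reversed(ip.split("."))) + "." + zone
    updates = [rr(name, 1, ttl, a_rdata("127.0.0.2")),      # A   (type 1)
               rr(name, 16, ttl, txt_rdata(reason))]        # TXT (type 16)
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)   # ZTYPE=SOA, ZCLASS=IN
    return header + zone_section + b"".join(updates)

def parse_header(msg):
    """Decode the header so a message can be sanity-checked before it is sent."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}

def send_update(msg, server, port=53):
    """Deliver over TCP (two-byte length prefix) and return the raw reply."""
    import socket
    with socket.create_connection((server, port), timeout=5) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        length = struct.unpack("!H", s.recv(2))[0]
        reply = b""
        while len(reply) < length:
            reply += s.recv(length - len(reply))
        return reply
```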




Re: DNS blocklist software?

2003-03-11 Thread Simon Wilcox
On Tue, 2003-03-11 at 17:50, Paul Makepeace wrote:
 On Tue, Mar 11, 2003 at 04:51:56PM +, Simon Wilcox wrote:
  On Tue, 2003-03-11 at 15:59, Paul Makepeace wrote:
   Has anyone implemented a barebones or better DNS blocklist? I'm
   wondering if Net::DNS::Update might appear somewhere there, and what
   changes to named.conf would be needed.
   
   Basically I'm trying to keep my secondary MXs aware of any IPs that are
   pissing me off.
  
  I'm assuming you mean updating BIND's blackhole configuration ?
 
 I'm not sure what that is but probably not.

/me re-reads previous post. Ah yes, you said secondary MX, I read
secondary DNS. Me bad :)

 I'd like to create something like orbz.org, relays.orbs.org, njabl.org,
 etc. Where you look up the state of an IP by reversing its octets and
 asking the nameserver of the blocklist about it.
 
 E.g. checking 195.82.114.220 would involve a query to (say)
 
 220.114.82.195.relays.orbs.org
 
 and it would return something like 127.0.0.2 where the final digit means
 something. Or no record if it's fine.

Yep, you could do that with a subdomain, say 'blocked.paulm.com' for
instance, and have that updated automatically.

You wouldn't necessarily have to do it with pointer records, you could
just turn the octets into a decimal number and make it an A record. Then
a standard host lookup would succeed or fail. The same approach could be
used to block whole subnets.

I don't know of anything that implements such a thing but
Net::DNS::Update should format the update request for you. You'll need a
bind 9.x server of course.

Nice idea!

Simon
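The client side of what Paul and Simon describe, as an added example that is not part of the thread: building the reversed-octet query name, decoding a 127.0.0.N answer, and Simon's alternative of encoding the octets as one decimal number (here also applied to a /24 so a whole subnet is one record). The zone name blocked.example.com, the stand-in resolver table and the meanings assigned to codes 2 and 3 are constructed assumptions; swap in dns_resolve for a real lookup.

```python
import ipaddress
import socket

# Constructed stand-in for the blocklist zone so the example runs offline.
FAKE_ZONE = {
    "220.114.82.195.blocked.example.com": "127.0.0.2",  # reversed-octet entry
    "3325256713.blocked.example.com": "127.0.0.2",      # 198.51.100.9 as a decimal number
    "3276960256.blocked.example.com": "127.0.0.3",      # 195.82.114.0/24 as one decimal entry
}
MEANING = {2: "listed as spam source", 3: "listed: whole subnet"}  # assumed code meanings

def reverse_name(ip, zone):
    """orbs-style name: octets reversed under the blocklist zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def decimal_name(ip, zone):
    """Simon's variant: the 32-bit address as a single decimal label."""
    return f"{int(ipaddress.IPv4Address(ip))}.{zone}"

def dns_resolve(name):
    """Real resolver: A record string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def lookup(name, resolve=FAKE_ZONE.get):
    """Return N from a 127.0.0.N answer, or None when the address is not listed."""
    answer = resolve(name)
    if answer is None or not answer.startswith("127."):
        return None   # anything outside 127/8 is not a verdict (e.g. a stray wildcard)
    return int(answer.split(".")[-1])

def check(ip, zone, resolve=FAKE_ZONE.get):
    """Try the reversed-octet name, then the decimal name, then the host's /24."""
    code = lookup(reverse_name(ip, zone), resolve)
    if code is None:
        code = lookup(decimal_name(ip, zone), resolve)
    if code is None:
        net = ipaddress.IPv4Network(f"{ip}/24", strict=False)
        code = lookup(decimal_name(str(net.network_address), zone), resolve)
    return code, MEANING.get(code, "not listed")
```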