Re: Side-warning about the new proxy zombies...

2005-02-08 Thread Brian Godette
On Tuesday 08 February 2005 2:14 pm, Kenneth Porter wrote:
> --On Tuesday, February 08, 2005 11:14 AM -0700 Brian Godette
> <[EMAIL PROTECTED]> wrote:
> > care must be taken to have the expiry times
> > reasonable or the iptables rule list becomes much too large and
> > eventually chews up all available CPU.
>
> Have you seen the "ipset" stuff on the netfilter-devel list? This is a new
> set of modules that works with sets of addresses. It should allow you to
> have a much larger rejection list.

The rejection list can be pretty huge as it is; however, since the script
doesn't aggregate IP addresses there is a possibility of it becoming
excessively large (8 figures or more) if addresses stay in the list for very
long periods of time (months) before being expired. That's completely
theoretical since I doubt there are tens of millions of zombie proxies/open
relays out there, but still, expiration times that long are IMO excessive.


Re: Side-warning about the new proxy zombies...

2005-02-08 Thread Kenneth Porter
--On Tuesday, February 08, 2005 1:14 PM -0800 Kenneth Porter
<[EMAIL PROTECTED]> wrote:

> Have you seen the "ipset" stuff on the netfilter-devel list? This is a
> new set of modules that works with sets of addresses. It should allow you
> to have a much larger rejection list.

Just checked, this project has a web page:




Re: Side-warning about the new proxy zombies...

2005-02-08 Thread Kenneth Porter
--On Tuesday, February 08, 2005 11:14 AM -0700 Brian Godette
<[EMAIL PROTECTED]> wrote:

> care must be taken to have the expiry times
> reasonable or the iptables rule list becomes much too large and
> eventually chews up all available CPU.

Have you seen the "ipset" stuff on the netfilter-devel list? This is a new
set of modules that works with sets of addresses. It should allow you to
have a much larger rejection list.


Re: Side-warning about the new proxy zombies...

2005-02-08 Thread Brian Godette
On Thursday 03 February 2005 4:22 pm, Matt Kettler wrote:
> At 06:13 PM 2/3/2005, Brian Godette wrote:
> > Those sorts of mail servers end up in my firewall rules till some point in
> > the future.
>
> I started off using a shun on them as a short-term fix, but then went to a
> 500 error message for all mail from the server in /etc/mail/access.
>
> They seem to behave properly upon getting a 5xx and go away until a new
> spam is queued, so it's less bandwidth for me if I do that than let them
> continually try to reconnect and fail to get any answer. It also gives me
> an opportunity to bounce back a message about why I'm blocking them.

My observations indicate the opposite: they just keep trying, often very
rapidly. Plus a silent firewall drop of SYNs behaves as a mini-tarpit; the
thread attempting to connect to you is blocked until connect() times out.

>
> In general doing a 5xx is better than a firewall block, unless the server
> is so broken it doesn't respond to 5xx's and keeps retrying anyway.

I should probably explain how IPs end up in my mail server firewall. I use a
slightly modified version of watch-maillog
(http://taz.net.au/postfix/scripts/watch-maillog.pl) to automatically
add/remove IPs based on regexes on a tailed mail log.

This stops dead any dictionary attack or any other 100% spam-source thing you
can make your MTA log, such as rejecting invalid HELOs using your MX's own IP
or hostname(s). Yes, it's kinda like grey-listing, but without the initial
first-time penalty; however, care must be taken to have the expiry times
reasonable or the iptables rule list becomes much too large and eventually
chews up all available CPU.

The "too many" firewall rules case is one of the modifications I made: I
limited the max rules, removing the next due before it was supposed to
happen.


Re: Side-warning about the new proxy zombies...

2005-02-04 Thread Spam Admin
Don't know if it's related, but I'm seeing a SIGNIFICANT increase in
SMTP REJECTs, something to the tune of a 10- to 15-fold increase. I
started seeing it simultaneously on both my primary and secondary boxes,
starting around 7 AM EST yesterday (Thursday). I log RBL rejects as
'spam' so this is something different.

I'm going through the logs now, but it appears I started getting a
large number of connections similar to the following:

Feb  3 07:23:17 gwmail1 postfix/smtpd[27839]: connect from
unknown[w.x.y.z]
Feb  3 07:23:17 gwmail1 postfix/smtpd[27839]: lost connection after
CONNECT from unknown[w.x.y.z]

Most of them appear to resolve to residential connections... related? - GA

>>> Matt Kettler <[EMAIL PROTECTED]> 2/3/2005 5:32:46 PM >>>
> I encountered one ISP whose legitimate mail gateway is freaking out under
> the load of all the proxy spam.
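The mechanism Brian describes above (regexes on a tailed mail log feeding an expiring iptables list with a cap on the number of rules), run over constructed log lines of the kind quoted in this message, as an added example that is not the watch-maillog script itself. The Sendmail regex assumes the usual "relay=host [ip], reject=451 4.1.8 ..." line layout, and add/del actions are recorded in a list instead of being issued to iptables.

```python
import re
from datetime import datetime

# Regexes a watch-maillog-style tailer matches; a hit puts the client IP in the
# firewall list. Fitted to the log lines quoted in this thread: Postfix "lost
# connection after CONNECT", and Sendmail "relay=host [ip], reject=451 4.1.8 ...".
PATTERNS = [
    re.compile(r"lost connection after CONNECT from \S+\[(?P<ip>[\d.]+)\]"),
    re.compile(r"relay=[^\[]*\[(?P<ip>[\d.]+)\].*reject=451 4\.1\.8"),
]

class BlockList:
    """Expiring block list with a hard cap; each add/del stands for an iptables -I/-D."""
    def __init__(self, ttl, max_rules):
        self.ttl, self.max_rules = ttl, max_rules
        self.expires = {}   # ip -> expiry time (insertion order preserved)
        self.actions = []   # ("add" | "del", ip), in the order they would be issued
    def hit(self, ip, now):
        if ip in self.expires:           # rule already present: just extend the TTL
            self.expires[ip] = now + self.ttl
            return
        self.expire(now)
        if len(self.expires) >= self.max_rules:   # the cap: evict the entry that
            self._remove(min(self.expires, key=self.expires.get))  # is due soonest
        self.expires[ip] = now + self.ttl
        self.actions.append(("add", ip))
    def expire(self, now):
        for ip in [ip for ip, t in self.expires.items() if t <= now]:
            self._remove(ip)
    def _remove(self, ip):
        del self.expires[ip]
        self.actions.append(("del", ip))

def process(lines, ttl=600, max_rules=2, year=2005):
    bl = BlockList(ttl, max_rules)
    for line in lines:
        # the syslog prefix carries no year, so one is supplied
        now = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year).timestamp()
        for m in filter(None, (p.search(line) for p in PATTERNS)):
            bl.hit(m.group("ip"), now)
    return bl

# Constructed sample log (not from the thread); addresses are documentation ranges.
SAMPLE = """\
Feb  3 07:23:17 gwmail1 postfix/smtpd[27839]: lost connection after CONNECT from unknown[203.0.113.10]
Feb  3 07:23:19 gwmail1 postfix/smtpd[27840]: lost connection after CONNECT from unknown[203.0.113.11]
Feb  3 07:23:25 mx2 sendmail[27841]: j13EN9ab027841: ruleset=check_mail, arg1=<x@invalid.example>, relay=[198.51.100.7], reject=451 4.1.8 Domain of sender address x@invalid.example does not resolve
Feb  3 07:30:00 gwmail1 postfix/smtpd[27850]: lost connection after CONNECT from unknown[203.0.113.10]
Feb  3 07:40:00 gwmail1 postfix/smtpd[27860]: lost connection after CONNECT from unknown[203.0.113.12]
""".splitlines()
```

With the defaults (ten-minute TTL, two-rule cap), process(SAMPLE).actions shows the cap evicting 203.0.113.10 and then 203.0.113.11 ahead of their expiry, and the TTL clearing the remaining entries at 07:40 before 203.0.113.12 is added.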



Re: Side-warning about the new proxy zombies...

2005-02-03 Thread Matt Kettler
At 06:13 PM 2/3/2005, Brian Godette wrote:

> Those sorts of mail servers end up in my firewall rules till some point in
> the future.

I started off using a shun on them as a short-term fix, but then went to a
500 error message for all mail from the server in /etc/mail/access.

They seem to behave properly upon getting a 5xx and go away until a new
spam is queued, so it's less bandwidth for me if I do that than let them
continually try to reconnect and fail to get any answer. It also gives me
an opportunity to bounce back a message about why I'm blocking them.

In general doing a 5xx is better than a firewall block, unless the server
is so broken it doesn't respond to 5xx's and keeps retrying anyway.



Re: Side-warning about the new proxy zombies...

2005-02-03 Thread Brian Godette
On Thursday 03 February 2005 3:32 pm, Matt Kettler wrote:
> I encountered one ISP whose legitimate mail gateway is freaking out under
> the load of all the proxy spam.
>
> It's now retrying temp-fail messages immediately without any delay... 24+
> times per second.
>
> Since I have Sendmail set up to verify sender domains exist, a lot of spam
> gets a 451 error.. Unfortunately, this server doesn't give up. Since Monday
> they tried to deliver a small number of different messages a total of 1.6
> million times.
>
> "reject=451 4.1.8 Domain of sender address [EMAIL PROTECTED] does not
> resolve". Over and over and over again..
>
> Needless to say, my maillog is rather huge this week with about 300mb of
> the above messages tacked on top of my normal logging.
>
> Other admins might want to watch out for this kind of garbage..

Those sorts of mail servers end up in my firewall rules till some point in the 
future.


Side-warning about the new proxy zombies...

2005-02-03 Thread Matt Kettler
I encountered one ISP whose legitimate mail gateway is freaking out under
the load of all the proxy spam.

It's now retrying temp-fail messages immediately without any delay... 24+ 
times per second.

Since I have Sendmail set up to verify sender domains exist, a lot of spam 
gets a 451 error.. Unfortunately, this server doesn't give up. Since Monday 
they tried to deliver a small number of different messages a total of 1.6 
million times.

"reject=451 4.1.8 Domain of sender address [EMAIL PROTECTED] does not 
resolve". Over and over and over again..

Needless to say, my maillog is rather huge this week with about 300mb of 
the above messages tacked on top of my normal logging.

Other admins might want to watch out for this kind of garbage..