[PLUG] [Fwd: Implementing a filter to deal with these attached 450's...]
Darkhorse
plug_0 at robinson-west.com
Tue Oct 5 10:28:02 UTC 2004
Sorry, blew it. I have two imap accounts under evolution and I keep
sending from the wrong identity. I've tried su'ing in a terminal to
run evolution as a different user, but that tends to break bonobo
or something similar. Can postfix do source address correction?
-----Forwarded Message-----
From: Michael Robinson <robinsom at robinson-west.com>
To: plug at lists.pdxlinux.org <plug at lists.pdxlinux.org>
Subject: Implementing a filter to deal with these attached 450's...
Date: 05 Oct 2004 10:04:44 -0700
I don't have a michael user. If you look at my website,
http://robinson-west.com, you can find a michael page
that says just this though without giving more than
the correct email prefix.
I greylist; some 450's are ok. None of these are, though.
I think a lot of these could be stopped with a spamtrap.
I'm wondering if I really need to get debian up to
implement one of those or if I can do this under Linux
on my existing Postfix relays? A spamtrap is a high
numbered exchanger that 554's anybody who tries to
send email to it so long as the lower numbered exchangers
are available. There's an RFC on this, though I'm certain
it's not 2505. I could use the spam trap to generate
ip block lists, not every spammer uses the same system
every time.
I'm trying to do three strikes and you're out, but it
might take days for the same ip to blow it three times
and I only have one level of ip filtering, a three day
level. If you reoffend, maybe you should be ignored
for three weeks that second time, and 9 weeks a third
time, followed by a three month blackout for a fourth
offense. Longer blackouts raise the probability
of false positives, but surely I'll have to block some
people long enough to get anywhere. My algorithm
should probably have a permanently blocked level, but
I'm trying to be dynamic.
One thought is to keep track of matching helos as well
as ip and implement a bulk blocking trick. The
secret is to get all of the ip's the offender is using
blocked at the same time. Unfortunately, a lot of
spammers are smart enough to not use the same helo.
I've attached my first version of ip_block for iptables
and postfix-2.1.1. It doesn't run as part of postfix,
but a cron job seems to do the trick. I run it every
six hours, but that was just a guess. I would like it to
work as a daemon instead. I don't keep track of the
day a 5xx is recorded for possible ip blocking because
that would involve a full blown calendar, but the time
it takes to get someone blocked should probably be
used to determine how long they should stay blocked.
I'm after how to tune ip_block, whether to include some of
the 450's, and what difference getting a spamtrap up
might make.
-- Michael C. Robinson
----
Oct 5 05:03:48 xerxes postfix/smtpd[20695]: NOQUEUE: reject: RCPT from unknown[217.44.189.37]: 450 <217.44.189.37>: Helo command rejected: Host not found; from=<zgodkuvjmjfjhua at unix-consult.com> to=<michael at goose.robinson-west.com> proto=SMTP helo=<217.44.189.37>
Oct 5 08:09:23 xerxes postfix/smtpd[20748]: NOQUEUE: reject: RCPT from unknown[212.159.67.173]: 450 <212.159.67.173>: Helo command rejected: Host not found; from=<grekaqhgrbm at piwh.org> to=<michael at ns1.robinson-west.com> proto=SMTP helo=<212.159.67.173>
Oct 5 09:34:27 xerxes postfix/smtpd[20771]: NOQUEUE: reject: RCPT from unknown[218.191.74.42]: 450 <209.210.202.171>: Helo command rejected: Host not found; from=<reminder at computeradmin.org> to=<697.camel at goose.robinson-west.com> proto=SMTP helo=<209.210.202.171>
Oct 5 09:42:27 xerxes postfix/smtpd[20773]: NOQUEUE: reject: RCPT from unknown[65.87.160.197]: 450 <ael at ns1.robinson-west.com>: Recipient address rejected: Domain not found; from=<reminder at computeradmin.org> to=<ael at ns1.robinson-west.com> proto=SMTP helo=<user-10lf865.cable.mindspring.com>
Oct 5 09:42:28 xerxes postfix/smtpd[20773]: NOQUEUE: reject: RCPT from unknown[65.87.160.197]: 450 <ichael at ns1.robinson-west.com>: Recipient address rejected: Domain not found; from=<reminder at computeradmin.org> to=<ichael at ns1.robinson-west.com> proto=SMTP helo=<user-10lf865.cable.mindspring.com>
----
#!/bin/bash
#
# The purpose of this is to temporarily packet filter ip addresses that
# are getting 504's, 554's, 550's, or 555's on this Postfix relay.
#
# Each ip earns one strike per day on which it drew a 5xx.  On the third
# strike it goes into today's blocks_needed file and into the bad_maili
# and bad_mailo chains; three days later that file's ips are removed again.

prefix="/root/firewall/mail_504"
file504="$prefix/file504"
all_blocks="/root/firewall/temp"
date_today=$(LC_ALL=C date +%A)
blocks_needed="$prefix/blocks_needed.$date_today"

touch "$file504"
chmod 600 "$file504"

# Rules for one blocked ip.  Removal reuses the same specs with -D, so there
# is no line-number juggling against a listing that shifts after each delete.
block_rules()
{ # $1 = -A or -D, $2 = ip
    /sbin/iptables $1 bad_maili -p tcp -s $2 --dport 25  -j DROP
    /sbin/iptables $1 bad_maili -p udp -s $2 --dport 25  -j DROP
    /sbin/iptables $1 bad_maili -p tcp -s $2 --dport 465 -j DROP
    /sbin/iptables $1 bad_mailo -p tcp -d $2 --dport 25  -j DROP
    /sbin/iptables $1 bad_mailo -p udp -d $2 --dport 25  -j DROP
    /sbin/iptables $1 bad_mailo -p tcp -d $2 --dport 465 -j DROP
}

# True if the ip already has a rule in bad_maili (source is column 4 of -nL).
already_blocked()
{
    /sbin/iptables -nL bad_maili | awk -v ip="$1" '$4 == ip { found = 1 } END { exit !found }'
}

# Record today's strikes.  Month and day come from awk, so the syslog padding
# of single-digit days ("Oct  5") cannot shift the field the way cut -f4 did.
grep ' 5[0-9][0-9] ' /var/log/maillog |
while read -r line; do
    curr_ip=$(echo "$line" | cut -d '[' -f3 | cut -d ']' -f1)
    list_date_aa=$(echo "$line" | awk '{print $1 "-" $2}')
    # Only hand iptables something that looks like a dotted quad.
    case "$curr_ip" in
        ''|*[!0-9.]*) continue ;;
    esac
    # Make sure this ip and date not already recorded...
    if ! grep -qxF "$curr_ip $list_date_aa" "$file504"; then
        count_this_ip=$(awk -v ip="$curr_ip" '$1 == ip' "$file504" | wc -l)
        echo "$curr_ip $list_date_aa" >> "$file504"
        # Third strike: queue the ip unless some blocks_needed file already has it.
        if [ "$count_this_ip" -ge 2 ] &&
           ! cat "$prefix"/blocks_needed.* 2>/dev/null | grep -qxF "$curr_ip"; then
            echo "$curr_ip" >> "$blocks_needed"
        fi
    fi
done

# Blocks last three days: today we lift the ones recorded three days ago.
case "$date_today" in
    Monday)    block_switch="$prefix/blocks_needed.Friday" ;;
    Tuesday)   block_switch="$prefix/blocks_needed.Saturday" ;;
    Wednesday) block_switch="$prefix/blocks_needed.Sunday" ;;
    Thursday)  block_switch="$prefix/blocks_needed.Monday" ;;
    Friday)    block_switch="$prefix/blocks_needed.Tuesday" ;;
    Saturday)  block_switch="$prefix/blocks_needed.Wednesday" ;;
    Sunday)    block_switch="$prefix/blocks_needed.Thursday" ;;
esac
if [ -n "$block_switch" ] && [ -e "$block_switch" ]; then
    # Remove blocked ip's from bad_maili and bad_mailo...
    while read -r curr_ip_to_remove; do
        block_rules -D "$curr_ip_to_remove" 2>/dev/null
    done < "$block_switch"
    rm -f "$block_switch"
fi

# If 3000 recorded 5[0-9][0-9], dump them...
if [ "$(wc -l < "$file504")" -ge 3000 ]; then
    rm -f "$file504"
    touch "$file504"
    chmod 600 "$file504"
fi

# Everything still listed in a blocks_needed file should be dropped; add
# rules for the ones that are not in the chains yet (including today's).
cat "$prefix"/blocks_needed.* > "$all_blocks" 2>/dev/null
chmod 600 "$all_blocks"
while read -r current_block_ip; do
    if ! already_blocked "$current_block_ip"; then
        block_rules -A "$current_block_ip"
    fi
done < "$all_blocks"
rm -f "$all_blocks"
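The escalating three-strikes scheme Michael sketches above (a block on the third 5xx day, then 3 days, 3 weeks, 9 weeks and 3 months for each repeat offence) as an added example. This is not the posted ip_block script and not anything from the thread: it parses Postfix smtpd reject lines in the format shown in the post, counts one strike per client ip per day, ignores 450's, lengthens each later block, and emits the iptables rules as strings instead of running them. The chain names bad_maili and bad_mailo are taken from the script; the log lines, the hostname, the TEST-NET addresses and the year 2004 (syslog lines carry no year) are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Postfix smtpd reject line as in the post (syslog has no year, so one is supplied).
REJECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"(?P<code>[45]\d\d) "
)

STRIKES_TO_BLOCK = 3
# Block length by number of earlier blocks: 3 days, 3 weeks, 9 weeks, then 3 months for good.
ESCALATION = [timedelta(days=3), timedelta(weeks=3), timedelta(weeks=9), timedelta(days=90)]


def parse_reject(line, year=2004):
    """Return (timestamp, client_ip, smtp_code) for a Postfix reject line, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], int(m["code"])


class Blocklist:
    def __init__(self):
        self.strike_days = {}    # ip -> set of days on which it drew a 5xx
        self.offences = {}       # ip -> number of blocks it has already served
        self.blocked_until = {}  # ip -> when the current block expires

    def record(self, ts, ip, code):
        """Feed one reject; return the block length if it triggers a block, else None.

        4xx (greylisting, temporary DNS failure) is not a strike, and several 5xx
        on one day count once, so a single burst cannot use up all three strikes."""
        if not 500 <= code <= 599 or ip in self.blocked_until:
            return None
        days = self.strike_days.setdefault(ip, set())
        days.add(ts.date())
        if len(days) < STRIKES_TO_BLOCK:
            return None
        n = self.offences.get(ip, 0)
        length = ESCALATION[min(n, len(ESCALATION) - 1)]
        self.offences[ip] = n + 1
        self.blocked_until[ip] = ts + length
        days.clear()  # after the block lapses, three fresh strikes are needed again
        return length

    def expire(self, now):
        """Lift blocks whose time is up; return the ips to unblock."""
        done = sorted(ip for ip, until in self.blocked_until.items() if until <= now)
        for ip in done:
            del self.blocked_until[ip]
        return done


def iptables_rules(ip, op="-A"):
    """The posted script's tcp DROP rules for one ip; op='-D' deletes the same rules."""
    return [f"/sbin/iptables {op} {chain} -p tcp {flag} {ip} --dport {port} -j DROP"
            for chain, flag in (("bad_maili", "-s"), ("bad_mailo", "-d")) for port in (25, 465)]


def run(log_lines, blocklist=None):
    """Replay log lines in order; return the blocklist and (ip, event, when) tuples."""
    bl = blocklist or Blocklist()
    events = []
    for line in log_lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue
        ts, ip, code = parsed
        for lifted in bl.expire(ts):
            events.append((lifted, "unblock", ts))
        length = bl.record(ts, ip, code)
        if length is not None:
            events.append((ip, "block", ts + length))
    return bl, events


def _line(day, time, ip, code):  # constructed log line in the format from the post
    return (f"Oct {day:2d} {time} xerxes postfix/smtpd[20695]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: {code} <{ip}>: Helo command rejected: Host not found; "
            f"from=<nobody@example.org> to=<michael@goose.robinson-west.com> proto=SMTP helo=<{ip}>")


SAMPLE_LOG = [  # constructed; TEST-NET addresses, not anyone's real mail client
    _line(1, "05:03:48", "192.0.2.10", 554),
    _line(1, "06:11:02", "192.0.2.10", 554),    # same day: still strike one
    _line(2, "09:34:27", "192.0.2.10", 550),
    _line(2, "09:42:27", "198.51.100.7", 450),  # greylisted, not a strike
    _line(3, "08:09:23", "192.0.2.10", 554),    # third day: 3-day block
    _line(7, "01:00:00", "192.0.2.10", 554),    # block lapsed on Oct 6: strike one again
    _line(8, "01:00:00", "192.0.2.10", 554),
    _line(9, "01:00:00", "192.0.2.10", 554),    # second offence: 3-week block
]

if __name__ == "__main__":
    bl, events = run(SAMPLE_LOG)
    for ip, what, when in events:
        print(f"{what} {ip} ({'until' if what == 'block' else 'at'} {when})")
        for rule in iptables_rules(ip, "-A" if what == "block" else "-D"):
            print("   ", rule)
```

Because strikes are cleared when a block is imposed, an ip that comes back after its block lapses has to earn three new strike days before the longer block applies; that is what keeps a single noisy run from jumping straight to the three-month tier. In a real cron job the state would be persisted between runs and the rule strings handed to iptables.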