[PLUG] [Fwd: Implementing a filter to deal with these attached 450's...]

Darkhorse plug_0 at robinson-west.com
Tue Oct 5 10:28:02 UTC 2004


Sorry, blew it.  I have two imap accounts under evolution and I keep
sending from the wrong identity.  I've tried su'ing in a terminal to
run evolution as a different user, but that tends to break bonobo
or something similar.  Can postfix do source address correction?

-----Forwarded Message-----

From: Michael Robinson <robinsom at robinson-west.com>
To: plug at lists.pdxlinux.org <plug at lists.pdxlinux.org>
Subject: Implementing a filter to deal with these attached 450's...
Date: 05 Oct 2004 10:04:44 -0700


I don't have a michael user.  If you look at my website,
http://robinson-west.com, you can find a michael page
that says just this though without giving more than
the correct email prefix.

I greylist, some 450's are ok.  None of these are though.
I think a lot of these could be stopped with a spamtrap.
I'm wondering if I really need to get debian up to
implement one of those or if I can do this under Linux
on my existing Postfix relays?  A spamtrap is a high
numbered exchanger that 554's anybody who tries to
send email to it so long as the lower numbered exchangers
are available.  There's an RFC on this, though I'm certain
it's not 2505.  I could use the spam trap to generate 
ip block lists, not every spammer uses the same system
every time.  

I'm trying to do three strikes and you're out, but it 
might take days for the same ip to blow it three times 
and I only have one level of ip filtering, a three day 
level.  If you reoffend, maybe you should be ignored 
for three weeks that second time, and 9 weeks a third 
time, followed by a three month blackout for a fourth 
offense.  Longer blackouts raise the probability
of false positives, but surely I'll have to block some 
people long enough to get anywhere.  My algorithm 
should probably have a permanently blocked level, but 
I'm trying to be dynamic.  

One thought is to keep track of matching helos as well 
as ip and implement a bulk blocking trick.  The
secret is to get all of the ip's the offender is using
blocked at the same time.  Unfortunately, a lot of
spammers are smart enough to not use the same helo.

I've attached my first version of ip_block for iptables
and postfix-2.1.1.  It doesn't run as part of postfix,
but a cron job seems to do the trick.  I run it every
six hours, but that was just a guess.  I would like it to
work as a daemon instead.  I don't keep track of the
day a 5xx is recorded for possible ip blocking because
that would involve a full blown calendar, but the time
it takes to get someone blocked should probabbly be
used to determine how long they should stay blocked.

I'm after how to tune ip_block, whether to include some of
the 450's, and what difference getting a spamtrap up
might make?

     --  Michael C. Robinson

----


Oct  5 05:03:48 xerxes postfix/smtpd[20695]: NOQUEUE: reject: RCPT from unknown[217.44.189.37]: 450 <217.44.189.37>: Helo command rejected: Host not found; from=<zgodkuvjmjfjhua at unix-consult.com> to=<michael at goose.robinson-west.com> proto=SMTP helo=<217.44.189.37>
Oct  5 08:09:23 xerxes postfix/smtpd[20748]: NOQUEUE: reject: RCPT from unknown[212.159.67.173]: 450 <212.159.67.173>: Helo command rejected: Host not found; from=<grekaqhgrbm at piwh.org> to=<michael at ns1.robinson-west.com> proto=SMTP helo=<212.159.67.173>
Oct  5 09:34:27 xerxes postfix/smtpd[20771]: NOQUEUE: reject: RCPT from unknown[218.191.74.42]: 450 <209.210.202.171>: Helo command rejected: Host not found; from=<reminder at computeradmin.org> to=<697.camel at goose.robinson-west.com> proto=SMTP helo=<209.210.202.171>
Oct  5 09:42:27 xerxes postfix/smtpd[20773]: NOQUEUE: reject: RCPT from unknown[65.87.160.197]: 450 <ael at ns1.robinson-west.com>: Recipient address rejected: Domain not found; from=<reminder at computeradmin.org> to=<ael at ns1.robinson-west.com> proto=SMTP helo=<user-10lf865.cable.mindspring.com>
Oct  5 09:42:28 xerxes postfix/smtpd[20773]: NOQUEUE: reject: RCPT from unknown[65.87.160.197]: 450 <ichael at ns1.robinson-west.com>: Recipient address rejected: Domain not found; from=<reminder at computeradmin.org> to=<ichael at ns1.robinson-west.com> proto=SMTP helo=<user-10lf865.cable.mindspring.com>
----


#!/bin/bash
#
# The purpose of this is to temporarily packet filter ip addresses that
# are getting 504's, 554's, 550's, or 555's on this Postfix relay.
#
# Run from cron.  Every 5xx reject in the maillog is recorded once in
# $file504 as "ip timestamp".  An ip with three recorded rejects is
# queued in today's blocks_needed.<Weekday> file and gets DROP rules in
# the bad_maili (inbound) and bad_mailo (outbound) iptables chains.
# Three days later the file for that weekday is read back, its rules
# are deleted and the file is removed.  Both chains must already exist
# and be jumped to from INPUT and OUTPUT.

maillog="/var/log/maillog"
prefix="/root/firewall/mail_504"
file504="$prefix/file504"
all_blocks="/root/firewall/temp"
date_today=`date +%A`
blocks_needed="$prefix/blocks_needed.$date_today"

blocks_Mon="$prefix/blocks_needed.Monday"
blocks_Tue="$prefix/blocks_needed.Tuesday"
blocks_Wed="$prefix/blocks_needed.Wednesday"
blocks_Thu="$prefix/blocks_needed.Thursday"
blocks_Fri="$prefix/blocks_needed.Friday"
blocks_Sat="$prefix/blocks_needed.Saturday"
blocks_Sun="$prefix/blocks_needed.Sunday"

mkdir -p $prefix
chmod 700 $prefix
touch $file504
chmod 600 $file504


remove_blocks()
{ # Remove blocked ip's from bad_maili and bad_mailo...
  # $block_switch names the blocks_needed file whose three days are up.

     total_blocks_removing=`wc -l < $block_switch`
     top_list=1

     while [ $top_list -le $total_blocks_removing ];
     do
          curr_ip_to_remove=`sed -n "${top_list}p" $block_switch`

          # Re-list with line numbers for every ip: the numbers shift
          # after each delete.
          /sbin/iptables -nL bad_maili --line-numbers > $prefix/temp_maili
          chmod 600 $prefix/temp_maili
          /sbin/iptables -nL bad_mailo --line-numbers > $prefix/temp_mailo
          chmod 600 $prefix/temp_mailo

          # Each ip has up to three rules per chain (tcp/25, udp/25,
          # tcp/465); delete from the highest line number down so the
          # lower numbers stay valid.  grep -F -w keeps 1.2.3.4 from
          # matching 1.2.3.45.
          for close_number in `grep -F -w "$curr_ip_to_remove" $prefix/temp_mailo | awk '{print $1}' | sort -rn`
          do
               /sbin/iptables -D bad_mailo $close_number
          done

          for close_number in `grep -F -w "$curr_ip_to_remove" $prefix/temp_maili | awk '{print $1}' | sort -rn`
          do
               /sbin/iptables -D bad_maili $close_number
          done

          let top_list+=1
     done
}


# Blocks queued three days ago expire today.  This runs before new
# blocks are collected so expired ip's are not put straight back.
case $date_today in
     Monday)    block_switch=$blocks_Fri ;;
     Tuesday)   block_switch=$blocks_Sat ;;
     Wednesday) block_switch=$blocks_Sun ;;
     Thursday)  block_switch=$blocks_Mon ;;
     Friday)    block_switch=$blocks_Tue ;;
     Saturday)  block_switch=$blocks_Wed ;;
     Sunday)    block_switch=$blocks_Thu ;;
esac

if [ -e "$block_switch" ];then
     remove_blocks
     rm -f $block_switch
fi


# Every 5xx reject: the client ip sits between the third '[' and the
# next ']'.  The syslog timestamp is joined with '_' so the padding of
# single-digit days does not change the field count.
grep ' 5[0-9][0-9] ' $maillog | cut -d '[' -f3 | cut -d ']' -f1 > $prefix/list_ip
grep ' 5[0-9][0-9] ' $maillog | awk '{print $1 "_" $2 "_" $3}' > $prefix/list_date
chmod 600 $prefix/list_ip $prefix/list_date
count_list=`wc -l < $prefix/list_ip`

top_count=1
while [ "$top_count" -le "$count_list" ];
do
        curr_ip=`sed -n "${top_count}p" $prefix/list_ip`
        list_date_aa=`sed -n "${top_count}p" $prefix/list_date`
        # Make sure this ip and date not already recorded...
        testing=`grep -F -w "$curr_ip" $file504 | grep -F -w "$list_date_aa"`
        if [ ! "$testing" ];then
             count_this_ip=`grep -F -w "$curr_ip" $file504 | wc -l`
             echo "$curr_ip $list_date_aa" >> $file504
             # Third strike: queue the ip unless some day's file has it.
             if [ $count_this_ip -ge 2 ];then
                  testing=`cat $prefix/blocks_needed.* 2>/dev/null | grep -F -w "$curr_ip"`
                  if [ ! "$testing" ];then
                       echo "$curr_ip" >> $blocks_needed
                       chmod 600 $blocks_needed
                  fi
             fi
        fi
        let top_count+=1
done
rm -f $prefix/list_ip $prefix/list_date


# If 3000 recorded 5[0-9][0-9], dump them...
length_file_504=`wc -l < $file504`

if [ $length_file_504 -ge 3000 ];then
     rm -f $file504
     touch $file504
     chmod 600 $file504
fi


# Everything still queued in a blocks_needed file should have drops in
# maili and mailo; ip's that already have rules are skipped, so this is
# safe to repeat every run.
cat $prefix/blocks_needed.* 2>/dev/null > $all_blocks
chmod 600 $all_blocks
all_blocks_length=`wc -l < $all_blocks`

top_count=1
while [ $top_count -le $all_blocks_length ];
do
       current_block_ip=`sed -n "${top_count}p" $all_blocks`

       testing=`/sbin/iptables -nL bad_maili | grep -F -w "$current_block_ip"`

       if [ ! "$testing" ];then
            /sbin/iptables -A bad_maili -p tcp -s $current_block_ip --dport 25 -j DROP
            /sbin/iptables -A bad_maili -p udp -s $current_block_ip --dport 25 -j DROP
            /sbin/iptables -A bad_maili -p tcp -s $current_block_ip --dport 465 -j DROP

            /sbin/iptables -A bad_mailo -p tcp -d $current_block_ip --dport 25 -j DROP
            /sbin/iptables -A bad_mailo -p udp -d $current_block_ip --dport 25 -j DROP
            /sbin/iptables -A bad_mailo -p tcp -d $current_block_ip --dport 465 -j DROP
       fi

       let top_count+=1
done

rm -f $all_blocks
