Re: [Exim] Columbian Spammer

Author: James P. Roberts
Date:  
To: Ron McKeating
CC: exim-users
Subject: Re: [Exim] Columbian Spammer
----- Original Message -----
From: "Ron McKeating" <R.J.Mckeating@???>
To: "Exim-Users (E-mail)" <exim-users@???>
Sent: Monday, November 03, 2003 5:34 AM
Subject: [Exim] Columbian Spammer


> For the past few weeks every night we are getting thousands of spams
> trying to route through one of our mail servers. Here is a sample log
> entry
>
> 2003-11-03 00:01:27 H=(compaq-1.epm.net.co) [200.116.23.169]
> F=<utvegaya@???> rejected RCPT <csevillano@???>:
> relay not permitted
>
> Why they bother to continue I do not know as they never get anywhere. I
> have complained to abuse@??? and their postmaster but not had any
> response.
>
> Where would be the best place to put an acl that would simply disconnect
> them every time they tried to connect to our site?
>
> Ron
>


In your firewall.

I keep a couple of handy scripts lying around to quickly add and remove IPs
from my firewall. I present them here in case anyone might find them useful.
Please note the VERY IMPORTANT step of setting the correct rule numbers for
your site, in the ipblack_add script. If you are really unsure, use "1", to
make the blacklist rules always come first. I happen to put them at position
6 (INPUT) and 3 (FORWARD), but that is unique to my own firewall ruleset.
YMMV.

------------------------------------------------
#! /bin/bash

# filename: /etc/sysconfig/ipblack_add
# inserts an IP address into iptables firewall blacklist
# *** ABSOLUTELY MUST BE UPDATED IF INPUT OR FORWARD CHAINS ARE MODIFIED ***
# *** THIS IS CUSTOM HARD-CODED TO INSERT RULES AT SPECIFIC LOCATIONS ***
# J.P.Roberts - 12-Sep-2003

# usage: ipblack_add <ip-address>
[ -n "$1" ] || { echo "usage: $0 <ip-address>" >&2; exit 1; }

# add to currently running firewall
iptables -I INPUT 6 -p all -s "$1" -j DROP
iptables -I FORWARD 3 -p all -s "$1" -j DROP

# save new iptables rules (in case of reboot)
/etc/init.d/iptables save

# add to blacklist file (one rule per line; the redirection belongs on the
# same line as the echo, otherwise the rule goes to stdout and the file is
# merely touched)
echo "iptables -A INPUT -p all -s $1 -j DROP" >>/etc/sysconfig/iptables_blacklist
echo "iptables -A FORWARD -p all -s $1 -j DROP" >>/etc/sysconfig/iptables_blacklist

# end

------------------------------------------------

#! /bin/bash

# filename: /etc/sysconfig/ipblack_remove
# removes IP address from iptables firewall blacklist
# *** SPECIFICALLY REMOVES RULES ADDED BY "ipblack_add" SCRIPT ***
# J.P.Roberts - 12-Sep-2003

# usage: ipblack_remove <ip-address>
[ -n "$1" ] || { echo "usage: $0 <ip-address>" >&2; exit 1; }

# remove from currently running firewall
iptables -D INPUT -p all -s "$1" -j DROP
iptables -D FORWARD -p all -s "$1" -j DROP

# save new iptables rules (in case of reboot)
/etc/init.d/iptables save

# remove from blacklist file
# match the whole "-s <ip> -j" field (fixed string, "--" so grep does not read
# the pattern as an option), so removing 10.0.0.1 does not also drop the lines
# for 10.0.0.10 or 110.0.0.1
tmp=/etc/sysconfig/iptables_blacklist.tmp
grep -v -F -- "-s $1 -j" /etc/sysconfig/iptables_blacklist >"$tmp"
chmod 750 "$tmp"
mv -f "$tmp" /etc/sysconfig/iptables_blacklist

# end

------------------------------------------------

Note, in addition to these two scripts, I also include the contents of the
"iptables_blacklist" file, at the appropriate spot, inside the script that
loads my full set of firewall rules. This way, I have a convenient list of
the current blacklisted IPs. I also can reboot, or reload the firewall from
scratch, without losing my list. And I don't have to mess with the main
firewall script just to change the blacklist.

I hope this is helpful.

I have not tried it yet, but I believe $run could be used from within an Exim
ACL to execute either of these scripts, to create a real-time black-listing
function.

YMMV.

Regards,
Jim Roberts
Punster Productions, Inc.
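As an added example that is not part of either message in this thread: the Exim main-log line Ron quotes already carries the peer address in the bracketed H= field, so the script below parses constructed log lines in that format, counts "relay not permitted" rejections per address, and builds the same two DROP rules Jim's ipblack_add inserts, validating the address before it would ever reach iptables. The sample lines, the example.invalid mailboxes and the threshold of three rejections are assumptions made for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of Exim main-log lines, modelled on the rejection quoted
# in Ron's message (mailboxes replaced with example.invalid placeholders).
SAMPLE_LOG = """\
2003-11-03 00:01:27 H=(compaq-1.epm.net.co) [200.116.23.169] F=<utvegaya@example.invalid> rejected RCPT <csevillano@example.invalid>: relay not permitted
2003-11-03 00:01:29 H=(compaq-1.epm.net.co) [200.116.23.169] F=<utvegaya@example.invalid> rejected RCPT <jdoe@example.invalid>: relay not permitted
2003-11-03 00:01:31 H=(compaq-1.epm.net.co) [200.116.23.169] F=<utvegaya@example.invalid> rejected RCPT <msmith@example.invalid>: relay not permitted
2003-11-03 00:02:10 H=mail.example.org [192.0.2.10] F=<bob@example.org> rejected RCPT <typo@example.invalid>: relay not permitted
2003-11-03 00:02:15 1AGq6T-0004Xp-00 <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1234
"""

# Matches a "relay not permitted" RCPT rejection; the bracketed field after
# H= is the peer address, whatever HELO or reverse-DNS text precedes it.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) H=[^\[]*\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*rejected RCPT <[^>]*>: relay not permitted$"
)

def parse_relay_rejects(lines):
    """Yield (timestamp, peer_ip) for every relay rejection in the log."""
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip")

def relay_abusers(lines, threshold):
    """Return {ip: count} for peers rejected at least `threshold` times."""
    # A threshold above 1 keeps one mistyped recipient from a legitimate
    # correspondent from being firewalled along with the bulk relayer.
    counts = Counter(ip for _, ip in parse_relay_rejects(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def block_commands(ip):
    """Build the two DROP rules ipblack_add inserts, after validating the address."""
    addr = ipaddress.ip_address(ip)          # ValueError on anything but an IP
    if addr.version != 4:
        raise ValueError("iptables blacklist holds IPv4 addresses only")
    return [f"iptables -I INPUT 6 -p all -s {addr} -j DROP",
            f"iptables -I FORWARD 3 -p all -s {addr} -j DROP"]

if __name__ == "__main__":
    for ip, n in relay_abusers(SAMPLE_LOG.splitlines(), 3).items():
        print(f"# {n} relay rejections from {ip}")
        print("\n".join(block_commands(ip)))
```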