[exim] slowing spammers with iptables -m recent

Author: Tony Godshall
Date:  
To: Exim users list
Subject: [exim] slowing spammers with iptables -m recent

Hi folks.

I asked this over on debian-user and got some response but
nothing specific. So I joined this list and perused its
archives. Interesting stuff but nothing close. Here
goes...

I've been using Exim since I started doing e-mail on my
Debian box many years ago. But I never was able to really
get into its configs; the docs are kind of hard to grok for
me. And the exim4 configs really make my brain hurt... I
can't tell where the settings are without doing a 'grep ptn
/etc/default/exim* /etc/exim4.config $(find /etc/exim4/.
-type f)' and even then I have trouble. Thank goodness
the dpkg reconfigure does a good job.

Anyhow, I've had a domain for a decade where my hosting svc
used to forward *all* e-mail to me, and spammers made up
usernames and passed them around. Ultimately the load
became too heavy for his servers and he wasn't inclined to
fix the config, so I pointed the MX to my DSL line and took
it in-house; Exim handles it very well.

Symptom: tons of "Unroutable address" logs like this in
my /var/log/exim4/mainlog...

2005-11-22 12:34:53 H=adsl-63-195-120-242.dsl.snfc21.pacbell.net (thesitefights.com) [63.195.120.242] F=<connie.cisneros_qx@???> rejected RCPT <middleton@???>: Unrouteable address

iptables rule:

  # drop for 40 seconds each time we get a smtp_penalty_box hit
  # (--rcheck only tests the list; it does not refresh the entry's
  # timestamp, so the block lapses 40 seconds after the IP was listed)
  iptables -A INPUT \
    -m recent --name smtp_penalty_box --rcheck --seconds 40 \
    -j DROP


Command line to detect the offending IP addr (a bit delayed, sadly)
and put the IP address on the list for the iptables rule to reject.

  tail -f /var/log/exim4/mainlog \
  |perl -e '
  use strict;
  use POSIX qw(strftime);
  $| = 1;   # flush each penalty line immediately when piped
  while (<>)
  {
    if(m{\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\].*Unrouteable address})
    {
      my $ip = $1;
      # writing an address to the ipt_recent proc file adds it to the list
      open(OUTPUT, ">/proc/net/ipt_recent/smtp_penalty_box")
        or die "cannot open smtp_penalty_box list: $!";
      print OUTPUT "$ip\n";
      close(OUTPUT);
      my $disptime=strftime("%m-%d %H:%M:%S",localtime time);
      print "$disptime: penalty $ip\n";
    }
  }'


I also have been noticing that some IP addresses come in
with multiple connections with randomized HELO identities.
These are clearly spammers, if not denial of service
attackers, so I want to blacklist them longer, if not
permanently.

Symptom: eximon says...
703 handling incoming connection from (dbzgtlegacy.com) [219.129.109.10]
704 handling incoming connection from (guide55.every1.net) [219.129.109.10]
705 handling incoming connection from (free2.every1.net) [219.129.109.10]
706 handling incoming connection from (minitruckmail.com) [219.129.109.10]
707 handling incoming connection from (vegemail.com) [219.129.109.10]
708 handling incoming connection from (africansisters.com) [219.129.109.10]
709 handling incoming connection from (faza.ru) [219.129.109.10]

iptables rule:
  # block any IP on this list till it's quiet for ten minutes (600 seconds);
  # --update refreshes the timestamp on every hit, so a host that keeps
  # connecting stays blocked
  iptables -A INPUT \
    -m recent --name smtp_multiple_idents --update --seconds 600 \
    -j DROP


put IP address on list that iptables sees...

  # detect IPs that are claiming to be multiple domains and
  # put them in the smtp_multiple_idents list
  while /bin/true
  do
    # one snapshot per pass; read it from the file afterwards
    # (never tee a file back into itself while reading it: tee
    # truncates the file before cat has read it)
    exiwhat | tee ~/exiwhat.out
    for ip in $( \
      perl -e '
        use strict;
        while(<>)
        {
          # "(helo-name) [ip]" -> "ip helo-name"
          if(m{\(([^()]+)\) \[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]})
          {
            print "$2 $1\n";
          }
        }' ~/exiwhat.out \
      | sort -u | cut -d' ' -f1 | uniq -c \
      | perl -ne 'if(m{^[ \t]*([0-9]+)[ \t]+([^ \t].*)}&&$1>1){print "$2\n"}'
    )
    do
      echo $ip > /proc/net/ipt_recent/smtp_multiple_idents
      echo "multiple identities- $ip"
    done
    date
    sleep 15
  done


My real question is: how can I trigger the command-line
checks above from within exim?

Best regards,

Tony
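Both detectors from the post, re-implemented as an added offline example (this is not Tony's code and is not part of the thread). It parses mainlog lines for "Unrouteable address" rejections and exiwhat output for one IP presenting several HELO names, and returns the addresses that would go into the two `-m recent` lists. The `threshold` and `min_names` parameters go beyond the post, which penalises on the first hit; the `recent_list_entries`/`penalize` helpers and the sample log and exiwhat lines are constructed here in the format the post shows (addresses the post redacts are replaced with example.* domains, and the 198.51.100.7 host is made up for contrast).

```python
"""Offline versions of the two detectors: unroutable-address hits and
multi-HELO connections. Added example, not the post's own code."""
import re
from collections import defaultdict

# Constructed sample of /var/log/exim4/mainlog lines in the post's format.
# The fourth line is an accepted message ("<=") and must not be matched.
SAMPLE_MAINLOG = """\
2005-11-22 12:34:53 H=adsl-63-195-120-242.dsl.snfc21.pacbell.net (thesitefights.com) [63.195.120.242] F=<connie.cisneros_qx@example.net> rejected RCPT <middleton@example.org>: Unrouteable address
2005-11-22 12:34:54 H=adsl-63-195-120-242.dsl.snfc21.pacbell.net (thesitefights.com) [63.195.120.242] F=<connie.cisneros_qx@example.net> rejected RCPT <nobody.here@example.org>: Unrouteable address
2005-11-22 12:35:10 H=mail.example.com [198.51.100.7] F=<bob@example.com> rejected RCPT <typo@example.org>: Unrouteable address
2005-11-22 12:35:12 1EeXyz-0001Ab-Cd <= alice@example.com H=mail.example.com [198.51.100.7] P=esmtp S=1234
"""

# Constructed exiwhat snapshot: the seven lines quoted in the post, a legitimate
# host that reconnects under the same HELO name, and a daemon line to be ignored.
SAMPLE_EXIWHAT = """\
  321 daemon: -q30m, listening for SMTP on port 25
  703 handling incoming connection from (dbzgtlegacy.com) [219.129.109.10]
  704 handling incoming connection from (guide55.every1.net) [219.129.109.10]
  705 handling incoming connection from (free2.every1.net) [219.129.109.10]
  706 handling incoming connection from (minitruckmail.com) [219.129.109.10]
  707 handling incoming connection from (vegemail.com) [219.129.109.10]
  708 handling incoming connection from (africansisters.com) [219.129.109.10]
  709 handling incoming connection from (faza.ru) [219.129.109.10]
  710 handling incoming connection from (mail.example.com) [198.51.100.7]
  711 handling incoming connection from (mail.example.com) [198.51.100.7]
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "... [ip] ... rejected RCPT <addr>: Unrouteable address" (Exim's own spelling)
REJECT_RE = re.compile(r"\[" + IPV4 + r"\] .*rejected RCPT .*: Unrouteable address$")
# exiwhat: "handling incoming connection from (helo-name) [ip]"
HELO_RE = re.compile(r"handling incoming connection from \(([^()]+)\) \[" + IPV4 + r"\]")


def unroutable_offenders(lines, threshold=1):
    """IPs with at least `threshold` unroutable-address rejections.
    threshold=1 matches the post (penalise on the first hit); a higher value
    spares a legitimate sender who mistyped one recipient."""
    hits = defaultdict(int)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def multiple_ident_offenders(lines, min_names=2):
    """IPs presenting at least `min_names` distinct HELO names in one snapshot.
    Counts distinct names, so a host reconnecting under one name is not flagged."""
    names = defaultdict(set)
    for line in lines:
        m = HELO_RE.search(line)
        if m:
            names[m.group(2)].add(m.group(1))
    return sorted(ip for ip, s in names.items() if len(s) >= min_names)


def recent_list_entries(ips, legacy=False):
    """Strings to write into the recent-match list.
    legacy=True: /proc/net/ipt_recent/<name> (the post's kernel) takes a bare address.
    legacy=False: /proc/net/xt_recent/<name> (current kernels) takes "+addr" to add,
    "-addr" to remove and "/" to flush the list."""
    return [ip if legacy else "+" + ip for ip in ips]


def penalize(ips, list_path, legacy=False):
    """Add each IP to the list file, one address per write as the proc
    interface expects. Returns the number of entries written."""
    written = 0
    for entry in recent_list_entries(ips, legacy):
        with open(list_path, "w") as fh:
            fh.write(entry + "\n")
        written += 1
    return written


if __name__ == "__main__":
    print("penalty box:", unroutable_offenders(SAMPLE_MAINLOG.splitlines()))
    print("multiple idents:", multiple_ident_offenders(SAMPLE_EXIWHAT.splitlines()))
    print("would write:", recent_list_entries(["219.129.109.10"]))
```

Run against live data, `penalize(multiple_ident_offenders(exiwhat_output), "/proc/net/xt_recent/smtp_multiple_idents")` replaces the shell loop's `echo $ip > ...`; on a kernel that still exposes `/proc/net/ipt_recent`, pass `legacy=True` and the post's path instead.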