
Re: Virus emails



On Mon, Sep 22, 2003 at 07:18:56PM -0700, Steve Lamb wrote:
> On Mon, 22 Sep 2003 19:34:58 -0400
> "H. S. Teoh" <hsteoh@quickfur.ath.cx> wrote:
> > I've resorted to blocking port 25 to subnets from which these spams
> 
>     What would help is to be able to block an IP once it's been hit.  Thing is
> I cannot for the life of me figure out a way to do it.  Here's the first 25
> that hit me today:
> 
> [12.166.16.7]
[snip]

Strange, I didn't get any from 12.0.0.0/8 at all.

> [128.143.2.219]
> [128.143.2.219]

Now *this* looks familiar.

> [128.146.216.43]
> [128.146.216.45]
> [129.82.100.130]
[snip]

Didn't see these either.

> [132.64.1.17]

Saw this one, and none of the others.

>     Notice the duplicates.  Now if I could enter a blacklist entry into
> shorewall after the first hit...

There are definitely a lot of duplicates, which was what drove me to ban it
at the IP level in the first place. Looking at my firewall counters, I've
had 138 attempts from 212.216.0.0/16 alone. (Granted, that was a wide
netblock, but I don't get mail from .it, and tons of virus mails were
coming from there.)

Another major source is rr.com, which not only gives me tons of Swen, but
also other spam in general. I've blacklisted rr.com in /etc/hosts.deny,
but obviously I'm missing something obvious, 'cos rr.com spam still gets
through unless I block them on the firewall.

[snip]
> root@teleute:/var/log/exim4# grep -i malware mainlog | awk '{print $5}' | sort
> | wc -l
>  743
> root@teleute:/var/log/exim4# grep -i malware mainlog | awk '{print $5}' | sort
> | uniq | wc -l
>  336

What are the exim rules you used to catch these things?

> I'd drop the load from 743 down to 336.  Assuming all of those are Swen
> or some variant then it would be a savings of about 4Mb so far today. 

For me, I just created a special iptables chain in the NAT table and wrote
a script to put DROP rules into it. Then I have a rule in PREROUTING that
diverts all port 25 traffic to that chain (so that other stuff doesn't
incur too much overhead---the chain is quite long and growing rapidly). 

If you want to automate this more, you could write a spamassassin rule
that matches Swen mails, then use procmail to filter it (match against the
rule name in X-Spam-Status) through a script that grabs the IP address and
enters it into the firewall. Caution is advised, though---some Swen mails
are coming through the Debian lists, so you want to make sure you don't
accidentally blacklist murphy or gluck. :-)

But according to my observations from today, it's not a big deal if the
first few messages get through---all my firewall rules were hand-added
(only partially automated with some scripts), and they still catch a lot
of subsequent crap. From the looks of it, infected machines are liable to
repeatedly resend messages to the same target. The fact that you *did*
blackhole the IP or subnet probably saves you from a lot of subsequent
crap.

>     Of course that's what's gotten past the IPs I've already blacklisted.
[snip]

I can literally watch the firewall counters go up every minute. Sometimes
it's 3 or 4 per second. The stuff that still gets through ends up in my
spam box at about 2-3 per 20 minutes or so. (Much better than the 120/hour
during the weekend.)


T

-- 
Too many people have open minds but closed eyes.
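The quoted grep/awk/sort pipeline counts total versus unique malware sources, and the reply describes a dedicated firewall chain that only port-25 traffic is diverted into, fed by a script that extracts offending IPs. The script below is an added example that is not part of this thread: it applies both ideas to a few constructed exim mainlog lines, counts hits per source, skips an allow-list so list servers are never blocked (the 10.0.0.1 allow-list entry is a constructed stand-in, not the address of murphy or gluck), and prints the iptables commands for review rather than running them. The chain name SWEN_BLOCK, the log format of the sample lines and the use of the filter table's INPUT chain (rather than the nat table's PREROUTING chain mentioned in the reply) are this example's own choices.

```shell
#!/bin/bash
# Added example, not code from the thread.  Builds a deduplicated port-25
# DROP list from exim log lines that exim rejected as malware, and prints
# the iptables commands so an operator can review them before applying.
set -eu

# Addresses that must never be blocked (list servers, relays you depend on).
# 10.0.0.1 is a constructed placeholder; put your own trusted hosts here.
ALLOWLIST="10.0.0.1"

malware_sources() {
    # Usage: malware_sources LOGFILE
    # Print "hits ip" per source, most frequent first.  Same idea as the
    # grep|awk|sort|uniq pipeline from the thread, but finds the [ip] field
    # by pattern instead of assuming it is always field 5, and strips brackets.
    grep -i 'malware' "$1" \
      | awk '{ for (i = 1; i <= NF; i++)
                 if ($i ~ /^\[[0-9.]+\]$/) { print substr($i, 2, length($i) - 2); break } }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

hit_summary() {
    # Usage: hit_summary LOGFILE
    # Print "total unique": the two numbers compared with wc -l in the thread.
    local total unique
    total=$(malware_sources "$1" | awk '{ s += $1 } END { print s + 0 }')
    unique=$(malware_sources "$1" | awk 'END { print NR }')
    printf '%s %s\n' "$total" "$unique"
}

setup_commands() {
    # Usage: setup_commands CHAIN
    # Create the dedicated chain and divert only port-25 traffic into it, so
    # the long and growing block list is not consulted for every packet.
    local chain=$1
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -I INPUT -p tcp --dport 25 -j %s\n' "$chain"
}

block_commands() {
    # Usage: block_commands LOGFILE CHAIN MIN_HITS
    # One DROP rule per source with at least MIN_HITS malware rejections,
    # skipping allow-listed addresses.  Printed, not executed.
    local log=$1 chain=$2 min=$3
    malware_sources "$log" | while read -r hits ip; do
        [ "$hits" -ge "$min" ] || continue
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        printf 'iptables -A %s -s %s -p tcp --dport 25 -j DROP\n' "$chain" "$ip"
    done
}

# Constructed sample log (format modelled loosely on exim's "H=host [ip]"
# rejection lines; not a real capture).  Three hits from one host, one from
# an allow-listed host, one from another host, and one unrelated delivery.
SAMPLE_LOG=${TMPDIR:-/tmp}/sample_mainlog.$$
cat > "$SAMPLE_LOG" <<'EOF'
2003-09-22 19:01:02 1A1aaa-000001-00 H=(xyz) [128.143.2.219] F=<a@example.net> rejected after DATA: malware found (Swen)
2003-09-22 19:02:10 1A1aaa-000002-00 H=(xyz) [128.143.2.219] F=<b@example.net> rejected after DATA: malware found (Swen)
2003-09-22 19:03:44 1A1aaa-000003-00 H=(xyz) [128.143.2.219] F=<c@example.net> rejected after DATA: malware found (Swen)
2003-09-22 19:04:05 1A1aaa-000004-00 H=(lists) [10.0.0.1] F=<list@example.org> rejected after DATA: malware found (Swen)
2003-09-22 19:04:30 1A1aaa-000005-00 H=(abc) [132.64.1.17] F=<d@example.com> rejected after DATA: malware found (Swen)
2003-09-22 19:05:00 1A1aaa-000006-00 <= someone@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1234
EOF

printf 'total/unique malware hits: %s\n' "$(hit_summary "$SAMPLE_LOG")"
setup_commands SWEN_BLOCK
block_commands "$SAMPLE_LOG" SWEN_BLOCK 2
```

The MIN_HITS threshold reflects the reply's observation that infected machines resend to the same target: requiring two or more rejections before blocking keeps a single stray message from the wrong relay off the list. The generated rules only cover port 25, so a blocked host's other traffic is unaffected, and reviewing the printed commands before running them is the step that catches a list server that was not in the allow-list.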


