On Mon, 22 Sep 2003 22:44:50 -0400
"H. S. Teoh" <hsteoh@quickfur.ath.cx> wrote:
> Another major source is rr.com, which not only gives me tons of Swen, but
> also other spam in general. I've blacklisted rr.com in /etc/hosts.deny,
> but obviously I'm missing something obvious, 'cos rr.com spam still gets
> through unless I block them on the firewall.
rr.com pisses me off. They RBL other ISP provider's customer blocks so we
can't complain about their mess. Pathetic.
> [snip]
> > root@teleute:/var/log/exim4# grep -i malware mainlog | awk '{print $5}' |
> > sort| wc -l
> > 743
> > root@teleute:/var/log/exim4# grep -i malware mainlog | awk '{print $5}' |
> > sort| uniq | wc -l
> > 336
> What are the exim rules you used to catch these things?
exiscan-acl calling clamav and dropping it with a 550. A full log line
would be:
2003-09-22 07:38:05 1A1RpB-0007Xd-Of H=(smtp21.singnet.com.sg)
[165.21.101.201] F=<josen@mbox3.singnet.com.sg> rejected after DATA: This
message contains a viru s or other malware (Worm.Gibe.F).
> For me, I just created a special iptables chain in the NAT table and wrote
> a script to put DROP rules into it. Then I have a rule in PREROUTING that
> diverts all port 25 traffic to that chain (so that other stuff doesn't
> incur too much overhead---the chain is quite long and growing rapidly).
True. I'm just doing a blanket blacklist since I figure if they're
infected with this, what else will they hit?
> If you want to automate this more, you could write a spamassassin rule
> that matches Swen mails, then use procmail to filter it (match against the
> rule name in X-Spam-Status) through a script that grabs the IP address and
> enters it into the firewall.
Except it never hits SA nor do I even have procmail installed. Can't
stand the ugly beast.
> Caution is advised, though---some Swen mails are coming through the Debian
> lists, so you want to make sure you don't accidentally blacklist murphy or
> gluck. :-)
... Carp, so much for that idea, eh? :/
> But according to my observations from today, it's not a big deal if the
> first few messages get through---all my firewall rules were hand-added
> (only partially automated with some scripts), and they still catch a lot
> of subsequent crap. From the looks of it, infected machines are liable to
> repeatedly resend messages to the same target. The fact that you *did*
> blackhole the IP or subnet probably saves you from a lot of subsequent
> crap.
True. Right now I'm just adding IPs by awking out the IPs, cleaning off
the brackets and tacking it onto the end of shorewall's blacklist.
> I can literally watch the firewall counters go up every minute. Sometimes
> it's 3 or 4 per second. The stuff that still gets through ends up in my
> spam box at about 2-3 per 20 minutes or so. (Much better than the 120/hour
> during the weekend.)
Ahhh, here's an interesting tidbit. From shorewall's status.
Chain blacklst (2 references)
pkts bytes target prot opt in out source destination
40 2400 DROP all -- * * 128.118.141.31 0.0.0.0/0
48 2880 DROP all -- * * 128.118.141.35 0.0.0.0/0
0 0 DROP all -- * * 128.83.126.136 0.0.0.0/0
1087 52176 DROP all -- * * 129.79.1.71 0.0.0.0/0
686 32928 DROP all -- * * 129.79.1.72 0.0.0.0/0
This in interesting. Some of these are hitting me a LOT and others have
not hit at all. I guess this means I can drop the ones with a 0 count, reset
the counts and let it go. This would, in theory, weed out the cleaned up
hosts while leaving in the infected, no?
--
Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
PGP Key: 8B6E99C5 | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------
Attachment:
pgpcvzTxlviQN.pgp
Description: PGP signature