Re: Virus emails

On Mon, 22 Sep 2003 22:44:50 -0400
"H. S. Teoh" <hsteoh@quickfur.ath.cx> wrote:
> Another major source is rr.com, which not only gives me tons of Swen, but
> also other spam in general. I've blacklisted rr.com in /etc/hosts.deny,
> but obviously I'm missing something obvious, 'cos rr.com spam still gets
> through unless I block them on the firewall.

    rr.com pisses me off.  They RBL other ISP provider's customer blocks so we
can't complain about their mess.  Pathetic.
> [snip]
> > root@teleute:/var/log/exim4# grep -i malware mainlog | awk '{print $5}' |
> > sort| wc -l
> >  743
> > root@teleute:/var/log/exim4# grep -i malware mainlog | awk '{print $5}' |
> > sort| uniq | wc -l
> >  336
> What are the exim rules you used to catch these things?

    exiscan-acl calling clamav and dropping it with a 550.  A full log line
would be:

2003-09-22 07:38:05 1A1RpB-0007Xd-Of H=(smtp21.singnet.com.sg)
[] F=<josen@mbox3.singnet.com.sg> rejected after DATA: This
message contains a virus or other malware (Worm.Gibe.F).

> For me, I just created a special iptables chain in the NAT table and wrote
> a script to put DROP rules into it. Then I have a rule in PREROUTING that
> diverts all port 25 traffic to that chain (so that other stuff doesn't
> incur too much overhead---the chain is quite long and growing rapidly). 

    True.  I'm just doing a blanket blacklist since I figure if they're
infected with this, what else will they hit?
> If you want to automate this more, you could write a spamassassin rule
> that matches Swen mails, then use procmail to filter it (match against the
> rule name in X-Spam-Status) through a script that grabs the IP address and
> enters it into the firewall.

    Except it never hits SA nor do I even have procmail installed.  Can't
stand the ugly beast.

> Caution is advised, though---some Swen mails are coming through the Debian
> lists, so you want to make sure you don't accidentally blacklist murphy or
> gluck. :-)

    ...  Carp, so much for that idea, eh?  :/

> But according to my observations from today, it's not a big deal if the
> first few messages get through---all my firewall rules were hand-added
> (only partially automated with some scripts), and they still catch a lot
> of subsequent crap. From the looks of it, infected machines are liable to
> repeatedly resend messages to the same target. The fact that you *did*
> blackhole the IP or subnet probably saves you from a lot of subsequent
> crap.

    True.  Right now I'm just adding IPs by awking out the IPs, cleaning off
the brackets and tacking it onto the end of shorewall's blacklist.
> I can literally watch the firewall counters go up every minute. Sometimes
> it's 3 or 4 per second. The stuff that still gets through ends up in my
> spam box at about 2-3 per 20 minutes or so. (Much better than the 120/hour
> during the weekend.)

    Ahhh, here's an interesting tidbit.  From shorewall's status.

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source              destination
   40  2400 DROP       all  --  *      *
   48  2880 DROP       all  --  *      *
    0     0 DROP       all  --  *      *
 1087 52176 DROP       all  --  *      *
  686 32928 DROP       all  --  *      *

    This is interesting.  Some of these are hitting me a LOT and others have
not hit at all.  I guess this means I can drop the ones with a 0 count, reset
the counts and let it go.  This would, in theory, weed out the cleaned up
hosts while leaving in the infected, no?

         Steve C. Lamb
       PGP Key: 8B6E99C5       | main connection to the switchboard of souls.
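The two bits of manual work in this exchange, awking the connecting IPs out of exim's "rejected after DATA ... malware" lines for the blacklist, and then pruning entries whose packet counter stayed at zero, as one added example. This is not Steve Lamb's or H. S. Teoh's script; the log lines, the counter table, the helo names and the RFC 5737 addresses in it are all constructed for the example, and the shorewall blacklist file path is only a placeholder.

```python
"""Added example (not code from the thread): dedupe malware-rejected sender IPs
from an exim4 mainlog and split a DROP chain's entries by packet count.

All input below is constructed: helo names use example.* domains and the
addresses are RFC 5737 documentation ranges, not real hosts."""
import re
from collections import Counter

# Constructed exim4 mainlog lines, shaped like the one quoted in the thread
# (the quoted line had its IP stripped; these carry one in brackets).
MAINLOG = """\
2003-09-22 07:38:05 1A1RpB-0007Xd-Of H=(smtp21.example.com) [192.0.2.10] F=<a@example.com> rejected after DATA: This message contains a virus or other malware (Worm.Gibe.F).
2003-09-22 07:39:11 1A1RpC-0007Xe-Pf H=(pc-17.example.net) [198.51.100.7] F=<b@example.net> rejected after DATA: This message contains a virus or other malware (Worm.Gibe.F).
2003-09-22 07:40:02 1A1RpD-0007Xf-Qg H=(smtp21.example.com) [192.0.2.10] F=<c@example.com> rejected after DATA: This message contains a virus or other malware (Worm.Gibe.F).
2003-09-22 07:41:30 1A1RpE-0007Xg-Rh H=(mail.example.org) [203.0.113.4] F=<d@example.org> rejected: administrative prohibition
"""

# exim writes the connecting host as H=(helo) [ip]; only lines exiscan tagged
# as malware count, so the last constructed line above must not match.
MALWARE_RE = re.compile(r"H=\(\S*\) \[(?P<ip>[0-9.]+)\].*\bmalware\b", re.IGNORECASE)


def malware_sources(log_text):
    """Count rejections per connecting IP: the grep | awk | sort step."""
    hits = Counter()
    for line in log_text.splitlines():
        m = MALWARE_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def blacklist_entries(log_text):
    """Unique IPs, brackets already stripped, ready to append to the blacklist
    (the sort | uniq step, minus the manual cleanup)."""
    return sorted(malware_sources(log_text))


# Constructed output in the shape of shorewall's status / iptables -nvL,
# with the source column present this time.
STATUS = """\
Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source              destination
   40  2400 DROP       all  --  *      *       192.0.2.10          0.0.0.0/0
    0     0 DROP       all  --  *      *       203.0.113.4         0.0.0.0/0
 1087 52176 DROP       all  --  *      *       198.51.100.7        0.0.0.0/0
"""

_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def _count(field):
    """iptables abbreviates large counters (e.g. 12K); turn them back into ints."""
    if field[-1] in _SUFFIX:
        return int(field[:-1]) * _SUFFIX[field[-1]]
    return int(field)


def prune_idle(status_text):
    """Split DROP entries into (still hitting: ip -> pkts, idle: [ip]).

    A zero counter only means "not seen since the counters were last reset",
    so the window between resets has to be long enough to cover a host that
    retries slowly before an idle entry is treated as cleaned up."""
    active, idle = {}, []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[2] != "DROP":
            continue  # chain header, column header, or a non-DROP rule
        pkts, source = _count(fields[0]), fields[7]
        if pkts:
            active[source] = pkts
        else:
            idle.append(source)
    return active, idle


if __name__ == "__main__":
    print("rejections per IP:", dict(malware_sources(MAINLOG)))
    print("blacklist lines:", blacklist_entries(MAINLOG))
    keep, drop = prune_idle(STATUS)
    print("still hitting:", keep)
    print("idle, candidates to drop:", drop)
```

Feeding the real files in would mean reading /var/log/exim4/mainlog into `malware_sources` and the output of `shorewall status` (or `iptables -nvL blacklst`) into `prune_idle`; the placeholder path for the shorewall blacklist is whatever the local install uses.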
