
Re: Virus emails



On Mon, Sep 22, 2003 at 08:46:15PM -0700, Steve Lamb wrote:
> On Mon, 22 Sep 2003 22:44:50 -0400
> "H. S. Teoh" <hsteoh@quickfur.ath.cx> wrote:
> > Another major source is rr.com, which not only gives me tons of Swen, but
> > also other spam in general. I've blacklisted rr.com in /etc/hosts.deny,
> > but obviously I'm missing something obvious, 'cos rr.com spam still gets
> > through unless I block them on the firewall.
> 
> rr.com pisses me off.  They RBL other ISP provider's customer blocks so
> we can't complain about their mess.  Pathetic. 

Apparently rr.com has a reputation for being a spamhaus since years ago,
in spite of their advertisements to the contrary.

[snip]
> > What are the exim rules you used to catch these things?
> 
>     exiscan-acl calling clamav and dropping it with a 550.  A full log line
> would be:
> 
> 2003-09-22 07:38:05 1A1RpB-0007Xd-Of H=(smtp21.singnet.com.sg)
> [165.21.101.201] F=<josen@mbox3.singnet.com.sg> rejected after DATA: This
> message contains a virus or other malware (Worm.Gibe.F).

I see. Thanks for the info, I'll look it up.

[snip]
> > For me, I just created a special iptables chain in the NAT table and wrote
> > a script to put DROP rules into it. Then I have a rule in PREROUTING that
> > diverts all port 25 traffic to that chain (so that other stuff doesn't
> > incur too much overhead---the chain is quite long and growing rapidly). 
> 
>     True.  I'm just doing a blanket blacklist since I figure if they're
> infected with this, what else will they hit?

So far, I haven't got anything except port 25 connections from infected
hosts. But then again, I have very few open ports on my machine, so who
knows.

> > If you want to automate this more, you could write a spamassassin rule
> > that matches Swen mails, then use procmail to filter it (match against the
> > rule name in X-Spam-Status) through a script that grabs the IP address and
> > enters it into the firewall.
> 
>     Except it never hits SA nor do I even have procmail installed.  Can't
> stand the ugly beast.

It never hits SA? Almost all Swen mails I got were caught by my bogofilter
+ SA setup. (It only missed like 2-3 out of at least 5000 per day.)

[snip]
> > But according to my observations from today, it's not a big deal if the
> > first few messages get through---all my firewall rules were hand-added
> > (only partially automated with some scripts), and they still catch a lot
> > of subsequent crap. From the looks of it, infected machines are liable to
> > repeatedly resend messages to the same target. The fact that you *did*
> > blackhole the IP or subnet probably saves you from a lot of subsequent
> > crap.
> 
>     True.  Right now I'm just adding IPs by awking out the IPs, cleaning off
> the brackets and tacking it onto the end of shorewall's blacklist.

I've resorted to blocking wide subnets. 202.248.37.0/24 alone has had 3858
hits since yesterday, and still counting. Last night alone (about the past
8 hours or so) the firewall blocked about 6000+ port 25 connections, and
shows no sign of slowing down. In fact, the rate seems to be increasing
from the per minute scale and approaching the per second scale. 

[snip]
>     Ahhh, here's an interesting tidbit.  From shorewall's status.
> 
> Chain blacklst (2 references)
>  pkts bytes target     prot opt in     out     source              destination
>    40  2400 DROP       all  --  *      *       128.118.141.31       0.0.0.0/0
>    48  2880 DROP       all  --  *      *       128.118.141.35       0.0.0.0/0
>     0     0 DROP       all  --  *      *       128.83.126.136       0.0.0.0/0
>  1087 52176 DROP       all  --  *      *       129.79.1.71          0.0.0.0/0
>   686 32928 DROP       all  --  *      *       129.79.1.72          0.0.0.0/0
> 
>     This is interesting.  Some of these are hitting me a LOT and others have
> not hit at all.  I guess this means I can drop the ones with a 0 count, reset
> the counts and let it go.  This would, in theory, weed out the cleaned up
> hosts while leaving in the infected, no?
[snip]

I noticed this also. However, I found that some of the subnets I blocked
"rested" for several hours, and then started bombarding me again. So I'm
leaving the rules in for at least a couple o' days before cleaning out
those with 0 count.


T

-- 
To err is human; to forgive is not our policy. -- Samuel Adler
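An added example, not from this thread or either poster's setup, that turns the two bits of plumbing discussed above into shell functions: pulling the bracketed client IPs out of exiscan/clamav rejection lines like the one quoted, appending them to a shorewall-style blacklist file without duplicating entries already there, and listing the zero-count sources from an `iptables -nvL` chain listing like the one shown. The log lines and chain listing are constructed sample data; the shorewall blacklist path and restart command are deliberately not assumed.

```shell
#!/bin/sh
# Constructed sample exim mainlog lines in the same shape as the rejection quoted in the thread
# (not a real log; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG='2003-09-22 07:38:05 1A1RpB-0007Xd-Of H=(smtp21.singnet.com.sg) [165.21.101.201] F=<josen@mbox3.singnet.com.sg> rejected after DATA: This message contains a virus or other malware (Worm.Gibe.F).
2003-09-22 07:39:11 1A1RqA-0007Xe-Aa H=(mail.example.net) [192.0.2.10] F=<a@example.net> rejected after DATA: This message contains a virus or other malware (Worm.Gibe.F).
2003-09-22 07:40:02 1A1RrB-0007Xf-Bb H=(smtp21.singnet.com.sg) [165.21.101.201] F=<b@example.org> rejected after DATA: This message contains a virus or other malware (Worm.Gibe.F).
2003-09-22 07:41:30 1A1RsC-0007Xg-Cc H=(good.example.com) [198.51.100.7] F=<c@example.com> Completed'

# Constructed `iptables -nvL blacklst` listing in the shape quoted above (use -x on a real box,
# otherwise large counters are abbreviated like 52K and the numeric comparison below breaks).
SAMPLE_CHAIN='Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source              destination
   40  2400 DROP       all  --  *      *       128.118.141.31       0.0.0.0/0
    0     0 DROP       all  --  *      *       128.83.126.136       0.0.0.0/0
 1087 52176 DROP       all  --  *      *       129.79.1.71          0.0.0.0/0'

# stdin: exim mainlog. stdout: deduplicated client IPs of messages rejected as malware.
# Only rejection lines are considered, so a clean "Completed" delivery is never blacklisted,
# and the sed pattern insists on a dotted quad inside the brackets (the H=(...) hostname is
# ignored because it is whatever the client claimed in HELO).
virus_sender_ips() {
    grep 'rejected after DATA: This message contains a virus' \
    | sed -n 's/.*\[\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\].*/\1/p' \
    | sort -u
}

# $1: current blacklist file contents, $2: newline-separated candidate IPs.
# stdout: only the candidates not already listed, so repeated runs do not pad the file.
new_blacklist_entries() {
    printf '%s\n' "$2" | awk -v existing="$1" '
        BEGIN { n = split(existing, e, "\n"); for (i = 1; i <= n; i++) seen[e[i]] = 1 }
        $1 != "" && !seen[$1] { print $1 }'
}

# stdin: `iptables -nvL <chain>` output. stdout: sources of DROP rules that have never matched.
# Columns are pkts bytes target prot opt in out source destination; the header row is skipped
# because "pkts" compares as a string against 0 and fails.
zero_hit_sources() {
    awk '$3 == "DROP" && $1 == 0 { print $8 }'
}

# Walk-through on the sample data: new entries to append, then rules with no hits so far.
ips=$(printf '%s\n' "$SAMPLE_LOG" | virus_sender_ips)
new_blacklist_entries '192.0.2.10' "$ips"            # prints 165.21.101.201
printf '%s\n' "$SAMPLE_CHAIN" | zero_hit_sources      # prints 128.83.126.136
```

As the thread notes, a zero count right now does not prove a host was cleaned; treat that list as candidates to re-check after a couple of days, not as rules to delete immediately.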


