Re: Virus emails
On Mon, Sep 22, 2003 at 08:46:15PM -0700, Steve Lamb wrote:
> On Mon, 22 Sep 2003 22:44:50 -0400
> "H. S. Teoh" <email@example.com> wrote:
> > Another major source is rr.com, which not only gives me tons of Swen, but
> > also other spam in general. I've blacklisted rr.com in /etc/hosts.deny,
> > but obviously I'm missing something obvious, 'cos rr.com spam still gets
> > through unless I block them on the firewall.
> rr.com pisses me off. They RBL other ISP provider's customer blocks so
> we can't complain about their mess. Pathetic.
Apparently rr.com has a reputation for being a spamhaus since years ago,
in spite of their advertisements to the contrary.
> > What are the exim rules you used to catch these things?
> exiscan-acl calling clamav and dropping it with a 550. A full log line
> would be:
> 2003-09-22 07:38:05 1A1RpB-0007Xd-Of H=(smtp21.singnet.com.sg)
> [184.108.40.206] F=<firstname.lastname@example.org> rejected after DATA: This
> message contains a virus or other malware (Worm.Gibe.F).
I see. Thanks for the info, I'll look it up.
> > For me, I just created a special iptables chain in the NAT table and wrote
> > a script to put DROP rules into it. Then I have a rule in PREROUTING that
> > diverts all port 25 traffic to that chain (so that other stuff doesn't
> > incur too much overhead---the chain is quite long and growing rapidly).
> True. I'm just doing a blanket blacklist since I figure if they're
> infected with this, what else will they hit?
So far, I haven't got anything except port 25 connections from infected
hosts. But then again, I have very few open ports on my machine, so who
> > If you want to automate this more, you could write a spamassassin rule
> > that matches Swen mails, then use procmail to filter it (match against the
> > rule name in X-Spam-Status) through a script that grabs the IP address and
> > enters it into the firewall.
> Except it never hits SA nor do I even have procmail installed. Can't
> stand the ugly beast.
It never hits SA? Almost all Swen mails I got were caught by my bogofilter
+ SA setup. (It only missed like 2-3 out of at least 5000 per day.)
> > But according to my observations from today, it's not a big deal if the
> > first few messages get through---all my firewall rules were hand-added
> > (only partially automated with some scripts), and they still catch a lot
> > of subsequent crap. From the looks of it, infected machines are liable to
> > repeatedly resend messages to the same target. The fact that you *did*
> > blackhole the IP or subnet probably saves you from a lot of subsequent
> > crap.
> True. Right now I'm just adding IPs by awking out the IPs, cleaning off
> the brackets and tacking it onto the end of shorewall's blacklist.
I've resorted to blocking wide subnets. 220.127.116.11/24 alone has had 3858
hits since yesterday, and still counting. Last night alone (about the past
8 hours or so) the firewall blocked about 6000+ port 25 connections, and
shows no sign of slowing down. In fact, the rate seems to be increasing
from the per minute scale and approaching the per second scale.
> Ahhh, here's an interesting tidbit. From shorewall's status.
> Chain blacklst (2 references)
>  pkts bytes target prot opt in  out source          destination
>    40  2400 DROP   all  --  *   *   18.104.22.168   0.0.0.0/0
>    48  2880 DROP   all  --  *   *   22.214.171.124  0.0.0.0/0
>     0     0 DROP   all  --  *   *   126.96.36.199   0.0.0.0/0
>  1087 52176 DROP   all  --  *   *   188.8.131.52    0.0.0.0/0
>   686 32928 DROP   all  --  *   *   184.108.40.206  0.0.0.0/0
> This is interesting. Some of these are hitting me a LOT and others have
> not hit at all. I guess this means I can drop the ones with a 0 count, reset
> the counts and let it go. This would, in theory, weed out the cleaned up
> hosts while leaving in the infected, no?
I noticed this also. However, I found that some of the subnets I blocked
"rested" for several hours, and then started bombarding me again. So I'm
leaving the rules in for at least a couple o' days before cleaning out
those with 0 count.
To err is human; to forgive is not our policy. -- Samuel Adler
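A sketch, added here and not written by either poster, of the counter-based aging Steve proposes combined with the waiting period H. S. Teoh suggests: entries are only dropped after their packet counters have stayed at zero across several consecutive samples. The chain name, the `iptables -nvx -L` output and the addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: age out blacklist rules whose counters stay at zero, but only
# after a streak of quiet samples, because blocked subnets "rest" and return.
# Addresses are constructed placeholders from documentation ranges.

# Constructed sample of `iptables -nvx -L blacklst` output (hypothetical chain).
SAMPLE='Chain blacklst (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      40       2400 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
      48       2880 DROP       all  --  *      *       192.0.2.11           0.0.0.0/0
       0          0 DROP       all  --  *      *       198.51.100.5         0.0.0.0/0
    1087      52176 DROP       all  --  *      *       203.0.113.0/24       0.0.0.0/0
       0          0 DROP       all  --  *      *       203.0.113.77         0.0.0.0/0'

# Print the source of every DROP rule whose packet counter is zero.
# Reads `iptables -nvx -L <chain>` style output on stdin; field 8 is source.
zero_hit_sources() {
    awk '$3 == "DROP" && $1 == 0 { print $8 }'
}

# Print "source pkts" for every DROP rule, one per line, to append to a
# per-day history (counters would be zeroed with `iptables -Z <chain>` after
# each sample so that each value is that day's hit count).
hit_counts() {
    awk '$3 == "DROP" { print $8, $1 }'
}

# Succeed only if the most recent $1 samples (oldest first in $2..) were all
# zero; a single non-zero sample restarts the quiet streak.
can_expire() {
    want=$1; shift
    streak=0
    for pkts in "$@"; do
        if [ "$pkts" -eq 0 ]; then streak=$((streak + 1)); else streak=0; fi
    done
    [ "$streak" -ge "$want" ]
}

# History lines on stdin: "source pkts_day1 pkts_day2 ..." (newest last).
# Print the sources that have been quiet for at least $1 consecutive samples.
expire_candidates() {
    while read -r src counts; do
        # shellcheck disable=SC2086
        can_expire "$1" $counts && echo "$src"
    done
}
```

`zero_hit_sources` reproduces Steve's "drop the ones with a 0 count" view of a single snapshot, while `expire_candidates` keeps an entry that went quiet and then resumed, which is the case H. S. Teoh describes.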