[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Virus emails

On Mon, Sep 22, 2003 at 08:46:15PM -0700, Steve Lamb wrote:
> On Mon, 22 Sep 2003 22:44:50 -0400
> "H. S. Teoh" <hsteoh@quickfur.ath.cx> wrote:
> > Another major source is rr.com, which not only gives me tons of Swen, but
> > also other spam in general. I've blacklisted rr.com in /etc/hosts.deny,
> > but obviously I'm missing something obvious, 'cos rr.com spam still gets
> > through unless I block them on the firewall.
> rr.com pisses me off.  They RBL other ISP provider's customer blocks so
> we can't complain about their mess.  Pathetic. 

Apparently rr.com has a reputation for being a spamhaus since years ago,
in spite of their advertisements to the contrary.

> > What are the exim rules you used to catch these things?
>     exiscan-acl calling clamav and dropping it with a 550.  A full log line
> would be:
> 2003-09-22 07:38:05 1A1RpB-0007Xd-Of H=(smtp21.singnet.com.sg)
> [] F=<josen@mbox3.singnet.com.sg> rejected after DATA: This
> message contains a viru s or other malware (Worm.Gibe.F).

I see. Thanks for the info, I'll look it up.

> > For me, I just created a special iptables chain in the NAT table and wrote
> > a script to put DROP rules into it. Then I have a rule in PREROUTING that
> > diverts all port 25 traffic to that chain (so that other stuff doesn't
> > incur too much overhead---the chain is quite long and growing rapidly). 
>     True.  I'm just doing a blanket blacklist since I figure if they're
> infected with this, what else will they hit?

So far, I haven't got anything except port 25 connections from infected
hosts. But then again, I have very few open ports on my machine, so who

> > If you want to automate this more, you could write a spamassassin rule
> > that matches Swen mails, then use procmail to filter it (match against the
> > rule name in X-Spam-Status) through a script that grabs the IP address and
> > enters it into the firewall.
>     Except it never hits SA nor do I even have procmail installed.  Can't
> stand the ugly beast.

It never hits SA? Almost all Swen mails I got were caught by my bogofilter
+ SA setup. (It only missed like 2-3 out of at least 5000 per day.)

> > But according to my observations from today, it's not a big deal if the
> > first few messages get through---all my firewall rules were hand-added
> > (only partially automated with some scripts), and they still catch a lot
> > of subsequent crap. From the looks of it, infected machines are liable to
> > repeatedly resend messages to the same target. The fact that you *did*
> > blackhole the IP or subnet probably saves you from a lot of subsequent
> > crap.
>     True.  Right now I'm just adding IPs by awking out the IPs, cleaning off
> the brackets and tacking it onto the end of shorewall's blacklist.

I've resorted to blocking wide subnets. alone has had 3858
hits since yesterday, and still counting. Last night alone (about the past
8 hours or so) the firewall blocked about 6000+ port 25 connections, and
shows no sign of slowing down. In fact, the rate seems to be increasing
from the per minute scale and approaching the per second scale. 

>     Ahhh, here's an interesting tidbit.  From shorewall's status.
> Chain blacklst (2 references)
>  pkts bytes target     prot opt in     out     source              destination
>    40  2400 DROP       all  --  *      *
>    48  2880 DROP       all  --  *      *
>     0     0 DROP       all  --  *      *
>  1087 52176 DROP       all  --  *      *
>   686 32928 DROP       all  --  *      *
>     This in interesting.  Some of these are hitting me a LOT and others have
> not hit at all.  I guess this means I can drop the ones with a 0 count, reset
> the counts and let it go.  This would, in theory, weed out the cleaned up
> hosts while leaving in the infected, no?

I noticed this also. However, I found that some of the subnets I blocked
"rested" for several hours, and then started bombarding me again. So I'm
leaving the rules in for at least a couple o' days before cleaning out
those with 0 count.


To err is human; to forgive is not our policy. -- Samuel Adler

Reply to: