
Re: Spammers hammering our mail servers



I was looking more for a real time solution, either by an exim system
filter, or by a log watcher program (i.e., the logtail package).

I'll clarify my questions a bit more.

Is the exim filter language capable of such a task? From what I have seen so
far, no, but my experience with that is limited. (i.e., am I wasting my time
trying to do it with a system filter?)

Or should I use a script being run every 5 minutes, in conjunction with a
program like logtail?

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: andrewt@cnl.com.au
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: "Nathan Ridge" <ridgey@mackay.matilda.net.au>
To: "Andrew Tait" <andrewt@cnl.com.au>
Sent: Monday, March 04, 2002 2:37 PM
Subject: Re: Spammers hammering our mail servers


> Luckily we have not been hit that hard yet, but I can't see it being
> that hard to write a script, even something simple that runs once per
> hour off cron that gets the IP addresses out of rejectlog.
>
> Now I'm no code junkie, but even something simple like:
>
> #!/bin/sh
> # pull the [ip] field out of each rejectlog line; NF > 1 skips lines with no '['
> awk -F'[' 'NF > 1 {print $2}' rejectlog | awk -F']' '{print $1}' >> /home/blah/rejectips.txt
>
> # look at each distinct IP once; -x -F so 1.2.3.4 does not also match 11.2.3.45
> sort -u /home/blah/rejectips.txt | while read IP
> do
>     NUM=`grep -c -x -F -- "$IP" /home/blah/rejectips.txt`
>     if [ "$NUM" -gt 3 ]
>     then
>         # ipchains syntax: block TCP from $IP to port 25 on any local address
>         ipchains -A input -p tcp -s "$IP" -d 0/0 25 -j REJECT
>     fi
> done
>
> this is not tested, just top of my head
>
> what do you think?
>
> Regards
> Nathan
>
>
>
>
>
> On Monday, March 4, 2002, at 01:06 PM, Andrew Tait wrote:
>
> > Hi All,
> >
> > I'm sure this affects just about everyone out there who runs a mail
> > server.
> >
> > Every so often we have spammers hammering our mail servers (running Exim)
> > attempting to relay messages. They fail of course, however they sit there,
> > sometimes for several weeks, attempting e-mail address after e-mail address.
> >
> > This of course wastes our bandwidth, server resources, and fills our
> > rejectlog with thousands of failed attempts.
> >
> > What I would like to do, is after three attempted message relays, the IP
> > address gets blocked via ipchains/iptables so it can no longer access
> > port 25.
> >
> > The two options I can see so far are either a program monitoring the
> > rejectlog file to detect abuse, or an exim filter.
> >
> > Has anyone attempted to or setup a system like this?
> >
> > I await your thoughts.
> >
> > Andrew Tait
> > System Administrator
> > Country NetLink Pty, Ltd
> > E-Mail: andrewt@cnl.com.au
> > WWW: http://www.cnl.com.au
> > 30 Bank St Cobram, VIC 3644, Australia
> > Ph: +61 (03) 58 711 000
> > Fax: +61 (03) 58 711 874
> >
> > "It's the smell! If there is such a thing." Agent Smith - The Matrix
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> >
>
>
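The log-watcher route Andrew asks about (count relay rejections per client IP, block at three attempts) as an added example; this is not code from anyone in the thread. It reads rejectlog lines from stdin, so it works both over the whole file and over the output of logtail from cron. The sample lines are constructed to resemble Exim rejectlog entries, and the threshold, the "relay not permitted" match and the use of ipchains (the tool Nathan's script assumed) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Counts "relay not permitted" rejections
# per client IP in Exim rejectlog output and prints a firewall rule for every
# IP that reaches the threshold. Threshold and log format are assumptions.

THRESHOLD=3

# Constructed sample rejectlog lines (not a real log). 198.51.100.7 makes
# three relay attempts, 203.0.113.9 two, and 192.0.2.5 is rejected for an
# unrelated reason and must not be blocked.
SAMPLE_LOG='2002-03-04 13:01:12 H=(mail.example) [198.51.100.7] F=<a@example.net> rejected RCPT <x@example.org>: relay not permitted
2002-03-04 13:01:14 H=(mail.example) [198.51.100.7] F=<b@example.net> rejected RCPT <y@example.org>: relay not permitted
2002-03-04 13:01:16 H=(mail.example) [198.51.100.7] F=<c@example.net> rejected RCPT <z@example.org>: relay not permitted
2002-03-04 13:02:01 H=(other.example) [203.0.113.9] F=<d@example.net> rejected RCPT <w@example.org>: relay not permitted
2002-03-04 13:02:05 H=(other.example) [203.0.113.9] F=<d@example.net> rejected RCPT <u@example.org>: relay not permitted
2002-03-04 13:03:40 H=(legit.example) [192.0.2.5] F=<e@example.net> rejected RCPT <v@example.org>: Sender verify failed'

# offenders [threshold]: read rejectlog lines on stdin, print "count ip" for
# every IP with at least <threshold> relay rejections (default $THRESHOLD).
# Only relay rejections are counted, so hosts failing other checks stay
# unblocked, and the IP is cut out of the [ ... ] field rather than grepped
# as a substring, so 198.51.100.7 is never confused with 198.51.100.70.
offenders() {
    awk -v limit="${1:-$THRESHOLD}" '
        /relay not permitted/ {
            if (match($0, /\[[0-9.]+]/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }'
}

# rules: turn offenders into the ipchains commands that block TCP/25 from
# each IP. Printed, not executed: review the output, then pipe it to sh.
rules() {
    offenders "$@" | while read count ip; do
        printf 'ipchains -A input -p tcp -s %s -d 0/0 25 -j REJECT\n' "$ip"
    done
}

# Run against the constructed sample: prints one rule, for 198.51.100.7.
printf '%s\n' "$SAMPLE_LOG" | rules
```

From cron, `logtail /var/log/exim/rejectlog | rules | sh` (path assumed) applies the rules to only the lines added since the last run, which is the 5-minute logtail setup Andrew describes; note that the count then restarts every interval, so a slow prober stays under the threshold unless the counts are persisted. Whatever feeds it, keep the printed-rules step in place before wiring it to `sh`: a customer whose own mail client is misconfigured will look exactly like a spammer in rejectlog, and an automatic block on port 25 is a silent outage for them.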


