[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)

If I remember right (and someone correct me if I'm wrong) a mail server doesn't have to have an MX record. If no MX record exists then the sending server drops back to normal host records and this is perfectly legitimate. So the MX record checking may not work so well

Pulu 'Anau wrote:

To kind of get back to the ISP world a little bit, has anyone used this in the
way that's being recommended?  (Using the OS Fingerprint Netfilter patch to
block Windows machines sending to port 25).

We're currently getting slammed by Windows viruses and have thought about doing
exactly that, but it seemed to us that there are enough people using Exchange or
Sendmail.com's windows sendmail (let alone ftgate, etc, etc.) that doing this
would block legitimate mail almost instantly.

We've just been blocking hosts manually after the first virus.  I'm thinking
about writing a little script to:

1.  Get the offending IP address from amavis's logfile
2.  Check against a whitelist (like our own backup mx's)
3.  Do something like tcpping to the IP to see if it is a valid mx host
4.  If it doesn't pass checks 2 or 3, block the IP in netfilter for 72 hours

Other than the 72 hour checks it's pretty straightforward and seems (at least to
me) very unlikely to stop legitimate mail, while cutting those guys who send
40-50 viruses a day down to 1 every three.
Does anyone see any problems with the above?  The major issue is bandwidth, some
of our customers host their mail servers on 32K links with 200+ users.

Sorry, it's not really about the spam issue discussed before, but it's strange
the synchronicity (os fingerprinting anyway) between my work and this list


Afe.to ANTS
POB 1478
Nuku'alofa, Tonga
Ph: Country code 676 - 27946 or 878-1332

Quoting Russell Coker <russell@coker.com.au>:

On Fri, 9 Apr 2004 21:32, Arnt Karlsen <arnt@c2i.net> wrote:
On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message

See the section on "osf" in the above URL for a better solution.
Simply block Windows machines from accessing your port 25.
..if only all isp's did it...
Not all ISPs need to do it. Only your ISP and the ISPs that host mailing lists that you subscribe to.

If you are interested in this then the best thing you can do is to build yourself a kernel with osf and try it out. If it works well create a Debian

kernel-patch package for it so that other Debian users can conveniently use

it.  The more accessible you make this to Debian people the closer it comes

to being installed on Debian list servers...

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact

This mail sent from Tonga's Premiere Internet Cafe
Visit us online at http://www.cafe.afe.to discussions @ http://www.nomoa.com/index.php
generic info @  http://www.tongatapu.net.to

Reply to: