Re: Blocking spam by IP number
On Mon, 11 Aug 1997, Bruce Perens wrote:
> I'm building a spam blocking package for Debian. While that is going on,
i notice that the latest sendmail package includes Claus Aßmann's
anti-spam stuff. I've been using them for several months now, and
they're quite good. not perfect, but they do work.
> then you already have "tcpd" filtering your mail connections. If that's
> not the case, read the man page on "tcpd". Once "tcpd" is set up, you can
> add the following text to the beginning of /etc/hosts.allow . This blocks
> connections from AGIS, a haven for spammers. I'd be interested in hearing
> about other IP addresses that should be blocked.
I have ip firewalling enabled in the kernel and just packet filter
them - it's easier to maintain a list of spam nets for distribution to
several machines (around 6 major gateways and moderately large mail
relays at the moment) than it is to distribute /etc/hosts.deny.
here are the addresses that I block. i'm seriously considering blocking all
AGIS-related networks.
208.9.64.0/24 # Cyber Promotions (Sprint)
207.14.212.0/24 # Financial Connections, Inc
208.1.117.0/24 # I can't remember (somewhere in Sprint)
205.199.212.0/24 # Cyber Promotions (AGIS)
205.199.2.0/24 # Cyber Promotions (AGIS)
208.12.112.0/23 # MakeItSo, Inc
205.199.4.0/24 # nancynet - added 970529
the sprint cyberpromo network is probably long obsolete - they got booted
from there ages ago.
> My final version will not simply deny the connections, but will output
> an SMTP error to them which will cause an immediate mail bounce at their
> end.
firewalling them holds the mail in their queue for a few days and then
bounces it - slowing down their mail delivery systems at the minor price
of having their system attempt a connection every so often.
firewalling is also much less work for my system to do than forking tcpd
and checking the hosts_access rules.
there are advantages and disadvantages to both ways of doing it.
> # The following net blocks are denied e-mail access because they belong to
> # sites that have not yet established an effective anti-spam policy.
>
> # AGIS provides net connectivity to most of the well-known spammers.
> tcp-env qmail-smtpd in.smtpd in-smtpd smtpd sendmail smail exim: \
I'd convert this to an /etc/mail/SpamNets file like so:
# /etc/mail/SpamNets
# can be network/netmask (eg 1.2.3.4/255.255.255.0) or
# network/bits (eg 1.2.3.4/24)
205.254.160.0/255.255.224.0 # optional comment - who, why, when, etc
206.82.252.0/255.255.255.0 #
207.142.0.0/255.255.0.0 #
207.15.68.0/255.255.252.0 #
208.18.18.0/255.255.255.0 #
208.18.4.0/255.255.252.0 #
209.14.0.0/255.255.0.0 #
204.68.252.0/255.255.255.0 #
204.137.128.0/255.255.128.0 #
205.164.0.0/255.255.0.0 #
206.62.0.0/255.255.0.0 #
205.198.0.0/255.254.0.0 #
206.42.0.0/255.254.0.0 #
206.148.0.0/255.254.0.0 #
206.185.0.0/255.255.0.0 #
206.248.0.0/255.252.0.0 #
206.84.0.0/255.254.0.0 #
204.157.0.0/255.255.0.0 #
208.9.64.0/24 # Cyber Promotions (Sprint)
207.14.212.0/24 # Financial Connections, Inc
208.1.117.0/24 # I can't remember (somewhere in Sprint)
205.199.212.0/24 # Cyber Promotions (AGIS)
205.199.2.0/24 # Cyber Promotions (AGIS)
208.12.112.0/23 # MakeItSo, Inc
205.199.4.0/24 # nancynet - added 970529
(thanks for these network addresses, btw. i'll check out who they belong
to and add them to my spamnets file)
This could be processed at boot time with a script like the following:
#! /bin/sh
ANYWHERE=0.0.0.0/0
PORTS=25
# uncomment the following if you want blocked spam packets logged
# (requires ip firewall logging enabled in the kernel)
#
#LOG="-o"
# read in /etc/mail/SpamNets for host/network addresses to firewall,
# ignoring comments.
JUNKMAIL=`sed -e '/^#/d' -e '/^$/d' -e 's/#.*$//' /etc/mail/SpamNets`
# block out junkmailing scumbags
for i in $JUNKMAIL ; do
/sbin/ipfwadm -I -a reject $LOG -P tcp -S $i -D $ANYWHERE $PORTS
done
I use this on several mail machines/gateways.
One of the systems using this is a freebsd system - the ipfw utility
is similar to but significantly different from the linux ipfwadm
utility... no problem, i just use a slightly different wrapper script.
it should also be easy enough to produce firewalling commands for
Ciscos and other routers. It would also be easy to put a web or gui
front-end onto the script for "easy" (hah! nothing's easier than vi :-)
maintenance of the list.
craig
--
craig sanders
networking consultant Available for casual or contract
temporary autonomous zone system administration tasks.
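As an added example, not part of craig's post or of any Debian package: a small Python reader for the /etc/mail/SpamNets format described above. It accepts both notations (network/netmask and network/bits), rejects a bad netmask or a network with host bits set instead of silently producing a rule that blocks the wrong range, reports entries already covered by a wider entry in the same list (the AGIS /15 above already covers the Cyber Promotions /24s, so those can be dropped), answers "is this address blocked", and renders each entry as the ipfwadm input rule the boot script builds. The sample file contents, the function names (parse_spamnets, is_blocked, redundant_entries, ipfwadm_rules) and the use of the standard ipaddress module are my own choices.

```python
"""Read an /etc/mail/SpamNets-style block list and check addresses against it.

Added example; not code from the mailing-list post.  Names and sample data
are constructed for illustration.
"""
import ipaddress

# Constructed sample in the format described in the post: one entry per line,
# network/netmask or network/bits, '#' starts a comment, blank lines ignored.
# Addresses are taken from the post's list.
SAMPLE_SPAMNETS = """\
# /etc/mail/SpamNets
# can be network/netmask (eg 1.2.3.4/255.255.255.0) or
# network/bits (eg 1.2.3.4/24)
205.198.0.0/255.254.0.0 #
205.199.212.0/24 # Cyber Promotions (AGIS)
205.199.2.0/24 # Cyber Promotions (AGIS)
208.12.112.0/23 # MakeItSo, Inc

208.9.64.0/24 # Cyber Promotions (Sprint)
"""


def parse_spamnets(text):
    """Return a list of (IPv4Network, comment) from SpamNets-format text.

    strict=True makes ipaddress refuse non-contiguous masks (255.0.255.0)
    and networks with host bits set (1.2.3.4/24), so a typo in the file
    raises ValueError naming the line rather than becoming a bad rule.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        body = body.strip()
        if not body:
            continue
        try:
            net = ipaddress.ip_network(body, strict=True)
        except ValueError as exc:
            raise ValueError(f"SpamNets line {lineno}: {exc}") from None
        nets.append((net, comment.strip()))
    return nets


def is_blocked(addr, nets):
    """Return the first entry containing addr (an IPv4Network), or None."""
    ip = ipaddress.ip_address(addr)
    for net, _comment in nets:
        if ip in net:
            return net
    return None


def redundant_entries(nets):
    """Return (entry, wider_entry) pairs where entry is already covered by
    another entry in the list; the narrower one adds nothing to the filter."""
    found = []
    for net, _ in nets:
        for other, _ in nets:
            if other != net and net.subnet_of(other):
                found.append((net, other))
                break
    return found


def ipfwadm_rules(nets, log=False):
    """Render each entry as the ipfwadm input rule the post's boot script
    issues: reject TCP from the net to port 25 anywhere, in network/bits form."""
    flag = " -o" if log else ""
    return [
        f"/sbin/ipfwadm -I -a reject{flag} -P tcp -S {net.with_prefixlen}"
        f" -D 0.0.0.0/0 25"
        for net, _ in nets
    ]


if __name__ == "__main__":
    entries = parse_spamnets(SAMPLE_SPAMNETS)
    for narrow, wide in redundant_entries(entries):
        print(f"{narrow} is already covered by {wide}")
    for rule in ipfwadm_rules(entries, log=True):
        print(rule)
    print("205.199.212.9 ->", is_blocked("205.199.212.9", entries))
```

Running the block as a script prints the two redundant /24s, the generated ipfwadm lines and the entry that matches a sample address; a sed-based loop like the one in the post does none of the validation, which is the point of reading the file in a real parser before turning it into firewall rules.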