Re: grokking exim4 and slowing spammers with iptables -m recent
...
> > So my question is... Can you tell me or point me toward where I
> > would put my "echo to the penalty box" in the Exim4 configs?
> >
> > Best Regards,
> >
> > Tony
>
> Just a guess: Use fail2ban, point it to exim4/mainlog, set
> /etc/fail2ban.conf to trigger 'Unrouteable' to ban the offending IP
> (uses iptables).
Thanks for the idea. Actually, though, I'd like to do it
immediately, not when it hits the logfile, since the delay
is enough to let a few messages through before the penalty kicks
in. But it would certainly save me from restarting my
little scripty bit when logrotate kicks in. These are two
I'm experimenting with now; any comments welcome.
Penalty box (short timeout) for bad dest addresses:

  # reject for 40 seconds each time we get a smtp_penalty_box hit
  # (matches all inbound traffic from a listed IP, not only port 25)
  iptables -A INPUT \
    -m recent --name smtp_penalty_box --rcheck --seconds 40 \
    -j REJECT

  # put ip addrs into smtp_penalty_box list when we get a bad addr
  tail -f /var/log/exim4/mainlog \
  | perl -e '
      use strict;
      use POSIX qw(strftime);
      $| = 1;   # unbuffered STDOUT so the penalty messages appear immediately
      while (<>)
      {
        if (m{\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\].*Unrouteable address})
        {
          my $ip = $1;
          # writing an address to the ipt_recent proc file adds it to the list
          open(OUTPUT, ">/proc/net/ipt_recent/smtp_penalty_box")
            or do { warn "cannot open smtp_penalty_box: $!"; next; };
          print OUTPUT "$ip\n";
          close(OUTPUT);
          my $disptime = strftime("%m-%d %H:%M:%S", localtime(time));
          print "$disptime: penalty $ip\n";
        }
      }'
Blacklist any IP that is coming in in parallel under multiple identities...

  # block any IP on this list till it has been quiet for --seconds (600 s);
  # --update refreshes the timestamp on every packet, so the timer only
  # expires once the IP stops sending
  iptables -A INPUT \
    -m recent --name smtp_multiple_idents --update --seconds 600 \
    -j DROP

  # detect IPs that are claiming to be multiple domains and
  # put them in the smtp_multiple_idents list
  while true
  do
    exiwhat | tee ~/exiwhat.out && \
    for ip in $( \
      perl -e '
        use strict;
        # exiwhat lines look like "... from host (helo-name) [1.2.3.4]":
        # print "ip helo-name" for each connection
        while (<>)
        {
          if (m{\(([^()]+)\) \[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]})
          {
            print "$2 $1\n";
          }
        }' < ~/exiwhat.out \
      | sort | uniq | cut -d' ' -f1 | uniq -c \
      | perl -ne 'if (m{^[ \t]+([0-9]+)[ \t]+([^ \t].*)} && $1 > 1) { print "$2\n" }'
    )
    do
      echo "$ip" > /proc/net/ipt_recent/smtp_multiple_idents
      echo "multiple identities- $ip"
    done
    date
    sleep 15
  done
Best regards,
Tony
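As an added example (not code from Tony's post), a Python version of the two detectors above with a sliding-window threshold, so a single Unrouteable hit from a legitimate sender does not land an IP in the penalty box; the mainlog and exiwhat lines are constructed samples, and the proc path is the one used in the post.

```python
import re
import time
from collections import defaultdict, deque

# Exim mainlog / exiwhat fragments (constructed samples; real field order varies)
UNROUTEABLE_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*Unrouteable address")
EXIWHAT_RE = re.compile(r"\(([^()]+)\) \[(\d{1,3}(?:\.\d{1,3}){3})\]")

SAMPLE_MAINLOG = [
    "2009-03-01 10:00:01 H=(mail.example.net) [192.0.2.10] F=<a@example.com> "
    "rejected RCPT <nobody@example.org>: Unrouteable address",
    "2009-03-01 10:00:02 1LnXyz-0001Ab-Cd <= b@example.com H=mx.example.org [198.51.100.5]",
]
SAMPLE_EXIWHAT = """\
 1201 handling incoming connection from host-a.example (helo-a.example) [192.0.2.10]
 1202 handling incoming connection from host-a.example (helo-b.example) [192.0.2.10]
 1203 handling incoming connection from mx.example.org (mx.example.org) [198.51.100.5]
"""


class UnrouteableTracker:
    """Sliding-window counter: an IP is reported only after `threshold`
    Unrouteable hits within `window` seconds, not on the first typo'd recipient."""

    def __init__(self, threshold=3, window=60):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)

    def feed(self, line, now=None):
        """Return the IP to penalise, or None if this line changes nothing."""
        m = UNROUTEABLE_RE.search(line)
        if not m:
            return None
        now = time.time() if now is None else now
        q = self.hits[m.group(1)]
        q.append(now)
        while now - q[0] > self.window:   # drop hits that aged out of the window
            q.popleft()
        return m.group(1) if len(q) >= self.threshold else None


def multiple_identities(exiwhat_output, min_idents=2):
    """IPs currently connected under at least `min_idents` distinct HELO names."""
    names = defaultdict(set)
    for m in EXIWHAT_RE.finditer(exiwhat_output):
        names[m.group(2)].add(m.group(1))
    return sorted(ip for ip, s in names.items() if len(s) >= min_idents)


def penalise(ip, list_path="/proc/net/ipt_recent/smtp_penalty_box"):
    """Add ip to an iptables 'recent' list via the legacy ipt_recent proc file
    used in the post (xt_recent instead takes '+ip' under /proc/net/xt_recent/)."""
    with open(list_path, "w") as f:
        f.write(ip + "\n")
```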