Notes on new IPBlock code, 4.25-11

Jeff A. Earickson jaearick at COLBY.EDU
Mon Dec 1 19:47:14 GMT 2003


Gang,

   Julian introduced a newer, faster, cooler version of IPBlock
(see CustomConfig.pm) in version 4.25-11.  The new version allows
you to dynamically block connections from rogue/spam machines in
your sendmail access.db file in real time.  IPBlock counts mail
messages (good, bad, spam) from IP numbers, tracks these connection
numbers in a DB file, and modifies your sendmail access.db file
if the number of connections exceeds thresholds that you configure.

The major new feature in IPBlock is that the config file understands CIDR
netblocks, so you can set different thresholds for different netblocks.
You can literally "rule the world" with about 30 lines in your config
file, see:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html

for the details of how I set up things at my site.  I have been running
with this ruleset for about a week now, plus additional rulesets for
my own domain -- admin offices get one setting and dorm rooms get a
lower setting.  I had asked Julian a couple of weeks ago if IPBlock could
use Net::CIDR because my site has been getting hit with student computers
that contain spam trojans.  Julian graciously modified IPBlock to use
CIDR and I tested it last week.  When a spam trojan fires off, it can bury
my mail server very quickly.  IPBlock gives me a tool to fight this.

The Good News and Bad News...  Good News:  The new IPBlock works as
advertised.  It will modify access.db and block a rogue site according
to the config file, and the CIDR configs work.  The Bad News: not that
much happens, even with very low settings for my dorm networks, and my
"world domination" CIDR settings for the planet.  In one week, only three
off-campus sites ended up in the access.db file, with zero emails actually
blocked after the access.db changes.

Last night was the acid test with an on-campus spam trojan.  The rogue
machine came alive at 00:01:32 last night.  With a config limit of 100
messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent
connections blocked out.  But, the rogue machine had flooded my mqueue.in
with several thousand messages in those 13 minutes, and it took nearly
two hours for this flood to be processed by my server.  A lot of these
messages were subsequently deleted as high-spam by Spamassassin and MS,
or doublebounced, or were blocked by AOL (the target site).  Some got
delivered.  The tsunami of spam was already on my mail server by the
time MS shut the door, since IPBlock is run last in the MS process.

Summary: IPBlock is useful against spam trojans, but not as useful as
I had hoped. YMMV.

Sendmail Note: sendmail 8.13.0 is on the horizon, see

http://www.sendmail.org/8.13.0.PreAlpha4.html

One new feature buried there is connection rate control, see the ChangeLog.
This may aid in blocking rogue machines too.

--- Jeff Earickson
    Colby College
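An added illustration of the mechanism the post describes (a per-source-IP message counter, thresholds chosen by the most specific CIDR netblock, and an access.db REJECT entry once a limit is exceeded). This is not IPBlock's or MailScanner's code; the netblocks, limits and the message burst are constructed, and the simulation shows the point made above: everything a rogue host sends before the threshold trips has already been accepted.

```python
# Added illustration of the mechanism described above (not IPBlock's own code):
# count messages per source IP in a sliding window, pick the limit from the most
# specific CIDR block, emit a sendmail access.db REJECT once a source exceeds it.
import ipaddress
from collections import defaultdict, deque

CONFIG = {  # constructed config; the most specific matching netblock wins
    "0.0.0.0/0": 200,      # catch-all for the rest of the planet
    "10.0.0.0/16": 300,    # campus admin offices (constructed)
    "10.0.50.0/24": 100,   # dorm network, lower limit (constructed)
}
WINDOW = 3600  # seconds; limits are messages per hour

def threshold_for(ip, config=CONFIG):
    """Limit for the longest-prefix netblock containing ip, or None if none match."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, limit in config.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, limit)
    return None if best is None else best[1]

class IPBlock:
    def __init__(self, config=CONFIG, window=WINDOW):
        self.config, self.window = config, window
        self.seen = defaultdict(deque)  # ip -> timestamps still inside the window
        self.blocked = {}               # ip -> time at which it was blocked
    def record(self, ip, ts):
        """Count one message at time ts; True if accepted, False if rejected."""
        if ip in self.blocked:
            return False
        q = self.seen[ip]
        q.append(ts)
        while q[0] <= ts - self.window:  # expire timestamps older than the window
            q.popleft()
        limit = threshold_for(ip, self.config)
        if limit is not None and len(q) > limit:
            self.blocked[ip] = ts
            return False
        return True
    def access_db_lines(self):
        """sendmail access.db entries (Connect:<ip>, tab, REJECT) for blocked sources."""
        return [f"Connect:{ip}\tREJECT" for ip in sorted(self.blocked)]

def simulate_burst(block, ip, start, count, interval):
    """Feed count messages interval seconds apart; return (accepted, rejected, block_time)."""
    accepted = sum(block.record(ip, start + i * interval) for i in range(count))
    return accepted, count - accepted, block.blocked.get(ip)
```

With the dorm limit of 100 per hour, a constructed host sending one message every five seconds gets its first 100 messages accepted and is only rejected from message 101 onward, which is the flood-before-the-door-shuts effect described above.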


