Notes on new IPBlock code, 4.25-11

Michael Baird mike at TC3NET.COM
Mon Dec 1 20:19:33 GMT 2003


I run a cron script, based on software from 1997 that I found called
"SpamShield". I run this every 3 minutes; it counts the number of
recipients in that span, and if they are over the threshold I've set it
adds the deny. I realized this would be a problem to do in MailScanner,
because the mail is received before MailScanner calculates its
statistics. I would expect the MailScanner blocks to be more effective
as long-term throttles, rather than instant spam-flood stops. The
MailStats.pl guy has something similar to the script I use to stop these
spam storms; his might be more ready for other users than mine.

Regards
MIKE

> Gang,
>
>    Julian introduced a newer, faster, cooler version of IPBlock
> (see CustomConfig.pm) in version 4.25-11.  The new version allows
> you to dynamically block connections from rogue/spam machines in
> your sendmail access.db file in real time.  IPBlock counts mail
> messages (good, bad, spam) from IP numbers, tracks these connection
> numbers in a DB file, and modifies your sendmail access.db file
> if the number of connections exceeds thresholds that you configure.
>
> The major new feature in IPBlock is that the config file understands CIDR
> netblocks, so you can set different thresholds for different netblocks.
> You can literally "rule the world" with about 30 lines in your config
> file, see:
>
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html
>
> for the details of how I set up things at my site.  I have been running
> with this ruleset for about a week now, plus additional rulesets for
> my own domain -- admin offices get one setting and dorm rooms get a
> lower setting.  I had asked Julian a couple of weeks ago if IPBlock could
> use Net::CIDR because my site has been getting hit with student computers
> that contain spam trojans.  Julian graciously modified IPBlock to use
> CIDR and I tested it last week.  When a spam trojan fires off, it can bury
> my mail server very quickly.  IPBlock gives me a tool to fight this.
>
> The Good News and Bad News...  Good News:  The new IPBlock works as
> advertised.  It will modify access.db and block a rogue site according
> to the config file, and the CIDR configs work.  The Bad News: not that
> much happens, even with very low settings for my dorm networks, and my
> "world domination" CIDR settings for the planet.  In one week, only three
> off-campus sites ended up in the access.db file, with zero emails actually
> blocked after the access.db changes.
>
> Last night was the acid test with an on-campus spam trojan.  The rogue
> machine came alive at 00:01:32 last night.  With a config limit of 100
> messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent
> connections blocked out.  But, the rogue machine had flooded my mqueue.in
> with several thousand messages in those 13 minutes, and it took nearly
> two hours for this flood to be processed by my server.  A lot of these
> messages were subsequently deleted as high-spam by Spamassassin and MS,
> or doublebounced, or were blocked by AOL (the target site).  Some got
> delivered.  The tsunami of spam was already on my mail server by the
> time MS shut the door, since IPBlock is run last in the MS process.
>
> Summary: IPBlock is useful against spam trojans, but not as useful as
> I had hoped. YMMV.
>
> Sendmail Note: sendmail 8.13.0 is on the horizon, see
>
> http://www.sendmail.org/8.13.0.PreAlpha4.html
>
> One new feature buried there is connection rate control, see the ChangeLog.
> This may aid in blocking rogue machines too.
>
> --- Jeff Earickson
>     Colby College
>
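The counting logic described in this thread (a short-interval count of recipients per sending IP, compared against per-netblock thresholds with the most specific CIDR winning, then a REJECT entry for the sendmail access map), as an added example in Python. It is neither MailScanner's IPBlock nor the SpamShield-based cron script; the log line format is the standard sendmail "from=" line with nrcpts= and relay=, and the thresholds, host names, addresses and log lines are all constructed for the demonstration.

```python
"""Sliding-window recipient counter feeding a sendmail access map (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical ruleset: (netblock, max recipients per window). The most specific
# matching netblock decides, so the dorm /24 gets a lower limit than the campus /16
# and the catch-all 0.0.0.0/0 covers "the world".
THRESHOLDS = [
    ("0.0.0.0/0", 500),
    ("10.20.0.0/16", 200),
    ("10.20.30.0/24", 100),
]
WINDOW = timedelta(minutes=3)   # same span as the 3-minute cron interval in the post
NOW = datetime(2003, 12, 1, 0, 4, 0)  # fixed "current time" for the constructed log

# sendmail "from=" line: we need the syslog timestamp, nrcpts= and the relay address.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"from=.*?nrcpts=(?P<n>\d+).*?relay=\S*\s*\[(?P<ip>\d+(?:\.\d+){3})\]"
)


def parse_line(line, year=2003):
    """Return (timestamp, relay_ip, nrcpts) or None for lines that are not counted."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], int(m["n"])


def threshold_for(ip, rules=THRESHOLDS):
    """Longest-prefix match of ip against the ruleset; None if no rule covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, limit in rules:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, limit)
    return None if best is None else best[1]


def count_recipients(lines, now=NOW, window=WINDOW, year=2003):
    """Sum nrcpts per relay IP over lines with now-window <= timestamp <= now."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip, n = parsed
        if now - window <= ts <= now:
            counts[ip] += n
    return dict(counts)


def offenders(counts, rules=THRESHOLDS):
    """IPs whose recipient count is over the limit for their netblock."""
    bad = {}
    for ip, n in counts.items():
        limit = threshold_for(ip, rules)
        if limit is not None and n > limit:
            bad[ip] = (n, limit)
    return bad


def access_entries(bad):
    """Source lines for the sendmail access map (rebuild it with makemap afterwards)."""
    return [f"Connect:{ip}\tREJECT" for ip in sorted(bad)]


def sample_log():
    """Constructed log: a dorm host bursting, an office host, an outside host."""
    lines = []

    def entry(hhmmss, ip, nrcpts, host):
        lines.append(f"Dec  1 {hhmmss} mail sendmail[4242]: hB10xyz012345: "
                     f"from=<x@example.com>, size=512, class=0, nrcpts={nrcpts}, "
                     f"msgid=<m@example.com>, proto=ESMTP, daemon=MTA, "
                     f"relay={host} [{ip}]")

    for i in range(30):  # 30 messages x 5 rcpts = 150, over the dorm limit of 100
        entry(f"00:0{1 + i // 10}:{i % 10:02d}", "10.20.30.40", 5, "dorm40")
    entry("00:00:30", "10.20.30.40", 50, "dorm40")   # before the window, not counted
    for s in ("00:02:10", "00:02:40", "00:03:20"):    # 3 x 10 = 30, under 200
        entry(s, "10.20.5.7", 10, "admin7")
    for s in ("00:01:30", "00:03:50"):                # 2 x 50 = 100, under 500
        entry(s, "192.0.2.9", 50, "mx.example.net")
    lines.append("Dec  1 00:03:51 mail sendmail[4243]: hB10xyz012345: to=<y@example.com>, "
                 "stat=Sent")  # a "to=" line is ignored by the parser
    return lines


def run(lines=None, now=NOW):
    """One cron pass: count, compare, and produce the access entries to add."""
    counts = count_recipients(lines if lines is not None else sample_log(), now)
    bad = offenders(counts)
    return counts, bad, access_entries(bad)


if __name__ == "__main__":
    counts, bad, entries = run()
    for ip, (n, limit) in bad.items():
        print(f"{ip}: {n} recipients in {WINDOW}, limit {limit}")
    print("\n".join(entries))
```

The example shares the limitation both posters describe: it only sees log lines for messages sendmail has already accepted, so everything the rogue host delivered during the first window is already in mqueue.in by the time the REJECT entry is written, and the block only stops later connections. An in-MTA connection rate limit, such as the one Jeff mentions for sendmail 8.13, is the place to refuse the flood before it is queued.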