Notes on new IPBlock code, 4.25-11

Kevin Anderson andersjk at SOL-INVICTUS.ORG
Tue Dec 2 09:07:41 GMT 2003


I actually wrote a script that parses the mail log looking for telltale
signs of a dictionary attack (yes, I like reinventing the wheel, mainly
for my own lack of programming talent that needs refreshing :). It looks
for grep "\.\.\. User unknown", then grep "lost input channel", which then
gets the sendmail tag hxxxxxxxxxx; from that I get an IP address, which I
then chuck into the access database. At the moment there are 50k IPs in
there... would anyone like this db? I also log the IP addresses; culprits
like comcast, rr.com, wanadoo.fr and a lot more show up.  The program runs
every hour from cron.

thanks,
kevin anderson



On Mon, 1 Dec 2003, Jeff A. Earickson wrote:

> Gang,
>
>    Julian introduced a newer, faster, cooler version of IPBlock
> (see CustomConfig.pm) in version 4.25-11.  The new version allows
> you to dynamically block connections from rogue/spam machines in
> your sendmail access.db file in real time.  IPBlock counts mail
> messages (good, bad, spam) from IP numbers, tracks these connection
> numbers in a DB file, and modifies your sendmail access.db file
> if the number of connections exceeds thresholds that you configure.
>
> The major new feature in IPBlock is that the config file understands CIDR
> netblocks, so you can set different thresholds for different netblocks.
> You can literally "rule the world" with about 30 lines in your config
> file, see:
>
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html
>
> for the details of how I set up things at my site.  I have been running
> with this ruleset for about a week now, plus additional rulesets for
> my own domain -- admin offices get one setting and dorm rooms get a
> lower setting.  I had asked Julian a couple of weeks ago if IPBlock could
> use Net::CIDR because my site has been getting hit with student computers
> that contain spam trojans.  Julian graciously modified IPBlock to use
> CIDR and I tested it last week.  When a spam trojan fires off, it can bury
> my mail server very quickly.  IPBlock gives me a tool to fight this.
>
> The Good News and Bad News...  Good News:  The new IPBlock works as
> advertised.  It will modify access.db and block a rogue site according
> to the config file, and the CIDR configs work.  The Bad News: not that
> much happens, even with very low settings for my dorm networks, and my
> "world domination" CIDR settings for the planet.  In one week, only three
> off-campus sites ended up in the access.db file, with zero emails actually
> blocked after the access.db changes.
>
> Last night was the acid test with an on-campus spam trojan.  The rogue
> machine came alive at 00:01:32 last night.  With a config limit of 100
> messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent
> connections blocked out.  But, the rogue machine had flooded my mqueue.in
> with several thousand messages in those 13 minutes, and it took nearly
> two hours for this flood to be processed by my server.  A lot of these
> messages were subsequently deleted as high-spam by Spamassassin and MS,
> or doublebounced, or were blocked by AOL (the target site).  Some got
> delivered.  The tsunami of spam was already on my mail server by the
> time MS shut the door, since IPBlock is run last in the MS process.
>
> Summary: IPBlock is useful against spam trojans, but not as useful as
> I had hoped. YMMV.
>
> Sendmail Note: sendmail 8.13.0 is on the horizon, see
>
> http://www.sendmail.org/8.13.0.PreAlpha4.html
>
> One new feature buried there is connection rate control, see the ChangeLog.
> This may aid in blocking rogue machines too.
>
> --- Jeff Earickson
>     Colby College
>

--
@
_____________________________________________
chaos, panic and disorder... my job is done...
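As an added Python illustration (not Kevin's script and not IPBlock's own code) of the correlation Kevin describes, with Jeff's per-netblock thresholds bolted on: it joins "... User unknown" lines to "lost input channel" lines by sendmail queue ID, counts rejections per source IP, and emits access map entries for hosts over the limit of their most specific netblock. The log lines, IP addresses, netblocks and threshold values are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines shaped like sendmail syslog output (not from a real server).
SAMPLE_LOG = """\
Dec  1 00:01:32 mx sendmail[4711]: hB150VXa04711: <aaa@example.org>... User unknown
Dec  1 00:01:32 mx sendmail[4711]: hB150VXa04711: <bbb@example.org>... User unknown
Dec  1 00:01:33 mx sendmail[4711]: hB150VXa04711: lost input channel from [192.0.2.10] to MTA after rcpt
Dec  1 00:02:05 mx sendmail[4712]: hB152Xb04712: <ccc@example.org>... User unknown
Dec  1 00:02:06 mx sendmail[4712]: hB152Xb04712: lost input channel from [10.20.30.40] to MTA after rcpt
Dec  1 00:03:10 mx sendmail[4713]: hB153Yc04713: <ddd@example.org>... User unknown
Dec  1 00:03:11 mx sendmail[4713]: hB153Yc04713: lost input channel from [10.20.30.40] to MTA after rcpt
Dec  1 00:04:00 mx sendmail[4714]: hB154Zd04714: <eee@example.org>... User unknown
Dec  1 00:05:00 mx sendmail[4715]: hB155Ae04715: <fff@example.org>... User unknown
Dec  1 00:05:01 mx sendmail[4715]: hB155Ae04715: lost input channel from mail.example.com [198.51.100.7] to MTA after rcpt
"""

THRESHOLDS = {"0.0.0.0/0": 2, "10.20.0.0/16": 1}  # illustrative limits: planet-wide default, stricter dorm /16

QID_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
LOST_RE = re.compile(r"lost input channel from .*?\[(\d+(?:\.\d+){3})\]")

def parse_unknown_user_hits(log_text):
    """Map source IP -> number of '... User unknown' rejections, joined via the queue ID."""
    unknown_per_qid, ip_of_qid = Counter(), {}
    for m in filter(None, map(QID_RE.search, log_text.splitlines())):
        qid, rest = m.groups()
        if rest.endswith("... User unknown"):
            unknown_per_qid[qid] += 1
        lost = LOST_RE.search(rest)
        if lost:
            ip_of_qid[qid] = lost.group(1)
    hits = Counter()
    for qid, n in unknown_per_qid.items():
        if qid in ip_of_qid:  # a queue ID with no 'lost input channel' line yields no IP, so skip it
            hits[ip_of_qid[qid]] += n
    return hits

def threshold_for(ip, thresholds=THRESHOLDS):
    addr = ipaddress.ip_address(ip)
    # longest matching prefix wins, so a dorm /16 overrides the planet-wide /0 entry
    best = max((n for n in map(ipaddress.ip_network, thresholds) if addr in n), key=lambda n: n.prefixlen)
    return thresholds[str(best)]

def offenders(log_text, thresholds=THRESHOLDS):
    hits = parse_unknown_user_hits(log_text)
    return {ip: n for ip, n in hits.items() if n >= threshold_for(ip, thresholds)}

def access_db_lines(bad):
    # sendmail access map entries refusing the connection from each offender
    return [f"Connect:{ip}\tREJECT" for ip in sorted(bad)]
```

A real cron job would feed this a one-hour window of the log rather than the whole file, and would merge the entries into the existing access map before rebuilding access.db.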



More information about the MailScanner mailing list