Stopping Directory Harvest Attacks

Brad Beckenhauer Brad at beckenhauer.com
Wed Mar 29 00:31:09 IST 2006


Yes, they are similar.
The IPBlock code allows you to specify the ip address/net blocks in
advance and blocks them at the MTA (and it works very well). 

The concept behind this script is to sample your mail logs via a cron
job for Directory Harvest Attacks (DHAs) in progress (the harvester
might not be in the IPBlock database) and then block them via iptables.
You could adapt the code to add an entry to the MTA.

On Tue, 2006-03-28 at 17:33 -0500, Jeff A. Earickson wrote:
> Doesn't Julian's IPBlock feature kind of do the same thing???
> 
> Jeff Earickson
> Colby College
> 
> On Mon, 27 Mar 2006, Brad Beckenhauer wrote:
> 
> > Date: Mon, 27 Mar 2006 22:08:49 -0600
> > From: Brad Beckenhauer <Brad at beckenhauer.com>
> > Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> > To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> > Subject: Stopping Directory Harvest Attacks
> > 
> > Hello all,
> >
> > First off my disclaimer...  I'm not a programmer and this script is one
> > of my first perl writing ventures. A guy's gotta start somewhere!  I was
> > getting hammered with DHAs (Directory Harvest Attacks) and decided to
> > write my own.  Given that stopping DHA attacks has come up a couple of
> > times on this forum, I hope that some of you will find this useful and
> > a starting place to develop this script further.
> >
> > Julian,  I thought it would be cool to use some of your phishing logic
> > to re-write the code to use a database instead.
> >
> > This perl script parses the mail.logs looking for multiple rejections
> > from the same IP Address. Presume this is a Directory Harvest Attack if
> > the number of occurrences of an IP Address is above the user defined
> > limit of $SCORE, then create an iptables DROP statement for that IP
> > Address.  Each time the script is run, it will remove the previous
> > iptables entries, rescan the mail.log and add new entries.  If an IP
> > offender no longer appears in the mail.log, then they are dropped off
> > the blocked "list".  This works great as a cron job every hour and if you
> > roll your mail logs daily the offending IP address is dropped off the
> > list.
> >
> > Again, it's far from perfect, feel free to adapt it if you like it, but
> > please share with the rest of us.
> >
> > #!/usr/bin/perl
> > #
> > # harvest.pl
> > #
> > # version 1.0
> > # Date: 10 September 2005
> > #
> > # Find possible email "directory harvest attacks" from mail.logs
> > #
> > # Copyright:
> > # This program is free software; you can redistribute it
> > # and modify it under the terms of the GNU General Public
> > # License as published by the Free Software Foundation.
> > #
> > # This program is distributed WITHOUT ANY WARRANTY; without even
> > # the implied warranty of MERCHANTABILITY or FITNESS FOR A
> > # PARTICULAR PURPOSE.
> > #
> > # Purpose:
> > # Parses the mail.logs looking for multiple rejections from the same
> > # IP Address. Presume this is a Directory Harvest Attack if the
> > # number of occurrences of an IP Address is above the
> > # user defined limit of $SCORE, then create an iptables DROP
> > # statement for that IP Address.  Each time the script is run, it will
> > # remove the previous iptables entries, rescan the mail.log and add
> > # new entries.  If an IP offender no longer appears in the mail.log,
> > # then they are dropped off the blocked "list".
> > #
> > # Rotating your email logs Daily helps keep the list cleaner.
> > #
> > # When executed, this perl script 'harvest.pl' will create two output
> > # files in /usr/local/sbin:
> > #
> > # dha.sh       Removes the entries added by the previous run, then
> > #              adds the iptables entries for the current offenders
> > # dha-undo.sh  Removes all entries created in the last run.
> > #
> > #
> > #  Idea and initial code by: Brad Beckenhauer
> > #
> > #  Credits: David Kirby.
> > #
> > #
> >
> > use strict;
> > use warnings;
> >
> > # This is the threshold for the number of times an
> > # IP Address with a 554 or 450 rejection can occur in the mail logs
> > # before being added to the block list.
> > # SCORE should be set high enough that deleted user accounts
> > # on your system do not "trigger" a false block.
> > my $SCORE = 10;
> >
> > # Turn on console output, Shows what IP Addresses will be blocked.
> > my $DEBUG = 1;
> >
> > # The two shell scripts generated by each run
> > my $ADD_SCRIPT  = '/usr/local/sbin/dha.sh';
> > my $UNDO_SCRIPT = '/usr/local/sbin/dha-undo.sh';
> >
> > my @found;    # rejection lines pulled from the log
> > my %iplist;   # client IP address => number of rejections
> >
> > # read input from the /var/log/mail.log file
> > foreach my $log (</var/log/mail.log>) {
> >   open(my $fh, '<', $log) or die "can't open $log: $!";
> >   while (<$fh>) {
> >      chomp;    # Remove newlines
> >      # create list of 55x errors
> >      if (/\]: 554 Service unavail/) { push @found, $_; }
> >      # create list of 450 errors
> >      if (/\]: 450 Client host rejected</) { push @found, $_; }
> >   }
> >   close($fh);
> > }
> >
> > # parse list of rejections, extracting each IP.  The client address is
> > # the dotted quad in square brackets just before the "554"/"450" reply
> > # code.  Only a well-formed IPv4 address is accepted, so no other text
> > # from the log line (a hostname, a HELO string, a later "[...]") can
> > # ever be written into the generated shell scripts, which run as root.
> > foreach my $entry (@found) {
> >   my ($ip) = $entry =~ /\[(\d{1,3}(?:\.\d{1,3}){3})\]: (?:554|450) /;
> >   next unless defined $ip;
> >   $iplist{$ip}++;   # count each IP found
> > }
> >
> > # sort list of IPs ascending by number of occurrences
> > my @iplist = sort { $iplist{$a} <=> $iplist{$b} } keys %iplist;
> >
> > # Print a report to console
> > if ( $DEBUG ) {
> >   printf "\n%-15s %-5s\n", "IP Address", "Count";
> >   printf "%-15s %-5s\n", "---------------", "-----";
> > }
> >
> > # dha.sh starts with a header followed by the previous run's undo
> > # commands (if there was a previous run), so that running it removes
> > # the old entries before adding the new ones.
> > open( my $new, '>', $ADD_SCRIPT ) or die "can't open $ADD_SCRIPT: $!";
> > print $new "#!/bin/sh\n";
> > if ( -f $UNDO_SCRIPT ) {
> >   open( my $old, '<', $UNDO_SCRIPT ) or die "can't open $UNDO_SCRIPT: $!";
> >   while ( <$old> ) {
> >      next if /^#!/;   # skip the header line of the old undo file
> >      print $new $_;
> >   }
> >   close($old);
> > } elsif ( $DEBUG ) {
> >   print "Undo file does not exist, creating\n";
> > }
> >
> > # create a new BLANK file w/header to "undo" the
> > # new entries added to the table
> > open( my $undo, '>', $UNDO_SCRIPT ) or die "can't open $UNDO_SCRIPT: $!";
> > print $undo "#!/bin/sh\n";
> >
> > # loop for each IP address found and add it to the tables.
> > foreach my $ip (@iplist) {
> >   next unless $iplist{$ip} >= $SCORE;
> >   print $new  "iptables -A INPUT -s $ip -p tcp -m tcp --dport 25 -j DROP\n";
> >   print $undo "iptables -D INPUT -s $ip -p tcp -m tcp --dport 25 -j DROP\n";
> >   if ( $DEBUG ) { printf "%15s\t%5d\n", $ip, $iplist{$ip}; }
> > }
> >
> > if ( $DEBUG ) {
> >   print "\nrun $ADD_SCRIPT to ADD these entries to the firewall\n";
> >   print "run $UNDO_SCRIPT to REMOVE all entries from the firewall\n\n";
> > }
> >
> > close($new);
> > close($undo);
> > chmod 0755, $UNDO_SCRIPT, $ADD_SCRIPT;
> >
> >
> >
> > -- 
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
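As an added illustration (not part of Brad's harvest.pl or of MailScanner), here is the same count-and-threshold logic in Python, run over constructed Postfix-style log lines. The sample data is invented (TEST-NET addresses, a made-up hostname "mx"); it includes a client whose HELO carries shell metacharacters and a fake "[1.2.3.4]", to show why the client address must be taken only from the bracketed dotted quad right before the reply code, and a second "next day" log that shows an address dropping off the list when it falls below SCORE. The apply/undo script layout mirrors the dha.sh / dha-undo.sh scheme of the script above.

```python
"""Directory-harvest-attack detector: count SMTP rejections per client IP,
block the ones at or above SCORE, and generate apply/undo iptables scripts."""
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed Postfix-style smtpd lines (invented test data, TEST-NET addresses).
# 192.0.2.10 collects three 554s, 198.51.100.7 two 450s (below the threshold),
# 198.51.100.9 three 554s while sending shell metacharacters and a fake
# "[1.2.3.4]" in its HELO, and 203.0.113.5 is an accepted client to be ignored.
SAMPLE_LOG_DAY1 = """\
Mar 27 22:01:02 mx postfix/smtpd[4111]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<alice@example.org> proto=ESMTP helo=<mx.example.net>
Mar 27 22:01:03 mx postfix/smtpd[4111]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<bob@example.org> proto=ESMTP helo=<mx.example.net>
Mar 27 22:01:04 mx postfix/smtpd[4111]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<carol@example.org> proto=ESMTP helo=<mx.example.net>
Mar 27 22:02:10 mx postfix/smtpd[4112]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<x@example.net> to=<dave@example.org> proto=ESMTP helo=<x>
Mar 27 22:02:11 mx postfix/smtpd[4112]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<x@example.net> to=<erin@example.org> proto=ESMTP helo=<x>
Mar 27 22:03:00 mx postfix/smtpd[4113]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 Service unavailable; Client host [198.51.100.9] blocked using zen.spamhaus.org; from=<> to=<frank@example.org> proto=SMTP helo=<$(reboot); rm -rf /[1.2.3.4]>
Mar 27 22:03:01 mx postfix/smtpd[4113]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 Service unavailable; Client host [198.51.100.9] blocked using zen.spamhaus.org; from=<> to=<grace@example.org> proto=SMTP helo=<$(reboot); rm -rf /[1.2.3.4]>
Mar 27 22:03:02 mx postfix/smtpd[4113]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 Service unavailable; Client host [198.51.100.9] blocked using zen.spamhaus.org; from=<> to=<heidi@example.org> proto=SMTP helo=<$(reboot); rm -rf /[1.2.3.4]>
Mar 27 22:04:00 mx postfix/smtpd[4114]: 1A2B3C4D5E: client=mail.example.com[203.0.113.5]
"""

# Next day's (rotated) log: 198.51.100.9 keeps harvesting, 192.0.2.10 makes
# a single attempt, which is below SCORE, so it should drop off the list.
SAMPLE_LOG_DAY2 = """\
Mar 28 01:00:00 mx postfix/smtpd[5001]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 Service unavailable; Client host [198.51.100.9] blocked using zen.spamhaus.org; from=<> to=<ivan@example.org> proto=SMTP helo=<x>
Mar 28 01:00:01 mx postfix/smtpd[5001]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 Service unavailable; Client host [198.51.100.9] blocked using zen.spamhaus.org; from=<> to=<judy@example.org> proto=SMTP helo=<x>
Mar 28 01:00:02 mx postfix/smtpd[5001]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 Service unavailable; Client host [198.51.100.9] blocked using zen.spamhaus.org; from=<> to=<ken@example.org> proto=SMTP helo=<x>
Mar 28 01:05:00 mx postfix/smtpd[5002]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<leo@example.org> proto=ESMTP helo=<mx.example.net>
"""

# The client address is the dotted quad in brackets immediately before the
# ": 554 " / ": 450 " reply code.  Anchoring there, and accepting only digits
# and dots, keeps HELO strings and later "[...]" text out of the count and
# out of the generated root-run shell scripts.
REJECT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]: (?:554|450) ")
SCORE = 3  # low threshold for the sample; harvest.pl above defaults to 10


def count_rejections(lines: Iterable[str]) -> Counter:
    """Map client IPv4 address -> number of 554/450 rejections seen."""
    counts: Counter = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m and all(int(octet) <= 255 for octet in m.group(1).split(".")):
            counts[m.group(1)] += 1
    return counts


def offenders(counts: Counter, score: int = SCORE) -> List[str]:
    """IPs at or above the threshold, busiest first (ties by address)."""
    return sorted((ip for ip, n in counts.items() if n >= score),
                  key=lambda ip: (-counts[ip], ip))


def rule(action: str, ip: str) -> str:
    """One iptables line; action is 'A' (append) or 'D' (delete)."""
    return f"iptables -{action} INPUT -s {ip} -p tcp -m tcp --dport 25 -j DROP"


def build_scripts(ips: List[str], previous_undo: str = "") -> Tuple[str, str]:
    """apply script = last run's deletes (so stale rules go) + this run's adds;
    undo script = this run's deletes.  Same layout as dha.sh / dha-undo.sh."""
    stale = [l for l in previous_undo.splitlines() if l.startswith("iptables -D ")]
    apply_sh = "\n".join(["#!/bin/sh"] + stale + [rule("A", ip) for ip in ips]) + "\n"
    undo_sh = "\n".join(["#!/bin/sh"] + [rule("D", ip) for ip in ips]) + "\n"
    return apply_sh, undo_sh


def run(log_text: str, score: int = SCORE, previous_undo: str = ""):
    """One cron-style pass: returns (counts, offenders, apply script, undo script)."""
    counts = count_rejections(log_text.splitlines())
    ips = offenders(counts, score)
    apply_sh, undo_sh = build_scripts(ips, previous_undo)
    return counts, ips, apply_sh, undo_sh


if __name__ == "__main__":
    counts, ips, apply_sh, undo_sh = run(SAMPLE_LOG_DAY1)
    for ip, n in counts.most_common():
        print(f"{ip:>15}\t{n:5d}")
    print(apply_sh)
    # Second pass over the rotated log: the old rules are deleted first,
    # and only 198.51.100.9 is re-added.
    _, _, apply2, _ = run(SAMPLE_LOG_DAY2, previous_undo=undo_sh)
    print(apply2)
```

The two points a practitioner should take from the sample: the greedy `\[(.*)\]` style of extraction would have swallowed everything up to the last `]` on the line, including the `$(reboot)` in the HELO, and written it into a script that root runs; and because the apply script begins with the previous undo, an address that stops appearing above SCORE is removed on the next pass without any separate cleanup job.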


