SpamHaus DROP list

Alex Neuman van der Hans alex at nkpanama.com
Tue Oct 16 05:53:23 IST 2007


clacroix at cegep-ste-foy.qc.ca wrote:
> Using the perl script that was posted here earlier, and this simple
> awk/sed pipe abuse I bet you can achieve what you want quite easily, but
> why would you want to block at the firewall level, it's so much cleaner to
> do at the mta level, at least it won't fall back to your secondary MX.
>
>   
I'd like to block for the following reasons:

1. "Best block, no be there, OK?" - Pat Morita as Mr. Miyagi in one of 
the Karate Kid movies.
A server getting hammered by the Russian mafia botnets can have several 
hundred (if not thousands) of connections per minute coming from their 
shady networks. This uses up valuable instances of sendmail or TCP 
SYN/ACK packets that count towards bandwidth and/or download/upload 
caps. I'd rather use the DROP list on BOTH the main server and the 
backup MX in order to protect them, if I can trust the list to be close 
to 0 in regards to false positives. In this regard, and IMHO, it's much 
cleaner to do it at the firewall level for my particular situation, and 
from my point of view (I see how one could arrive at the same conclusion 
you did, even though I'd rather do it the other way).
2. Failing to put these on a backup MX because it's not under my 
control, I could still generate, for example, greylisting or SA scores 
or milters or whatever based on the DROP list. I'd still benefit from 
knowing "it came from the shady part of the internet".
3. Infected machines inside the network (there are the occasional 
guests) that tried to "phone home" to one of the many IRC-powered botnet 
controllers would have a more difficult (I know, some of them use 
distributed nets and scanning, so it's not impossible) time getting 
commands from the "Russian mother ship". Noninfected machines would, for 
example, find it difficult to get to the many phishing websites hosted 
in those networks (most of them knowingly), or the kiddie pr0n, or 
whatever. The point is it would be difficult "to get there from here".

So while I agree in most circumstances it's better (and more polite too) 
to reject at the MTA level with a very concise but accurate explanation 
of the reason, and (where possible) a URL to go to for more information, 
the DROP list warrants (in my case, maybe others find similar situations 
where they work) use at the firewall or router.
> cat spamhaus-droplist | grep -v '^;' | awk '{print $1}' \
>   | sed -e 's/^/iptables -I INPUT -i ethX -s /' -e 's/$/ -d 0\/0 -j DROP/'
>
> I guess you can make some shell script that will
> 1 take the old file and generate equivalent delete rules
> 2 run the perl script found on this list earlier today
> 3 run the cmd above
>
>
> Anyways, I hope this can help you.
>
>
>   
Anything at all helps. Remember, you can only learn what you almost 
already know. A good nudge in the right direction and I'll probably get 
it to work - and report back with the results, and you guys will 
probably contribute your own 2c, and so on. The beauty of collaborative 
environments like OSS. Too bad *other* projects don't have as nice 
people running and contributing the lists ;-)
>
>   
>> Michael Mansour wrote:
>>     
>>> Hi Alex,
>>>
>>> Alex Neuman van der Hans <alex at nkpanama.com> wrote:
>>>
>>>     Anybody here had any success/horror stories regarding the
>>>     implementation of the SpamHaus DROP list? I've been getting a lot of
>>>     crap (spam and other assorted network nonsense) from places in the
>>>     DROP list and I'd like to know if it's worth implementing at the
>>>     firewall level. Any info on false positives would be good too,
>>>     especially if there are any otherwise legit servers in that "rough
>>>     network neighborhood".
>>>
>>> I've been using the droplist for years and have never had any issues
>>> with it.
>>>
>>> I have a script which runs which queries the site for new updates,
>>> then applies to the blocklist and runs a shorewall refresh
>>> automatically.
>>>
>>> I've never had complaints from anyone from getting blocked from those
>>> IPs, since they are IPs which have been hijacked.
>>>
>>>       
>> By "new updates" do you "wget" or "curl" the drop.lasso file (whatever
>> the name is) and "diff" the existing file? I'm looking to write a simple
>> script using iptables that'll do that, unless somebody's already
>> invented the wheel.
>>     
>>> Regards,
>>>
>>> Michael.
>>>
>>>     --
>>>     MailScanner mailing list
>>>     mailscanner at lists.mailscanner.info
>>>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>>     Before posting, read http://wiki.mailscanner.info/posting
>>>
>>>     Support MailScanner development - buy the book off the website!
>>>
>>>
>
>
>   
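Alex asks for a script that fetches the DROP file, diffs it against the existing copy and adjusts iptables, and clacroix sketches the same in three steps (generate delete rules from the old file, fetch the new one, generate insert rules). As an added example that is not code from anyone in this thread, the POSIX shell script below does the diff-and-generate part on two constructed DROP snapshots: it emits `-D` rules for netblocks that left the list and `-I` rules for new ones, so unchanged entries are never touched and a cron run never duplicates rules. The sample file contents and the `ethX` interface name are placeholders; fetching (wget/curl) is left out.

```shell
#!/bin/sh
# Added example, not from the thread: diff two snapshots of the Spamhaus
# DROP list and emit only the iptables rules that changed (delete for
# netblocks that left the list, insert for new ones).  ethX is the
# placeholder interface used in the thread; override with IFACE=eth0.
IFACE="${IFACE:-ethX}"

# Constructed sample snapshots in DROP format ("CIDR ; SBLnnn", ';' comments).
OLD_FILE=$(mktemp) && NEW_FILE=$(mktemp)
trap 'rm -f "$OLD_FILE" "$NEW_FILE"' EXIT
cat > "$OLD_FILE" <<'EOF'
; Spamhaus DROP List -- constructed sample, not a real snapshot
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
EOF
cat > "$NEW_FILE" <<'EOF'
; Spamhaus DROP List -- constructed sample, not a real snapshot
192.0.2.0/24 ; SBL000001
203.0.113.0/24 ; SBL000003
EOF

# Print the sorted set of netblocks in a DROP file, skipping ';' header
# comments and blank lines (the first field of each data line is the CIDR).
drop_cidrs() {
    grep -v '^[[:space:]]*;' "$1" | awk 'NF { print $1 }' | sort -u
}

# Emit one iptables command per netblock that differs between OLD and NEW.
# comm needs sorted input, which drop_cidrs guarantees.
drop_update_rules() {
    old=$(mktemp) && new=$(mktemp)
    drop_cidrs "$1" > "$old"
    drop_cidrs "$2" > "$new"
    # Netblocks only in OLD: delete the rule added on a previous run.
    comm -23 "$old" "$new" | sed "s|^|iptables -D INPUT -i $IFACE -s |;s|\$| -j DROP|"
    # Netblocks only in NEW: insert a fresh DROP rule.
    comm -13 "$old" "$new" | sed "s|^|iptables -I INPUT -i $IFACE -s |;s|\$| -j DROP|"
    rm -f "$old" "$new"
}

# Stand-alone run: print the rules (pipe the output to sh to apply them).
drop_update_rules "$OLD_FILE" "$NEW_FILE"
```

Against real files, keep the previous snapshot next to the freshly fetched one and call `drop_update_rules old.txt new.txt | sh`, then rotate new over old.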
