Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

merlyn (47)

AOL IM: realmerlyn (Add Buddy, Send Message)
Yahoo! ID: realmerlyn (Add User, Send Message)

See my home page [].

Journal of merlyn (47)

Saturday April 24, 2004
11:21 AM

back to blocking IPs again

[ #18464 ]
So, having been fed up with spam and virus mail again, pushing my monthly bandwidth up and over my 30GB/month purchased limit (which is supposed to be for web, not email!), I reenabled my dynamic rolling block.

I block mail at various levels. Postfix lets me block mail during the SMTP handshake for hosts that don't have an A or MX record, and for delivery to addresses that are known spamtraps within the mail domain. Then, the mail goes to amavis, which uses SpamAssassin to block mail that looks very spammy (I have this set fairly high to avoid false positives). Then, $ mail gets delivered to my procmailrc for sorting, and I do further checks for simple mydoom and sobig patterns, and finally I call clamscan looking for known virus payloads. Altogether, I've got about 10 log files being written in two different formats (/var/log/maillog vs rfc822 headers).

But, POE to the rescue. I set up tail watchers on all the various log files, extract the offending IPs of the hop prior to my box, and then issue simple pfctl commands to add and delete those from a block list in my OpenBSD pf firewall. The address goes in, and 2 hours later, comes back out.

At the moment, I have nearly 2000 addresses in my list that have assaulted me within the last two hours, and get about 300 attempts a minute to reconnect. Using tcpdump with openbsd's passive fingerprinting, I can see that most of the block reattempts are repeated hits from windows boxes on cable or DSL, very likely worm-infected machines that would be much better recycled than online.

The result is that my loadaverage has now returned to sensible values, and my total bandwidth due to mail is back down to a reasonable 5GB/month average. Yeay!

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.
  • If your focus in on saving the bandwidth (man, that's a lotta e-mail!), then you need to do as much upfront testing as possible (before the client gets to the "data" section of their e-mail). You may also not want to REJECT, which would double the bandwidth with bouncebacks (not sure if the original message is bounced back, too).

    I love Postfix -- they have some really great UCE [] measures. I had some problems with "A or MX record" thing (reject_unknown_client?) -- that would block things like stories that
    • For Postfix, I reject during the SMTP handshake, not bouncing it with checks later. Amavis doesn't bounce it either... we just swallow the spam. And I don't bounce anything from my procmail tests or clamscan tests. The only bounces I generate are $ (provided they aren't a spammed-to-death address).
      • Randal L. Schwartz
      • Stonehenge
  • If you want an rbl feed of this list, or a URL to a private text file containing the IPs (both updated once a minute), please let me know (

    The caveat is that there might be false positives. It's useful as an outright smtp block, or at a place where you can return "try again later" to an incoming SMTP connection, but not at a point where you've already accepted the mail. You want a legit mailer to retry, but the bad guys mailers will not.

    • Randal L. Schwartz
    • Stonehenge