
All the Perl that's Practical to Extract and Report

Journal of scrottie (4167)

Sunday November 14, 2004
02:30 AM

The Russian Spam Mafia Wants Me Probed

[ #21843 ]
I'm not sure exactly what I did - if I reported some fraudulent spam and they figured it out, or (more likely) while working for a client, I clogged a formmail.pl hole, or if they're just convinced that my machine is a major ISP with thousands of users, but thousands and thousands of Russian and non-Russian machines are mounting a massive, coordinated attack to probe me. That is, they're trying to deliver mail to every user name anyone has seen anywhere - at @illogics.org.

I'm not just talking about a lot of machines probing me - I'm talking about a massive, carefully coordinated probing. About 5 machines go at it at once - as soon as one of them is firewalled, another immediately takes its place. After putting up with this for a while it started to clog incoming mail, so I wrote a little script to go through the postfix log (as soon as I dumped sendmail, which only logs useless information), find repeated attempts from hosts to deliver to non-existent users, and write out firewall rules I can add to my firewall config file for NetBSD. I would run this every few days when the moon hit me, but it was completely ineffective - the firewalled machines were immediately replaced with new ones. Hundreds of machines went by this way before I set cron to run a version of the script on the hour that automatically added the new rules to the firewall. Now hundreds of thousands of machines have been firewalled for this reason. To make the grade, 3 delivery attempts to non-existent users (and postfix specifies non-existent users as a fatal error so there is no excuse) in an hour gets you firewalled on port 25. With hundreds of thousands of firewall rules, the machine was spending most of its time in the kernel processing firewall rules before I set it to only do that on connections to port 25 (which are, by definition, new connections), and that helped greatly. And there's no end in sight. I'll have to start running the script more often - perhaps daemonize it and make it follow the log and ban things in real time. At this point, I'm curious how many zombie machines these Russians have. Anyway, for your reading pleasure, here's the portion of my firewall that's automatically generated from this anti-user-probing script. Let me know if you want the script and I'll post a copy (too lazy). Oh - I almost forgot the kicker - I'm running fingerd, so anyone could easily finger the machine and see who the users are.

-scott
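As an added example (not scrottie's script, which he didn't post), here is a Perl sketch of the log-watching step the entry describes: read postfix/smtpd reject lines, count "User unknown" rejects per client address per hour, and print a block rule, in the form the entry's own parser later expects, for any client that reaches the threshold. The log lines, the client addresses and the threshold constant are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not scrottie's script: turn postfix "User unknown" rejects into
# per-host block rules once a client crosses a per-hour threshold.
use strict;
use warnings;

my $THRESHOLD = 3;   # rejects to non-existent users per hour, as in the post

# Constructed postfix/smtpd reject lines (invented hosts in documentation ranges).
my @log = (
    'Nov 14 01:02:11 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <bob@illogics.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<bob@illogics.org>',
    'Nov 14 01:02:12 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <carol@illogics.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<carol@illogics.org>',
    'Nov 14 01:02:13 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <dave@illogics.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<dave@illogics.org>',
    'Nov 14 01:30:40 mx postfix/smtpd[2207]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.5]: 550 <scot@illogics.org>: Recipient address rejected: User unknown in local recipient table; from=<friend@example.com> to=<scot@illogics.org>',
    'Nov 14 02:15:09 mx postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 <eve@illogics.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.org> to=<eve@illogics.org>',
    'Nov 14 02:15:10 mx postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 <frank@illogics.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.org> to=<frank@illogics.org>',
    'Nov 14 03:15:11 mx postfix/smtpd[2215]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 <grace@illogics.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.org> to=<grace@illogics.org>',
);

# Count "User unknown" rejects as { client_ip => { "Mon dd HH" => n } }.
# The hour prefix of the syslog timestamp is the bucket, so "3 in an hour"
# means three within the same clock hour, as the cron job in the post does.
sub count_rejects {
    my %hits;
    for (@_) {
        my ($hour, $ip) = m{^(\w{3}\s+\d+\s+\d\d):\d\d:\d\d\s+\S+\s+postfix/smtpd\[\d+\]:\s+NOQUEUE: reject: RCPT from [^\[\s]*\[([\d.]+)\]:.*User unknown}
            or next;
        $hits{$ip}{$hour}++;
    }
    return \%hits;
}

# One rule per client whose busiest hour reached the threshold, in the
# "block in proto tcp quick from IP/32 to any" form the post's scripts parse.
sub rules_for {
    my ($hits, $threshold) = @_;
    my @rules;
    for my $ip (sort keys %$hits) {
        my ($worst_hour) = sort { $b <=> $a } values %{ $hits->{$ip} };
        push @rules, "block in proto tcp quick from $ip/32 to any\n"
            if $worst_hour >= $threshold;
    }
    return @rules;
}

print rules_for(count_rejects(@log), $THRESHOLD);
```

With the constructed input only 192.0.2.10 is printed: the friend who mistyped "scot" gets one reject and no rule, and 203.0.113.7 has two rejects in one hour and one in the next, so it never reaches three within a single hour. To run it against a live log, replace `@log` with the lines read from the postfix maillog. One caveat the post itself runs into: a list that only ever grows is what left the machine spending its time in the kernel, so a real deployment wants to expire rules for hosts that have gone quiet.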
  • other than /32

    I know you said you have hundreds of thousands, but the sample spamreport.txt only has a little over 20K. Even so, from just a cursory glance you would be a lot better off not blocking individual IPs.

    #!/usr/bin/perl
    use strict;
    use warnings;

    my $spam = $ARGV[0] || 'spamreport.txt';
    open (SPAM, '<', $spam) or die "Unable to open $spam for reading : $!";

    # sort the rules by address so neighbouring hosts end up next to each other
    print
    map { $_->[4] }
    sort { $a->[0] <=> $b->[0] || $a->[1] <=> $b->[1]
        || $a->[2] <=> $b->[2] || $a->[3] <=> $b->[3] }
    map { /(\d+)\.(\d+)\.(\d+)\.(\d+)/ ? [ $1, $2, $3, $4, $_ ] : () }
    <SPAM>;
    close SPAM;
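To show what this comment is getting at, an added example (not the commenter's or scrottie's code): group the per-host /32 rules by /24 and list the netblocks that already hold several banned hosts, so a human can decide whether to block the range rather than having a script do it. The rule lines follow the format the post's scripts parse; the addresses and the cut-off are constructed.

```perl
#!/usr/bin/perl
# Added example, not the commenter's or scrottie's code: group /32 rules by /24
# and list the netblocks with several banned hosts for a human to review.
use strict;
use warnings;

my $MIN_HOSTS = 3;   # flag a /24 once this many distinct hosts in it are banned

# Constructed rule lines in the format the post's scripts parse.
my @rules = map { "block in proto tcp quick from $_/32 to any\n" }
    qw(198.51.100.200 198.51.100.7 198.51.100.19 203.0.113.4 203.0.113.9 192.0.2.77);

# Numeric (not lexical) address order: compare the four octets as packed bytes.
sub by_address { pack('C4', split /\./, $a) cmp pack('C4', split /\./, $b) }

# Returns { "a.b.c.0/24" => [ sorted distinct hosts ] }.
sub group_by_24 {
    my %net;
    for (@_) {
        my ($ip) = m{block in (?:proto tcp )?quick from (\d+\.\d+\.\d+\.\d+)/32 to any}
            or next;
        my ($o1, $o2, $o3) = split /\./, $ip;
        $net{"$o1.$o2.$o3.0/24"}{$ip} = 1;
    }
    my %groups;
    $groups{$_} = [ sort by_address keys %{ $net{$_} } ] for keys %net;
    return \%groups;
}

# Netblocks with at least $min banned hosts, most crowded first.
sub crowded {
    my ($groups, $min) = @_;
    return grep { @{ $groups->{$_} } >= $min }
        sort { @{ $groups->{$b} } <=> @{ $groups->{$a} } || $a cmp $b } keys %$groups;
}

my $groups = group_by_24(@rules);
for my $net (crowded($groups, $MIN_HOSTS)) {
    printf "%-18s %d hosts: %s\n", $net,
        scalar @{ $groups->{$net} }, join ' ', @{ $groups->{$net} };
}
```

On the constructed rules this prints only 198.51.100.0/24 with its three hosts; the /24s with one or two hosts stay as individual /32s. Feed it the real rule file on standard input (`map` over `<>` instead of the constructed list) to get the same report for the live list.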

  • Ah, yes, I should have been more careful with my numbers. And language. Hundreds of thousands of IPs have been banned but not by that script and thus not in that output; they were banned by another script that (guess what) hit ARIN and blocked the entire netblock. I don't want to do this too hastily (in other words, I don't want to do this automatically) so the automatic script is doing /32's. Since there is some interest in passing from someone (even if that interest is just stimulating a clarification), h
    • Okay, the code tags didn't do what I wanted... let's try pre!

      #!/usr/bin/perl
      use bigint;
      my $count = 0;
      while (my $line = <>) {
          chomp $line;
          # pull the address and prefix length out of each firewall rule
          my ($ip, $mask) = $line =~ m{block in (?:proto tcp )?quick from ([0-9.]+)/([0-9]+) to any}
              or print "can't parse: $line\n";
          next unless $ip and $mask;
          my $numhosts = 1 << (32 - $mask);   # addresses covered by this rule
          $count += $numhosts;
      }
      print "$count\n";

      And then...

      #!/usr/bin/perl
      use IO::Handle;
      use POSIX;
      # process all bans for the recently passed out (10 minutes ago)
      my $timestamp = strftime "%b %e %H:", localtime(time() - 600);
      #
      • Okay, the code tags didn't do what I wanted... let's try pre!

        Yuck! Don't people have a "preview" button any more? Or read the help text under the textarea, when entering their post?

        Try "<ecode>"; it'll preserve your formatting.