More on spamming..
Mario Valente mvalente at esoterica.pt
Wed Oct 1 16:53:49 CEST 1997
At 14:49 01-10-1997 +0200, IBS / Andre Oppermann wrote:
>Can you make this code public (for RIPE ISP's - BSD license or GPL)?
>
>Mario Valente wrote:
>-snip-
>> We have a daemon on the background scanning the mail log. We accept
>> mail from everywhere, anyplace. As long as its one message at a time
>-snip-
>
OK, find at the end of this message the shell scripts that we currently use
to block spams dynamically.
Understand that this is a work in progress, begun a couple of months ago, tailored
to our system. As such it's not configurable, and it's not optimized. It should
probably be rewritten in Perl or C, commented, etc.
It was partly written by me and partly by my cohort Paulo Laureano. We have
commented the code just now to help in understanding it. Some variables and
files are named in Portuguese :-) Paulo also wrote some of the comments
below.
Since several people have been asking us for these scripts, we are now thinking
of rewriting this, commenting and optimizing.
C U!
-- Mario Valente & Paulo Laureano (looking over my shoulder)
------------------------------------------------------
This is the main script I run from cron every 5 minutes... the value of
the "tail" number of lines to read should be adjusted for your own
system, since this sets the amount of time an IP address is left with denied
access to port 25 of your machine. The values of 1000 & 2000 used on my
server provide suspensions of access for 15/30 minutes depending on the
reason that caused the cut (i.e. the script checks the last 5 minutes and
cuts access to spammers it found for the next 15/30 minutes).
--- cut here (begin /usr/local/bin/lockrelayers) ---
#!/bin/sh
# script file used for real-time cut of access to port 25
# must be "chmod +s"...
#
#
# Clean up list of commands that will deny access to port 25
#
:> /usr/local/bin/cortados.new
#
# temporary file used to store IP addresses of spamming hosts
:> /tmp/spamlist
# find relayers and cut access to port 25 on illegal ones (temporary!
# just to break the flow of incoming messages)
#
#
# findspamrelayers: addresses using our server as a relay (see below);
# the second "[" ... "]" pair on a sendmail log line is the relay's IP
#
/usr/local/bin/findspamrelayers_auto | cut -f3 -d"[" | cut -f1 -d"]" | sort -u | while read endereco
do
if grep $endereco /usr/local/bin/cortados >/dev/null
# Address already in the list of denied addresses
then
echo "Relay access already cut..." >/dev/null
else
# Add address to the list of addresses to deny
echo $endereco >>/tmp/spamlist
fi
done
# find domains starting with numbers (i.e. illegal) and
# 1- add them to list of known spammers (block'em in the future
# based on the domain name)...
# 2- deny access to port 25 for the machine that is delivering the
# messages (this is temporary just to break the flow of messages)
#
#
# find in the maillog fake domains (starting with a digit)
tail -1000 /var/log/maillog | grep "from=" | cut -f2 -d"<" | cut -f2 -d"@" | cut -f1 -d">" | grep "^[0-9]" | sort -u | while read fakedomain
do
if grep $fakedomain /etc/mailspamdomains >/dev/null
then
# Fake domain already blocked
echo $fakedomain is already blocked here >/dev/null
else
# Add domain to /etc/mailspamdomains, used by sendmail to stop spammers
echo Added $fakedomain to domains blacklist
echo $fakedomain >>/etc/mailspamdomains
fi
# Add fake domain to list of addresses to block, since they're
# currently spamming
grep $fakedomain /var/log/maillog | grep "from=" | cut -f3 -d"[" | cut -f1 -d"]" | grep "." >>/tmp/spamlist
done
# cut access to port 25 (temporary!) on anyone attempting to deliver
# messages from our list of known spammers...
cat /etc/mailspamdomains | while read spamdomain
do
# Find IP address of known spammers
tail -2000 /var/log/maillog | grep "from=" | grep $spamdomain | cut -f3 -d"[" | cut -f1 -d"]" | grep "." | while read foundip
do
# Add IP address of known spammers to list of addresses to block
echo $foundip >>/tmp/spamlist
done
done
# sort/unique the list of IP's to block so far and add them to the
# list about to lose access to the mail port...
sort -u /tmp/spamlist | while read endereco
do
# Create the script with list of commands used to block addresses
# denyaccess is a script (see below)
#
echo /usr/local/bin/denyaccess $endereco >>/usr/local/bin/cortados.new
done
rm -f /tmp/spamlist
cp /usr/local/bin/cortados.new /tmp/spamlist
# if we have three or more IP's blocked, lock ALL ip's that we know
# relay spam mail to us (have done so in the past...)! This literally
# makes esoterica unreachable to loads of people for a while and makes
# spam close to impossible by relaying mail thru major ISP's. We only
# lock the entire list on the third IP locked to allow space for a
# couple of "illegal" relaying (some new customer not yet known to the
# mail postmaster, etc).
quantos=0
cat /tmp/spamlist | grep "\." | while read nome
do
quantos=$((quantos+1))
echo $quantos >/dev/null
if test $quantos -eq 3
then
cat /usr/local/bin/cortados.relay >>/usr/local/bin/cortados.new
fi
done
# cut the access and log it excluding from the log the big list of
# IP's cut because they are known relayers and the list of IP's we
# have cut on a permanent basis...
# Run the fixed script (see below) that blocks known spammers
/usr/local/bin/cortados >/dev/null
#
# Put date into log
date >>/var/log/maillocked
#
# Run the dynamic (previously created) script that will block current spammers
/usr/local/bin/cortados.new >/dev/null 2>/dev/null
#
# Use the Linux ip firewall admin command to list the current blocks
/sbin/ipfwadm -I -l -n | grep tcp >/tmp/spamlist
# Take out of /tmp/spamlist the domains that are always blocked
grep denyaccess /usr/local/bin/cortados | cut -f2 -d" " | while read defcut
do
grep -v $defcut /tmp/spamlist >/tmp/spamlist2
mv /tmp/spamlist2 /tmp/spamlist
done
# Take out of /tmp/spamlist addresses known as using us as relay
# and log the rest of addresses (those discovered in this run of the
# script)
grep denyaccess /usr/local/bin/cortados.relay | cut -f2 -d" " | while read defcut
do
grep -v $defcut /tmp/spamlist >/tmp/spamlist2
mv /tmp/spamlist2 /tmp/spamlist
done
cat /tmp/spamlist >>/var/log/maillocked
echo >>/var/log/maillocked
---- cut here (end /usr/local/bin/lockrelayers) ----
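An added example (not part of Mario's post or of the Esoterica scripts): the two checks "lockrelayers" makes over the maillog, written so they can be run on their own against a few constructed sendmail log lines. fake_domains picks out envelope-sender domains that begin with a digit, relay_ips_for finds the relay IP behind a given sender domain, spam_ips is the union the script would hand to "denyaccess" on one run, and escalate applies the "third IP locked" rule. The function names, the log lines and every domain and address in it are made up; the log layout follows sendmail 8.8 "from=" records, where the second "[...]" on the line is the relay's address.

```shell
#!/bin/sh
# Added example, not from the original post: the checks "lockrelayers" makes
# over sendmail's maillog, done with awk instead of chained cut(1) calls.
# SAMPLE_LOG, the domains and the addresses below are constructed.

SAMPLE_LOG=$(cat <<'EOF'
Oct  1 14:49:01 mx sendmail[2001]: OAA02001: from=<bob@example.org>, size=512, class=0, pri=30512, nrcpts=1, msgid=<1@example.org>, proto=SMTP, relay=mail.example.org [192.0.2.10]
Oct  1 14:49:02 mx sendmail[2002]: OAA02002: from=<deal@1234offers.test>, size=4096, class=0, pri=34096, nrcpts=1, msgid=<2@1234offers.test>, proto=SMTP, relay=ppp17.example.net [198.51.100.17]
Oct  1 14:49:03 mx sendmail[2003]: OAA02003: from=<promo@99cash.test>, size=4096, class=0, pri=34096, nrcpts=1, msgid=<3@99cash.test>, proto=SMTP, relay=ppp18.example.net [198.51.100.18]
Oct  1 14:49:04 mx sendmail[2004]: OAA02004: from=<deal@1234offers.test>, size=4096, class=0, pri=34096, nrcpts=1, msgid=<4@1234offers.test>, proto=SMTP, relay=ppp17.example.net [198.51.100.17]
Oct  1 14:49:05 mx sendmail[2005]: OAA02005: from=<win@77win.test>, size=4096, class=0, pri=34096, nrcpts=1, msgid=<5@77win.test>, proto=SMTP, relay=ppp19.example.net [198.51.100.19]
Oct  1 14:49:06 mx sendmail[2006]: OAA02006: from=<alice@example.com>, size=256, class=0, pri=30256, nrcpts=1, msgid=<6@example.com>, proto=SMTP, relay=smtp.example.com [203.0.113.5]
EOF
)

# Envelope-sender domains that start with a digit (what the original script
# treats as forged), one per line, sorted and unique.
fake_domains() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /from=</ {
            s = $0; sub(/.*from=</, "", s); sub(/>.*/, "", s)   # user@domain
            at = index(s, "@"); if (at == 0) next
            dom = substr(s, at + 1)
            if (dom ~ /^[0-9]/) print dom
        }' | sort -u
}

# IP address of every host that delivered a message with the given sender
# domain: the text between "[" and "]" after "relay=".
relay_ips_for() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v dom="$1" '
        /from=</ && index($0, "@" dom ">") {
            p = index($0, "relay="); if (!p) next
            r = substr($0, p)                           # "relay=host [a.b.c.d]"
            o = index(r, "["); c = index(r, "]")
            if (o && c > o) print substr(r, o + 1, c - o - 1)
        }' | sort -u
}

# Union of the relay IPs behind all fake domains: the addresses that would be
# written into cortados.new as "denyaccess" lines on this run.
spam_ips() {
    for d in $(fake_domains); do relay_ips_for "$d"; done | sort -u
}

# "yes" when the number of distinct IPs to cut reaches the threshold (3 in
# the original script), i.e. when cortados.relay would be appended as well.
escalate() {
    n=$(spam_ips | wc -l | tr -d ' ')
    if [ "$n" -ge "$1" ]; then echo yes; else echo no; fi
}

spam_ips
escalate 3
```

Note that a domain label beginning with a digit is legal under RFC 1123, so the leading-digit test is a heuristic of its time rather than a rule; a sounder reason to reject is a sender domain that does not resolve, which is what the sendmail domain-checking patch mentioned further down in this message does.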
The script file "cortados" that follows has a list of addresses
permanently blocked from delivering mail to Esoterica:
---- cut here (begin /usr/local/bin/cortados) ----
#!/bin/sh
/sbin/ipfwadm -I -f
# exceptions (addresses that are never cuted down; my relay mail machine)
echo 194.130.254.3 >/dev/null
echo 195.22.0.33 >/dev/null
# The script denyaccess is used (see below)
#cyberpromo/savetrees
/usr/local/bin/denyaccess 204.137.223.0/24
/usr/local/bin/denyaccess 204.137.222.0/24
/usr/local/bin/denyaccess 204.137.220.0/24
#regulus.net/bulk-e-mail.com/nancynet.com, etc. is an ISP for spammers...
/usr/local/bin/denyaccess 205.199.4.0/24
#mail-response.com/nancynet.com/nevwest.com/etc,etc,etc
/usr/local/bin/denyaccess 205.254.167.0/24
/usr/local/bin/denyaccess 205.254.165.0/24
/usr/local/bin/denyaccess 207.51.48.0/24
#1stfamily.com
/usr/local/bin/denyaccess 208.15.229.0/24
#kustom.on.ca
/usr/local/bin/denyaccess 204.101.226.0/24
#onlinebiz.net
/usr/local/bin/denyaccess 205.164.68.0/24
#netrecruiters.com, uniquepo,com, etc
/usr/local/bin/denyaccess 205.198.78.0/24
#asianinvestments.com.au
/usr/local/bin/denyaccess 203.32.208.0/24
#spamrelay.grandbikes.com
/usr/local/bin/denyaccess 208.219.218.0/24
---- cut here (end /usr/local/bin/cortados) ----
The file /usr/local/bin/cortados.relay has a list of IP's/pools that in
the past were used as relay to deliver junk mail to us. These addresses
are ALWAYS blocked on our secondary mail server. This is done
because if/when they were denied mail delivery to the primary mail server,
the spam would get delivered to the secondary.
This script runs if we are being bombed from
three or more IP addresses. We cut these down for a couple of minutes also
(spammers have a limited number of IP's that they can use for relay, and
we cut those in a block whenever we know about them). Since all cuts on
the main mail machine are temporary there is no problem on making
mistakes... it will delay delivery to the next mail queue processing...
only these intervals make mail bombing close to impossible!
---- cut here (begin /usr/local/bin/cortados.relay) ----
/usr/local/bin/denyaccess 12.70.46.0/24
/usr/local/bin/denyaccess 12.70.47.0/24
/usr/local/bin/denyaccess 128.148.157.0/24
/usr/local/bin/denyaccess 128.163.1.0/24
[ ... big list of address pools including machines from uunet and
other big ISPs frequently used as relay for spam ... ]
/usr/local/bin/denyaccess 208.206.112.0/24
/usr/local/bin/denyaccess 208.206.176.0/24
/usr/local/bin/denyaccess 208.6.192.0/24
/usr/local/bin/denyaccess 209.1.135.0/24
/usr/local/bin/denyaccess 209.30.0.0/24
/usr/local/bin/denyaccess 209.68.1.0/24
/usr/local/bin/denyaccess 209.75.5.0/24
---- cut here (end /usr/local/bin/cortados.relay) ----
The file /usr/local/bin/cortados.new is empty and has the executable bit
active (i.e. it is a script with content filled in real time) and is called
"at the end" of "lockrelayers". It is filled dynamically with the sequence of
commands to block addresses.
A script used to find relayers by "lockrelayers" is
"/usr/local/bin/findspamrelayers"... content follows...
---- cut here (begin /usr/local/bin/findspamrelayers_auto) ----
#!/bin/sh
# Find entries in maillog telling of relay use
grep relay /var/log/maillog >/tmp/xpto2
tail -600 /tmp/xpto2 >/tmp/xpto
# Extracting friendly virtual domains from the list of relayers ... those that
# we allow relaying and do mail forwarding
#
cat /etc/sendmail.cw | grep -v ^# | grep "\." | while read nome
do
grep -v $nome /tmp/xpto >/tmp/xpto2
mv /tmp/xpto2 /tmp/xpto
done
#
# Extract domains for leased line customers and expanded
# addresses from the list of relayers
#
#
cat /etc/legalrelay | grep -v ^# | grep "\." | while read nome
do
grep -v $nome /tmp/xpto >/tmp/xpto2
mv /tmp/xpto2 /tmp/xpto
done
#echo "Extracting known spammers (we already filter) from the list..."
cat /etc/mailspamdomains | while read nome
do
grep -v $nome /tmp/xpto >/tmp/xpto2
mv /tmp/xpto2 /tmp/xpto
done
# Separate maillog relay entries into two lists, to find out
# those that are currently relaying (have both a From entry and
# a To entry). Those that dont have both, are either local deliveries,
# locally originated or are coming from known spammers and were
# not delivering them (no To:)
#
cat /tmp/xpto | grep " from=" >/tmp/froms
cat /tmp/xpto | grep " to=" >/tmp/tos
# Output on stdout addresses that are in both lists (and so are
# currently relaying illegally). The stdout will be used by other scripts
#
# syslog pads a one-digit day with two spaces ("Oct  1"), which pushes the
# sendmail queue id from field 6 to field 7 when splitting on single spaces
cat /tmp/tos | if grep "  " >/dev/null
then
cat /tmp/tos | cut -f7 -d" " | while read msgid
do
grep $msgid /tmp/froms
done
else
cat /tmp/tos | cut -f6 -d" " | while read msgid
do
grep $msgid /tmp/froms
done
fi
#Cleanup
rm -f /tmp/xpto2
rm -f /tmp/xpto
rm -f /tmp/tos
rm -f /tmp/froms
---- cut here (end /usr/local/bin/findspamrelayers_auto) ----
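The relay test in "findspamrelayers_auto", as an added example (not the original script): one awk pass that drops lines mentioning our own and our customers' domains, collects the queue id of every "from=" and "to=" record that carries "relay=", and reports the source IP of messages that have both, i.e. messages we accepted from outside and then delivered outside again. The queue id is read from the text right after "sendmail[pid]: " rather than from a fixed field number, so the double-space date that the original's grep-for-two-spaces branch handles ("Oct  1" versus "Oct 10") needs no special case. The ALLOWED list (a stand-in for /etc/sendmail.cw and /etc/legalrelay), the log lines and all domains and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the from/to queue-id intersection
# that findspamrelayers_auto performs, in one awk pass. ALLOWED, RELAY_LOG and
# every domain and address below are constructed.

# Stand-in for the names read from /etc/sendmail.cw and /etc/legalrelay:
# any log line mentioning one of these is dropped, as the original's grep -v does.
ALLOWED="ourdomain.example example.org"

RELAY_LOG=$(cat <<'EOF'
Oct  1 14:50:01 mx sendmail[2101]: OAA02101: from=<bob@example.org>, size=512, class=0, pri=30512, nrcpts=1, msgid=<1@example.org>, proto=SMTP, relay=mail.example.org [192.0.2.10]
Oct  1 14:50:02 mx sendmail[2102]: OAA02101: to=<carol@example.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.com. [203.0.113.25], stat=Sent
Oct 10 14:50:03 mx sendmail[2103]: OAA02103: from=<promo@99cash.test>, size=4096, class=0, pri=34096, nrcpts=1, msgid=<3@99cash.test>, proto=SMTP, relay=ppp18.example.net [198.51.100.18]
Oct 10 14:50:04 mx sendmail[2104]: OAA02103: to=<victim@example.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.com. [203.0.113.25], stat=Sent
Oct 10 14:50:05 mx sendmail[2105]: OAA02105: from=<dave@example.net>, size=256, class=0, pri=30256, nrcpts=1, msgid=<5@example.net>, proto=SMTP, relay=ppp3.example.net [198.51.100.3]
Oct 10 14:50:06 mx sendmail[2106]: OAA02105: to=<erin@ourdomain.example>, delay=00:00:01, mailer=local, stat=Sent
EOF
)

# Prints the source IP of each message that we both received from a relay
# and handed on to another relay (a local delivery has no "relay=" and so
# never counts as a "to=" record here).
relay_abusers() {
    printf '%s\n' "$RELAY_LOG" | awk -v allow="$ALLOWED" '
        BEGIN { n = split(allow, a, " ") }
        !/relay=/ { next }                       # local deliveries and local submissions
        {
            for (i = 1; i <= n; i++) if (index($0, a[i])) next   # grep -v of each allowed name
            # queue id follows "sendmail[pid]: ", whatever the date looks like
            if (!match($0, /sendmail\[[0-9]+\]: [A-Za-z0-9]+:/)) next
            id = substr($0, RSTART, RLENGTH); sub(/.*: /, "", id); sub(/:$/, "", id)
            if (index($0, " from=<")) {
                r = substr($0, index($0, "relay="))   # "relay=host [a.b.c.d]"
                o = index(r, "["); c = index(r, "]")
                if (o && c > o) from[id] = substr(r, o + 1, c - o - 1)
            } else if (index($0, " to=<")) {
                to[id] = 1
            }
        }
        END { for (id in from) if (id in to) print from[id] }' | sort -u
}

relay_abusers
```

With the sample above only OAA02103 is reported (198.51.100.18): OAA02101 was relayed for a customer domain in ALLOWED, and OAA02105 was an ordinary inbound delivery. Emptying ALLOWED makes the customer's message show up too, which is exactly why the original keeps /etc/legalrelay current.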
To examine the logs on my system I run from the command line the following
script called "viewspam" (every day to check spamming attempts of the last
hours)... it requires the "/etc/mailspamdomains" file to determine what
spammers to look for.
---- cut here (begin /usr/local/bin/viewspam) ----
#!/bin/sh
cat /etc/mailspamdomains | while read nome
do
if grep $nome /var/log/maillog >/dev/null
then
echo $nome
echo "------------------------------------------------"
# two spaces in the syslog date ("Oct  1") shift the queue id to field 7
grep $nome /var/log/maillog | if grep "  " >/dev/null
then
grep $nome /var/log/maillog | cut -f7 -d" " | while read msgid
do
grep " $msgid " /var/log/maillog
echo
done
echo
else
grep $nome /var/log/maillog | cut -f6 -d" " | while read msgid
do
grep " $msgid " /var/log/maillog
echo
done
echo
fi
fi
done
---- cut here (end /usr/local/bin/viewspam) ----
The denyaccess script that cuts access (/usr/local/bin/denyaccess) is:
---- cut here (begin /usr/local/bin/denyaccess) ----
#!/bin/sh
# Deny TCP packets coming from source $1 into dest "Our mail server"
/sbin/ipfwadm -I -i deny -P tcp -S $1 -D 195.22.0.135 25 >/dev/null 2>/dev/null
# Same for UDP
/sbin/ipfwadm -I -i deny -P udp -S $1 -D 195.22.0.135 25 >/dev/null 2>/dev/null
# Same for ICMP
/sbin/ipfwadm -I -i deny -P icmp -S $1 -D 195.22.0.135 >/dev/null 2>/dev/null
---- cut here (end /usr/local/bin/denyaccess) ----
Hufff... now, I have some sendmail related files that are used to deny
access based on domain names on "/etc/mailspamdomains" and a list of legal
relayers (leased line customers, alias expansion that does not appear in
the logs) on "/etc/legalrelayers". My sendmail locks out delivery from/to
domains in "/etc/mailspamdomains". I got the domain based lockout scheme
for sendmail from "www.sendmail.org"... I also have installed the checking
of domains patch from the experimental anti-spam counter-measures for
sendmail; this does reverse DNS lookups to check for validity of From and
To addresses (also handy to find out your clients misconfigurations).
In short the files are:
/usr/local/bin/lockrelayers         main script to do real time locking, running out of crontab
/usr/local/bin/findspamrelay_auto   used by "lockrelayers" to find out current spammers
/usr/local/bin/cortados             permanently cut IP's; used by "lockrelayers"
/usr/local/bin/cortados.new         new IP's to cut; built and used by "lockrelayers"
/usr/local/bin/cortados.relay       list of machines used in the past to relay to us... used to lock
                                    in a block a lot of paths to esoterica, and permanently cut on
                                    our relay mail machines... used by "lockrelayers"...
/usr/local/bin/viewspam             look at log entries related to spam, based on /etc/mailspamdomains
/usr/local/bin/denyaccess           cuts access to port 25 from an address... used by "lockrelayers"
/etc/mailspamdomains                list of domains to be cut by sendmail
/etc/legalrelay                     list of domains/users we allow relay to/from...
Ouch... this is the first time I actually attempted to explain to someone
the anti-spam measures in place here. If something fails to work as it
should just drop me a line and I'll add whatever is needed.
Basically this system does not prevent mailspam but makes it impossible
to work (i.e. reach more than the first few addresses) by allowing only a
small time window of uncontrolled access, cutting access to offenders in a
three/six times larger time window, and rendering mailspamdomains unusable
for more than one time window. Also it detects when an IP address is
attempting relay thru our system and shuts it up for a while, it shuts up
known pools of ips (for a couple of minutes only) used for relay if
attacks persist, etc.
From what I gathered some spammers are going nuts with this; they even
forged mail and placed esoterica on the headers out of revenge. The
reason is simple; they start spamming us, or using us for relay from some
dial-in on aol/whatever, it seems to work in the first few minutes (some
messages may even reach their intended destination) and then... esoterica
is no longer reachable... they can't even ping us... then, they try
another dial-in, get another IP address and... BINGO, working again for a
few minutes, but then it stops working also... on the third attempt things
repeat themselves but then it seems that at the fourth attempt not even new
IP's get to esoterica... to make them REALLY MAD everything works again a
few minutes later; the problem is it would take hours to deliver mass mailings
thru this "less than five minutes" window; worse than that, on the next
attempt mail has to be forged again since fake domains are blocked, etc.
Spam received/relayed by esoterica has dropped 99% in the last weeks.