[TheForge] off-topic: request
Gabriel Cain
[email protected]
Tue Jun 25 23:16:09 2002
Terry L. Ridder wrote:
> hello;
>
> i have received many suggestions concerning my
> request and have written up the below explanation.
>
> <begin explanation>
> the dns blackholes are not working. plus they
> are heavy hits on dns servers and bandwidth.
>
> currently, in monitoring just two t1s 15 to 20
> percent of the traffic is spammers, crackers,
> virus, porn peddlers, and other lower-life forms.
> ( trash )
Understandable.
> the 'we' is three isps in the northern illinois
> and southern wisconsin area and myself. the customers
> of the isps want the isp to filter out the trash.
> i want it gone since 23 percent of my wireless t1
> is trash.
Ouch. :-(
> what we are building up is a database of spammers,
> crackers, virus, porn peddlers, etc. from this
> database, firewall and router access lists will be
> generated.
>
> primary target linux:
> ipchains and iproute2
> iptables and iproute2
>
> secondary target:
> cisco pix firewall
> cisco routers
Very cool. I do sysadmin myself, so I know what you're dealing
with. It's no fun at all.
> currently the database is being built using tcpdump log
> files and iptables statistics.
> i started by monitoring entire ip address blocks for
> countries like korea, china, thailand, indonesia, russia.
> once i had the statistics of what ip address blocks were
> attempting to send spam, i broke those ip address blocks
> out into smaller ip address blocks.
Block all of the Asia Pacific block and Europe to SMTP traffic. Really.
It'll drop your spam load by about 90%. It's what we do where I work -- block
all of APNIC, and allow some through (those customers who request it.)
> example:
> 211.160.0.0/16 covers all ip addresses from
> 211.160.0.0 through 211.160.255.255
>
> 211.160.0.0/17 covers all ip addresses from
> 211.160.0.0 through 211.160.127.255
>
> 211.160.128.0/17 covers all ip addresses from
> 211.160.128.0 through 211.160.255.255
>
> once i have narrowed down the ip address block
> those ip addresses end up in the database.
>
> so instead of blocking all of korea just block
> the korean ip address blocks which are sending
> the spam.
Which is most of them, or so it seems.
iptables -A FORWARD -s 210.0.0.0/8 -p tcp --dport 25 -j REJECT is my friend.
> iptables statistics and tcpdump log files are
> processed each day to update the database. this
> is to remove the ip addresses which are no longer
> being used for trash and add new ones.
Sounds like fun with perl and mysql. I know that game.
> using the database e-mail messages are generated
> to the isps who are assigned the blocked ip address
> blocks explaining why they are being blocked. each
> e-mail message contains the tcpdump log files and
> iptables statistics for their ip address blocks.
*nods*
> the goal is to block the spammers, crackers, virus,
> porn peddlers before they ever get into the network
> and also to prevent them from routing through the
> network. basically, isolate them from portions of
> the internet.
Right.
> e-mail spam with full e-mail headers makes the task
> of narrowing down ip address blocks faster. we are
> also using 'spam traps' to find the spammers.
[Smirk]
> 'spam traps' are valid e-mail addresses embedded in
> a web page which the normal web surfer would never see.
Right, like this: <!-- [email protected] -->
> spammers which scan web pages for e-mail addresses would
> however see them. they send e-mail to the address and
>
> the valid e-mail does not belong to a real end-user but
> rather is just forwarded to a program which processes the
> spam and their ip address ends up in the database.
I've often thought about implementing such a thing, but, alas, it
(that method) is not considered high priority. C'est la vie.
> the database currently contains nearly 10,000 entries.
Only 10k? ;-)
Good luck. Sounds like you're doing well.
--
Gabriel Cain
Amateur Smith / Systems Administrator / Tinkerer
[email protected]
Free image space for theForge members is available. Contact me.
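The block-narrowing procedure Terry describes (start from a /16 such as 211.160.0.0/16, split it into /17 halves, keep the half that is actually sending, and repeat) and the REJECT rule Gabriel quotes can be wired together in a short script. The following is an added example and is not code from either poster or from TheForge; it assumes iptables LOG-format lines with SRC= and DPT= fields as its input, and every log line and address below is constructed for the example (the 211.160.0.0/16 and 210.0.0.0/8 prefixes come from the thread).

```python
"""Narrow observed spam sources to CIDR blocks and emit iptables REJECT rules.

Added example (not code from the thread). It assumes iptables LOG-style lines
with SRC= and DPT= fields; the sample lines and addresses below are constructed.
"""
import ipaddress

# Constructed sample log lines in iptables LOG format (hypothetical gateway "gw").
# The last line is port 80 traffic and must be ignored when building an SMTP blocklist.
SAMPLE_LOG = """\
Jun 25 22:01:03 gw kernel: IN=eth0 SRC=211.160.17.5 DST=192.0.2.25 PROTO=TCP DPT=25
Jun 25 22:01:09 gw kernel: IN=eth0 SRC=211.160.17.5 DST=192.0.2.25 PROTO=TCP DPT=25
Jun 25 22:03:41 gw kernel: IN=eth0 SRC=211.160.33.9 DST=192.0.2.25 PROTO=TCP DPT=25
Jun 25 22:07:12 gw kernel: IN=eth0 SRC=210.5.200.1 DST=192.0.2.25 PROTO=TCP DPT=25
Jun 25 22:08:00 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.80 PROTO=TCP DPT=80
"""


def parse_sources(log_text, dport=25):
    """Return the SRC address of every log line whose DPT matches dport."""
    sources = []
    for line in log_text.splitlines():
        # Turn "KEY=value" tokens into a dict; tokens without "=" are skipped.
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("DPT") == str(dport) and "SRC" in fields:
            sources.append(ipaddress.ip_address(fields["SRC"]))
    return sources


def _narrow(net, addrs, max_prefix):
    """Recursively halve `net` while only one half contains observed sources.

    Stops when both halves are active (the whole block is sending, so keep the
    parent) or when max_prefix is reached. Returns {network: hit_count}.
    """
    inside = [a for a in addrs if a in net]
    if not inside:
        return {}
    if net.prefixlen >= max_prefix:
        return {net: len(inside)}
    lo, hi = net.subnets(prefixlen_diff=1)  # e.g. /16 -> two /17 halves
    lo_hits = [a for a in inside if a in lo]
    hi_hits = [a for a in inside if a in hi]
    if lo_hits and hi_hits:
        return {net: len(inside)}
    return _narrow(lo if lo_hits else hi, inside, max_prefix)


def narrow_blocks(addrs, start_prefix=16, max_prefix=24):
    """Start from each /16 that produced hits (the thread's 211.160.0.0/16 example)
    and narrow it to the smallest block that still covers the observed sources."""
    starts = {ipaddress.ip_network(f"{a}/{start_prefix}", strict=False) for a in addrs}
    blocks = {}
    for net in sorted(starts):
        blocks.update(_narrow(net, addrs, max_prefix))
    return blocks


def iptables_rules(blocks, chain="FORWARD", dport=25):
    """Render one REJECT rule per block, in the form quoted in the thread."""
    return [f"iptables -A {chain} -s {net} -p tcp --dport {dport} -j REJECT"
            for net in sorted(blocks)]


if __name__ == "__main__":
    found = narrow_blocks(parse_sources(SAMPLE_LOG))
    for net, hits in sorted(found.items()):
        print(f"{net}\t{hits} hits")
    print("\n".join(iptables_rules(found)))
```

Two design choices worth noting: splitting stops as soon as both halves of a block have sent spam, so a block that is active end to end is listed once rather than fragmented into many small prefixes; and the walk never goes below the `max_prefix` floor (a /24 here), which keeps the generated access list from growing by one entry per individual host. With the constructed sample, the three 211.160.x hits collapse to 211.160.0.0/18 and the lone 210.5.200.1 hit narrows to 210.5.200.0/24, while the port 80 line is ignored.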