More on spamming..
Mario Valente mvalente at esoterica.pt
Wed Oct 1 16:53:49 CEST 1997
At 14:49 01-10-1997 +0200, IBS / Andre Oppermann wrote:
>Can you make this code public (for RIPE ISP's - BSD license or GPL)?
>
>Mario Valente wrote:
>-snip-
>> We have a daemon on the background scanning the mail log. We accept
>> mail from everywhere, anyplace. As long as its one message at a time
>-snip-
>

OK find at the end of this message the shell scripts that we currently
use to block spams dynamically. Understand that this is a work in
progress, begun a couple of months ago, tailored to our system. As such
its not configurable; and its not optimized. It should probably be
rewritten in Perl or C, commented, etc.

It was partly written by me and partly by my cohort Paulo Laureano. We
have commented the code just now to help in understanding it. Some
variables and files are named in Portuguese :-) Paulo also wrote some
of the comments below.

Since several people have been asking us for these scripts, we are now
thinking of rewriting this, commenting and optimizing.

C U!

-- Mario Valente & Paulo Laureano (looking over my shoulder)

------------------------------------------------------

This is the main script I run on the cron every 5 minutes... the value
of the "tail" numbers of lines to read should be adjusted for your own
system since this sets the amount of time an IP address is left with
denied access to port 25 of your machine. The values of 1000 & 2000
used on my server provide suspensions of access for 15/30 minutes
depending on the reason that caused the cut (i.e. the script checks
the last 5 minutes and cuts access to spammers it found for the next
15/30 minutes).

--- cut here (begin /usr/local/bin/lockrelayers) ---
#!/bin/sh
# script file used for real-time cut of access to port 25
# must be "chmod +s"...
#
#
# Clean up list of commands that will deny access to port 25
#
:> /usr/local/bin/cortados.new
#
# temporary file used to store IP addresses of spamming hosts
:> /tmp/spamlist

# find relayers and cut access to port 25 on illegal ones (temporary!
# just to break the flow of incoming messages)
#
#
# findspamrelayers addresses using our server as a relay (see below)
#
/usr/local/bin/findspamrelayers_auto | cut -f3 -d"[" | cut -f1 -d"]" | sort -u | while read endereco
do
  if grep "$endereco" /usr/local/bin/cortados >/dev/null
  # Address already in the list of denied addresses
  then
    echo "Relay access already cut..." >/dev/null
  else
    # Add address to the list of addresses to deny
    echo "$endereco" >>/tmp/spamlist
  fi
done

# find domains started with numbers (i.e. illegal) and
# 1- add them to list of known spammers (block'em in the future
#    based on the domain name)...
# 2- deny access to port 25 for the machine that is delivering the
#    messages (this is temporary just to break the flow of messages)
#
#
# find in the maillog fakedomains (started with a digit)
tail -1000 /var/log/maillog | grep "from=" | cut -f2 -d"<" | cut -f2 -d"@" | cut -f1 -d">" | grep "^[0-9]" | sort -u | while read fakedomain
do
  if grep "$fakedomain" /etc/mailspamdomains >/dev/null
  then
    # Fake domain already blocked
    echo "$fakedomain is already blocked here" >/dev/null
  else
    # Add domain to /etc/mailspamdomains, used by sendmail to stop spammers
    echo "Added $fakedomain to domains blacklist"
    echo "$fakedomain" >>/etc/mailspamdomains
  fi
  # Add fake domain to list of addresses to block, since they're currently spamming
  grep "$fakedomain" /var/log/maillog | grep "from=" | cut -f3 -d"[" | cut -f1 -d"]" | grep "." >>/tmp/spamlist
done

# cut access to port 25 (temporary!) on anyone attempting to deliver
# messages from our list of known spammers...
cat /etc/mailspamdomains | while read spamdomain
do
  # Find IP address of known spammers
  tail -2000 /var/log/maillog | grep "from=" | grep "$spamdomain" | cut -f3 -d"[" | cut -f1 -d"]" | grep "." | while read foundip
  do
    # Add IP address of known spammers to list of addresses to block
    echo "$foundip" >>/tmp/spamlist
  done
done

# sort/unique the list of IP's to block so far and add them to the
# list about to lose access to the mail port...
sort -u /tmp/spamlist | while read endereco
do
  # Create the script with list of commands used to block addresses
  # denyaccess is a script (see below)
  #
  echo "/usr/local/bin/denyaccess $endereco" >>/usr/local/bin/cortados.new
done
rm -f /tmp/spamlist
cp /usr/local/bin/cortados.new /tmp/spamlist

# if we have three or more IP's blocked, lock ALL ip's that we know
# relay spam mail to us (have done so in the past...)! This literally
# makes esoterica unreachable to loads of people for a while and makes
# spam close to impossible by relaying mail thru major ISP's. We only
# lock the entire list on the third IP locked to allow space for a
# couple of "illegal" relaying (some new customer not yet known to the
# mail postmaster, etc).
quantos=0
cat /tmp/spamlist | grep "\." | while read nome
do
  let quantos=$quantos+1
  echo $quantos >/dev/null
  if test $quantos -eq 3
  then
    cat /usr/local/bin/cortados.relay >>/usr/local/bin/cortados.new
  fi
done

# cut the access and log it excluding from the log the big list of
# IP's cut because they are known relayers and the list of IP's we
# have cut on a permanent basis...
# Run the fixed script (see below) that blocks known spammers
/usr/local/bin/cortados >/dev/null
#
# Put date into log
date >>/var/log/maillocked
#
# Run the dynamic (previously created) script that will block current spammers
/usr/local/bin/cortados.new >/dev/null 2>/dev/null
#
# Use the Linux ip firewall admin command to list the current blocks
/sbin/ipfwadm -I -l -n | grep tcp >/tmp/spamlist
# Take out of /tmp/spamlist the domains that are always blocked
grep denyaccess /usr/local/bin/cortados | cut -f2 -d" " | while read defcut
do
  grep -v "$defcut" /tmp/spamlist >/tmp/spamlist2
  mv /tmp/spamlist2 /tmp/spamlist
done
# Take out of /tmp/spamlist addresses known as using us as relay
# and log the rest of addresses (those discovered in this run of the
# script)
grep denyaccess /usr/local/bin/cortados.relay | cut -f2 -d" " | while read defcut
do
  grep -v "$defcut" /tmp/spamlist >/tmp/spamlist2
  mv /tmp/spamlist2 /tmp/spamlist
done
cat /tmp/spamlist >>/var/log/maillocked
echo >>/var/log/maillocked
---- cut here (end /usr/local/bin/lockrelayers) ----

The script file "cortados" that follows has a list of addresses
permanently blocked from delivering mail to Esoterica;

---- cut here (begin /usr/local/bin/cortados) ----
#!/bin/sh
# flush the input firewall rules before re-adding the permanent blocks
/sbin/ipfwadm -I -f
# exceptions (addresses that are never cut down; my relay mail machine)
echo 220.127.116.11 >/dev/null
echo 18.104.22.168 >/dev/null
# The script denyaccess is used (see below)
#cyberpromo/savetrees
/usr/local/bin/denyaccess 22.214.171.124/24
/usr/local/bin/denyaccess 126.96.36.199/24
/usr/local/bin/denyaccess 188.8.131.52/24
#regulus.net/bulk-e-mail.com/nancynet.com, etc is an ISP for spammers...
/usr/local/bin/denyaccess 184.108.40.206/24
#mail-response.com/nancynet.com/nevwest.com/etc,etc,etc
/usr/local/bin/denyaccess 220.127.116.11/24
/usr/local/bin/denyaccess 18.104.22.168/24
/usr/local/bin/denyaccess 22.214.171.124/24
#1stfamily.com
/usr/local/bin/denyaccess 126.96.36.199/24
#kustom.on.ca
/usr/local/bin/denyaccess 188.8.131.52/24
#onlinebiz.net
/usr/local/bin/denyaccess 184.108.40.206/24
#netrecruiters.com, uniquepo,com, etc
/usr/local/bin/denyaccess 220.127.116.11/24
#asianinvestments.com.au
/usr/local/bin/denyaccess 18.104.22.168/24
#spamrelay.grandbikes.com
/usr/local/bin/denyaccess 22.214.171.124/24
---- cut here (end /usr/local/bin/cortados) ----

The file /usr/local/bin/cortados.relay has a list of IP's/pools that in
the past were used as relay to deliver junk mail to us. These addresses
are ALWAYS blocked on our secondary mail server. This is done because
if/when they were denied mail delivery to the primary mail server, the
spam would get delivered to the secondary. This script runs if we are
being bombed from three or more IP addresses. We cut these down for a
couple of minutes also (spammers have a limited number of IP's that they
can use for relay, and we cut those in a block whenever we know about
them). Since all cuts on the main mail machine are temporary there is
no problem on making mistakes... it will delay delivery to the next
mail queue processing... only these intervals make mail bombing close
to impossible!

---- cut here (begin /usr/local/bin/cortados.relay) ----
#!/bin/sh
/usr/local/bin/denyaccess 126.96.36.199/24
/usr/local/bin/denyaccess 188.8.131.52/24
/usr/local/bin/denyaccess 184.108.40.206/24
/usr/local/bin/denyaccess 220.127.116.11/24
[ ... big list of address pools including machines from uunet and other
big ISPs frequently used as relay for spam ... ]
/usr/local/bin/denyaccess 18.104.22.168/24
/usr/local/bin/denyaccess 22.214.171.124/24
/usr/local/bin/denyaccess 126.96.36.199/24
/usr/local/bin/denyaccess 188.8.131.52/24
/usr/local/bin/denyaccess 184.108.40.206/24
/usr/local/bin/denyaccess 220.127.116.11/24
/usr/local/bin/denyaccess 18.104.22.168/24
---- cut here (end /usr/local/bin/cortados.relay) ----

The file /usr/local/bin/cortados.new is empty and has the executable
bit active (i.e. it is a script with content filled in real time) and
called "at the end" of "lockrelayers". It is filled dynamically with a
sequence of commands to block addresses.

A script used to find relayers by "lockrelayers" is
"/usr/local/bin/findspamrelayers"... content follows...

---- cut here (begin /usr/local/bin/findspamrelayers_auto) ----
#!/bin/sh
# Find entries in maillog telling of relay use
grep relay /var/log/maillog >/tmp/xpto2
tail -600 /tmp/xpto2 >/tmp/xpto

# Extracting friendly virtual domains from the list of relayers ... those that
# we allow relaying and do mail forwarding
#
cat /etc/sendmail.cw | grep -v "^#" | grep "\." | while read nome
do
  grep -v "$nome" /tmp/xpto >/tmp/xpto2
  mv /tmp/xpto2 /tmp/xpto
done
#
# Extract domains for leased line customers and expanded
# addresses from the list of relayers
#
#
cat /etc/legalrelay | grep -v "^#" | grep "\." | while read nome
do
  grep -v "$nome" /tmp/xpto >/tmp/xpto2
  mv /tmp/xpto2 /tmp/xpto
done

#echo "Extracting known spammers (we already filter) from the list..."
cat /etc/mailspamdomains | while read nome
do
  grep -v "$nome" /tmp/xpto >/tmp/xpto2
  mv /tmp/xpto2 /tmp/xpto
done

# Separate maillog relay entries into two lists, to find out
# those that are currently relaying (have both a From entry and
# a To entry). Those that dont have both, are either local deliveries,
# locally originated or are coming from known spammers and were
# not delivering them (no To:)
#
cat /tmp/xpto | grep " from=" >/tmp/froms
cat /tmp/xpto | grep " to=" >/tmp/tos

# Output on stdout addresses that are in both lists (and so are
# currently relaying illegally). The stdout will be used by other scripts
#
# syslog pads days 1-9 with two spaces ("Oct  1"), which shifts the
# queue id one field to the right; pick the cut field accordingly
cat /tmp/tos | if grep "  " >/dev/null
then
  cat /tmp/tos | cut -f7 -d" " | while read msgid
  do
    grep "$msgid" /tmp/froms
  done
else
  cat /tmp/tos | cut -f6 -d" " | while read msgid
  do
    grep "$msgid" /tmp/froms
  done
fi

#Cleanup
rm -f /tmp/xpto2
rm -f /tmp/xpto
rm -f /tmp/tos
rm -f /tmp/froms
---- cut here (end /usr/local/bin/findspamrelayers_auto) ----

To examine the logs on my system I run from the command line the
following script called "viewspam" (every day to check spamming
attempts of the last hours)... it requires the "/etc/mailspamdomains"
file to determine what spammers to look for.

---- cut here (begin /usr/local/bin/viewspam) ----
#!/bin/sh
cat /etc/mailspamdomains | while read nome
do
  if grep "$nome" /var/log/maillog >/dev/null
  then
    echo "$nome"
    echo "------------------------------------------------"
    # same double-space check as in findspamrelayers_auto: the queue id
    # is field 7 for days 1-9 and field 6 otherwise
    grep "$nome" /var/log/maillog | if grep "  " >/dev/null
    then
      grep "$nome" /var/log/maillog | cut -f7 -d" " | while read msgid
      do
        grep " $msgid " /var/log/maillog
        echo
      done
      echo
    else
      grep "$nome" /var/log/maillog | cut -f6 -d" " | while read msgid
      do
        grep " $msgid " /var/log/maillog
        echo
      done
      echo
    fi
  fi
done
---- cut here (end /usr/local/bin/viewspam) ----

The denyaccess script that cuts access (/usr/local/bin/denyaccess) is;

---- cut here (begin /usr/local/bin/denyaccess) ----
#!/bin/sh
# Deny TCP packets coming from source $1 into dest "Our mail server"
/sbin/ipfwadm -I -i deny -P tcp -S "$1" -D 22.214.171.124 25 >/dev/null 2>/dev/null
# Same for UDP
/sbin/ipfwadm -I -i deny -P udp -S "$1" -D 126.96.36.199 25 >/dev/null 2>/dev/null
# Same for ICMP
/sbin/ipfwadm -I -i deny -P icmp -S "$1" -D 188.8.131.52 >/dev/null 2>/dev/null
---- cut here (end /usr/local/bin/denyaccess) ----

Hufff... now, I have some sendmail related files that are used to deny
access based on domain names on "/etc/mailspamdomains" and a list of
legal relayers (leased line customers, alias expansion that does not
appear in the logs) on "/etc/legalrelayers". My sendmail locks out
delivery from/to domains in "/etc/mailspamdomains". I got the domain
based lockout scheme for sendmail from "www.sendmail.org"... I also
have installed the checking of domains patch from the experimental
anti-spam counter-measures for sendmail; this does reverse DNS lookups
to check for validity of From and To addresses (also handy to find out
your clients' misconfigurations).

In short the files are;

/usr/local/bin/lockrelayers          main script to do real time locking running out of crontab
/usr/local/bin/findspamrelay_auto    used by "lockrelayers" to find out current spammers
/usr/local/bin/cortados              permanently cut IP's used by "lockrelayers"
/usr/local/bin/cortados.new          new IP's to cut; built and used by "lockrelayers"
/usr/local/bin/cortados.relay        list of machines used in the past to relay to us... used to
                                     lock in a block a lot of paths to esoterica and permanently
                                     cut on our relay mail machines... used by "lockrelayers"...
/usr/local/bin/viewspam              look at log entries related to spam based on /etc/mailspamdomains
/usr/local/bin/denyaccess            cuts access to port 25 from an address... used by "lockrelayers"
/etc/mailspamdomains                 list of domains to be cut by sendmail
/etc/legalrelay                      list of domains/users we allow relay to/from...

Ouch... this is the first time I actually attempted to explain to
someone the anti-spam measures in place here. If something fails to
work as it should just drop me a line and I'll add whatever is needed.

Basically this system does not prevent mailspam but makes it impossible
to work (i.e. reach more than the first few addresses) by allowing only
a small time window of uncontrolled access, cutting access to offenders
in a three/six times larger time window, and rendering mailspamdomains
unusable for more than one time window. Also it detects when an IP
address is attempting relay thru our system and shuts it up for a
while, it shuts up known pools of IPs (for a couple of minutes only)
used for relay if attacks persist, etc.

From what I gathered some spammers are going nuts with this; they even
forged mail and placed esoterica on the headers out of revenge. The
reason is simple; they start spamming us, or using us for relay from
some dial-in on aol/whatever, it seems to work in the first few minutes
(some messages may even reach their intended destination) and then...
esoterica is no longer reachable... they can't even ping us... then,
they try another dial-in, get another IP address and... BINGO, working
again for a few minutes, but then it stops working also... on the third
attempt things repeat themselves but then it seems that at the fourth
attempt not even new IP's get to esoterica... to make them REALLY MAD
everything works again a few minutes later; the problem is it would
take hours to deliver mass mailings thru this "less than five minutes"
window; worse than that, on the next attempt mail has to be forged
again since fake domains are blocked, etc. Spam received/relayed by
esoterica has dropped 99% in the last weeks.
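The detection and escalation logic those scripts implement, written out as an added Python example (this is not the original post's code and not anything Esoterica ran): it groups sendmail from=/to= records by queue id the way findspamrelayers_auto pairs /tmp/froms with /tmp/tos, flags a message as a third-party relay when neither sender nor recipient domain is local and the delivering host is not an allowed relayer, blacklists sender domains that begin with a digit as lockrelayers does, and pulls in the known-relay-pool list once the number of hosts to cut reaches the "third IP" threshold. The log lines, domain names, addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the LOCAL_DOMAINS, ALLOWED_RELAYS and KNOWN_RELAY_POOLS tables are all constructed stand-ins for /etc/sendmail.cw, /etc/legalrelay and cortados.relay; the mail server address passed to render_denyaccess is a placeholder.

```python
"""Relay-abuse detection over sendmail-style maillog lines (added example).

Reimplements the idea behind findspamrelayers_auto / lockrelayers: group
from= and to= records by queue id, flag third-party relays and fake sender
domains, and decide whether to escalate to the known-relay-pool block list.
Everything below is constructed for the example; the tables stand in for
/etc/sendmail.cw, /etc/legalrelay and /usr/local/bin/cortados.relay.
"""
import re
from collections import defaultdict

LOCAL_DOMAINS = {"esoterica.example"}       # stand-in for /etc/sendmail.cw
ALLOWED_RELAYS = {"198.51.100.50"}          # stand-in for /etc/legalrelay
KNOWN_RELAY_POOLS = ["198.51.100.0/24"]     # stand-in for cortados.relay

# Constructed sendmail 8.8-style log lines; not real traffic.
SAMPLE_LOG = """\
Oct  1 14:40:01 mail sendmail[2101]: OAA02101: from=<alice@esoterica.example>, size=512, class=0, pri=30512, nrcpts=1, msgid=<1@esoterica.example>, proto=SMTP, relay=ppp3.esoterica.example [192.0.2.30]
Oct  1 14:40:02 mail sendmail[2102]: OAA02101: to=<bob@remote.example>, delay=00:00:01, mailer=esmtp, relay=mx.remote.example. [198.51.100.9], stat=Sent
Oct  1 14:41:10 mail sendmail[2110]: OAA02110: from=<deal@bulk.example>, size=4096, class=0, pri=34096, nrcpts=1, msgid=<2@bulk.example>, proto=SMTP, relay=dial-44.isp.example [198.51.100.44]
Oct  1 14:41:11 mail sendmail[2111]: OAA02110: to=<victim1@elsewhere.example>, delay=00:00:01, mailer=esmtp, relay=mx.elsewhere.example. [198.51.100.77], stat=Sent
Oct  1 14:42:00 mail sendmail[2120]: OAA02120: from=<x@123offers.example>, size=900, class=0, pri=30900, nrcpts=1, msgid=<3@123offers.example>, proto=SMTP, relay=dial-45.isp.example [198.51.100.45]
Oct  1 14:42:01 mail sendmail[2121]: OAA02120: to=<carol@esoterica.example>, delay=00:00:01, mailer=local, stat=Sent
Oct  1 14:43:00 mail sendmail[2130]: OAA02130: from=<news@partner.example>, size=700, class=0, pri=30700, nrcpts=1, msgid=<4@partner.example>, proto=SMTP, relay=gw.partner.example [198.51.100.50]
Oct  1 14:43:01 mail sendmail[2131]: OAA02130: to=<dave@other.example>, delay=00:00:01, mailer=esmtp, relay=mx.other.example. [198.51.100.60], stat=Sent
"""

LOG_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): (?P<kind>from|to)=<(?P<addr>[^>]*)>(?P<rest>.*)$")
IP_RE = re.compile(r"relay=\S* \[(?P<ip>[\d.]+)\]")


def domain_of(addr):
    """Domain part of an address, lower-cased; '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def parse_log(text):
    """Group from=/to= records by queue id (sendmail logs them on separate lines)."""
    msgs = defaultdict(lambda: {"sender": None, "relay_ip": None, "rcpts": []})
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = msgs[m.group("qid")]
        if m.group("kind") == "from":
            rec["sender"] = m.group("addr")
            ip = IP_RE.search(m.group("rest"))
            rec["relay_ip"] = ip.group("ip") if ip else None
        else:
            rec["rcpts"].append(m.group("addr"))
    return msgs


def analyse(text, escalate_after=3):
    """Return the hosts to cut from port 25, the fake domains found, and whether
    the known relay pools are pulled in as well (the 'third IP' rule)."""
    block, fake = set(), set()
    for rec in parse_log(text).values():
        if rec["sender"] is None or rec["relay_ip"] is None:
            continue                        # no from= line with a relay host seen
        sdom = domain_of(rec["sender"])
        if sdom and sdom[0].isdigit():      # sender domain starting with a digit
            fake.add(sdom)
            block.add(rec["relay_ip"])
        external = [r for r in rec["rcpts"] if domain_of(r) not in LOCAL_DOMAINS]
        if (sdom not in LOCAL_DOMAINS and external
                and rec["relay_ip"] not in ALLOWED_RELAYS):
            block.add(rec["relay_ip"])      # neither end is ours: third-party relay
    escalate = len(block) >= escalate_after
    targets = sorted(block) + (list(KNOWN_RELAY_POOLS) if escalate else [])
    return {"block": targets, "fake_domains": sorted(fake), "escalate": escalate}


def render_denyaccess(targets, mailserver_ip):
    """Emit the ipfwadm lines the page's denyaccess script runs, one set per target.
    mailserver_ip is the destination address being protected (placeholder here)."""
    lines = []
    for t in targets:
        for proto, port in (("tcp", " 25"), ("udp", " 25"), ("icmp", "")):
            lines.append(f"/sbin/ipfwadm -I -i deny -P {proto} -S {t} -D {mailserver_ip}{port}")
    return lines


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(result)
    for cmd in render_denyaccess(result["block"], "192.0.2.1"):
        print(cmd)
```

The original scripts exclude a transaction by dropping any log line that merely mentions a domain from sendmail.cw or legalrelay; this version checks the sender and recipient domains explicitly, which avoids matching a local domain that happens to appear inside a longer hostname or msgid. Feeding it the last N lines of the log, as lockrelayers does with tail, gives the same sliding window.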