Atomic Secure Linux
 Post subject: one liner to find/stop possible spam activity
Unread postPosted: Thu Dec 22, 2005 4:17 pm 
Forum User
This has been a problem more than once for me, so I wrote a quick one liner to help sort out trends from the /var/log/secure file.

This script will print out a list of IP addresses that have connected via smtp at least 100 times. This was very useful for me, as I found two IP addresses that were filling up my queues with nearly 10,000 messages each over the span of 2 days!


Code:
grep smtp /var/log/secure | grep -oe '[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+' \
| sort | uniq -c | grep -e '^[[:space:]]*[[:digit:]]\{3,\}[[:space:]]\+[[:digit:]]'


Then all I had to do was add a line to my firewall script to block the IP and load started settling down right away. A line like this worked fine for me:

Code:
/sbin/iptables -A INPUT  -s 80.99.151.140  -j DROP


And no, I don't mind posting the IP ;)

Hope that helps somebody out there.


Last edited by mswanson on Fri Jan 13, 2006 10:57 am, edited 1 time in total.

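The same detection logic as the one-liner above, written as an added example (it is not code from the original post or from ASL): the threshold becomes a parameter instead of the "three or more digits" regex trick, and the matching rules are printed rather than applied, so they can be reviewed before going into a firewall script. The log lines are constructed for the example in an xinetd-style format (an assumption; the real layout of /var/log/secure depends on the MTA and tcp_wrappers setup). Note that the address regex grabs every dotted quad on a matching line, so if your own host's address is logged on smtp lines it will be counted too. Check the list before blocking anything.

```shell
#!/bin/sh
# Added example, not from the original post. Counts smtp connections per
# source address in a /var/log/secure-style file and prints iptables DROP
# rules for every source at or above a threshold. Nothing is applied.

# Constructed sample log (hypothetical hosts and documentation-range IPs).
# Format approximates xinetd/tcp_wrappers lines; adjust the grep if yours differs.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Dec 22 09:12:01 mail xinetd[901]: START: smtp pid=5001 from=198.51.100.7
Dec 22 09:12:03 mail xinetd[901]: START: smtp pid=5002 from=198.51.100.7
Dec 22 09:12:05 mail xinetd[901]: START: smtp pid=5003 from=198.51.100.7
Dec 22 09:12:09 mail xinetd[901]: START: smtp pid=5004 from=198.51.100.7
Dec 22 09:13:10 mail xinetd[901]: START: smtp pid=5005 from=203.0.113.25
Dec 22 09:13:11 mail xinetd[901]: START: smtp pid=5006 from=203.0.113.25
Dec 22 09:13:12 mail xinetd[901]: START: smtp pid=5007 from=203.0.113.25
Dec 22 09:14:00 mail xinetd[901]: START: smtp pid=5008 from=192.0.2.44
Dec 22 09:14:30 mail sshd[5100]: Accepted publickey for admin from 198.51.100.7 port 51022 ssh2
EOF

# smtp_sources LOGFILE MIN
# Prints "count ip" for each source with at least MIN smtp lines,
# busiest first. The sshd line above is ignored because it lacks "smtp".
smtp_sources() {
    grep smtp "$1" \
      | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
      | sort | uniq -c \
      | awk -v min="$2" '$1 >= min { print $1, $2 }' \
      | sort -rn
}

# drop_rules
# Reads "count ip" lines on stdin and prints one iptables rule per source.
# Rules go on the INPUT chain with -s, i.e. they stop the spammer's
# packets as they arrive rather than our replies on the way out.
drop_rules() {
    while read -r count ip; do
        printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run: threshold 3 on the sample; use 100 on a real log.
smtp_sources "$SAMPLE_LOG" 3 | drop_rules
```

On a real system, replace the sample file with /var/log/secure and raise the threshold to 100 (or whatever matches your traffic); pipe the output into `sh` only after reading it.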
Unread postPosted: Fri Dec 23, 2005 11:32 am 
Atomicorp Staff - Site Admin
That rule is dropping traffic on the return side to the spammer. Which works, but you'll get better performance applying that to the INPUT table, like this:

iptables -A INPUT -s 80.99.151.140 -j DROP

Mike and I are working on adding in the TARPIT rule to ASL, which would go one step farther: rather than dropping the traffic, it would slow the session down (and drop it, so it still won't get in). The added bonus there is you effectively tie up the spamming MTA without tying up yours.


Unread postPosted: Fri Jan 13, 2006 10:56 am 
Forum User
scott wrote:
That rule is dropping traffic on the return side to the spammer. Which works, but you'll get better performance applying that to the INPUT table, like this:

iptables -A INPUT -s 80.99.151.140 -j DROP

Mike and I are working on adding in the TARPIT rule to ASL, which would go one step farther: rather than dropping the traffic, it would slow the session down (and drop it, so it still won't get in). The added bonus there is you effectively tie up the spamming MTA without tying up yours.


Typo!

Thanks for the catch :)

I actually caught it on my end but forgot to update this post. I'll edit my post above for clarity

