Hello,

Thanks, all, for your replies.

This discussion made me think about this problem from another angle.
Let's look at the following headers from one of the virus mails I get:

------------------------- BEGIN HEADERS -----------------------------
Return-Path: <[EMAIL PROTECTED]>
Received: from htwuac.gov (85-250-51-131.bb.netvision.net.il [85.250.51.131])
        by mydomain.haifa.ac.il (Postfix) with SMTP id ED5E61B3C7;
        Thu,  1 Dec 2005 14:54:41 +0200 (IST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 01 Dec 2005 12:51:51 GMT
Subject: Your IP was logged
Importance: Normal
X-Mailer: SpeedMail_V2.37
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====80c2818aace8.222"
Content-Transfer-Encoding: 7bit
-------------------------- END HEADERS ------------------------------

Why not just check whether 85.250.51.131 has an MX record?
If it has an MX record it's probably an ISP and we won't block it.
If it has no MX record, let's block it for 24 hours.

What do you think?


Regards,
Leon Kolchinsky



-----Original Message-----
From: Keith Dunnett [mailto:[EMAIL PROTECTED]
Sent: Thu 01.12.2005 15:36
To: ???? ????'?????
Cc: amavis-new
Subject: Re: [AMaViS-user] Temporary blocking IP of virus senders
 
[EMAIL PROTECTED] wrote:

>But I'm seeking an automatic solution, to make the IP addition to the client_checks file
>and run postmap hash:client_checks afterwards.
> 
>If anyone has some script/solution for that matter I'd be glad to get one :)
>

The obvious solution is to parse your mail log for amavis notices (from cron)
and generate iptables rules on the fly. I don't have a script to do that, but
here is an equivalent which I use to block those who try to log into sshd with
illegal user names. Customise as needed.

#!/bin/sh

# Snapshot the current SSHBLOCK chain so we can see which addresses are
# already blocked (a private temp file instead of ./.tmp1 in the cwd).
tmp=`mktemp /tmp/sshblock.XXXXXX` || exit 1
/sbin/iptables -L SSHBLOCK -v -n > "$tmp"
change=0

# Parse auth.log for any "Illegal user" messages from sshd and add the
# source address to the SSHBLOCK chain.  Field 10 is the client address
# in the log format this was written against; adjust if yours differs.
for ip in `cat /var/log/auth.log* | grep "sshd.*Illegal user" | awk '{print $10}' | sort -un`; do
  # -F: match the address literally; -w: 10.0.0.1 must not match 10.0.0.12
  test=`grep -Fw "$ip" "$tmp"`
  if [ -z "$test" ]; then
    change=1
    echo "Blocking all SSH access to $ip"
    /sbin/iptables -I SSHBLOCK 1 -s "$ip" -j DROP
  fi
done

rm -f "$tmp"

if [ "$change" = 1 ]; then
  # Limit the ruleset to the last 50 attacking IPs
  /sbin/iptables -D SSHBLOCK 51 >/dev/null 2>&1
  echo ""
  /sbin/iptables -L SSHBLOCK -v
fi

This runs every minute from cron, and assumes that the chain already exists.
You could no doubt customise it to recognise virus notices from your mail log.

However, there is another option which might save you the hassle. See
http://virbl.bit.nl/ for more details. This will block some of them at
Postfix level before they even arrive :-)

HTH,

Keith

> 
> 
>Best Regards,
>Leon Kolchinsky
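Keith's cron approach and the 24-hour expiry from Leon's reply combined, as an added example that is not from either message: it parses amavisd-new "Blocked INFECTED" notices (constructed sample lines; the exact field layout of your amavis version is an assumption), keeps a per-IP last-seen time, drops entries older than 24 hours and renders a Postfix client_checks table, which still needs the postmap run Leon mentions. Function names and the 24h text are hypothetical; expiry is counted from the time the cron run saw the notice, since syslog timestamps carry no year.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of amavisd-new syslog lines (assumed format: the first
# bracketed address after "Blocked INFECTED (...)" is the connecting client).
SAMPLE_LOG = """\
Dec  1 14:54:42 mx amavis[4321]: (04321-01) Blocked INFECTED (W32/Sober.AA), [85.250.51.131] [85.250.51.131] <a@example.org> -> <b@example.net>
Dec  1 14:55:10 mx amavis[4321]: (04321-02) Passed CLEAN, [192.0.2.10] [192.0.2.10] <c@example.org> -> <d@example.net>
Dec  1 15:01:03 mx amavis[4321]: (04321-03) Blocked INFECTED (W32/Mytob.X), [198.51.100.7] [198.51.100.7] <e@example.org> -> <f@example.net>
Dec  1 15:02:00 mx amavis[4321]: (04321-04) Blocked INFECTED (W32/Sober.AA), [85.250.51.131] [85.250.51.131] <g@example.org> -> <h@example.net>
"""

BLOCKED_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Blocked INFECTED \([^)]*\), \[(\d+\.\d+\.\d+\.\d+)\]"
)
BLOCK_TTL = timedelta(hours=24)


def blocked_ips(log_text):
    """Return the set of client IPs that delivered a blocked infected mail."""
    ips = set()
    for line in log_text.splitlines():
        m = BLOCKED_RE.search(line)
        if m:
            ips.add(m.group(1))
    return ips


def update_blocklist(state, log_text, now):
    """state maps IP -> datetime it was last seen sending a virus.
    New offenders are added, repeat offenders refreshed, stale ones expired."""
    for ip in blocked_ips(log_text):
        state[ip] = now
    for ip in [ip for ip, seen in state.items() if now - seen > BLOCK_TTL]:
        del state[ip]
    return state


def client_checks(state):
    """Render a Postfix access table (client_checks): one 'IP REJECT text' line.
    After writing it, run: postmap hash:/etc/postfix/client_checks"""
    lines = [f"{ip} REJECT sent infected mail within the last 24h" for ip in sorted(state)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Stand-alone run: one cron pass over the sample log, printed as a table.
    print(client_checks(update_blocklist({}, SAMPLE_LOG, datetime(2005, 12, 1, 16, 0))), end="")
```

In a real cron job the state dict would be persisted between runs (e.g. pickled to a file) and the rendered table written over /etc/postfix/client_checks before postmap.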




-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37&alloc_id865&op=click
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
