On Mon, 11 Aug 1997, Bruce Perens wrote:

> I'm building a spam blocking package for Debian. While that is going on,

i notice that the latest sendmail package includes Claus Aßmann's
anti-spam stuff.  I've been using them for several months now, and
they're quite good. not perfect, but they do work.

> then you already have "tcpd" filtering your mail connections. If that's
> not the case, read the man page on "tcpd". Once "tcpd" is set up, you can
> add the following text to the beginning of /etc/hosts.allow . This blocks
> connections from AGIS, a haven for spammers. I'd be interested in hearing
> about other IP addresses that should be blocked.

I have ip firewalling enabled in the kernel and just packet filter
them - it's easier to maintain a list of spam nets for distribution to
several machines (around 6 major gateways and moderately large mail
relays at the moment) than it is to distribute /etc/hosts.deny.  

here are the addresses that I block.  i'm seriously considering blocking all
AGIS-related networks.


    208.9.64.0/24           # Cyber Promotions (Sprint)
    207.14.212.0/24         # Financial Connections, Inc
    208.1.117.0/24          # I can't remember (somewhere in Sprint)
    205.199.212.0/24        # Cyber Promotions (AGIS)
    205.199.2.0/24          # Cyber Promotions (AGIS)
    208.12.112.0/23         # MakeItSo, Inc
    205.199.4.0/24          # nancynet - added 970529

the sprint cyberpromo network is probably long obsolete - they got booted
from there ages ago.

> My final version will not simply deny the connections, but will output
> an SMTP error to them which will cause an immediate mail bounce at their
> end.

firewalling them holds the mail in their queue for a few days and then
bounces it - slowing down their mail delivery systems at the minor price
of having their system attempt a connection every so often.  

firewalling is also much less work for my system to do than forking tcpd
and checking the hosts_access rules.

there are advantages and disadvantages to both ways of doing it.


> # The following net blocks are denied e-mail access because they belong to
> # sites that have not yet established an effective anti-spam policy.
> 
> # AGIS provides net connectivity to most of the well-known spammers.
> tcp-env qmail-smtpd in.smtpd in-smtpd smtpd sendmail smail exim: \

I'd convert this to an /etc/mail/SpamNets file like so:

    # /etc/mail/SpamNets

    # can be network/netmask (eg 1.2.3.4/255.255.255.0) or 
    # network/bits (eg 1.2.3.4/24)

    205.254.160.0/255.255.224.0     # optional comment - who, why, when, etc
    206.82.252.0/255.255.255.0      #
    207.142.0.0/255.255.0.0         #
    207.15.68.0/255.255.252.0       #
    208.18.18.0/255.255.255.0       #
    208.18.4.0/255.255.252.0        #
    209.14.0.0/255.255.0.0          #
    204.68.252.0/255.255.255.0      #
    204.137.128.0/255.255.128.0     #
    205.164.0.0/255.255.0.0         #
    206.62.0.0/255.255.0.0          #
    205.198.0.0/255.254.0.0         #
    206.42.0.0/255.254.0.0          #
    206.148.0.0/255.254.0.0         #
    206.185.0.0/255.255.0.0         #
    206.248.0.0/255.252.0.0         #
    206.84.0.0/255.254.0.0          #
    204.157.0.0/255.255.0.0         #
    208.9.64.0/24                   # Cyber Promotions (Sprint)
    207.14.212.0/24                 # Financial Connections, Inc
    208.1.117.0/24                  # I can't remember (somewhere in Sprint)
    205.199.212.0/24                # Cyber Promotions (AGIS)
    205.199.2.0/24                  # Cyber Promotions (AGIS)
    208.12.112.0/23                 # MakeItSo, Inc
    205.199.4.0/24                  # nancynet - added 970529

(thanks for these network addresses, btw. i'll check out who they belong
to and add them to my spamnets file)

This could be processed at boot time with a script like the following: 

    #! /bin/sh

    ANYWHERE=0.0.0.0/0
    PORTS=25

    # uncomment the following if you want blocked spam packets logged
    # (requires ip firewall logging enabled in the kernel)
    #
    #LOG="-o"
     
    # read in /etc/mail/SpamNets for host/network addresses to firewall,
    # ignoring comments.
    JUNKMAIL=`sed -e '/^#/d' -e '/^$/d' -e 's/#.*$//' /etc/mail/SpamNets`

    # block out junkmailing scumbags
    for i in $JUNKMAIL ; do
        /sbin/ipfwadm -I -a reject $LOG -P tcp -S $i -D $ANYWHERE $PORTS
    done

I use this on several mail machines/gateways.  

One of the systems using this is a freebsd system - the ipfw utility
is similar to but significantly different from the linux ipfwadm
utility....no problem, i just use a slightly different wrapper script.
it should also be easy enough to produce firewalling commands for
Ciscos and other routers.  It would also be easy to put a web or gui
front-end onto the script for "easy" (hah! nothing's easier than vi :-)
maintenance of the list.


craig


--
craig sanders
networking consultant                  Available for casual or contract
temporary autonomous zone              system administration tasks.
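
The list-to-rules step described in the mail, as an added example (not craig's script and not part of the original thread): a dry-run generator that reads the /etc/mail/SpamNets format above, normalises netmask entries to CIDR, rejects malformed masks, and prints either ipfwadm (Linux) or ipfw (FreeBSD) commands so one list can feed both kinds of gateway. The ipfw rule number and the file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Prints rules; it does not apply them.

# Entries only: strip comments, blank lines and surrounding whitespace.
spamnets_entries() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Normalise "net/mask" or "net/bits" (or a bare host) to "net/bits".
# A dotted mask must be contiguous ones followed by zeros; otherwise return 1.
to_cidr() {
    case "$1" in */*) ;; *) set -- "$1/32" ;; esac
    net=${1%/*}; mask=${1#*/}
    case "$mask" in
        *.*.*.*)
            bits=$(echo "$mask" | awk -F. '{
                n = 0; zero = 0
                for (i = 1; i <= 4; i++) {
                    o = $i + 0
                    if (o < 0 || o > 255) exit 1
                    for (b = 7; b >= 0; b--) {
                        if (int(o / 2^b) % 2) { if (zero) exit 1; n++ } else zero = 1
                    }
                }
                print n }') || return 1 ;;
        *) bits=$mask ;;
    esac
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] 2>/dev/null || return 1
    echo "$net/$bits"
}

# $1 is "linux" or "freebsd", $2 the list file. Bad entries are reported
# on stderr and skipped rather than silently producing a broken rule.
spam_rules() {
    for entry in $(spamnets_entries "$2"); do
        cidr=$(to_cidr "$entry") || { echo "skipping bad entry: $entry" >&2; continue; }
        case "$1" in
            linux)   echo "/sbin/ipfwadm -I -a reject -P tcp -S $cidr -D 0.0.0.0/0 25" ;;
            freebsd) echo "/sbin/ipfw add 1000 reset tcp from $cidr to any 25" ;;  # rule number assumed
        esac
    done
}
```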
