>When looking at the output of ghba.sh its hard to pinpoint my business
>customers using smtp auth vs legit servers vs the ones that are bad about
>dictionary attacks.
I haven't found it too hard. In fact, with obvious, nearly always
recognizable exceptions like big ISPs and list servers (news, weather,
bank, very much like the SAV whitelist items), anvil is proving very
effective in identifying reliably abusive senders.
>I have put a couple of slight modifications to your ghba.sh to count the
>number of rejects per IP and the number of successful messages (reject: &
>client= log entries) into the same report text, making it helpful to tell
>what each IP is doing when its not anviled.
>I hope you don't mind me sharing my changes.
Of course not. More info always helps in decision making. Here's one nasty
IMGate report through midday Wed:
%less /var/tmp/anvil_ptr_sort.txt
=================================================
Wed Mar 3 13:19:38 CST 2004
Quantity of anvil blocks per IP
smtpd_client_connection_rate_limit = 10
client_rate_time_unit = 1800
=================================================
Anvils Reject Recvd IPAddr Revdns
There are 2 decisions to make:
1. add an IP to the anvil exception list. This is not too pressing since
legit servers that get anvilled are not totally rejected, just delivery
rate limited. They can get <smtpd_client_connection_rate_limit> delivered
every 1800 minutes to legit users, and in nearly all cases this
suffices. Furthermore, in the case of list servers, each of the SMTP
connections can be delivering multiple recipients per SMTP session. So
legit servers very rarely show up in anvil, and after being anvilled, if
they have a reasonable backoff interval, their IP will expire from anvil.
Their next connect will be able to deliver another dose
of <smtpd_client_connection_rate_limit> before being re-anvilled. So what
legit recipients experience (but probably don't notice) is a delay in
receiving their msgs, not total reject or failure.
2. add an anvilled IP to TCP blocking, like null route or firewall. This
decision of course requires more precision. One tactic is not to bother
TCP blocking the ankle biters, and reserve the TCP blocking only for IPs
that hit many 100s or 1000s of anvil rejects, which is exactly the
original target of anvil: to be immune against DoS-level attacks.
Thanks for the improved script. Very helpful.
Len
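An added example, not the ghba.sh script from the thread and written in Python rather than shell, that builds the same Anvils/Reject/Recvd/Revdns tally from postfix/smtpd log lines and tags each IP with one of the two decisions above (exception list vs TCP block). The exact log message texts, the 100-anvil block threshold and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Patterns for the three postfix/smtpd log lines the report counts. The
# message texts are assumed from Postfix 2.1-era logs, not taken from the thread.
ANVIL_RE = re.compile(r"Connection rate limit exceeded: \d+ from (?P<host>[^\s\[]+)\[(?P<ip>[\d.]+)\]")
REJECT_RE = re.compile(r": reject: \w+ from (?P<host>[^\s\[]+)\[(?P<ip>[\d.]+)\]")
CLIENT_RE = re.compile(r": client=(?P<host>[^\s\[]+)\[(?P<ip>[\d.]+)\]")

def count_per_ip(lines):
    """Tally anvil blocks, rejects and accepted sessions (client=) per client IP."""
    stats = defaultdict(lambda: {"anvils": 0, "reject": 0, "recvd": 0, "revdns": ""})
    for line in lines:
        for key, rx in (("anvils", ANVIL_RE), ("reject", REJECT_RE), ("recvd", CLIENT_RE)):
            m = rx.search(line)
            if m:
                rec = stats[m["ip"]]
                rec[key] += 1
                if m["host"] != "unknown":      # keep the reverse DNS name when Postfix had one
                    rec["revdns"] = m["host"]
                break
    return dict(stats)

def classify(rec, block_threshold=100):
    """Map one IP's counts onto the two decisions discussed in the thread (threshold assumed)."""
    if rec["anvils"] >= block_threshold:          # hundreds of anvil hits: TCP block territory
        return "tcp-block-candidate"
    if rec["anvils"] and rec["reject"] == 0 and rec["recvd"]:
        return "exception-list-candidate"         # legit sender that was only rate limited
    if rec["anvils"] and rec["recvd"] == 0:
        return "ankle-biter"                      # blocked, delivered nothing, not worth a firewall rule
    return "watch"

def report(lines, block_threshold=100):
    """Rows of (anvils, reject, recvd, ip, revdns, decision), busiest first."""
    stats = count_per_ip(lines)
    rows = [(r["anvils"], r["reject"], r["recvd"], ip, r["revdns"], classify(r, block_threshold))
            for ip, r in stats.items()]
    return sorted(rows, reverse=True)

# Constructed sample log using documentation addresses, not real traffic.
ANVIL_LINE = "Mar  3 13:10:00 mx postfix/smtpd[2000]: warning: Connection rate limit exceeded: 11 from {host}[{ip}] for service smtp"
SAMPLE_LOG = [
    ANVIL_LINE.format(host="unknown", ip="192.0.2.10"),
    "Mar  3 13:10:02 mx postfix/smtpd[2002]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <nobody@example.org>: Relay access denied; from=<a@example.net> to=<nobody@example.org> proto=SMTP helo=<x>",
    "Mar  3 13:10:03 mx postfix/smtpd[2003]: 5A1B2C3D4E: client=lists.example.com[192.0.2.20]",
    ANVIL_LINE.format(host="lists.example.com", ip="192.0.2.20"),
    "Mar  3 13:10:05 mx postfix/smtpd[2005]: 6B2C3D4E5F: client=lists.example.com[192.0.2.20]",
] + [ANVIL_LINE.format(host="unknown", ip="192.0.2.30")] * 120   # one client hammering the MX

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print("%5d %5d %5d %-15s %-25s %s" % row)
```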