On Fri, 27 Sep 2002, Federico Sevilla III wrote:
..
> I have absolutely no advice to give on the iptables rules, but I wonder:
> what do you think about something of a community database of these bad
> boys (and girls)? I for one would like to ally with trustable folk like
> you, blocking them off completely. I haven't begun to think of the
> technology we'd need to keep in-sync with each other and handle address
> additions, since I'd rather start with knowing what you (and everyone
> else) thinks of the concept. :)
I *HAVE* given thought to that idea: something like a community blacklist.

I have some software here which interfaces with SpamAssassin and keeps a list of "known good" and "known bad" IPs in MySQL. This is updated in REALTIME as every mail comes in. (I classify "good" and "bad" according to SpamAssassin, but with a high threshold). This allows me to maintain a "dynamic blacklist." In addition, I also have a static blocklist which I manually maintain.

mysql> desc blacklist;
+------------+---------------+------+-----+---------+-------+
| Field      | Type          | Null | Key | Default | Extra |
+------------+---------------+------+-----+---------+-------+
| ipaddress  | varchar(20)   |      | PRI |         |       |
| count      | int(11)       | YES  |     | NULL    |       |
| lastupdate | timestamp(14) | YES  |     | NULL    |       |
+------------+---------------+------+-----+---------+-------+
3 rows in set (0.03 sec)

I also have a "whitelist" table with the same fields.

Basically, if an incoming mail is tagged as spam (by SpamAssassin) I increment the "count" of the relevant IP address. The "lastupdate" field is automagically updated. Then, I do a join between "whitelist" and "blacklist" so that I know how many spams and non-spams a given IP address has emitted (e.g. we don't want to blacklist Yahoo even though they send a lot of spam).

Then, an IP address which has emitted at least 90% spam gets added to my /etc/postfix/access and to my iptables block, IF its lastupdate was within the current day (I retire entries after one day). You'll note that if an IP gets non-blacklisted and sends spam AGAIN, the "lastupdate" field will be updated to the current date, and the IP will be automagically blacklisted AGAIN (for another day).

The reason we need to retire is because if we DON'T retire, an IP that gets blacklisted will remain blacklisted FOREVER (because it can no longer send mails to us, its goodness/badness score will never be updated).
So my spam solution consists of:

1) DNSBL via ORDBS, Spamhaus, DSBL
2) hacked "avcheck" which talks to spamd to mark spams as a virus
3) the hacked "avcheck" also updates a MySQL database based on EVERY mail that goes through the system

This solution "kinda" works. Meaning it can handle our current mail traffic of about 700k messages/day. However, in the past when we came under spam DoS the queue would grow (right now a 500-mail queue is normal for us). But hopefully, now that I'm blocking via iptables (to avoid smtpd's getting hung) this will be less of an issue.

On a side note: when our mail servers are heavily loaded, I use Gerard Java's "iptraf" to look at which IPs are hosing the servers. Easy to detect DoS that way..

---
Orlando Andico <[EMAIL PROTECTED]>
Mosaic Communications, Inc.

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
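The dynamic blacklist logic described in the post above (per-IP spam and ham counters, a join of the two tables to get the spam share, a 90% threshold, and one-day retirement), as an added example that is not code from the post or its author. It uses SQLite in place of MySQL, constructed sample traffic on documentation addresses, and reads "within the current day" as the last 24 hours; all three are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Same three fields as the post's MySQL tables (lastupdate kept as ISO text in SQLite).
SCHEMA = """
CREATE TABLE blacklist (ipaddress TEXT PRIMARY KEY, count INTEGER, lastupdate TEXT);
CREATE TABLE whitelist (ipaddress TEXT PRIMARY KEY, count INTEGER, lastupdate TEXT);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record(db, table, ip, when, n=1):
    """Count n messages from ip as spam ('blacklist') or ham ('whitelist') and bump lastupdate."""
    assert table in ("blacklist", "whitelist")
    db.execute(f"INSERT OR IGNORE INTO {table} VALUES (?, 0, ?)", (ip, when.isoformat()))
    db.execute(f"UPDATE {table} SET count = count + ?, lastupdate = ? WHERE ipaddress = ?",
               (n, when.isoformat(), ip))

def ips_to_block(db, now, min_ratio=0.9, window=timedelta(days=1)):
    """IPs with spam share >= min_ratio seen inside the window; older rows are retired."""
    rows = db.execute(
        "SELECT b.ipaddress, b.count, COALESCE(w.count, 0), b.lastupdate "
        "FROM blacklist b LEFT JOIN whitelist w ON w.ipaddress = b.ipaddress").fetchall()
    cutoff = now - window
    blocked = []
    for ip, spam, ham, last in rows:
        # An IP with no whitelist row has sent us nothing but spam (ham = 0).
        if spam / (spam + ham) >= min_ratio and datetime.fromisoformat(last) >= cutoff:
            blocked.append(ip)
    return sorted(blocked)

def demo(now=datetime(2002, 9, 27, 12, 0)):
    # Constructed sample traffic, not data from the post.
    db = open_db()
    record(db, "blacklist", "192.0.2.10", now, 19)   # 19 spam, 1 ham  -> 95%, blocked
    record(db, "whitelist", "192.0.2.10", now, 1)
    record(db, "blacklist", "192.0.2.20", now, 30)   # 30 spam, 70 ham -> 30%, kept (big webmail host)
    record(db, "whitelist", "192.0.2.20", now, 70)
    record(db, "blacklist", "192.0.2.30", now - timedelta(days=2), 10)  # 100% spam but stale -> retired
    record(db, "blacklist", "192.0.2.40", now, 5)    # 5 spam, 0 ham   -> 100%, blocked
    return ips_to_block(db, now)

if __name__ == "__main__":
    # Lines in /etc/postfix/access format for the IPs that qualify right now.
    print("\n".join(f"{ip} REJECT" for ip in demo()))
```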
