Ramprasad wrote:
Marc Perkel wrote:
There's people out there who are better and faster programmers than I am. I need a simple utility written. We can post it on the SA Wiki when we're done.

I don't care what it's written in but I'm thinking that xinetd might be easiest. What I want is something to record the IP address of any host connection to port 25. Then it's going to need to run a one line script file that runs netcat (nc) and sends me data. Basically I just need the IP address. I have a collector program listening that feeds the blacklist system. The collector is:

#!/bin/sh
# forward the script's arguments (the connecting IP) to the collector, then close
echo "$*" | nc -w 2 <host> <port>
exit 0

You mean you need a script that will listen on port 25 instead of an smtpd daemon?
Will it be a trivial thing to do?
What should this do, just log the IPs to syslog and break the connection immediately after connect?
Yes - the idea being that you have some service, like a name server, where there is no reason at all for anything to connect to port 25, so everything that attempts to connect to it is spam. So it's not an MTA but just a script (xinetd -> shell script - or perl) that closes the connection immediately and sends the IP to a central collector that accumulates information and builds blacklists that can be used by SpamAssassin.
The idea of this project is to collect hits on port 25 of computers that shouldn't be hit on port 25. These hits would be 100% spambots and hackers. They hit it - they get listed.

I'll share my collector code, which is a one line script.

socat -u TCP4-LISTEN:<port>,reuseaddr,fork OPEN:/logfile &

The pair of these programs can be used to collect any kind of data based on troublemakers hitting ports that shouldn't be hit. This could be used for ssh attempts - anything. These programs feed IP collection systems and then some task manages the list, rotates it, and generates DNS blacklists.

I'm thinking such a system might be really useful.
Yes, I think that would give a zero-FP blacklist on IPs.
Any real MTA would do an MX lookup;
IMO if mail is sent to non-MX IPs the mail is spam and the IP is a spammer's
(internal misconfigured transport relays need to be excluded).
Yep - you got it.
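The trap end of this setup, written out as an added example (this is not Marc Perkel's script or anything from the SA Wiki). It assumes xinetd exports the peer address in REMOTE_HOST, that the collector's host and port come from COLLECTOR_HOST/COLLECTOR_PORT (the values below are placeholders), and it builds in the exclusion Ramprasad mentions: loopback and RFC 1918 sources are never reported, so a misconfigured internal relay cannot end up on the list. The script never speaks SMTP; it sends one record to the collector and exits, which closes the client's connection.

```shell
#!/bin/sh
# Added example, not the original poster's code: xinetd side of the port-25 trap.
# xinetd runs this once per connection with the client's socket on stdin/stdout
# and (assumption) the peer address exported in $REMOTE_HOST.
#
# Suggested /etc/xinetd.d/smtp-trap (assumed layout, adjust to taste):
#   service smtp
#   {
#       socket_type = stream
#       protocol    = tcp
#       wait        = no
#       user        = nobody
#       server      = /usr/local/sbin/smtp-trap.sh
#   }

COLLECTOR_HOST="${COLLECTOR_HOST:-collector.example.invalid}"   # placeholder
COLLECTOR_PORT="${COLLECTOR_PORT:-9000}"                         # placeholder

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255.
# Validating here keeps stray garbage out of the collector's log file.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_internal ADDR -> 0 for loopback and RFC 1918 ranges. These are never
# listed: a hit from them is a misconfigured internal relay, not a spambot.
is_internal() {
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# build_record ADDR [STAMP] -> prints the one line sent to the collector
# ("<utc time> <ip> smtp-trap"), or prints nothing and fails when ADDR
# must not be reported. STAMP is optional so callers can fix the time.
build_record() {
    addr=$1
    stamp=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    is_ipv4 "$addr" || return 1
    is_internal "$addr" && return 1
    printf '%s %s smtp-trap\n' "$stamp" "$addr"
}

# Main path, only when invoked by xinetd (REMOTE_HOST set): report and exit.
# Whatever the client sends on stdin is ignored; exiting closes the connection.
if [ -n "$REMOTE_HOST" ]; then
    build_record "$REMOTE_HOST" | nc -w 2 "$COLLECTOR_HOST" "$COLLECTOR_PORT" 2>/dev/null
    exit 0
fi
```

Pair it with the socat collector above and the log file receives one timestamped line per hit; the timestamp is what lets the list-management task age entries out and rotate the blacklist.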