Koozali.org: home of the SME Server

Deny IP addresses for SPAM ?

gman

Deny IP addresses for SPAM ?
« on: February 22, 2003, 08:08:42 PM »
I have searched the forum and came up with this link:

http://forums.contribs.org/index.php?topic=12716.msg47777#msg47777

Has anyone performed this, and if so, what were the results? Where do I make this modification? "hosts.deny"?

Thanks,

G

Nathan Fowler

Re: Deny IP addresses for SPAM ?
« Reply #1 on: February 24, 2003, 03:57:10 AM »
These go in smtp_check_rules, which applies to SME Pre 5.5.  If you run pre-5.5 I can assist you.

Gman

Re: Deny IP addresses for SPAM ?
« Reply #2 on: February 24, 2003, 05:42:51 AM »
Well, currently I run 5.5 update2, however next weekend I will be upgrading to 5.6. Is there any other way to just block "bad" IP blocks/subnets from connecting to the SME server ?  I know I can use "hosts.deny", however I do not want to completely block them, only from attaching to my mail server.

Thanks for replying !

G

Bill Talcott

Re: Deny IP addresses for SPAM ?
« Reply #3 on: February 24, 2003, 05:21:19 PM »
Will http://myezserver.com/downloads/mitel/contrib/Mailrules/ work? FYI, I got this installed on 5.5 with an updated version of mailfront. I did need to expand a file manually, and it wants to see 5.6's files for a default install. I'm not sure if it's working though...

Nathan Fowler

Re: Deny IP addresses for SPAM ?
« Reply #4 on: February 24, 2003, 05:22:10 PM »
Easiest way would be to use ipchains to block the CIDR noted addresses, just like in smtpd_check_rules.

Syntax:
ipchains -A input -p tcp --dport 25 --source /CIDR -j DENY

Example:
/sbin/ipchains -A input -p tcp --dport 25 --source 216.0.0.0/8 -j DENY

This would deny the range access to TCP 25, which is SMTP, which basically would accomplish the same thing.  I don't believe you can do CIDR notation in /etc/hosts.deny (please correct me if I am wrong).

I'm not exactly sure if 5.5/5.6 is using IPTables, if it is, I believe that you may still use the ipchains syntax to create iptable rules.  I don't know a great deal about iptables, so it may be necessary for you to translate the chain rule to iptables.  If you can use CIDR notation in /etc/hosts.deny and ipchains doesn't exist on your system then hosts.deny would be a good fall-back as well.

Thanks,
Nathan

Nathan Fowler

Re: Deny IP addresses for SPAM ?
« Reply #5 on: February 24, 2003, 05:24:09 PM »
Note that I would also be more than happy to provide my rules, which in my eyes are more accurate than the previously posted rules, and also include LACNIC (Latin America) as well as RIPE and APNIC hosts.

Bill Talcott

Re: Deny IP addresses for SPAM ?
« Reply #6 on: February 24, 2003, 06:20:00 PM »
Nathan Fowler wrote:
>
> I'm not exactly sure if 5.5/5.6 is using IPTables, if it is,
> I believe that you may still use the ipchains syntax to
> create iptable rules.  I don't know a great deal about
> iptables, so it may be necessary for you to translate the
> chain rule to iptables.  If you can use CIDR notation in
> /etc/hosts.deny and ipchains doesn't exist on your system
> then hosts.deny would be a good fall-back as well.

5.5 still uses the 2.2 kernel and ipchains. 5.6 uses 2.4 and iptables. I'm still using 5.5, but from what little I've seen the iptables syntax is very similar to ipchains, though not exactly the same.
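
Added example (not part of any post in this thread): a small script that prints the port-25 block rule from Reply #4 for a list of CIDR ranges, in either ipchains syntax (5.5) or its iptables counterpart (5.6). The function names, the `/sbin/iptables` path and the sample list are assumptions made for illustration; the script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example: print SMTP-only block rules for a list of CIDR ranges,
# in ipchains (2.2 kernel) or iptables (2.4 kernel) syntax.

# valid_cidr A.B.C.D/LEN: succeed only for octets 0-255 and a prefix 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# smtp_block_rule TOOL CIDR: print one rule dropping TCP port 25 from CIDR.
smtp_block_rule() {
    if ! valid_cidr "$2"; then
        echo "skipping invalid CIDR: $2" >&2
        return 1
    fi
    case "$1" in
        ipchains) echo "/sbin/ipchains -A input -p tcp --dport 25 --source $2 -j DENY" ;;
        # /sbin/iptables path is an assumption; DROP is the iptables counterpart of DENY
        iptables) echo "/sbin/iptables -A INPUT -p tcp --dport 25 --source $2 -j DROP" ;;
        *) echo "unknown tool: $1" >&2; return 2 ;;
    esac
}

# rules_for_list TOOL: read CIDRs from stdin (one per line, '#' comments allowed).
rules_for_list() {
    while read -r cidr rest; do
        case "$cidr" in ''|'#'*) continue ;; esac
        smtp_block_rule "$1" "$cidr" || true
    done
}

# Constructed sample list: the range from the thread plus documentation ranges.
rules_for_list iptables <<'EOF'
# blocked ranges
216.0.0.0/8
198.51.100.0/24
203.0.113.300/24
EOF
```

Because `-A` appends, a rule added this way only takes effect if no earlier rule in the chain already accepts the connection.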

Bill Talcott

Re: Deny IP addresses for SPAM ?
« Reply #7 on: February 24, 2003, 06:42:19 PM »
Bill Talcott wrote:
>
> Will http://myezserver.com/downloads/mitel/contrib/Mailrules/
> work? FYI, I got this installed on 5.5 with an updated
> version of mailfront. I did need to expand a file manually,
> and it wants to see 5.6's files for a default install. I'm
> not sure if it's working though...

This doesn't appear to be working. I don't have the time and knowledge to really figure out why. If you've got the updated version of mailfront installed on 5.5, it probably shouldn't be too hard to make work, I would think...

Charlie Brady

Re: Deny IP addresses for SPAM ?
« Reply #8 on: February 24, 2003, 07:59:04 PM »
Nathan Fowler wrote:

> I'm not exactly sure if 5.5/5.6 is using IPTables

5.5 isn't, 5.6 is.

You might want to look at my e-smith-mailfront contrib. It allows you to use multiple RBLs. Should work with 5.5 and 5.6.

Charlie

Steve Bush

Re: Deny IP addresses for SPAM ?
« Reply #9 on: February 27, 2003, 01:14:02 AM »
Great addition Charlie...thanks
I installed with
rpm -Uvh e-smith-mailfront-1.0.0-01rbl.noarch.rpm
I then ran the following (not sure I needed to)
service smtpfront-qmail restart

Since I get quite a bit of SPAM..I waited a few minutes and checked the log file using:
more /var/log/smtpfront-qmail/current |grep rblsmtpd

I noticed I have already gotten 4 blocks....

The rpm defaults to using the list at:
lists.dsbl.org

I haven't tried adding other services to it yet...though it appears to go in the following file:
/var/service/smtpfront-qmail/rblsmtpd.conf

I hope this helps anyone else interested in installing it...

Bill Talcott

Re: Deny IP addresses for SPAM ?
« Reply #10 on: February 27, 2003, 05:39:17 PM »
How would one go about adding other servers to the list, or removing the default? I can figure out how to change the default to something else, but what about using <>1 list?

Charlie Brady

Re: Deny IP addresses for SPAM ?
« Reply #11 on: February 27, 2003, 05:50:43 PM »
Bill Talcott wrote:
>
> How would one go about adding other servers to the list, or
> removing the default? I can figure out how to change the
> default to something else, but what about using <>1 list?

http://cr.yp.to/ucspi-tcp/rblsmtpd.html

You probably want "-r rbl.one -r rbl.two ....". Templating rblsmtpd.conf to use a db to generate the list would be easy.

Charlie

Bill Talcott

Re: Deny IP addresses for SPAM ?
« Reply #12 on: February 27, 2003, 07:52:57 PM »
Thanks for the link. I already made a template from the default file, so that I could make my customizations without worrying about screwing stuff up. =) If you were to fancy it up a bit, and even make a Server Manager panel for modifying blacklists, that would be cool. Perhaps a bit of overkill, but I like making things as idiot-proof as possible...

Steve Bush

Re: Deny IP addresses for SPAM ?
« Reply #13 on: February 27, 2003, 09:41:37 PM »
I noticed that there are quite a few retries when rblsmtpd denies an SMTP transaction.  There also appears to be an option to return a hard error of 533 or bounce immediately as opposed to the soft error of 451 or try again later.

Is there any reason we wouldn't want to include the option to bounce "-b -C" instead of the default try again later "-B -C" ?

Steve Bush

Re: Deny IP addresses for SPAM ?
« Reply #14 on: February 27, 2003, 11:57:05 PM »
I have added:
spews.relays.osirusoft.com to my rbl list and changed the default action to reject email by using the -b (lowercase) switch.

RBLARGS="$RBLARGS -b -C -r list.dsbl.org -r spews.relays.osirusoft.com"

The above is on one line....
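
Added example (not part of any post in this thread, and not the e-smith-mailfront contrib's own code): a sketch of the templating idea from Reply #11, building the `RBLARGS` value from a list of RBL zones with a choice between rblsmtpd's `-b` and `-B` switches, plus the DNS name rblsmtpd looks up for a given client against a zone. The function names, the `hard`/`soft` mode words and the client address `192.0.2.10` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate the rblsmtpd argument string for several RBL zones.

# build_rblargs MODE ZONE...: MODE is "hard" (-b, reject now) or
# "soft" (-B, ask the sender to retry later). -C lets mail through when
# the RBL lookup itself fails temporarily.
build_rblargs() {
    case "$1" in
        hard) args="-b -C" ;;
        soft) args="-B -C" ;;
        *) echo "mode must be 'hard' or 'soft'" >&2; return 2 ;;
    esac
    shift
    seen=" "
    for zone in "$@"; do
        # Accept only plausible DNS names, and list each zone once.
        case "$zone" in
            ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) echo "skipping '$zone'" >&2; continue ;;
        esac
        case "$seen" in *" $zone "*) continue ;; esac
        seen="$seen$zone "
        args="$args -r $zone"
    done
    echo "$args"
}

# rbl_query_name IP ZONE: the name queried for a client, which is the
# IPv4 octets in reverse order followed by the zone.
rbl_query_name() {
    old_ifs=$IFS; IFS=.
    set -- $1 "$2"          # split only the address on dots
    IFS=$old_ifs
    [ $# -eq 5 ] || { echo "expected a dotted-quad IPv4 address" >&2; return 1; }
    echo "$4.$3.$2.$1.$5"
}

# Zone names are the ones given in Reply #14; the client address is constructed.
printf 'RBLARGS="$RBLARGS %s"\n' \
    "$(build_rblargs hard list.dsbl.org spews.relays.osirusoft.com)"
rbl_query_name 192.0.2.10 list.dsbl.org
```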