Koozali.org: home of the SME Server

Spam/Virus filtering by IP

Rogue

Spam/Virus filtering by IP
« on: September 22, 2004, 08:57:53 AM »
Is it possible to reject email based on the source IP either via Qmail or Spam Assassin?

I have 3 obviously compromised servers sending a large volume of spam and virii my direction every day, and the relevant ISPs seem incapable of doing anything to rectify the problem. The IP addresses are always the same, so I just need to find a way to blacklist those IP addresses.

Offline raem

Spam/Virus filtering by IP
« Reply #1 on: September 22, 2004, 03:32:57 PM »
Have you tried these methods?

The "compromised" servers are likely to be blacklisted and therefore mail from them will be rejected using RBL. This method has been incorporated into the more recent spamassassin contribs.

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Spam%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm

As for virii, as long as you are happy to reject messages with executables, this method will reject just about all messages with virus-infected attachments.

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm
...

Rogue

Spam/Virus filtering by IP
« Reply #2 on: September 22, 2004, 04:25:43 PM »
Thanks for the reply Ray.

I'm currently running the latest version of the Swerts-Knudsen SpamAssassin & ClamAV installs, and using the RBL functionality through his Server Manager page. This has gotten rid of several regular offenders, but not these three. I am also unable to block executable content as several of the users regularly get sent scripts and small executable applications - retraining the users is not a viable option (under a management directive). [Read this as the boss of the small firm is technology illiterate, and has a hard enough time as it is, without changing the way he and his staff do things]

I have reported the emails to the ISP, SpamCop, etc but rather than wait any longer for the IP to be added to an RBL, I want to be able to manually add IP addresses myself.

After reviewing the SA documentation, it should be possible to do it that way, so now it's just a case of working out the finer details. If I can work out a viable solution before someone can provide an answer, I'll post it here.

FWIW it seems that the compromised PCs' owners were all attendees of a recent school reunion, and had their email addresses published on a public website in good faith. We only tracked this down because several of the spam emails contained addresses remarkably similar to those of other attendees, and the ISPs & locations seem to match up too well to be coincidence. Pity that none of these folk seem to respond to emails either...
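One way to do the qmail side of what is being asked for (manually adding source IPs to a reject list), added here as an example and not code from the thread or from any SME contrib: a small POSIX sh helper that turns a hand-kept blocklist into "ADDR:deny" entries in the tcprules format read by qmail's tcpserver. It assumes the SMTP front end runs under tcpserver, uses a placeholder rules path, and the addresses below are constructed documentation-range values.

```sh
#!/bin/sh
# Added example: build tcprules-format deny entries from a plain list of IPs.
# Assumption: the SMTP front end runs under tcpserver; RULES_FILE is a placeholder,
# check where your SME install keeps tcp.smtp before applying anything.
RULES_FILE=${RULES_FILE:-/etc/tcprules.d/tcp.smtp}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ip() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Read a blocklist (one IP per line, '#' comments allowed) and print one
# "IP:deny" rule per valid entry; malformed entries go to stderr and are skipped.
make_deny_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                        # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -z "$line" ] && continue
        if valid_ip "$line"; then
            printf '%s:deny\n' "$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# Demo with a constructed blocklist (documentation-range addresses, not real hosts).
BLOCKLIST=$(mktemp)
cat > "$BLOCKLIST" <<'EOF'
192.0.2.10          # compromised host reported to the ISP, still sending
198.51.100.7
not.an.ip
203.0.113.300       # bad octet, will be skipped
EOF
make_deny_rules "$BLOCKLIST"
rm -f "$BLOCKLIST"
# To apply: append the deny lines to "$RULES_FILE" (keep the existing ":allow"
# default) and rebuild the cdb that tcpserver actually consults:
#   tcprules "$RULES_FILE.cdb" "$RULES_FILE.tmp" < "$RULES_FILE"
# tcpserver checks the exact remote address before the default rule, so the
# listed hosts are refused at connection time, before any message is accepted.
```

Re-run the tcprules command whenever the list changes; the running tcpserver reads the cdb on each new connection, so no restart is needed.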

Offline raem

Spam/Virus filtering by IP
« Reply #3 on: September 22, 2004, 10:40:31 PM »
Rogue

> I am also unable to block executable content as
> several of the users regularly get sent scripts
> and small executable applications.....

Using pattern matching you can still send executable attachments etc but they need to be sent as zip files, which users should be doing anyway to use email efficiently. Once the zip program is installed it's a right click to zip and a right click to unzip files, not at all hard or time consuming. Receiving exe files directly is just too dangerous.

I think you should tell that boss that one day they will get badly stung by a virus infection; I'm sure after that they won't hesitate to implement stronger virus blocking measures.


>...... but rather than wait any longer for the IP to be added to an RBL......

Just out of interest what is the offending IP ?
...

Offline chris burnat

    • http://www.burnat.com
Spam/Virus filtering by IP
« Reply #4 on: September 23, 2004, 09:03:44 AM »
I wonder if SNORT + mitel-trevor-guardian would be of assistance.  Once installed, one can add an IP in the blocking list.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

Offline raem

Spam/Virus filtering by IP
« Reply #5 on: September 23, 2004, 03:13:18 PM »
burnat

> .....SNORT + mitel-trevor-guardian.....add an IP in the blocking list

I am aware of SNORT, but what is mitel-trevor-guardian?
I assume it's an rpm; where do you get it & what does it do?

Thanks
...

Offline byte

Spam/Virus filtering by IP
« Reply #6 on: September 23, 2004, 03:29:38 PM »
You can find it here, Ray: http://mirror.contribs.org/smeserver/contribs/cbharda/contrib/snort/

Not sure what additional features it gives you, though.
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline raem

Spam/Virus filtering by IP
« Reply #7 on: September 23, 2004, 03:50:11 PM »
Thanks, will have a look.
...

Offline dalex

Spam/Virus filtering by IP
« Reply #8 on: September 23, 2004, 11:30:05 PM »
Sorry to say (IMHO), but that's exactly a job for a proper firewall. I always put a firewall in front of SME. I use Smoothwall or IPCop, which are perfect candidates.

Why add such a raw and harsh job to a server doing complex things? Smoothwall has proven itself as a firewall needing only a cheap PC to run. I use an industrial PC board (Geode 300 with 128 MB, an old 1.6 GB HD and 3 Ethernet ports, green/red/DMZ). Put SME in the DMZ/green combination and selectively forward every port you _use_ to SME: 80, 25, 443 and so on. You can also use DHCP from Smoothwall (I never use Squid; SME is far better). Smoothwall can also be the DNS resolver, but only for the green zone; SME in the DMZ uses its own tinydns.

You have, of course, web administration of the firewall. Then you can filter any IP combinations on Smoothwall and sleep quietly!

I have put as many as 3 SME servers behind an IPCop serving all the needs of 2 domains, and had no problems. For instance, switching the web service to a backup server means changing ONE entry in port forwarding in the firewall...

Sometimes extra h/w solves many problems...
...

Offline chris burnat

    • http://www.burnat.com
Spam/Virus filtering by IP
« Reply #9 on: September 24, 2004, 03:02:26 AM »
Ray, guardian analyses alerts detected by snort and blocks the offending IPs for a preset period of time, after which they are unblocked; check http://www.chaotic.org/guardian/

There are two files (guardian_block.sh and guardian_unblock.sh) in which one can enter an IP to manually control access. Also an "ignore" file, but this does not appear to be working.

All required RPMs can be found at:
http://www.keane.co.nz/downloads/Snort%20Acid%20Guardian/

This download area includes two modified files which seem to work rather well. I am still in the process of testing this; so far, judging by the logs, it looks very promising, except that snort is detecting an alert when accessing contribs.org from Mozilla in RHE3, with the result that guardian blocks access to the site - ironic, isn't it... I have included 69.9.12.50 in the unblock list, and now all is well. My thanks go to Tony for his kind assistance over the past few days.

Please let me know how you go.  Rgds. chris.

Offline gzartman

    • LEI Engineering & Surveying
Spam/Virus filtering by IP
« Reply #10 on: September 25, 2004, 08:50:07 PM »
There are several ways this can be done, but probably one of the easiest is with Mailfront mailrules. Darrell May put up a pretty nice contrib to define custom mail rules. Have a look in his contrib area here at contribs.

Greg
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.

bobway54

Spam/Virus filtering by IP
« Reply #11 on: September 26, 2004, 02:43:09 AM »
I have the same problem. The IP addresses that I am fighting with are Road Runner and dsl addresses.

I just loaded up the e-smith-masq-manager contrib and am going to try it to filter out offending IP addresses on port 25. It looks like it will do it but I haven't configured it yet. I use our SME server in the gateway configuration.

I'll check back in a couple of days and let you know how it works.

Here is the link to it - http://no.longer.valid/mylinks/singlelink.php?cid=123&lid=372