Topic: How to block email from an IP address?

[aghlords]

Hi there,

I am running an SME 6.0.1 in server only mode as a web and email server in a DMZ.

I have a firewall between the SME and the internet, but the firewall deny rules do not apply to the DMZ.

I am getting hammered to the extent that the SME box has virtually stoped, due to these spammed emails.

They are all coming from 1 IP address.

Is there some sort of panel that can be installed in the Server Manager to block access to an IP address?

Failing this, does anyone have any suggestions?

Any help will be much appreciated.

-AH.

[funkusmunkus]

have a look here
http://forums.contribs.org/index.php?topic=27127.0

and you should also look into this
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Spam%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm

hope that helps
cheers

[kruhm]

To get real serious about blocking from the IP or the IP range, make a customized template in tcprules to drop all traffic.

-mkdir /etc/e-smith/templates-custom/etc/tcprules/tcp.smtp/
-start a new file called 85customdeny with the following:

Code: [Select]


{
    $OUT  = "theipyouwanttoblock:deny\n";
    $OUT .= "theiprangeyouwanttoblock:deny\n";
}

-rebuild the file with a: /sbin/e-smith/expand-template /etc/tcprules/tcp.smtp
-pickup the changes with a: /sbin/e-smith/signal-event email-update

That's it, this will block all traffic from that IP. To find who is responsible for the IP, use one of the whois lookups for a certain region here; http://www.iana.org/faqs/abuse-faq.htm

If you want to see what a highly customized tcp.smtp file looks like visit: http://web.greens.org/etc/r.txt

[smeghead]

.. of course there is always my standard option of blocking the IP at the router infront of the SME box (as I always use a double NAT'd setup with router & SME in gateway mode)

A lot less messing around for those not comfortable with templates or the command line.

HTH

[aghlords]

Hi again,

Thanks very much to everyone who offered help and/or suggestions.

I ran with the following:

To get real serious about blocking from the IP or the IP range, make a customized template in tcprules to drop all traffic.

-mkdir /etc/e-smith/templates-custom/etc/tcprules/tcp.smtp/
-start a new file called 85customdeny with the following:

Code: [Select]


{
    $OUT  = "x.x.x.x:deny\n";
}

-rebuild the file with a: /sbin/e-smith/expand-template /etc/tcprules/tcp.smtp
-pickup the changes with a: /sbin/e-smith/signal-event email-update

So far, this seems to have done the trick!
Does anyone know where (or if) any events denied by this rule would be logged?

My SME box is the mail & webserver. It is sitting in a DMZ, so the firewall that sits in front of it simply exposes it to the world.
The box was grinding to a halt (like a Dos situation) because some infected PC is (was ??) flooding it with spoofed emails. Spamassassin and the virus scanner were processing them, but bringing the box to a virtual standstill.
I have contacted the ISP of the offending PC, but they were "less than helpful" !

Hoping for the best,
-AH.

[kruhm]

deny's are located in the smtpfront-qmail logs. Filter by deny or ipa if needed.

[command line]
You can check all of your logs by:

-cd /var/log
-grep -r "casesensitivesearch" *

I'm think about creating a panel for this since its proving to be effective and it doesn't seem to be a difficult edit. But i've never created a panel before.

Options would be 1-adding the ip 2-what type of block either :DENY or :ALLOW,RBLSMTPD then 3-a message field.

i usually get a list of ip's/domains by packet sniffing the traffic to the sme and filtering out the smtp packets.

[Brenno]

Not sure if this will work for an IP address (I block those at the port level on my firewall,) but I use the mailblocking contrib from dungog.net to do something similar for users who get a lot of crap email from one or two consistent domains.  Setting up the rules is easy: you specify the incoming address and the destination address, and it blocks away with a custom refusal message!  Since you can use wildcards in the rules, it's very flexible and has reduced my Spam volume by about 16% overnight.

The link is at the bottom of this page:

http://www.dungog.net/sme/files/index.php

[kruhm]

The mailblocking contrib is great. But it doesn't work with ip addresses, only domain names.

This works great against the guy at cisco who keeps on trying to bother me to buy his crap but it doesn't work against most spammers. Domain names are a dime a dozen. I captured more than 12000 names in a few hours. Names like:

202.57.145.57.rev-ip.isp-thailand.com
la02-net02-45.ohthatsfunny.com
ep61.sweeps-at-stake.com

As many web hosting company cram domains onto one box (up to thousands), IP blocking is one of the only effective ways to stop spam. It blocks against a compromised box or an ISP/hosting company that has less than ideal standards.

Even better, with IP blocking, instead of blocking just the one address above from our friends in Bangkok, we can block their whole range
202.57.128-191.

[Black]

I tried that below and it didn't work.

"To get real serious about blocking from the IP or the IP range, make a customized template in tcprules to drop all traffic.

-mkdir /etc/e-smith/templates-custom/etc/tcprules/tcp.smtp/
-start a new file called 85customdeny with the following:

Code:   

{
    $OUT  = "x.x.x.x:deny\n";
}
   

-rebuild the file with a: /sbin/e-smith/expand-template /etc/tcprules/tcp.smtp
-pickup the changes with a: /sbin/e-smith/signal-event email-update"


It had a problem with this step:

"rebuild the file with a: /sbin/e-smith/expand-template /etc/tcprules/tcp.smtp
-pickup the changes with a: /sbin/e-smith/signal-event email-update"

[kruhm]

I tried that below and it didn't work.

Then you're doing something wrong.
Be sure of the ip address is correct that you're blocking.