[Dshield] relect=550 actions

Bruce Campbell bruce.campbell at ripe.net
Tue Jul 16 12:36:09 GMT 2002

On Tue, 16 Jul 2002, Pieter-Bas IJdens wrote:

> Anyone know of a mail server plug-in/add-on (preferably for sendmail, but
> any other agent will do) that allows automatic action when a host generates
> too many (one? :P) 550 relaying denied errors?

Attached below is a trimmed message from Ross Wheeler that recently passed
over the aussie-isp list (should work under FreeBSD, some assembly
required otherwise).  It is external to any MTA, relying on tcpdump,
tcpshow and route.

You should be able to change the message within to match whatever message
your MTA gives out when it refuses relay attempts (the example matches on
'User unknown' in an attempt to stop dictionary attacks).  On matching
this enough times, it will null route offenders.  This could be changed to
be your choice of ipf(w|wadm|chains)? commands.

                             Bruce Campbell                            RIPE
                   Systems/Network Engineer                             NCC
                 www.ripe.net - PGP562C8B1B             Operations/Security


 From: Ross Wheeler
 Subject: Re: [Oz-ISP] Detecting "spam slammers"....

On Mon, 15 Jul 2002, Ross Wheeler wrote:

> Am I the only one who gets sick of this sort of thing:  ??
> Jul 15 16:14:29 sendmail[82956]: <garyl at albury.net.au>... User unknown
> Jul 15 16:14:29 sendmail[82956]: <german at albury.net.au>... User unknown

A few people replied, some chatted on irc and made it automatically
de-route the offenders. (/me waves to mark).

After a little discussion, it was decided that it'd be nice to
automatically de-route offenders for a while.

Here's a working solution for for FreeBSD....

% cat find.spamming.bastards
#! /bin/sh

while [ 1 ]; do
      tcpdump -lenx -s 256 src port 25 and src host mail \
            and '( ip[2:2] > 50 and ip[2:2] < 100 )' \
            | tcpshow -cooked -w 132 -noHostNames \
            | awk '/IP:/ {IP=$4};  /User unknown/ {if(baddies[IP]++ == 10)
                      system("./fixscum "IP" 4")   }'

% cat fixscum
#! /bin/sh

# Fix (de-route) spamming scumbags
# %1 is ip address of offender
# %2 is duration in hours (defaults to 24 hours if not specified)
# Special case is if #1 is "clean", will remove expired entries
# Gets called by cron with the following entry:
# 1    *    *    *    *    root  ~rossw/fixscum clean


if [ "$1" = "clean" ]; then
        expire=`date +"%d/%b/%Y-%H"`
        for ip in `grep "^$expire " $list | awk '{print $2}'`
                echo `date +"%d/%b/%Y-%H:%M "`Re-routing $ip >> $log
                ssh mail "/sbin/route -q delete $ip >/dev/null"
        grep -v "^$expire " $list > $list.tmp
        mv $list.tmp $list
        # This forces the code to re-start every hour
        kill `ps -ax | grep "tcpdump.*port 25 and src host mail" | awk '{print $1}'`
        t=$(( ${2:-1} + 1 ))
        expire=`date -v+${t}H +"%d/%b/%Y-%H"`
        echo "$expire $1" >> $list
        echo `date +"%d/%b/%Y-%H:%M "`De-routing $1 >> $log
        ssh mail "/sbin/route -q add $1 >/dev/null" &

*** Note: you don't need the ssh if this code runs on the local mail host
of course, but my monitoring box isn't the mail box. You could use
ssh/rsh/telnet+expect to do the routing changes at your core router if you
wanted to....

An sample of the log:

%tail derouted.ip.addresses.log
16/Jul/2002-11:01 Re-routing
16/Jul/2002-11:01 Re-routing
16/Jul/2002-11:01 Re-routing
16/Jul/2002-11:01 Re-routing
16/Jul/2002-11:01 Re-routing
16/Jul/2002-11:03 De-routing
16/Jul/2002-11:04 De-routing
16/Jul/2002-11:05 De-routing
16/Jul/2002-11:07 De-routing
16/Jul/2002-11:07 De-routing
16/Jul/2002-11:09 De-routing
16/Jul/2002-11:10 De-routing
16/Jul/2002-11:11 De-routing

I was getting from 130 to 150 "unknown user" entries per minute, that's
now fallen significantly. One other chap has added 200 odd null-routes to
his mail box overnight, and as mark says:

09:50:29-16/07/02| <Mark> ross fyi i've null routed over 200 ip's since last night
09:50:46-16/07/02| <RossW> has it helped?
09:51:20-16/07/02| <Mark> only /var/log/maillog:8305 rejects so far today
09:51:32-16/07/02| <Mark> so it's helped a shitload

More information about the list mailing list