[Dshield] Firewall/Spam defense

John D. lists at webcrunchers.com
Wed Oct 22 23:17:02 GMT 2003

>In lieu of the recent RBL issues, I've recently started a research project 
>on controlling spam via the firewall.  My research involves finding DHCP or 
>dial-up IP addresses and blocking them for a period of time if the IP 
>registers a connect on port 25. 

Are you sure you want to do that? Our Crunchbox has this feature built in, but legit mail would also get blocked, and nobody within the network could send to anyone else in the blocked IP range... Kinda like cutting off your foot.

>As the IP address is seen in recurrence, the block-out time increases.  I've 
>had about a 35% success ratio.  The ratio increases as my users continue to 
>identify spam. 

Yeah - we find about 10 minutes to be optimum... but it also fills up our firewall rule set if we don't watch it all the time. But we never run out of space.

We have a nice feature on our system... it's a sudo command, and we just type "blockmail <IP>" from the shell, and it blocks mail coming into my user account from that IP address. We use that to block large IP blocks that send us ALL spam. It's local to the user, but other users won't be blocked.

>With the RBLs, at best we achieved about 10% efficiency and 5% loss of 
>legitimate mail. 
>My questions are as follows: 
>1.  Is there a definitive way to get a list of dynamic IP blocks? 

Yes - use Snort. Write a rule that detects spam mail coming in... it has a source address (usually the same as one on the mail header). Then modify Snort's "log.c" module to make some tests, and return the IP to block.

Or write a script to pick out the IP address from the mail headers of the mail you get. A 5-line bit of Python code is all that's needed. Do a reverse DNS on the IPs to find out which ones are coming from infected hosts. Mostly the ones from USA-based ISPs are your good candidates. The only problem is that once an infected host is used to send spam, it might not be used for several weeks; in that case you have to ask yourself if you want to block them that long.

>2.  I am interested in any opinions of this research. 

Been there, done that - contact me privately at crunch at shopip dot com.

>I am looking to improve my tactics in identifying dynamic IP addresses and 
>also to determine the long-term viability of the project. 

The idea is good - but the side effects of some of the things you want to do could make it easy to DDoS your system, so you need to be aware of that.

>To date, I have determined 1.5 million dynamic addresses. 

That doesn't surprise me... I'm logging EVERY IP address I get from spam, and have gathered almost 6000 infected hosts. In 2 weeks, I shut down about 650 of them.

Our tools for doing this are still in the Alpha test phase, but if everyone had one of these, then spammers are in for a very BAD DAY very soon. -grin-
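The header-parsing script the reply mentions, as an added example that is not code from the original post or from the Crunchbox tools: it pulls the first hop outside our own network out of the Received headers of a constructed sample message and applies the escalating block (10 minutes, doubling on each recurrence) discussed in the thread. The 192.0.2.0/24 relay network and the sample message are assumptions; the reverse-DNS step is left out so the code runs offline.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample message (not from the original post): the outer Received
# line was added by our own MX, the inner one by the host that sent the spam.
SAMPLE_MAIL = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP; Wed, 22 Oct 2003 23:10:01 +0000
Received: from unknown (HELO xyz) (203.0.113.45)
\tby relay.example.net; Wed, 22 Oct 2003 23:09:58 +0000
From: someone@example.com
"""

# Assumption: 192.0.2.0/24 is our own relay network. Hops from it, from RFC 1918
# space or from loopback are never the spam source, so they are skipped.
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def originating_ip(raw_mail, skip=SKIP_NETS):
    """Walk Received headers newest-first; return the first hop outside skip."""
    msg = message_from_string(raw_mail)
    for received in msg.get_all("Received", []):
        for candidate in IPV4_RE.findall(received):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:      # e.g. 999.1.1.1 matched by the regex
                continue
            if any(ip in net for net in skip):
                continue
            return str(ip)
    return None   # no usable hop, e.g. all Received lines were internal

class SpamBlocklist:
    """Block a source for `base` seconds, doubling the time on each recurrence."""
    def __init__(self, base=600):   # 10 minutes, the period the post calls optimum
        self.base = base
        self.hits = {}      # ip -> times seen
        self.expiry = {}    # ip -> epoch seconds when the block lapses

    def record(self, ip, now):
        self.hits[ip] = self.hits.get(ip, 0) + 1
        self.expiry[ip] = now + self.base * 2 ** (self.hits[ip] - 1)
        return self.expiry[ip]

    def is_blocked(self, ip, now):
        return now < self.expiry.get(ip, 0)
```

Only the first external hop is returned; everything below it in the Received chain is sender-controlled and can be forged.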