[Dshield] Firewall/Spam defense

Rick Klinge rick at jaray.net
Thu Oct 23 02:54:29 GMT 2003

FWIW, you could always use the free SpamAssassin
http://spamassassin.org/downloads.html .. they even have a Windows 32-bit
GUI, I believe, too.  And at http://www.famhost.com/support/pktfilter.zip is a
free packet filter too that works well with Windows platforms.


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of John D.
Sent: Wednesday, October 22, 2003 6:17 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Firewall/Spam defense

>In lieu of the recent RBL issues, I've recently started a research project
>on controlling spam via the firewall.  My research involves finding DHCP or
>dial-up IP addresses and blocking them for a period of time if the IP
>registers a connect on port 25.

Are you sure you want to do that?   Our Crunchbox allows this feature built
in,  but legit mail would also get blocked,  as well as not allowing anyone
within the network to send to anyone else in the blocked IP range....  Kinda
like cutting off your foot.

>As the IP address is seen in recurrence, the block-out time increases.  I've
>had about a 35% success ratio.  The ratio increases as my users continue to
>identify spam.

yea - We find about 10 minutes to be optimum...  but it also fills up our
firewall rule set if we don't watch it all the time.   But we never run out
of space.

We have a nice feature on our system...  it's a sudo command, and we just
type "blockmail <IP>" from the shell,  and it blocks mail coming into my
user account from that IP address.  We use that to block large IP blocks
that send us ALL spam.   It's local to the user,  but other users won't be

>With the RBLs, at best we achieved about 10% efficiency and 5% loss of
>legitimate mail.
>My questions are as follows:
>1.  Is there a definitive way to get a list of dynamic IP blocks?

Yes - use Snort.  Write a rule that detects spam mail coming in....  it has
a source address (usually the same as one on the mail header).  Then modify
snort's "log.c" module to make some tests,  and return the IP to block.

Or write a script to pick out the IP address from the mail headers of the
mail you get.   A 5-line bit of Python code is all that's needed.  Do a
reverse DNS on the IPs to find out which ones are coming from infected
hosts.   Mostly the ones from USA-based ISPs are your good candidates.
Only problem is that once an infected host is used to send spam,  it might
not be used for several weeks,  in that case you have to ask yourself if you
want to block them that long.

>2.  I am interested in any opinions of this research.

Been there,  done that - contact me privately at crunch at shopip dot com.

>I am looking to improve my tactics in identifying dynamic IP addresses and
>also to determine the long term viability of the project.

The idea is good - but the side effects of some of the things you want to
do,  could lead to making it easy to DDOS your system,  so you need to be
aware of that.

>To date, I have determined 1.5 million dynamic addresses.

That doesn't surprise me...  I'm logging EVERY IP address I get from spam,
and have gathered almost 6000 infected hosts.   In 2 weeks, I shut down
about 650 of them.

Our tools for doing this,  are still in Alpha test phase,  but if everyone
had one of these,  then spammers are in for a very BAD DAY very
on.   -grin-


Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
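
The header-scraping approach John D. sketches above (pull the source IP out of the mail headers, reverse-resolve it, and block repeat offenders for a growing interval), written out as an added example that is not part of the original thread and not the poster's own tooling. Everything in it is constructed for illustration: the sample message, the hostnames and IPs (documentation ranges), the trusted-relay names, and the dictionary standing in for reverse DNS. Two choices are mine, not the thread's: only Received headers written by your own relays are consulted, because anything below that point is sender-supplied and forgeable, and the doubling block timer is capped so the "easy to DDoS your system" side effect mentioned in the reply cannot turn a spoofed or hijacked source into a months-long block.

```python
"""Added example (not from the DShield thread): extract the connecting IP from
Received headers, reverse-resolve it, flag dynamic-looking hostnames and keep
an escalating, capped block timer per IP.  All names and addresses below are
constructed for illustration."""
import re
import socket
from email import message_from_string
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample: one hop written by our MX, one by our internal relay,
# and a sender whose reverse name looks like a DSL pool (documentation IPs).
SAMPLE_MAIL = (
    "Received: from relay.example.test (relay.example.test [192.0.2.10])\n"
    "\tby mx.example.test with ESMTP id x1; Wed, 22 Oct 2003 18:17:00 -0400\n"
    "Received: from dsl-198-51-100-77.dyn.isp.test "
    "(dsl-198-51-100-77.dyn.isp.test [198.51.100.77])\n"
    "\tby relay.example.test with SMTP; Wed, 22 Oct 2003 18:16:55 -0400\n"
    "From: sender@isp.test\nTo: user@example.test\nSubject: constructed sample\n"
    "\nbody\n"
)
TRUSTED_RELAYS = {"mx.example.test", "relay.example.test"}   # hosts we control
FAKE_RDNS = {"198.51.100.77": "dsl-198-51-100-77.dyn.isp.test",  # offline stand-in
             "192.0.2.10": "relay.example.test"}

# "from <host> ... [<ip>] ... by <host>"; re.S lets it span folded header lines.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>[^\s;]+)",
    re.S)


def originating_ip(raw: str, trusted: Set[str]) -> Optional[str]:
    """Walk Received headers newest-first and return the IP that connected to the
    outermost host we control.  Headers below that point were written by the
    sender and can be forged, so they are never consulted."""
    msg = message_from_string(raw)
    candidate = None
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m or m.group("by").lower() not in trusted:
            break          # a header we did not write: stop trusting the chain
        candidate = m.group("ip")
        if m.group("from").lower() not in trusted:
            break          # this hop came from outside our perimeter
    return candidate


DYNAMIC_TOKENS = {"dyn", "dynamic", "dsl", "adsl", "dhcp", "pool", "ppp",
                  "cable", "dial", "dialup", "dialin", "cpe"}


def looks_dynamic(hostname: str, ip: str) -> bool:
    """Heuristic only: ISP naming tokens, or the IP's own octets embedded in the
    reverse name (e.g. host-203-0-113-5.isp.test).  Not a definitive answer."""
    tokens = set(re.split(r"[.-]", hostname.lower()))
    if tokens & DYNAMIC_TOKENS:
        return True
    return sum(o in tokens for o in ip.split(".")) >= 3


def live_rdns(ip: str) -> Optional[str]:
    """Real reverse lookup; the offline demo passes FAKE_RDNS.get instead."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def classify(raw: str, trusted: Set[str], rdns: Callable[[str], Optional[str]]
             ) -> Optional[Tuple[str, Optional[str], bool]]:
    """Return (connecting IP, reverse name or None, looks-dynamic flag)."""
    ip = originating_ip(raw, trusted)
    if ip is None:
        return None
    host = rdns(ip)
    return ip, host, bool(host) and looks_dynamic(host, ip)


class BlockTimer:
    """Per-IP block whose duration doubles on each recurrence, capped so a
    spoofed or hijacked source cannot push an address into an open-ended block."""

    def __init__(self, base_minutes: float = 10, max_minutes: float = 24 * 60):
        self.base, self.cap = base_minutes, max_minutes
        self.hits: Dict[str, int] = {}
        self.expires: Dict[str, float] = {}

    def record_hit(self, ip: str, now: float) -> float:
        """Register a new port-25 connect from ip; return the block length in minutes."""
        self.hits[ip] = self.hits.get(ip, 0) + 1
        minutes = min(self.base * 2 ** (self.hits[ip] - 1), self.cap)
        self.expires[ip] = now + minutes
        return minutes

    def is_blocked(self, ip: str, now: float) -> bool:
        return now < self.expires.get(ip, float("-inf"))


if __name__ == "__main__":
    result = classify(SAMPLE_MAIL, TRUSTED_RELAYS, FAKE_RDNS.get)
    print(result)
    timer = BlockTimer()
    if result and result[2]:
        print("block for", timer.record_hit(result[0], now=0.0), "minutes")
```

To run it against real mail, feed each raw message to `classify(raw, your_relay_names, live_rdns)` and only act on the returned IP when it actually connected to a host you control; the reverse-name heuristic produces false positives (many static business lines carry "dsl" in their names), so it is a candidate list to review, not a definitive list of dynamic blocks.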
