[BlueOnyx:19698] Re: e-mail flooding
"Meaulnes Legler"@MailList
bluelist at waveweb.ch
Sun Jun 12 05:55:45 -05 2016
Thank you Tigerwolf for your reply. It helped me.
On 10.06.16 16:30, Tigerwolf wrote:
>> Since the senders differ, I cannot use the apf firewall, or can I?
> The senders may vary, but the IP very likely will be all the same or within a network block. That should be easily filtered by iptables.
> Check your mail logs for IPs in the same network range as the sample:
> grep 138.185.239. /var/log/maillog|less
I grepped out all IPs sending those mails with
grep "from=<janis at legler.org>" /var/log/maillog > janis-legler.org_flooding.txt
grep -oP "\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" janis-legler.org_flooding.txt > janis-legler.org_flooding_IPlist.txt
After reducing the duplicate 16'000 entries to a list of about 900 IP addresses, I entered them into apf. But that didn't work, I guess because apf firewalls logins only. So I tried with iptables. I created the following script:
### iptablesMassDrop.sh ###
#!/bin/sh
# usage: iptablesMassDrop.sh IPLISTFILE
if [ -f "$1" ] ; then # argument is a file
    IPlist="$1"
else
    echo "usage: $0 IPLISTFILE" >&2
    exit 1
fi
# filter list for valid IPs only (-o prints just the matching address, not the whole line;
# the regex is quoted so the shell does not glob-expand its ? and [] characters)
IPregex="((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPsList=$(grep -oE "$IPregex" "$IPlist" | sort -u)
# use iptables: append one DROP rule per address
for i in $IPsList ; do
    iptables -A INPUT -s "$i" -j DROP -v
done
###
First, that didn't help either, the mailings were still pouring in... Until I guessed that I had to restart iptables with
/etc/rc.d/init.d/iptables reload (or restart)
Now, the flooding stopped. Hallelujah. Wonder how long it takes until they come up with new IPs...
> Use SpamHaus. The BX GUI for mail should have a choice to enable DNS blocklists (DNSBL) with SpamHaus blocking. SpamHaus usually are quick to spot sources of floods and block the source IPs. It works by having sendmail do a DNS lookup to SpamHaus when there's incoming mail, and the result that is returned determines if mail is accepted or, if it's a known spammer source, stopped immediately.
Thanks for that hint, I'll look into it.
Meaulnes Legler
http://www.WaveWeb.ch
Zurich, Switzerland
+41\0 44 260 16 60
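An added example (my own, not code from the post or from BlueOnyx) that does in one script what the steps above do by hand: pull the relay IPs for one sender out of the maillog, roll them up into /24 blocks to see whether it is really one network as Tigerwolf suggested, and print the DROP rules for review before applying them. The log lines and the sender address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): extract the relay IPs that delivered a flood
# of mail for one sender address, collapse them to /24 networks, and print DROP rules.
# The log lines below are constructed sendmail-style samples; the sender is a placeholder.
set -eu
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 10 16:20:01 mx sendmail[1111]: u5AEK1aa: from=<flooder@example.org>, size=1200, relay=a.example.net [138.185.239.10]
Jun 10 16:20:02 mx sendmail[1112]: u5AEK2bb: from=<flooder@example.org>, size=1300, relay=b.example.net [138.185.239.44]
Jun 10 16:20:03 mx sendmail[1113]: u5AEK3cc: from=<flooder@example.org>, size=1250, relay=a.example.net [138.185.239.10]
Jun 10 16:20:04 mx sendmail[1114]: u5AEK4dd: from=<flooder@example.org>, size=1100, relay=c.example.com [203.0.113.7]
Jun 10 16:20:05 mx sendmail[1115]: u5AEK5ee: from=<legit@example.com>, size=900, relay=d.example.com [198.51.100.9]
EOF

# Dotted-quad matcher (the same expression the post uses, in ERE form).
IP_RE='((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'

# sender_ips LOGFILE SENDER: unique relay addresses that delivered mail for SENDER.
# Only the bracketed relay field is taken, so an IP elsewhere on the line is ignored.
sender_ips() {
    grep -F "from=<$2>" "$1" | grep -oE "\[$IP_RE\]" | tr -d '[]' | sort -u
}

# net24_counts: read IPs on stdin, collapse each to its /24 and print "COUNT NETWORK",
# busiest network first. A high count says one block, not hundreds of hosts, is the source.
net24_counts() {
    sed -E 's/\.[0-9]+$/.0\/24/' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# drop_rules: read IPs (or CIDR blocks) on stdin and print one iptables DROP rule each.
# Printing instead of executing lets you review the list first; pipe the output to sh to apply.
drop_rules() {
    while read -r addr; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$addr"
    done
}

sender_ips "$SAMPLE_LOG" flooder@example.org | net24_counts
sender_ips "$SAMPLE_LOG" flooder@example.org | drop_rules
```

A rule appended with `iptables -A` is live as soon as the command returns; on an init-script setup like the one in the post, `service iptables save` writes the running rules to /etc/sysconfig/iptables so that a later reload or restart keeps them instead of dropping them.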