one-liner to find/stop possible spam activity

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
mswanson
Forum User
Posts: 14
Joined: Thu Dec 01, 2005 11:51 pm
Location: Durham, NH

one-liner to find/stop possible spam activity

Unread post by mswanson »

This has been a problem more than once for me, so I wrote a quick one-liner to help sort out trends from the /var/log/secure file.

This script will print out a list of IP addresses that have connected via smtp at least 100 times. This was very useful for me, as I found two IP addresses that were filling up my queues with nearly 10,000 messages each over the span of 2 days!

grep smtp /var/log/secure | grep -oe '[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+' \
| sort | uniq -c | grep -e '^[[:space:]]*[[:digit:]]\{3,\}[[:space:]]\+[[:digit:]]'

Then all I had to do was add a line to my firewall script to block the IP, and load started settling down right away. A line like this worked fine for me:

/sbin/iptables -A INPUT -s 80.99.151.140 -j DROP

And no, I don't mind posting the IP ;)

Hope that helps somebody out there.
Last edited by mswanson on Fri Jan 13, 2006 10:57 am, edited 1 time in total.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

That rule is dropping traffic on the return side to the spammer. Which works, but you'll get better performance applying that to the INPUT table, like this:

iptables -A INPUT -s 80.99.151.140 -j DROP

Mike and I are working on adding in the TARPIT rule to ASL, which would go one step farther: rather than dropping the traffic, it would slow the session down (and drop it, so it still won't get in). The added bonus there is you effectively tie up the spamming MTA without tying up yours.
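The detection one-liner from the first post and the INPUT-chain DROP rule from the reply, as an added example (not code from either poster): the count threshold becomes a numeric argument instead of the three-digit regex, the IP regex uses `-E` extended syntax for portability, and the firewall rules are only printed for review, never applied. The log lines are constructed in the xinetd style seen in /var/log/secure, not real data.

```shell
#!/bin/sh
# Added example: reusable version of the forum one-liner. Nothing here
# touches iptables; drop_rules only prints the rules for review.

# Constructed sample of /var/log/secure lines (not real log data).
# 192.0.2.10 opens 3 smtp sessions, 198.51.100.7 opens 2, and 203.0.113.5
# appears 3 times but only on sshd lines, so it must not be reported.
SAMPLE_LOG='Jan 13 10:01:02 mail xinetd[2311]: START: smtp pid=2400 from=192.0.2.10
Jan 13 10:01:05 mail xinetd[2311]: START: smtp pid=2401 from=192.0.2.10
Jan 13 10:01:09 mail xinetd[2311]: START: smtp pid=2402 from=198.51.100.7
Jan 13 10:02:00 mail sshd[2500]: Accepted publickey for admin from 203.0.113.5 port 51000 ssh2
Jan 13 10:02:10 mail sshd[2501]: Accepted publickey for admin from 203.0.113.5 port 51002 ssh2
Jan 13 10:02:20 mail sshd[2502]: Accepted publickey for admin from 203.0.113.5 port 51004 ssh2
Jan 13 10:02:30 mail xinetd[2311]: START: smtp pid=2403 from=192.0.2.10
Jan 13 10:03:00 mail xinetd[2311]: START: smtp pid=2404 from=198.51.100.7'

# Print "<count> <ip>" for every source IP on smtp lines seen at least $1
# times, busiest first. Reads log text from stdin.
busy_smtp_clients() {
    grep smtp \
      | grep -oE '[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+' \
      | sort | uniq -c \
      | awk -v min="$1" '$1 >= min { print $1, $2 }' \
      | sort -rn
}

# Emit one INPUT-chain DROP rule per busy client (threshold $1). Review the
# list before running anything it prints; a legitimate relay could show up.
drop_rules() {
    busy_smtp_clients "$1" \
      | awk '{ printf "/sbin/iptables -A INPUT -s %s -j DROP\n", $2 }'
}

# Stand-alone demo on the constructed sample with a threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | busy_smtp_clients 3
printf '%s\n' "$SAMPLE_LOG" | drop_rules 3
```

On a real host the same functions read the live file, e.g. `busy_smtp_clients 100 < /var/log/secure`, with the threshold matching the 100-connection cutoff from the original one-liner.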
mswanson
Forum User
Posts: 14
Joined: Thu Dec 01, 2005 11:51 pm
Location: Durham, NH

Unread post by mswanson »

scott wrote:That rule is dropping traffic on the return side to the spammer. Which works, but you'll get better performance applying that to the INPUT table, like this:

iptables -A INPUT -s 80.99.151.140 -j DROP

Mike and I are working on adding in the TARPIT rule to ASL, which would go one step farther: rather than dropping the traffic, it would slow the session down (and drop it, so it still won't get in). The added bonus there is you effectively tie up the spamming MTA without tying up yours.
Typo!

Thanks for the catch :)

I actually caught it on my end but forgot to update this post. I'll edit my post above for clarity.