Mailing List Archive

How to block brute force mail address scans?
Hello all,

I know this question might not be directly spamassassin related, but I
can't think of any group who might know the answer to my question better
than you:

How can I block brute force mail address scans?

The best thing would be if there were a way to make sendmail, and/or an
active traffic monitor, detect that one or several emails are sent to
multiple addresses from the same IP address, and if X number of mail
addresses do not exist, then send the IP address to be processed by another
application (i.e. iptables DROP IP address).

I am looking for solutions for blocking one mail with multiple incorrect
recipients as well as solutions that can block repetitive bad entries
from a particular IP address.

Any ideas?
Re: How to block brute force mail address scans?
Kenneth Andresen wrote:
> How can I block brute force mail address scans?

Exactly the same thing is happening to a server I admin. I get hundreds of
entries per minute like the following:

Mar 15 12:15:43 mail courieresmtpd: error,relay=::ffff:aaa.bbb.ccc.ddd,from=<1558pomeroy@t-dialin.net>,to=<ryanjackson@insertdomainhere.com>: 550 User unknown.

My friend wrote a great perl script which scans for these entries and creates
an iptables entry like:

/sbin/iptables -I INPUT --protocol tcp -i eth0 -s %ip --dport 25 -j DROP

I reload it every 5 hours and it appends any new IPs to the iptables list.
So far it's dropped my server load from 20+ to 0.4ish. I have 17,000ish
entries now.

I attached the script, modification might be necessary, YMMV

-Scott
Re: How to block brute force mail address scans?
I'll just expose my complete inability to accurately interpret perl
here with this question: Does this script set up a DROP rule the first
time a host gets a 550 user unknown?
If not the first, how many 550s are needed before the drop is in effect?

Thanks,

Steve.

On Mar 15, 2004, at 2:32 PM, Scott wrote:

> Kenneth Andresen wrote:
>> How can I block brute force mail address scans?
>
> Exactly the same thing is happening to a server I admin. I get 100's
> per
> minute entries like the following:
>
> Mar 15 12:15:43 mail courieresmtpd:
> error,relay=::ffff:aaa.bbb.ccc.ddd,from=<1558pomeroy@t-
> dialin.net>,to=<ryanjackson@insertdomainhere.com>:
>
> 550 User unknown.
>
> My friend wrote a great perl script which scans for these entries and
> creates
> an iptables entry like:
>
> /sbin/iptables -I INPUT --protocol tcp -i eth0 -s %ip --dport 25 -j
> DROP
>
> I reload it every 5 hours and it appends any new IPs to the iptables
> list.
> So far it's dropped my server load from 20+ to 0.4ish. I have
> 17,000ish
> entries now.
>
> I attached the script, modification might be necessary, YMMV
>
> -Scott
>
>
> #!/usr/bin/perl -w
> #Last Updated: 2003.00.00 (xris)
> #
> # mailblock.pl
> #
> # Scans a mail log file and runs iptables to block IP's that are submitting
> # messages to unknown users.
> #
> use strict;
>
> # The path to the input log file
> my $input_file = '/var/log/maillog';
>
> # The path to the output log file (a record of every command already run,
> # re-read on the next invocation so rules are not added twice)
> my $output_file = '/tmp/mailblocked.txt';
>
> # The command to run iptables - use %ip to represent the ip address parsed from the log
> my $iptables = '/sbin/iptables -I INPUT --protocol tcp -i eth0 -s %ip --dport 25 -j DROP';
>
> # IP's listed in this hash will be ignored
> my %ignore = (
>     '123.123.123.123' => 1,
> );
>
> # If debug is set to a true value, the iptables command will not be executed
> my $debug = 0;
>
> ############# DO NOT EDIT BELOW THIS LINE #############
>
> # Scan for a line like:
> # Mar  5 23:13:07 mail courieresmtpd: error,relay=::ffff:aaa.bbb.ccc.ddd,from=<gmaehpqyx@pcom.net>,to=<jantonio@yourdomainhere.com>: 550 User unknown.
>
> # Keep track of duplicates so we don't create more rules than we need to
> my %found;
>
> # Used to keep track of whether or not we need to flush the rule set
> my $flush = 0;
>
> # Load any old rules that might exist
> if (-e $output_file) {
>     my $count = 0;
>     # Turn the command template into a regex that captures the IP it was run with
>     (my $scan = $iptables) =~ s/%ip/(\\d+\\.\\d+\\.\\d+\\.\\d+)/;
>     $scan = qr/$scan/;
>     open(IN, $output_file) or die "Can't read $output_file: $!\n\n";
>     while (<IN>) {
>         next unless (/$scan/);
>         $found{$1} = 1;
>         $count++;
>     }
>     close IN;
>     print STDERR "Imported $count old records.\n";
> }
> # Output file doesn't exist? Make sure we write the flush command
> else {
>     $flush = 1;
> }
>
> # Open the output file for writing
> open(OUT, ">>$output_file") or die "Can't write to $output_file: $!\n\n";
>
> # Insert the flush command?
> # NOTE: "-F INPUT" removes *every* rule in the INPUT chain, not only the ones
> # this script added; only run it on a host whose INPUT chain holds nothing else.
> if ($flush) {
>     print OUT "/sbin/iptables -F INPUT\n";
>     system('/sbin/iptables -F INPUT') unless ($debug);
> }
>
> # Open the input file
> my $count = 0;
> open(IN, $input_file) or die "Can't read $input_file: $!\n\n";
> while (<IN>) {
>     # Skip ahead unless there is a match (a single rejection is enough to block)
>     next unless (/relay=::ffff:(\d+\.\d+\.\d+\.\d+),from.+550\sUser\sunknown/);
>     my $ip = $1;
>     # Ignored IP?
>     next if ($ignore{$ip});
>     # Have we seen this IP already?
>     next if ($found{$ip});
>     # Remember this IP
>     $found{$ip} = 1;
>     $count++;
>     # Build the command
>     (my $command = $iptables) =~ s/%ip/$ip/sg;
>     # Print out the command
>     print "$command\n";
>     # Log the command
>     print OUT "$command\n";
>     # Execute the command
>     system($command) unless ($debug);
> }
> print STDERR "Found $count new records.\n";
>
> # Close the files
> close IN;
> close OUT;
Re: How to block brute force mail address scans?
It makes the rule the first time a 550 user unknown is encountered. It's
pretty brute force, but we've had no complaints for 2 weeks now. There are
only about 20 users on this system and their communications are otherwise
augmented by phone so if someone has a problem sending they quickly let me
know. It's a pretty dicey script to run, but in an emergency it's all we got.

-Scott

Steve Yuroff wrote:
> I'll just expose my complete inability to accurately interpret perl
> here with this question: Does this script set up a DROP rule the first
> time a host gets a 550 user unknown?
> If not the first, how many 550s are needed before the drop is in effect?
>
> Thanks,
>
> Steve.
>
> On Mar 15, 2004, at 2:32 PM, Scott wrote:
>
>> Kenneth Andresen wrote:
>>
>>> How can I block brute force mail address scans?
>>
>>
>> Exactly the same thing is happening to a server I admin. I get 100's
>> per
>> minute entries like the following:
>>
>> Mar 15 12:15:43 mail courieresmtpd:
>> error,relay=::ffff:aaa.bbb.ccc.ddd,from=<1558pomeroy@t-
>> dialin.net>,to=<ryanjackson@insertdomainhere.com>:
>>
>> 550 User unknown.
>>
>> My friend wrote a great perl script which scans for these entries and
>> creates
>> an iptables entry like:
>>
>> /sbin/iptables -I INPUT --protocol tcp -i eth0 -s %ip --dport 25 -j DROP
>>
>> I reload it every 5 hours and it appends any new IPs to the iptables
>> list.
>> So far it's dropped my server load from 20+ to 0.4ish. I have 17,000ish
>> entries now.
>>
>> I attached the script, modification might be necessary, YMMV
>>
>> -Scott
>>
>>
>> #!/usr/bin/perl -w
>> #Last Updated: 2003.00.00 (xris)
>> #
>> # mailblock.pl
>> #
>> # Scans a mail log file and runs iptables to block IP's that are submitting
>> # messages to unknown users.
>> #
>> use strict;
>>
>> # The path to the input log file
>> my $input_file = '/var/log/maillog';
>>
>> # The path to the output log file (a record of every command already run,
>> # re-read on the next invocation so rules are not added twice)
>> my $output_file = '/tmp/mailblocked.txt';
>>
>> # The command to run iptables - use %ip to represent the ip address parsed from the log
>> my $iptables = '/sbin/iptables -I INPUT --protocol tcp -i eth0 -s %ip --dport 25 -j DROP';
>>
>> # IP's listed in this hash will be ignored
>> my %ignore = (
>>     '123.123.123.123' => 1,
>> );
>>
>> # If debug is set to a true value, the iptables command will not be executed
>> my $debug = 0;
>>
>> ############# DO NOT EDIT BELOW THIS LINE #############
>>
>> # Scan for a line like:
>> # Mar  5 23:13:07 mail courieresmtpd: error,relay=::ffff:aaa.bbb.ccc.ddd,from=<gmaehpqyx@pcom.net>,to=<jantonio@yourdomainhere.com>: 550 User unknown.
>>
>> # Keep track of duplicates so we don't create more rules than we need to
>> my %found;
>>
>> # Used to keep track of whether or not we need to flush the rule set
>> my $flush = 0;
>>
>> # Load any old rules that might exist
>> if (-e $output_file) {
>>     my $count = 0;
>>     # Turn the command template into a regex that captures the IP it was run with
>>     (my $scan = $iptables) =~ s/%ip/(\\d+\\.\\d+\\.\\d+\\.\\d+)/;
>>     $scan = qr/$scan/;
>>     open(IN, $output_file) or die "Can't read $output_file: $!\n\n";
>>     while (<IN>) {
>>         next unless (/$scan/);
>>         $found{$1} = 1;
>>         $count++;
>>     }
>>     close IN;
>>     print STDERR "Imported $count old records.\n";
>> }
>> # Output file doesn't exist? Make sure we write the flush command
>> else {
>>     $flush = 1;
>> }
>>
>> # Open the output file for writing
>> open(OUT, ">>$output_file") or die "Can't write to $output_file: $!\n\n";
>>
>> # Insert the flush command?
>> # NOTE: "-F INPUT" removes *every* rule in the INPUT chain, not only the ones
>> # this script added; only run it on a host whose INPUT chain holds nothing else.
>> if ($flush) {
>>     print OUT "/sbin/iptables -F INPUT\n";
>>     system('/sbin/iptables -F INPUT') unless ($debug);
>> }
>>
>> # Open the input file
>> my $count = 0;
>> open(IN, $input_file) or die "Can't read $input_file: $!\n\n";
>> while (<IN>) {
>>     # Skip ahead unless there is a match (a single rejection is enough to block)
>>     next unless (/relay=::ffff:(\d+\.\d+\.\d+\.\d+),from.+550\sUser\sunknown/);
>>     my $ip = $1;
>>     # Ignored IP?
>>     next if ($ignore{$ip});
>>     # Have we seen this IP already?
>>     next if ($found{$ip});
>>     # Remember this IP
>>     $found{$ip} = 1;
>>     $count++;
>>     # Build the command
>>     (my $command = $iptables) =~ s/%ip/$ip/sg;
>>     # Print out the command
>>     print "$command\n";
>>     # Log the command
>>     print OUT "$command\n";
>>     # Execute the command
>>     system($command) unless ($debug);
>> }
>> print STDERR "Found $count new records.\n";
>>
>> # Close the files
>> close IN;
>> close OUT;
>
>
Re: How to block brute force mail address scans?
An effective way is to send all bad addresses to the bit bucket
without a reject message.

You won't be cleaning up their database either.

Was going to continue on a religious rant but I won't

Greg


----- Original Message -----
From: "Kenneth Andresen" <kenneth@cancun.net>
To: <spamassassin-users@incubator.apache.org>
Sent: Monday, March 15, 2004 3:08 PM
Subject: How to block brute force mail address scans?


|
| Hello all,
|
| I know this question might not be directly spamassassin related, but I
| can't think of any group who might know the answer to my question better
| than you:
|
| How can I block brute force mail address scans?
|
| The best thing would be if there were a way to make sendmail, and/or an
| active traffic monitor, detect that one or several emails are sent to
| multiple addresses from the same IP address, and if X number of mail
| addresses do not exist, then send the IP address to be processed by another
| application (i.e. iptables DROP IP address).
|
| I am looking for solutions for blocking one mail with multiple incorrect
| recipients as well as solutions that can block repetitive bad entries
| from a particular IP address.
|
| Any ideas?
|
|
Re: How to block brute force mail address scans?
Even better would be redirecting those connection requests to that
old 486sx box with 8M RAM running Linux sitting in the corner with
the connection speed throttled to 300 baud... Results go to /dev/null
of course.

Steve


Greg Cirino - Cirelle Enterprises wrote:
> An effective way is to send all bad addresses to the bit bucket
> without a reject message.
>
> You won't be cleaning up their database either.
>
> Was going to continue on a religious rant but I won't
>
> Greg
Re: How to block brute force mail address scans?
On Mon, 15 Mar 2004, Greg Cirino - Cirelle Enterprises wrote:

> An effective way is to send all bad addresses to the bit bucket
> without a reject message.
>
> You won't be cleaning up their database either.

If you can spare the bandwidth/CPU, accept it for what it is,
free Bayes food. ;)
I use a number of fake addresses here as spam-traps, they tend
to be well fed.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
RE: How to block brute force mail address scans?
> -----Original Message-----
> From: Kenneth Andresen [mailto:kenneth@cancun.net]
> Sent: Tuesday, 16 March 2004 7:08 AM
> To: spamassassin-users@incubator.apache.org
> Subject: How to block brute force mail address scans?
>
> Hello all,
>
> I know this question might not be directly spamassassin related, but I
> can't think of any group who might know the answer to my question better
> than you:
>
> How can I block brute force mail address scans?
>

Hi Kenneth,

Have a look @ this: http://www.linuxmailmanager.com/tantalus.html

Quote from site:
"In a nutshell, this program will only allow X many wrong email addresses to
come from a SMTP server during X amount of time. If they hit the limit, they
get blocked for X amount of time. (All the X's are configurable by you)"

Regards,

David Hooton


========================================================================
Pain free spam & virus protection by: www.mailsecurity.net.au
Forward undetected SPAM to: spam@mailsecurity.net.au
========================================================================
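Added example (not code from this thread, from the mailblock.pl script quoted above, or from the Tantalus project): a blocker that does what Kenneth asked for and what the Tantalus description spells out, X unknown-recipient rejections from one IP inside X minutes, blocked for X, rather than the first-550 rule that mailblock.pl applies. It is written in Python rather than Perl so it can be run and checked stand-alone. It parses the courieresmtpd "550 User unknown" line quoted in Scott's message (other MTAs need their own regex), keeps a sliding window of rejection timestamps per source IP, emits an iptables DROP for port 25 once the threshold is crossed, and emits the matching delete when the block ages out. Commands are returned and printed, never executed, so a cron job or wrapper decides what actually runs. The limits (5 rejections in 10 minutes, a 1-hour block), the year 2004 supplied for year-less syslog timestamps, the allow-listed relay 10.0.0.5, the dropped "-i eth0", and every line in SAMPLE_LOG are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The courieresmtpd rejection line quoted in the thread, on a single line.
COURIER_UNKNOWN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ courieresmtpd: "
    r"error,relay=::ffff:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),"
    r"from=<[^>]*>,to=<[^>]*>: 550 User unknown\.$"
)

# Rule body from the thread's script minus "-i eth0" (assumption). {ip} is only
# ever filled from the regex above (digits and dots), so no shell metacharacters.
RULE = "INPUT -p tcp -s {ip} --dport 25 -j DROP"


class ScanBlocker:
    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 block_for=timedelta(hours=1), ignore=(), year=2004):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.ignore = set(ignore)       # own relays / backup MXs, never blocked
        self.year = year                # syslog timestamps carry no year
        self.hits = defaultdict(deque)  # ip -> timestamps of recent rejections
        self.blocked = {}               # ip -> when its block expires
        self.commands = []              # every iptables command emitted, in order

    def parse(self, line):
        """(timestamp, ip) for a rejection line, None for anything else."""
        m = COURIER_UNKNOWN_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["ip"]

    def expire(self, now):
        """Lift blocks that have aged out; return the delete commands."""
        lifted = []
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                lifted.append("/sbin/iptables -D " + RULE.format(ip=ip))
        self.commands.extend(lifted)
        return lifted

    def feed(self, line):
        """Count one log line; return the DROP command if it crosses the threshold."""
        parsed = self.parse(line)
        if parsed is None:
            return None
        ts, ip = parsed
        self.expire(ts)                 # log time drives expiry; a daemon would use a timer
        if ip in self.ignore or ip in self.blocked:
            return None
        recent = self.hits[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:
            recent.popleft()            # forget hits that fell out of the window
        if len(recent) < self.threshold:
            return None
        self.blocked[ip] = ts + self.block_for
        recent.clear()
        cmd = "/sbin/iptables -I " + RULE.format(ip=ip)
        self.commands.append(cmd)
        return cmd

    def feed_all(self, lines):
        """Replay lines in log order; return the commands emitted by this call."""
        start = len(self.commands)
        for line in lines:
            self.feed(line)
        return self.commands[start:]


def _reject(ts, ip, rcpt):
    # Constructed log line in the courieresmtpd format quoted in the thread.
    return (f"{ts} mail courieresmtpd: error,relay=::ffff:{ip},"
            f"from=<scan@example.net>,to=<{rcpt}@example.com>: 550 User unknown.")


# Constructed sample log; addresses are documentation/private ranges, not real hosts.
SAMPLE_LOG = (
    # six rejections in six seconds: blocked at the fifth, the sixth is not counted
    [_reject(f"Mar 15 12:15:4{i}", "192.0.2.10", f"u{i}") for i in range(6)]
    # two rejections: a sender with typos, not a scan, stays unblocked
    + [_reject("Mar 15 12:16:00", "192.0.2.20", "alice"),
       _reject("Mar 15 12:16:01", "192.0.2.20", "bob")]
    # five rapid rejections from an allow-listed internal relay: ignored
    + [_reject(f"Mar 15 12:16:0{i}", "10.0.0.5", f"x{i}") for i in range(2, 7)]
    # a non-rejection line (constructed) the parser must skip
    + ["Mar 15 12:16:07 mail courieresmtpd: started,ip=[::ffff:192.0.2.30]"]
    # five rejections 15 minutes apart: never five inside the 10-minute window;
    # the last one lands after 192.0.2.10's one-hour block has aged out
    + [_reject(f"Mar 15 {h:02d}:{m:02d}:00", "192.0.2.30", "carol")
       for h, m in [(12, 30), (12, 45), (13, 0), (13, 15), (13, 30)]]
)


def run_sample():
    """Replay SAMPLE_LOG with the assumed limits: 5 hits in 10 min, 1 h block."""
    blocker = ScanBlocker(threshold=5, window=timedelta(minutes=10),
                          block_for=timedelta(hours=1), ignore={"10.0.0.5"})
    blocker.feed_all(SAMPLE_LOG)
    return blocker


if __name__ == "__main__":
    print("\n".join(run_sample().commands))
```

Replaying the sample yields exactly two commands: the DROP for 192.0.2.10 at its fifth rejection and the matching delete once the hour is up; the two-typo sender, the allow-listed relay and the slow sender never appear. Pipe the printed commands to sh from cron once they look right. The ignore set is not optional in practice: a DROP on port 25 by source address cuts off every sender behind a shared relay or backup MX, and with threshold=1 (the behaviour of mailblock.pl) a single mistyped recipient is enough to do that.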