[CentOS] spam control (by the way)

Mon Oct 30 03:42:06 UTC 2006
Mark Weaver <mdw1982 at mdw1982.com>

Mark Weaver wrote:
> Bill Church wrote:
>> If you have the luxury of blocking IPs based on countries or regions,
>> that helps as well but not everyone can do this.
>>
>> -Bill
> 
> That in a nutshell is but one layer of a multi-layer approach that I've 
> been using for the past two years. At present I may get a grand total of 
> 2 SPAMs per week; sometimes less than that, but that's the average.
> 
> layer #1: RBLs configured in the MTA - Sendmail
> layer #2: SpamAssassin (score set to 3 and known or trusted addresses
>           white-listed)
> layer #3: iptables rules and a technique known as geo-blocking.
> 
> The third layer, iptables and geo-blocking REALLY make a huge 
> difference. It's taken about a year and some digging, but I've got a 
> very good foundation ruleset that works extremely well. And personally I 
> don't consider blocking on countries or regions a luxury, but rather 
> a necessity. Anyone can do it and should if they're running a mail 
> server that is accepting direct SMTP connections.
> 
> Since my mail server is already behind a router the rule set is very 
> simple, but extremely effective and very portable.
> 

Thought I'd send this along as well. It's a small perl script that will 
make batch processing spammers' IP addresses a little easier and faster. 
It isn't pretty or much past beta, but it gets the job done.

The script does a whois lookup on the IP address, grabs the IP range and 
writes a rule which gets put into the "chains" file. Once it's processed 
all the addresses it writes out the file afresh. At that point just run 
the chains file from wherever you've placed it. (At the moment it has 
trouble processing whois information when arin redirects to some 
sub-whois server. And you have to watch when it does a whois lookup on 
a LACNIC address because they display their IP range information much 
differently than APNIC or RIPE, so some hand editing after the batch 
processing may need to be done. YMMV.) Like I said... it's still beta.

To use the script simply place the spam IP addresses harvested from the 
spam email headers into a simple text file, one address per line. (Edit 
the script and replace the current file name storing the IP addresses 
with whatever you've called your IP address file.) Then run the script 
like so:
	
	perl proc_ip_list.pl  [ENTER]

You'll see a listing of rules being printed out on the console screen, 
or a message letting you know that the address or address range already 
exists in the "chains" file. Once the program completes, upload or copy 
the fresh copy of chains to its place and run "chains" from the command 
line. ( I keep mine in the /bin directory )

	EX: /bin/chains  [ENTER]

It will flush Iptables and set the new rules in place.

-- 
Mark

"If you have found a very wise man, then you've found
a man that at one time was an idiot and lived long enough
to learn from his own stupidity."
==============================================
Powered by CentOS4 (RHEL4)
Attachment: proc_ip_list.pl (application/x-perl, 2663 bytes): <http://lists.centos.org/pipermail/centos/attachments/20061029/97ea4817/attachment-0005.pl>
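The workflow Mark describes (whois lookup, pull out the allocation, emit a DROP rule, skip anything already in the chains file) sketched in Python as an added example; this is not his proc_ip_list.pl, which is Perl and not reproduced on the page. The whois excerpts below are constructed, and the shortened LACNIC prefix form (`203.0.113/24`) is an assumption about how that registry prints ranges.

```python
import ipaddress
import re

# Constructed whois excerpts (no network lookups): ARIN, RIPE/APNIC and LACNIC
# each present the allocation differently, which is what the batch script trips on.
SAMPLE_WHOIS = {
    "192.0.2.77":    "NetRange:       192.0.2.0 - 192.0.2.255\nCIDR:           192.0.2.0/24\n",
    "198.51.100.9":  "inetnum:        198.51.100.0 - 198.51.100.127\nnetname:        EXAMPLE-NET\n",
    "203.0.113.250": "inetnum:        203.0.113/24\nstatus:         allocated\n",  # assumed LACNIC style
}

RANGE_RE = re.compile(r"^(?:NetRange|inetnum):\s*(\S+)\s*-\s*(\S+)", re.M)
CIDR_RE = re.compile(r"^(?:inetnum|CIDR):\s*([\d.]+/\d+)", re.M)

def expand_prefix(cidr):
    """Pad a shortened prefix such as 203.0.113/24 out to four octets."""
    addr, plen = cidr.split("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)

def networks_from_whois(text):
    """Return the CIDR blocks covering the allocation described by one whois reply."""
    m = RANGE_RE.search(text)
    if m:
        first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        return list(ipaddress.summarize_address_range(first, last))
    m = CIDR_RE.search(text)
    if m:
        return [expand_prefix(m.group(1))]
    # Typical of a redirected ARIN lookup where the real range never arrived.
    raise ValueError("no range found in whois output")

def build_rules(whois_by_ip, existing):
    """Append a DROP rule per new block; report blocks already in the chains file."""
    rules = list(existing)
    for ip, text in whois_by_ip.items():
        for net in networks_from_whois(text):
            rule = f"iptables -A INPUT -s {net} -j DROP"
            if rule in rules:
                print(f"{ip}: {net} already exists in chains file")
                continue
            print(rule)
            rules.append(rule)
    return rules

def write_chains(path, rules):
    """Write a runnable chains script: flush the table, then re-add every rule."""
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\niptables -F\n" + "\n".join(rules) + "\n")
```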