Old 04-23-2011, 04:29 AM   #1
moyorakkhi
Member
 
Registered: Jan 2011
Location: Dhaka
Posts: 80

Rep: Reputation: 1
Script to block sender domain


Hello,

In our mail server we are taking lots of hits. In the maillog there's a hell of a lot of rejected mail like this:

Code:
Apr 23 04:35:13 mail1 postfix/smtpd[31700]: NOQUEUE: reject: RCPT from unknown[119.153.14.231]: 554 <bob@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<hareme.com@shareme.com> to=<bob@domainname.net> proto=ESMTP helo=<localhost>
I have a script which searches for the IP and blocks those. I'm having a problem if I block the RCPT IPs. Instead I want to block the sender domain, like in this example, shareme.com. What shall I modify in my script to do this? Thanks

Code:
#!/bin/bash
IPT=/sbin/iptables
LIMIT=10
# stop if the working directory is missing, so temp files never land elsewhere
cd /admin || exit 1
# first get one minute of log
# syslog pads single-digit days with a space ("Apr  3"), so %e is needed, not %d
grep "$(date +"%b %e %H:%M:" --date="1 minutes ago")" /var/log/maillog > minutelog
# now extract the rejected attempts, sort and count uniq ip
grep "reject:" minutelog | cut -d" " -f10 | cut -d"[" -f2 | cut -d"]" -f1 | sort | uniq -c | sort -n | sed 's/^[ \t]*//' > tmp1
# for each line in result ("count ip")
while read -r line
do
    MYCOUNT=$(echo "$line" | cut -d" " -f1)
    MYIP=$(echo "$line" | cut -d" " -f2)
    if [ "$MYCOUNT" -lt "$LIMIT" ]
    then
        echo "$MYIP is ok: $MYCOUNT attempts"
    else
        echo "blocking the spammer at $MYIP with $MYCOUNT attempts"
        $IPT -I INPUT -i eth0 --proto tcp -s "$MYIP" --destination-port 25 -j DROP
        echo "$MYIP" >> blocked.smtp
    fi
done < tmp1
rm -f minutelog
rm -f tmp1
 
Old 04-23-2011, 04:43 AM   #2
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1290
Hello,

I'm not quite sure if using a domain name will help you completely solve the problem since iptables will resolve the domain name and block the IP. Maybe it's better to include nslookup or dig to get the IP for that domain and block it with
Code:
IPA=$(nslookup shareme.com |grep -A1 "shareme.com" | grep Address | awk -F' ' '{ print $2 }')
iptables -A INPUT -p tcp --dport 25 -s $IPA/16 -j REJECT
Hope it helps.

Kind regards,

Eric
 
Old 04-23-2011, 05:07 AM   #3
moyorakkhi
Member
 
Registered: Jan 2011
Location: Dhaka
Posts: 80

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by EricTRA View Post
Hello,

I'm not quite sure if using a domain name will help you completely solve the problem since iptables will resolve the domain name and block the IP. Maybe it's better to include nslookup or dig to get the IP for that domain and block it with
Code:
IPA=$(nslookup shareme.com |grep -A1 "shareme.com" | grep Address | awk -F' ' '{ print $2 }')
iptables -A INPUT -p tcp --dport 25 -s $IPA/16 -j REJECT
Hope it helps.

Kind regards,

Eric
Hi Eric,

Thanks for your feedback. I need help on extracting the domain name from the maillog. With the current script I can extract the RCPT IP, not the domain name. Thanks again.
 
Old 04-23-2011, 05:28 AM   #4
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1290
Hello,

Quick and dirty. You're already extracting the necessary lines from your log, right? Pipe the line into this, saving it in a variable and then block using iptables:
Code:
echo "$line" | awk -F'=' '{ print $2 }' | sed -n -e 's/^\([^>]*\)>.*/\1/p' |awk -F'@' '{ print $2 }'
I tested it by putting your example in a file and running:
Code:
cat testtext | awk -F'=' '{ print $2 }' | sed -n -e 's/^\([^>]*\)>.*/\1/p' |awk -F'@' '{ print $2 }'
and the result was:
Code:
shareme.com
If you put it in a variable you can get the IP as mentioned above with nslookup and block it using iptables. Hope it helps.

Kind regards,

Eric
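The following is an added example, not code from the thread: it pulls both the envelope sender domain (post #4) and the connecting client IP (the original script in post #1) out of Postfix "reject:" lines and counts rejects per key, so the threshold logic can be applied to either. The log lines are constructed samples in the format shown above; note that the from=<...> domain is chosen by the sender, so the IP count is the one that actually maps to an iptables rule.

```shell
#!/bin/bash
# Added example (not from the thread): extract sender domain and client IP
# from Postfix "reject:" lines and count rejects per key in a log window.
# Assumes the syslog line format quoted in post #1.

# Constructed sample log lines (not real traffic).
SAMPLE_LOG='Apr 23 04:35:13 mail1 postfix/smtpd[31700]: NOQUEUE: reject: RCPT from unknown[119.153.14.231]: 554 <bob@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<hareme.com@shareme.com> to=<bob@domainname.net> proto=ESMTP helo=<localhost>
Apr 23 04:35:14 mail1 postfix/smtpd[31700]: NOQUEUE: reject: RCPT from unknown[119.153.14.231]: 554 <alice@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<xyz@shareme.com> to=<alice@domainname.net> proto=ESMTP helo=<localhost>
Apr 23 04:35:15 mail1 postfix/smtpd[31701]: NOQUEUE: reject: RCPT from mx.example.org[198.51.100.7]: 554 <nobody@domainname.net>: Recipient address rejected: User unknown in local recipient table; from=<ops@example.org> to=<nobody@domainname.net> proto=ESMTP helo=<mx.example.org>
Apr 23 04:35:16 mail1 postfix/smtpd[31700]: 1234ABCD: client=unknown[119.153.14.231]'

# sender_domain LINE: print the domain part of from=<user@domain>, nothing if absent.
sender_domain() {
    printf '%s\n' "$1" | sed -n 's/.* from=<[^@>]*@\([^>]*\)>.*/\1/p'
}

# client_ip LINE: print the IP inside "reject: RCPT from name[IP]:".
client_ip() {
    printf '%s\n' "$1" | sed -n 's/.*reject: RCPT from [^[]*\[\([^]]*\)\].*/\1/p'
}

# count_rejects KEY: read log lines on stdin, keep only RCPT rejects, and print
# "count key" lines (KEY is "domain" or "ip"), highest count first.
count_rejects() {
    local key="$1" line
    while IFS= read -r line; do
        case "$line" in *"reject: RCPT from"*) ;; *) continue ;; esac
        if [ "$key" = domain ]; then sender_domain "$line"; else client_ip "$line"; fi
    done | sort | uniq -c | sort -rn | sed 's/^[ \t]*//'
}

# offenders KEY LIMIT: keys with at least LIMIT rejects in the window, one per line.
offenders() {
    count_rejects "$1" | awk -v lim="$2" '$1 >= lim { print $2 }'
}
```

Feed it the minutelog from the original script, e.g. `offenders ip 10 < minutelog`, to get the same list the script blocks; `offenders domain 10` shows which sender domains the same burst claimed.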
 
Old 04-23-2011, 09:46 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
How about something like fail2ban, which will watch the logs and, if a particular sender triggers too many errors, block them, at least temporarily. Of course you define what "too many errors" and "temporarily" are. This is usually enough to get these kinds of script-bots to go away. You can then create a blacklist in iptables and permanently ban ones that are repeat offenders. Another suggestion might be to use rate limiting in iptables based upon new connections to port 25. I also believe that Postfix has rate limiting features that can be enabled, but it looks like you want something that works at a lower level.
 
  

