LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-11-2006, 01:09 PM   #1
longnshortofit
LQ Newbie
 
Registered: Mar 2005
Distribution: RH 7.2 and 8
Posts: 9

Rep: Reputation: 0
Spam limiter for specific conditions.


Greetings,

I am running RH7.2, Sendmail 8.11.6, and ipchains.

Some time ago, I was subject to a dictionary attack by someone(s) looking to verify working email addresses from my domain.
I used virtusertable to send everything that wasn't a real address to /dev/null.

If the list verifier was sharp, they would have realized that 100% of the addresses were verifying, and therefore, they would not be able to get a real list. They should have quit.

They didn't. The list seems to be widely circulated.

I recently stopped using the virtusertable as described, hoping the bounces would get at least some of the spammers to give up.

That doesn't seem to be working either. Most of the log entries seem to indicate that their MTA simply drops the connection, instead of letting sendmail send them a bounce.

Most of this spam comes through unwitting proxies. These unwitting proxies usually die shortly after they begin to be exploited.

My shell script coding abilities are not quite up to this task, but I have an outline of a plan.

Read the maillog frequently (every n hours or n minutes; possibly run it as a cron job)
Note the sendmail pid or the mail ID associated with "User unknown"
Note the IP associated with the correlated "from" log message
Write an ipchains command to a spamip file, along with a date stamp
Set ipchains to read the spamip file when it starts
Restart ipchains
Expire the entries in the spamip file after n days

Please comment on the idea, and any offers to write the code would be appreciated.

Thanks,
longnshortofit

Here are some sample log entries:

Mar 11 10:37:11 host sendmail[32434]: k2BIb8g32434: <griffin@justgotmail.net>... User unknown
Mar 11 10:37:11 host sendmail[32435]: k2BIbAg32435: <swanson@justgotmail.net>... User unknown
Mar 11 10:37:11 host sendmail[32434]: k2BIb8g32434: from=<bwdxv@obsidiana.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[222.114.114.152]

Mar 11 10:39:26 host sendmail[32467]: k2BIdPg32467: <west@justgotmail.net>... User unknown
Mar 11 10:39:26 host sendmail[32467]: k2BIdPg32467: <wheeler@justgotmail.net>... User unknown
Mar 11 10:39:27 host sendmail[32467]: k2BIdPg32467: <williamson@justgotmail.net>... User unknown
Mar 11 10:39:27 host sendmail[32467]: k2BIdPg32467: <willis@justgotmail.net>... User unknown
Mar 11 10:39:28 host sendmail[32467]: k2BIdPg32467: <wolfe@justgotmail.net>... User unknown
Mar 11 10:39:28 host sendmail[32467]: k2BIdPg32467: <wood@justgotmail.net>... User unknown
Mar 11 10:39:29 host sendmail[32467]: k2BIdPg32467: <woods@justgotmail.net>... User unknown
Mar 11 10:39:29 host sendmail[32467]: k2BIdPg32467: <yates@justgotmail.net>... User unknown
Mar 11 10:39:30 host sendmail[32467]: k2BIdPg32467: from=<ymdbgfxhj@msn.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[82.76.150.165]
 
Old 03-11-2006, 09:29 PM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
You can prevent vrfy/expn using

O PrivacyOptions goaway

in sendmail.cf
 
Old 03-12-2006, 10:49 AM   #3
longnshortofit
LQ Newbie
 
Registered: Mar 2005
Distribution: RH 7.2 and 8
Posts: 9

Original Poster
Rep: Reputation: 0
That option was set and is easily circumvented.

Any comment on the basic plan for this specific problem? Is there a better way to set ipchains?

Thanks,

longnshortofit
 
Old 03-12-2006, 01:03 PM   #4
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
I did the method exactly as you described, though it was for exim instead of sendmail and iptables instead of ipchains. It functioned very well; however, it did little to stop spam attempts for a number of reasons.

First, I couldn't make the log-scan cron fast enough to prevent the attack. By the time my cron ran the attack was over. I would have had to scan the log file every 10 seconds to be effective.

Second it started to block legit mail servers... which turned out to be a very big problem after a while.

Having been there, I'd just say it's not a good idea anymore. Though at the time I thought it would be effective.
 
Old 03-12-2006, 04:05 PM   #5
longnshortofit
LQ Newbie
 
Registered: Mar 2005
Distribution: RH 7.2 and 8
Posts: 9

Original Poster
Rep: Reputation: 0
Hi Randy,

Thanks for your response.

Part of my plan is to expire the DENY in as little as a week. My thinking is that when a server gets exploited, they will discover it very quickly and make appropriate changes.

So there is no benefit from banning the IP permanently, and if it is still in use, it will be sidelined again.

Did you expire the bans?

I have less than 20 real email addresses on that domain in my network, and I have been copying proxies into ipchains every so often with good results. Very tedious.

Thanks,

longnshortofit
 
Old 03-12-2006, 06:21 PM   #6
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
I did not expire the bans, I would every 3 months or so flush the list manually.
I ran it for a year and a half before shutting it off.

I know you're using sendmail, but the exim server has a way to execute custom delivery transports for receiving and bouncing email. I was only reading about how to do it but haven't had the time to code up a C program yet. In theory the exim plugin C program can add an iptables rule immediately upon receiving a dictionary attack.

Lately, I've just adopted the "I don't care anymore" attitude. Let them bang on the email server. That's probably why I haven't tried evolving the technique any more.
 
Old 03-12-2006, 06:48 PM   #7
longnshortofit
LQ Newbie
 
Registered: Mar 2005
Distribution: RH 7.2 and 8
Posts: 9

Original Poster
Rep: Reputation: 0
I know what you mean. I've been on the "I don't care" program for a while. It just irritates me to watch all the junk traffic roll by when I watch the maillog.

Then my whole network is kind of patchwork... a DIY Linux setup. It has served me well, but now the hardware is 5 years old, and I'll be replacing it soon.

Right now I'm running logrotate daily, since I created a problem way back when by creating a partition at original install time that is too small for larger log files. /var is on a small partition.

I'm thinking of writing a bash file that reads the maillog and truncates a file called spamip with ipchains lines that DENY each of those IPs. Run this file by a cron job every 4 or 6 hours being sure that it is run just before the logrotate time.

Then use a cron job to restart ipchains.

I'm a little sketchy on how to flush the file. Perhaps run a weekly cron job that empties the file. That's a little sloppy because some of the IPs will have been there as long as a week, and others only a few hours. Repeat offenders will wind up in there again within a few hours.

I was planning on writing these with bash script.
 
Old 03-12-2006, 06:51 PM   #8
longnshortofit
LQ Newbie
 
Registered: Mar 2005
Distribution: RH 7.2 and 8
Posts: 9

Original Poster
Rep: Reputation: 0
That's pretty sloppy. I would have to append the file with each run. That will make duplicate ipchains entries. If I emptied the file before adding new entries, then it would in actuality be starting over every day because there would be a new maillog each day....
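One way to implement the plan from post #1, with the duplicate-entry and expiry problems raised in posts #7 and #8 handled and a per-relay threshold added because of the legit-server collateral randyding describes in post #4. This is example code added here, not the poster's script; the sample log lines are constructed in the shape of the thread's maillog excerpt, and the threshold, file layout and field positions are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's code): correlate sendmail "User unknown" lines
# with the from= line of the same queue ID, count unknown recipients per relay IP
# and emit date-stamped ipchains DENY rules. The MIN threshold is an assumption
# added so one mistyped address from a legitimate MTA does not get it banned.
# Constructed sample, same shape as the thread's maillog; last line is legit mail.
SAMPLE_LOG=$(cat <<'EOF'
Mar 11 10:37:11 host sendmail[32434]: k2BIb8g32434: <griffin@justgotmail.net>... User unknown
Mar 11 10:37:11 host sendmail[32435]: k2BIbAg32435: <swanson@justgotmail.net>... User unknown
Mar 11 10:37:11 host sendmail[32434]: k2BIb8g32434: from=<bwdxv@obsidiana.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[222.114.114.152]
Mar 11 10:39:26 host sendmail[32467]: k2BIdPg32467: <west@justgotmail.net>... User unknown
Mar 11 10:39:26 host sendmail[32467]: k2BIdPg32467: <wheeler@justgotmail.net>... User unknown
Mar 11 10:39:30 host sendmail[32467]: k2BIdPg32467: from=<ymdbgfxhj@msn.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[82.76.150.165]
Mar 11 10:40:00 host sendmail[32470]: k2BIeAg32470: from=<bob@example.org>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.5]
EOF
)

# spam_relays MIN < maillog -> "IP COUNT" for relays with >= MIN unknown recipients.
# The queue ID (field 6) ties "User unknown" lines to the session's from= line; a
# session whose from= line is missing (queue 32435 above) cannot be attributed.
spam_relays() {
    awk -v min="$1" '
        { qid = $6; sub(/:$/, "", qid) }
        /User unknown$/ { unknown[qid]++ }
        /from=.*relay=.*\[[0-9.]+\]/ {
            n = split($0, a, "["); ip = a[n]; sub(/\].*/, "", ip)
            relay[qid] = ip
        }
        END {
            for (q in relay) if (q in unknown) hits[relay[q]] += unknown[q]
            for (ip in hits) if (hits[ip] >= min) print ip, hits[ip]
        }' | sort
}
# deny_rules DATE MIN < maillog -> one ipchains DENY per offending relay, stamped with DATE.
deny_rules() {
    spam_relays "$2" | while read -r ip n; do
        echo "ipchains -A input -s $ip -j DENY # $1 unknown=$n"
    done
}
# merge_rules SPAMIP < new_rules -> file plus new rules whose IP (field 5) is not
# already listed; repeat offenders keep their earlier stamp (no duplicate rules).
merge_rules() {
    cat "$1" - | awk '!seen[$5]++'
}
# expire_rules CUTOFF < spamip -> keep rules stamped (field 9) on or after CUTOFF,
# e.g. CUTOFF=$(date -d '7 days ago' +%F) with GNU date. Apply the file with sh.
expire_rules() {
    awk -v cutoff="$1" '$9 >= cutoff'
}
```

From cron, run the scan just before logrotate as `deny_rules "$(date +%F)" 2 < /var/log/maillog | merge_rules /etc/spamip | expire_rules "$(date -d '7 days ago' +%F)" > /etc/spamip.new` and move the result into place, then have the ipchains init script run `sh /etc/spamip`.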
 
Old 03-12-2006, 06:53 PM   #9
longnshortofit
LQ Newbie
 
Registered: Mar 2005
Distribution: RH 7.2 and 8
Posts: 9

Original Poster
Rep: Reputation: 0
BTW, the purpose is not to stop dictionary attacks, but to stop the mail to the nonexistent addresses previously added to their lists.
 