• Hurting email spammers with iptables

    From S.K.R. de Jong@110:110/2002 to All on Fri May 16 19:47:37 2014
    I run a small email server in which (of course) I get a certain
    amount of spam. I know exactly what IP addresses the spam is coming from,
    so keeping it at bay is easy. However, I'd like to do more than that.

    Would it be possible, with iptables, to arrange things on my side
    so that resources are potentially indefinitely consumed at the system
    with the IP address from which the spam is being sent?

    For instance, since the connection to port 25 is a TCP
    connection, would it be possible to force them to keep that connection
    open for several minutes, before telling them that their spam has been rejected?


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: albasani.net (110:110/2002@linuxnet)
  • From Bit Twister@110:110/2002 to All on Sat May 17 00:31:04 2014
    On Fri, 16 May 2014 19:47:37 +0000 (UTC), S.K.R. de Jong wrote:

    > Would it be possible, with iptables, to arrange things on my side
    > so that resources are potentially indefinitely consumed at the system
    > with the IP address from which the spam is being sent?

    Hehehe, apparently you think the spammers are stupid.

    You would be stupid to install your DOS (Denial Of Service) "Feature"

    Take this example:
    Some criminal cracks into a dam, lock control, air traffic control
    system, .... and rents that system to a spammer.

    You get spam from the compromised system, you cause a DOS, and take a
    guess who will be having a free bed and breakfast at a barbed wire hotel.

    After you spend several hundred dollars an hour to get a lawyer good
    enough to get you out of jail, there would be no telling how big a
    fine you would have to pay, not to mention even getting all your
    equipment back from them.

    Go for it, maybe you can get Usenet access after you get out of prison
    to tell us how it went.

    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From S.K.R. de Jong@110:110/2002 to All on Sat May 17 16:03:16 2014
    On Sat, 17 May 2014 00:31:04 +0000, Bit Twister wrote:

    > On Fri, 16 May 2014 19:47:37 +0000 (UTC), S.K.R. de Jong wrote:
    >
    >> Would it be possible, with iptables, to arrange things on my side
    >> so that resources are potentially indefinitely consumed at the system
    >> with the IP address from which the spam is being sent?
    >
    > Hehehe, apparently you think the spammers are stupid.
    >
    > You would be stupid to install your DOS (Denial Of Service) "Feature"
    >
    > Take this example:
    > Some criminal cracks into a dam, lock control, air traffic control
    > system, .... and rents that system to a spammer.
    >
    > You get spam from the compromised system, you cause a DOS, and take a
    > guess who will be having a free bed and breakfast at a barbed wire
    > hotel.
    >
    > After you spend several hundred dollars an hour to get a lawyer good
    > enough to get you out of jail, there would be no telling how big a fine
    > you would have to pay, not to mention even getting all your equipment
    > back from them.
    >
    > Go for it, maybe you can get Usenet access after you get out of prison
    > to tell us how it went.

    So, if you use the scheme described in

    http://www.benzedrine.cx/relaydb.html

    you might end up in the big house? What I am talking about is similar to
    that, but with iptables instead.


    * Origin: albasani.net (110:110/2002@linuxnet)
  • From Bit Twister@110:110/2002 to All on Sat May 17 16:18:26 2014
    On Sat, 17 May 2014 16:03:16 +0000 (UTC), S.K.R. de Jong wrote:

    > So, if you use the scheme described in
    > http://www.benzedrine.cx/relaydb.html
    > you might end up in the big house?

    That link points to a passive response. Your post seemed to indicate
    an aggressive response. Your system not responding is not going to get
    you into any law enforcement trouble.

    > What I am talking about is similar to that, but with iptables instead.

    Offhand, I would think just trying to set rules for each undesired ip
    address will get pretty large and degrade performance.


    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From S.K.R. de Jong@110:110/2002 to All on Sun May 18 02:53:44 2014
    On Sat, 17 May 2014 16:18:26 +0000, Bit Twister wrote:

    > On Sat, 17 May 2014 16:03:16 +0000 (UTC), S.K.R. de Jong wrote:
    >
    >> So, if you use the scheme described in
    >> http://www.benzedrine.cx/relaydb.html
    >> you might end up in the big house?
    >
    > That link points to a passive response. Your post seemed to indicate
    > an aggressive response. Your system not responding is not going to get
    > you into any law enforcement trouble.
    >
    >> What I am talking about is similar to that, but with iptables instead.
    >
    > Offhand, I would think just trying to set rules for each undesired ip
    > address will get pretty large and degrade performance.

    Be it as it may, what iptables rules would accomplish something
    similar to what is described in the link?


    * Origin: albasani.net (110:110/2002@linuxnet)
  • From detha@110:110/2002 to All on Sun May 18 07:22:05 2014
    On Fri, 16 May 2014 19:47:37 +0000, S.K.R. de Jong wrote:

    > I run a small email server in which (of course) I get a certain
    > amount of spam. I know exactly what IP addresses the spam is coming from,
    > so keeping it at bay is easy. However, I'd like to do more than that.
    >
    > Would it be possible, with iptables, to arrange things on my side
    > so that resources are potentially indefinitely consumed at the system
    > with the IP address from which the spam is being sent?
    >
    > For instance, since the connection to port 25 is a TCP
    > connection, would it be possible to force them to keep that connection
    > open for several minutes, before telling them that their spam has been
    > rejected?

    You are probably looking for the '-j TARPIT' target. Most distributions
    don't include that by default (because it is too easy to shoot yourself
    in the foot with it - every active tarpit consumes resources on /your/
    server, and it opens you up to being DDOSed just by opening a bunch of
    connections to a tarpit'ed port).

    Some have it as a kernel module (e.g. Debian has it in the xtables-addons-common package).

    -d


    * Origin: whoever pays best (110:110/2002@linuxnet)
  • From S.K.R. de Jong@110:110/2002 to All on Sun May 18 14:26:15 2014
    On Sun, 18 May 2014 09:22:05 +0200, detha wrote:

    > On Fri, 16 May 2014 19:47:37 +0000, S.K.R. de Jong wrote:
    >
    >> I run a small email server in which (of course) I get a certain
    >> amount of spam. I know exactly what IP addresses the spam is coming
    >> from, so keeping it at bay is easy. However, I'd like to do more than
    >> that.
    >>
    >> Would it be possible, with iptables, to arrange things on my side
    >> so that resources are potentially indefinitely consumed at the system
    >> with the IP address from which the spam is being sent?
    >>
    >> For instance, since the connection to port 25 is a TCP
    >> connection, would it be possible to force them to keep that connection
    >> open for several minutes, before telling them that their spam has been
    >> rejected?
    >
    > You are probably looking for the '-j TARPIT' target. Most distributions
    > don't include that by default (because it is too easy to shoot yourself
    > in the foot with it - every active tarpit consumes resources on /your/
    > server, and it opens you up to being DDOSed just by opening a bunch of
    > connections to a tarpit'ed port).
    >
    > Some have it as a kernel module (e.g. Debian has it in the
    > xtables-addons-common package).

    Thanks. This seems to be pretty much what I was looking for.


    * Origin: albasani.net (110:110/2002@linuxnet)
  • From buck@110:110/2002 to All on Sun May 18 18:27:53 2014
    "S.K.R. de Jong" <SKRdJ@nowhere.net> wrote in news:llafu7$l26$1@news.albasani.net:

    > On Sun, 18 May 2014 09:22:05 +0200, detha wrote:
    >
    >>> Would it be possible, with iptables, to arrange things on my side
    >>> so that resources are potentially indefinitely consumed at the system
    >>> with the IP address from which the spam is being sent?
    >>
    >> You are probably looking for the '-j TARPIT' target. Most distributions
    >> don't include that by default (because it is too easy to shoot yourself
    >> in the foot with it - every active tarpit consumes resources on /your/
    >> server, and it opens you up to being DDOSed just by opening a bunch of
    >> connections to a tarpit'ed port).
    >>
    >> Some have it as a kernel module (e.g. Debian has it in the
    >> xtables-addons-common package).
    >
    > Thanks. This seems to be pretty much what I was looking for.

    TARPIT does not work, at least not as you desire.

    That's because it shrinks the window, which causes the sender to send
    a TCP reset (RST), closing the connection.

    The original idea was to allow the spammer to connect to your SMTP
    server and then set the window to one byte, so that each packet
    contains 1 byte, causing the transaction to take FOREVER to send even
    a small message. But when spammers figured that out, they just
    changed the TCP software to terminate the connection (RST) and go on
    to the next victim.
    --
    buck

    * Origin: Say What? (110:110/2002@linuxnet)
  • From Doug Laidlaw@110:110/2002 to All on Thu May 22 18:09:42 2014
    S.K.R. de Jong wrote:

    >> Offhand, I would think just trying to set rules for each undesired ip
    >> address will get pretty large and degrade performance.
    >
    > Be it as it may, what iptables rules would accomplish something
    > similar to what is described in the link?

    Don't use iptables. For newsgroups, I use Leafnode, and filter out
    anything from Google Groups. That accounts for about 95 per cent.

    What are you trying to stop? Any emails will get through your firewall
    because you have allowed POP. Install Spamassassin, and add the undesired
    addresses to your blacklist. Much easier.

    Doug.

    * Origin: Aioe.org NNTP Server (110:110/2002@linuxnet)
  • From S.K.R. de Jong@110:110/2002 to All on Fri May 23 14:12:07 2014
    On Fri, 23 May 2014 04:09:42 +1000, Doug Laidlaw wrote:

    > S.K.R. de Jong wrote:
    >
    >>> Offhand, I would think just trying to set rules for each undesired ip
    >>> address will get pretty large and degrade performance.
    >>
    >> Be it as it may, what iptables rules would accomplish something
    >> similar to what is described in the link?
    >
    > Don't use iptables. For newsgroups, I use Leafnode, and filter out
    > anything from Google Groups. That accounts for about 95 per cent.
    >
    > What are you trying to stop? Any emails will get through your firewall
    > because you have allowed POP.

    I am trying to keep off people who connect to my SMTP repeatedly
    and probably for nefarious reasons, and also IP addresses associated with
    spam delivery. I don't want to accept their junk and then classify it as
    spam; I just don't want for them to deliver their junk to me and, if
    possible, inconvenience them in the process. Nothing to do with POP,
    which I don't use anyway.

    > Install Spamassassin, and add the undesired addresses to your
    > blacklist. Much easier.

    I can already deal with spam by means of iptables as above, and milter-regex.


    * Origin: albasani.net (110:110/2002@linuxnet)
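    As an added example (not code from the thread or from any poster), the
    following dry-run script prints the ipset and iptables commands that address
    two points raised above: Bit Twister's concern that one rule per undesired
    address grows large and slow, and the goal of keeping off hosts that connect
    to SMTP repeatedly. The set and chain names and the sample networks are
    assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. It prints, without applying,
# the ipset and iptables commands for two things raised in the thread:
# dropping SMTP connections from a blocklist of spam sources without one
# firewall rule per address, and dropping sources that keep opening new
# SMTP connections. The names smtp_block, SMTP_IN and smtp_recent and the
# sample networks below are constructed for this example.

# Constructed sample blocklist: one address or CIDR network per line,
# using documentation ranges in place of real spam sources.
BLOCKLIST='# lines starting with # and blank lines are ignored
192.0.2.0/24
198.51.100.17

203.0.113.0/25'

# Read the list on stdin and emit the commands that load it into a single
# hash:net set; the firewall then needs one rule however long the list grows.
gen_ipset_cmds() {
    echo "ipset create smtp_block hash:net -exist"
    grep -Ev '^[[:space:]]*(#|$)' | while read -r net; do
        echo "ipset add smtp_block $net -exist"
    done
}

# Emit the rules: new port-25 connections jump to a dedicated chain that
# drops blocklisted sources, then drops any source seen opening $1 or more
# new connections within the last $2 seconds. Because --update refreshes
# the source's timestamp, a host that keeps retrying stays dropped.
# ($1 must not exceed xt_recent's ip_pkt_list_tot parameter, 20 by default.)
gen_iptables_cmds() {
    hits=$1; secs=$2
    echo "iptables -N SMTP_IN"
    echo "iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j SMTP_IN"
    echo "iptables -A SMTP_IN -m set --match-set smtp_block src -j DROP"
    echo "iptables -A SMTP_IN -m recent --name smtp_recent --set"
    echo "iptables -A SMTP_IN -m recent --name smtp_recent --update --seconds $secs --hitcount $hits -j DROP"
    echo "iptables -A SMTP_IN -j RETURN"
}

# Review the output, then pipe it to a root shell to apply it.
printf '%s\n' "$BLOCKLIST" | gen_ipset_cmds
gen_iptables_cmds 10 60
```

    Unlike TARPIT, this only refuses the connection, so the cost stays on the
    sender's side rather than tying up state on your own server.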
  • From Richard Kettlewell@110:110/2002 to All on Fri May 23 15:30:10 2014
    "S.K.R. de Jong" <SKRdJ@nowhere.net> writes:
    > I am trying to keep off people who connect to my SMTP repeatedly and
    > probably for nefarious reasons, and also IP addresses associated with
    > spam delivery. I don't want to accept their junk and then classify it
    > as spam; I just don't want for them to deliver their junk to me and,
    > if possible, inconvenience them in the process. Nothing to do with
    > POP, which I don't use anyway.

    You are extremely unlikely to inconvenience the spammer. At most you
    might inconvenience whoever it is they are stealing resources from, and
    possibly not even them very much.

    --
    http://www.greenend.org.uk/rjk/

    * Origin: Anjou (110:110/2002@linuxnet)
  • From S.K.R. de Jong@110:110/2002 to All on Mon Aug 11 17:20:04 2014
    On Fri, 16 May 2014 19:47:37 +0000, S.K.R. de Jong wrote:

    > I run a small email server in which (of course) I get a certain amount
    > of spam. I know exactly what IP addresses the spam is coming from,
    > so keeping it at bay is easy. However, I'd like to do more than that.
    >
    > Would it be possible, with iptables, to arrange things on my side
    > so that resources are potentially indefinitely consumed at the system
    > with the IP address from which the spam is being sent?
    >
    > For instance, since the connection to port 25 is a TCP
    > connection, would it be possible to force them to keep that connection
    > open for several minutes, before telling them that their spam has been
    > rejected?

    A followup on this, in case anyone might be interested:

    I took a different approach to dealing with the spam issue; if I
    can't hurt them, at least I can keep (most of) them at bay. I am now
    using lists of IP addresses/countries in sendmail, and by blocking
    connections from the following countries:

    bd, cn, do, hk, id, il, in, ir, om, ro, ru, sa, sg, th, tw, vn, za

    my incoming spam has dropped almost to nothing.

    * Origin: albasani.net (110:110/2002@linuxnet)