I have been watching our system and/or firewall logs for a long time; the
smtp port 25 is open here only for local mail services and has been
blocked for the public in general. But why the hell do so many of the spam
pushers try to invade our machines, particularly the one which is acting
as gateway and firewall? Here follows a part of a daily log report for
yesterday for your kind reference:
--------------------- iptables firewall Begin ------------------------
Listed by source hosts:
Logged 751 packets on interface eth0
From 66.7.205.67 - 11 packets to tcp(25)
From 66.7.210.196 - 12 packets to tcp(25)
From 72.14.204.237 - 5 packets to tcp(25)
From 72.29.69.195 - 12 packets to tcp(25)
From 72.29.72.47 - 4 packets to tcp(25)
From 74.55.201.34 - 4 packets to tcp(25)
From 76.13.13.68 - 9 packets to tcp(25)
From 76.13.13.73 - 9 packets to tcp(25)
From 76.13.13.86 - 198 packets to tcp(25)
From 89.163.148.127 - 24 packets to tcp(25)
From 118.161.50.225 - 3 packets to tcp(25)
From 146.83.129.6 - 51 packets to tcp(25)
From 195.149.90.4 - 18 packets to tcp(25)
From 206.47.199.164 - 5 packets to tcp(25)
From 207.102.49.249 - 4 packets to tcp(25)
From 209.85.217.26 - 5 packets to tcp(25)
From 209.191.84.166 - 89 packets to tcp(25)
From 216.165.179.135 - 285 packets to tcp(0,25)
---------------------- iptables firewall End -------------------------
I can/shall list all the above-said IPs by hostname also, if needed.
Do I need to report these kinds of invaders? If yes, to whom do I report
these?
How do I limit access to this smtp port 25 so that the invader is
blocked after more than 3 attempts?
Thanks,
Regards,
--
Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
Anu'z Linux@HOME (Unix Shoppe) Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India Gentoo, Fedora, Debian/FreeBSD/XP
Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/
> Hi,
>
> I have been watching our system and/or firewall logs for a long time; the
> smtp port 25 is open here only for local mail services and has been
> blocked for the public in general. But why the hell do so many of the spam
> pushers try to invade our machines, particularly the one which is acting
> as gateway and firewall? Here follows a part of a daily log report for
> yesterday for your kind reference:
They scan all the time for open relays, you won't stop it.
> I can/shall list all the above-said IPs by hostname also, if
> needed.
Why, everybody can do that. Most of them are computers which are part of a
botnet.
> Do I need to report these kinds of invaders? If yes, to whom do I report
> these?
Usually you can get an abuse email address via whois; you could send an
email, but those guys have other things to do than asking these people
what happens on their computers.
> How do I limit access to this smtp port 25 so that the invader is
> blocked after more than 3 attempts?
fail2ban, or man iptables and search for --limits.
I just block it, that's it. Why should I spend time reporting crap like this?
cheers
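An added example, not code from anyone in this thread, that ties the two hints above together: a POSIX shell script that reads the daily "iptables firewall" report format quoted at the top of the thread, emits a DROP rule for every source that exceeded the 3 attempts the question asks about, and prints the standing -m recent / -m limit rules that the "man iptables" hint refers to. The sample report lines, the interface name eth0 and the 60-second window are assumptions; the iptables commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the daily report into a
# block list and print the standing rate-limit rules.  Commands are
# printed, not executed: review them, then pipe the output into sh as root.

THRESHOLD=3     # "blocked after more than 3 attempts", from the question
IFACE=eth0      # interface named in the daily report (assumption)

# Constructed sample in the same format as the page's daily report.
SAMPLE='Logged 751 packets on interface eth0
From 66.7.205.67 - 11 packets to tcp(25)
From 72.29.72.47 - 4 packets to tcp(25)
From 118.161.50.225 - 3 packets to tcp(25)
From 216.165.179.135 - 285 packets to tcp(0,25)'

# Read report lines on stdin; print sources with more than THRESHOLD
# packets aimed at tcp port 25 (tcp(25) and tcp(0,25) both match).
offenders() {
    awk -v max="$THRESHOLD" \
        '$1 == "From" && $4 + 0 > max + 0 && $7 ~ /tcp\(.*25\)/ { print $2 }'
}

# One DROP per offender, inserted at the head of INPUT for the external
# interface, so these packets never reach the LOG rule again.
static_block_rules() {
    offenders | while read -r ip; do
        printf 'iptables -I INPUT -i %s -s %s -p tcp --dport 25 -j DROP\n' \
            "$IFACE" "$ip"
    done
}

# Standing rules: the 4th new connection from one source within 60 s is
# dropped (hitcount = THRESHOLD + 1), and what is still logged is capped
# at 5 lines/min so the daily report stays readable.  Append your existing
# port-25 policy (DROP for the public, per the thread) after these.
dynamic_rules() {
    cat <<EOF
iptables -A INPUT -i $IFACE -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --name SMTP --set
iptables -A INPUT -i $IFACE -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --name SMTP --update --seconds 60 --hitcount $((THRESHOLD + 1)) -j DROP
iptables -A INPUT -i $IFACE -p tcp --dport 25 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SMTP-NEW: "
EOF
}

printf '%s\n' "$SAMPLE" | static_block_rules
dynamic_rules
```

Feed yesterday's real report into static_block_rules instead of the constructed SAMPLE once the output looks right; the 3-packet host in the sample is deliberately left unblocked because the question asks for "more than" 3.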
> Hi,
>
> I have been watching our system and/or firewall logs for a long time; the
> smtp port 25 is open here only for local mail services and has been
> blocked for the public in general. But why the hell do so many of the spam
> pushers try to invade our machines, particularly the one which is acting
> as gateway and firewall? Here follows a part of a daily log report for
> yesterday for your kind reference:
[list]
Welcome to the Internet, sir. Do Not Panic.
Spam is commonly sent by botnets, large groups of infected machines.
>
> I can/shall list all the above-said IPs by hostname also, if needed.
>
> Do I need to report these kinds of invaders? If yes, to whom do I report
> these?
You could report these to the owner of the ip block.
That's usually their isp or hosting provider, which may decide to forward
the report or stop the service.
> How do I limit access to this smtp port 25 so that the invader is
> blocked after more than 3 attempts?
If your port 25 is open only for local mail services, why would
you want to block outsiders (since they should already be blocked,
right?).
If you just want to limit the log amount, something similar
to this configuration would help:
http://www.debian-administration.org/articles/187
(of course, that's for ssh, port 22. You can adapt it to fit
correctly in your current firewall ruleset.)
--
Thomas Samson
A witty saying proves nothing, but saying something pointless gets
people's attention.
>I have been watching our system and/or firewall logs for a long time; the
>smtp port 25 is open here only for local mail services and has been
>blocked for the public in general.
As long as it's blocked - who cares?
>But why the hell do so many of the spam pushers try to invade our
>machines, particularly the one which is acting as gateway and firewall?
With one exception, those all seem to be looking to send mail. To you
or to others is hard to say without further details.
> From 66.7.205.67 rwhois.dimenoc.com
> From 66.7.210.196 rwhois.dimenoc.com
> From 72.14.204.237 Google
> From 72.29.69.195 rwhois.dimenoc.com
> From 72.29.72.47 rwhois.dimenoc.com
> From 74.55.201.34 rwhois.theplanet.com
> From 76.13.13.68 networ...@cc.yahoo-inc.com
> From 76.13.13.73 networ...@cc.yahoo-inc.com
> From 76.13.13.86 networ...@cc.yahoo-inc.com
> From 89.163.148.127 ab...@unitedcolo.de
> From 118.161.50.225 hinet.net Taiwan
> From 146.83.129.6 Red Universitaria Nacional (Santiago, CL)
> From 195.149.90.4 CityNet, Nezhin, Ukraine
> From 206.47.199.164 Bell Canada ab...@bellnexxia.net
> From 209.85.217.26 Google
> From 209.191.84.166 networ...@cc.yahoo-inc.com
> From 216.165.179.135 ab...@tds.net
Some of those look like "legitimate" mail servers, but if you are not
open for mail, why would they be sending to you? (Yes, "some" of those
domains are _permanently_ blocked at home _and_ where I work.) Some of
the hits could be clueless mail servers attempting to "return" spam
that was forged from your domain - hard to say without seeing the mail,
isn't it?
>I can/shall list all the above-said IPs by hostname also, if needed.
Anyone with a network connection and a 'whois' tool can get all the data
they need from the addresses alone.
>Do I need to report these kinds of invaders? If yes, to whom do I report
>these?
How are these systems "invading" your systems? By trying to send mail?
If they actually are sending spam, post the actual spam to the Usenet
newsgroup news.admin.net-abuse.sightings (which is moderated). You can
use 'whois' (and the near identical rwhois) to see who is responsible
for the IP blocks, and perhaps get abuse@ addresses, but if you are not
expecting legitimate mail from them, why are you accepting connections
in the first place? If they are already blocked by your firewall AS
THEY SHOULD BE, who cares what you do?
>How do I limit access to this smtp port 25 so that the invader is
>blocked after more than 3 attempts?
Do you expect mail from these hosts? If no, then block the address
ranges permanently. If you are accepting mail for your users, then
run a spam filter like spamassassin.
Automatic blocking can be done by a number of "tools" such as fail2ban
or a trivial re-write of 'DenyHost' (both are python scripts originally
designed to react to bad ssh logins). Personally, automatic scripts are
a good way to automatically shoot yourself in the wobbly bits. It's
much easier to simply permanently block the "offending" IP blocks.
Old guy
Use a disposable email address when sending reports to abuse
addresses. A few years back, I sent abuse reports to some
foreign domains, and my inbound spam rate immediately went
through the roof. Some whole (foreign) domains are owned
(legitimately or by malware infection) by the spammers.
In another posting in this thread, one of the IP addresses
was identified as hinet.net in Taiwan. That domain appears
to account for a large fraction of the spam I receive on my
personal accounts.
HTH
--
Robert Riches
spamt...@verizon.net
(Yes, that is one of my email addresses.)
> How do I limit access to this smtp port 25 so that the invader is
> blocked after more than 3 attempts?
I use blocklists. Spamhaus' Zen list catches 90% of them.
> Hi,
>
> I have been watching our system and/or firewall logs for a long time; the
> smtp port 25 is open here only for local mail services and has been
> blocked for the public in general. But why the hell do so many of the spam
> pushers try to invade our machines, particularly the one which is acting
> as gateway and firewall? Here follows a part of a daily log report for
> yesterday for your kind reference:
>
Why then is it even bound to the external interface? Port 25 should not be
open to that one, after all - unless you accept direct smtp from selected
counterpart(s). Normally, you'll just pull the mailboxen from your isp
account using pop or friends.
--
vista policy violation: Microsoft optical mouse found penguin patterns
on mousepad. Partition scan in progress to remove offending
incompatible products. Reactivate MS software.
Linux 2.6.24. [LinuxCounter#295241,ICQ#4918962]
The smtpd is listening only on the internal interface for local users; it is
almost secure and protected by iptables/firewall from internal attacks
as well.
That's nice, shall definitely give it a try, thanks :)