From mboxrd@z Thu Jan 1 00:00:00 1970
From: Georgi Alexandrov
Subject: Re: Detecting/Defeating Spambots
Date: Tue, 07 Jun 2005 14:36:21 +0300
Message-ID: <42A586B5.7020405@hotpop.com>
References: <42A585A8.3060001@hotpop.com>
In-Reply-To: <42A585A8.3060001@hotpop.com>
To: netfilter@lists.netfilter.org

Georgi Alexandrov wrote:
> Lucky Leavell wrote:
>
>> OS: SuSE 9.3 Pro
>>
>> I work with a small ISP and we are encountering with increasing
>> frequency Windows machines which have been compromised and apparently
>> being used as spambots based on their attempted connection to port 25
>> of foreign hosts instead of using our mail server for outgoing mail.
>>
>> With allowance for legitimate exceptions, could we simply disallow
>> port 25 connections from within our networks to any but our mail
>> servers?
>
> Yes, something like that:
> iptables -A FORWARD -p tcp -s $our_networks -d ! $our_mail_server_ip_addr --dport 25 -j DROP

Or, if you have multiple mail servers, something like that:

iptables -A FORWARD -p tcp -s $our_networks -d $first_mail_server --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks -d $second_mail_server --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks -d $third_mail_server --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks --dport 25 -j DROP

>
>> (We run all outgoing -as well as incoming- mail thru
>> amavis/clamav/spamassassin.)
>>
>> Any other thoughts or links to resources?
>>
>> Thank you,
>> Lucky
>
> regards,

Georgi Alexandrov
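
Added example, not part of the original thread: a shell version of the multi-server rule set above that prints the iptables commands instead of applying them, puts a rate-limited LOG rule in front of the final DROP, and counts the logged hits per source address so the compromised hosts can be identified. The SMTP_EGRESS chain name, the log prefix, all addresses and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: print (do not apply) an SMTP egress policy and summarise its log hits.
# Chain name, log prefix, addresses and log lines are constructed placeholders.

# Emit iptables commands: ACCEPT port 25 to each listed mail server, then a
# rate-limited LOG and a DROP for every other port-25 connection from our networks.
smtp_egress_rules() {
    nets=$1; shift
    echo "iptables -N SMTP_EGRESS"
    echo "iptables -A FORWARD -p tcp -s $nets --dport 25 -j SMTP_EGRESS"
    for mx in "$@"; do
        echo "iptables -A SMTP_EGRESS -d $mx -j ACCEPT"
    done
    echo "iptables -A SMTP_EGRESS -m limit --limit 6/min -j LOG --log-prefix \"SMTP-EGRESS-DROP: \""
    echo "iptables -A SMTP_EGRESS -j DROP"
}

# Read kernel log lines on stdin and print "<count> <source address>",
# busiest source first, for lines written by the LOG rule above.
smtp_offenders() {
    awk '/SMTP-EGRESS-DROP: / {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
         }
         END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Constructed sample of LOG-target output (fields shortened).
sample_log() {
cat <<'EOF'
Jun  7 14:01:02 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=198.51.100.25 PROTO=TCP SPT=1044 DPT=25
Jun  7 14:01:03 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=203.0.113.8 PROTO=TCP SPT=1045 DPT=25
Jun  7 14:01:09 gw kernel: eth0: link up
Jun  7 14:02:11 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.7.4 DST=198.51.100.25 PROTO=TCP SPT=3312 DPT=25
Jun  7 14:02:40 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=203.0.113.9 PROTO=TCP SPT=1051 DPT=25
EOF
}

smtp_egress_rules 10.0.0.0/16 192.0.2.10 192.0.2.11
sample_log | smtp_offenders
```

Because the LOG rule is rate-limited, the per-host counts are a lower bound on the number of blocked attempts.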