* Detecting/Defeating Spambots
@ 2005-06-06 16:49 Lucky Leavell
2005-06-07 11:31 ` Georgi Alexandrov
0 siblings, 1 reply; 4+ messages in thread
From: Lucky Leavell @ 2005-06-06 16:49 UTC (permalink / raw)
To: netfilter
OS: SuSE 9.3 Pro
I work with a small ISP and we are encountering with increasing frequency
Windows machines which have been compromised and apparently being used as
spambots based on their attempted connection to port 25 of foreign hosts
instead on using our mail server for outgoing mail.
With allowance for legitimate exceptions, could we simply disallow port 25
connections from within our networks to any but our mail servers? (We run
all outgoing -as well as incoming- mail thru amavis/clamav/spamassassin.)
Any other thoughts or links to resources?
Thank you,
Lucky
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Detecting/Defeating Spambots
2005-06-06 16:49 Detecting/Defeating Spambots Lucky Leavell
@ 2005-06-07 11:31 ` Georgi Alexandrov
2005-06-07 11:36 ` Georgi Alexandrov
0 siblings, 1 reply; 4+ messages in thread
From: Georgi Alexandrov @ 2005-06-07 11:31 UTC (permalink / raw)
To: netfilter
Lucky Leavell wrote:
>OS: SuSE 9.3 Pro
>
>I work with a small ISP and we are encountering with increasing frequency
>Windows machines which have been compromised and apparently being used as
>spambots based on their attempted connection to port 25 of foreign hosts
>instead on using our mail server for outgoing mail.
>
>With allowance for legitimate exceptions, could we simply disallow port 25
>connections from within our networks to any but our mail servers?
>
Yes, something like that:
iptables -A FORWARD -p tcp -s $our_networks -d !
$our_mail_server_ip_addr --dport 25 -j DROP
>(We run
>all outgoing -as well as incoming- mail thru amavis/clamav/spamassassin.)
>
>Any other thoughts or links to resources?
>
>Thank you,
>Lucky
>
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Detecting/Defeating Spambots
2005-06-07 11:31 ` Georgi Alexandrov
@ 2005-06-07 11:36 ` Georgi Alexandrov
2005-06-07 11:51 ` Georgi Alexandrov
0 siblings, 1 reply; 4+ messages in thread
From: Georgi Alexandrov @ 2005-06-07 11:36 UTC (permalink / raw)
To: netfilter
Georgi Alexandrov wrote:
> Lucky Leavell wrote:
>
>> OS: SuSE 9.3 Pro
>>
>> I work with a small ISP and we are encountering with increasing
>> frequency Windows machines which have been compromised and apparently
>> being used as spambots based on their attempted connection to port 25
>> of foreign hosts instead on using our mail server for outgoing mail.
>>
>> With allowance for legitimate exceptions, could we simply disallow
>> port 25 connections from within our networks to any but our mail
>> servers?
>
> Yes, something like that:
> iptables -A FORWARD -p tcp -s $our_networks -d !
> $our_mail_server_ip_addr --dport 25 -j DROP
Or, if you have multiple mail servers, something like that:
iptables -A FORWARD -p tcp -s $our_networks -d $first_mail_server
--dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks -d $second_mail_server
--dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks -d $third_mail_server
--dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks --dport 25 -j DROP
>
>> (We run all outgoing -as well as incoming- mail thru
>> amavis/clamav/spamassassin.)
>>
>> Any other thoughts or links to resources?
>>
>> Thank you,
>> Lucky
>>
>>
>>
>>
>
>
>
regards,
Georgi Alexandrov
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Detecting/Defeating Spambots
2005-06-07 11:36 ` Georgi Alexandrov
@ 2005-06-07 11:51 ` Georgi Alexandrov
0 siblings, 0 replies; 4+ messages in thread
From: Georgi Alexandrov @ 2005-06-07 11:51 UTC (permalink / raw)
To: netfilter
Georgi Alexandrov wrote:
> Georgi Alexandrov wrote:
>
>> Lucky Leavell wrote:
>>
>>> OS: SuSE 9.3 Pro
>>>
>>> I work with a small ISP and we are encountering with increasing
>>> frequency Windows machines which have been compromised and
>>> apparently being used as spambots based on their attempted
>>> connection to port 25 of foreign hosts instead on using our mail
>>> server for outgoing mail.
>>>
>>> With allowance for legitimate exceptions, could we simply disallow
>>> port 25 connections from within our networks to any but our mail
>>> servers?
>>
>>
>> Yes, something like that:
>> iptables -A FORWARD -p tcp -s $our_networks -d !
>> $our_mail_server_ip_addr --dport 25 -j DROP
>
>
> Or, if you have multiple mail servers, something like that:
> iptables -A FORWARD -p tcp -s $our_networks -d $first_mail_server
> --dport 25 -j ACCEPT
> iptables -A FORWARD -p tcp -s $our_networks -d $second_mail_server
> --dport 25 -j ACCEPT
> iptables -A FORWARD -p tcp -s $our_networks -d $third_mail_server
> --dport 25 -j ACCEPT
> iptables -A FORWARD -p tcp -s $our_networks --dport 25 -j DROP
Or, you can DNAT all requests to port 25/tcp to your server, like that:
iptables -t nat -A PREROUTING -p tcp -s $our_networks --dport 25 -j DNAT
--to $our_mail_server
>
>>
>>> (We run all outgoing -as well as incoming- mail thru
>>> amavis/clamav/spamassassin.)
>>>
>>> Any other thoughts or links to resources?
>>>
>>> Thank you,
>>> Lucky
>>>
>>>
>>>
>>>
>>
>>
>>
> regards,
> Georgi Alexandrov
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2005-06-07 11:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-06-06 16:49 Detecting/Defeating Spambots Lucky Leavell
2005-06-07 11:31 ` Georgi Alexandrov
2005-06-07 11:36 ` Georgi Alexandrov
2005-06-07 11:51 ` Georgi Alexandrov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.