Detecting/Defeating Spambots

All of lore.kernel.org
 help / color / mirror / Atom feed

* Detecting/Defeating Spambots
@ 2005-06-06 16:49 Lucky Leavell
  2005-06-07 11:31 ` Georgi Alexandrov
  0 siblings, 1 reply; 4+ messages in thread
From: Lucky Leavell @ 2005-06-06 16:49 UTC (permalink / raw)
  To: netfilter

OS: SuSE 9.3 Pro

I work with a small ISP and we are encountering with increasing frequency 
Windows machines which have been compromised and apparently being used as 
spambots based on their attempted connection to port 25 of foreign hosts 
instead on using our mail server for outgoing mail.

With allowance for legitimate exceptions, could we simply disallow port 25 
connections from within our networks to any but our mail servers? (We run 
all outgoing -as well as incoming- mail thru amavis/clamav/spamassassin.)

Any other thoughts or links to resources?

Thank you,
Lucky

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Detecting/Defeating Spambots
  2005-06-06 16:49 Detecting/Defeating Spambots Lucky Leavell
@ 2005-06-07 11:31 ` Georgi Alexandrov
  2005-06-07 11:36   ` Georgi Alexandrov
  0 siblings, 1 reply; 4+ messages in thread
From: Georgi Alexandrov @ 2005-06-07 11:31 UTC (permalink / raw)
  To: netfilter

Lucky Leavell wrote:

>OS: SuSE 9.3 Pro
>
>I work with a small ISP and we are encountering with increasing frequency 
>Windows machines which have been compromised and apparently being used as 
>spambots based on their attempted connection to port 25 of foreign hosts 
>instead on using our mail server for outgoing mail.
>
>With allowance for legitimate exceptions, could we simply disallow port 25 
>connections from within our networks to any but our mail servers? 
>
Yes, something like that:
iptables -A FORWARD -p tcp -s $our_networks -d ! 
$our_mail_server_ip_addr --dport 25 -j DROP

>(We run 
>all outgoing -as well as incoming- mail thru amavis/clamav/spamassassin.)
>
>Any other thoughts or links to resources?
>
>Thank you,
>Lucky
>
>
>  
>



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Detecting/Defeating Spambots
  2005-06-07 11:31 ` Georgi Alexandrov
@ 2005-06-07 11:36   ` Georgi Alexandrov
  2005-06-07 11:51     ` Georgi Alexandrov
  0 siblings, 1 reply; 4+ messages in thread
From: Georgi Alexandrov @ 2005-06-07 11:36 UTC (permalink / raw)
  To: netfilter

Georgi Alexandrov wrote:

> Lucky Leavell wrote:
>
>> OS: SuSE 9.3 Pro
>>
>> I work with a small ISP and we are encountering with increasing 
>> frequency Windows machines which have been compromised and apparently 
>> being used as spambots based on their attempted connection to port 25 
>> of foreign hosts instead on using our mail server for outgoing mail.
>>
>> With allowance for legitimate exceptions, could we simply disallow 
>> port 25 connections from within our networks to any but our mail 
>> servers?
>
> Yes, something like that:
> iptables -A FORWARD -p tcp -s $our_networks -d ! 
> $our_mail_server_ip_addr --dport 25 -j DROP

Or, if you have multiple mail servers, something like that:
iptables -A FORWARD -p tcp -s $our_networks -d $first_mail_server 
--dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks -d $second_mail_server 
--dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks -d $third_mail_server 
--dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $our_networks --dport 25 -j DROP

>
>> (We run all outgoing -as well as incoming- mail thru 
>> amavis/clamav/spamassassin.)
>>
>> Any other thoughts or links to resources?
>>
>> Thank you,
>> Lucky
>>
>>
>>  
>>
>
>
>
regards,
Georgi Alexandrov


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Detecting/Defeating Spambots
  2005-06-07 11:36   ` Georgi Alexandrov
@ 2005-06-07 11:51     ` Georgi Alexandrov
  0 siblings, 0 replies; 4+ messages in thread
From: Georgi Alexandrov @ 2005-06-07 11:51 UTC (permalink / raw)
  To: netfilter

Georgi Alexandrov wrote:

> Georgi Alexandrov wrote:
>
>> Lucky Leavell wrote:
>>
>>> OS: SuSE 9.3 Pro
>>>
>>> I work with a small ISP and we are encountering with increasing 
>>> frequency Windows machines which have been compromised and 
>>> apparently being used as spambots based on their attempted 
>>> connection to port 25 of foreign hosts instead on using our mail 
>>> server for outgoing mail.
>>>
>>> With allowance for legitimate exceptions, could we simply disallow 
>>> port 25 connections from within our networks to any but our mail 
>>> servers?
>>
>>
>> Yes, something like that:
>> iptables -A FORWARD -p tcp -s $our_networks -d ! 
>> $our_mail_server_ip_addr --dport 25 -j DROP
>
>
> Or, if you have multiple mail servers, something like that:
> iptables -A FORWARD -p tcp -s $our_networks -d $first_mail_server 
> --dport 25 -j ACCEPT
> iptables -A FORWARD -p tcp -s $our_networks -d $second_mail_server 
> --dport 25 -j ACCEPT
> iptables -A FORWARD -p tcp -s $our_networks -d $third_mail_server 
> --dport 25 -j ACCEPT
> iptables -A FORWARD -p tcp -s $our_networks --dport 25 -j DROP

Or, you can DNAT all requests to port 25/tcp to your server, like that:
iptables -t nat -A PREROUTING -p tcp -s $our_networks --dport 25 -j DNAT 
--to $our_mail_server

>
>>
>>> (We run all outgoing -as well as incoming- mail thru 
>>> amavis/clamav/spamassassin.)
>>>
>>> Any other thoughts or links to resources?
>>>
>>> Thank you,
>>> Lucky
>>>
>>>
>>>  
>>>
>>
>>
>>
> regards,
> Georgi Alexandrov
>
>



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2005-06-07 11:51 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-06-06 16:49 Detecting/Defeating Spambots Lucky Leavell
2005-06-07 11:31 ` Georgi Alexandrov
2005-06-07 11:36   ` Georgi Alexandrov
2005-06-07 11:51     ` Georgi Alexandrov

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.