[Esd-l] auto-add iptables filter-rules to block senderips of quarantined mails

Howard Lowndes lannet at lannet.com.au
Tue Sep 9 15:13:47 PDT 2003


I think you would be better off using milter (for sendmail) or greylisting 
http://projects.puremagic.com/greylisting/

On Tue, 9 Sep 2003, Peter Warasin wrote:

> hi
> 
> the SoBig.F worm caused me an incredible amount of useless traffic, which
> somebody has to pay for.
> The sanitizer and SpamAssassin filtered out most of it, but that is after the
> worm has already generated the traffic.
> 
> So I decided to write a script which gathers IP addresses from
> quarantined mails and stores them in a special directory.
> 
> I get the IP address from the last Received line, so I am sure that it is
> the real sender.
> There is also an option to take the IP address only from senders which
> have their own SMTP (mostly hosts which are infected by a worm with its
> own SMTP).
> 
> Another cron script inserts the IP addresses into an iptables chain if the
> sender sent more than a specified amount of mail in the last 24 hours.
> 
> Probably somebody here finds this useful and could test it on his box.
> 
> here is the link of the first tar:
> http://www.darkrealms.org/mebendazol-niclosamid-0.0.1.tar.gz
> 
> I did not write much documentation, so here are some steps:
> The Perl script mebendazol.pl should be called from procmail between the
> sanitizer local-rules include and the sanitizer html-trap.procmail include,
> like this:
> 
> :0c
> *       X-Content-Security:.*QUARANTINE
> |/usr/bin/mebendazol.pl --trash=/dev/null
> 
> 
> The niclosamid.sh script should be called from cron every hour or so.
> Then the niclosmid chain must be hooked into the INPUT chain manually
> (the jump target must use the same chain name as the -N line):
> (iptables -N niclosmid
> iptables -I INPUT -j niclosmid)
> 
> 
> Hope this reduces some traffic ;)
> If I find some more time I will probably write some more documentation and
> put it on a website.
> 
> Please feel free to send suggestions or comments.
> 
> peter
> 
> 
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
> 

-- 
Howard.
LANNet Computing Associates - Your Linux people <http://www.lannetlinux.com>
------------------------------------------
Flatter government, not fatter government - Get rid of the Australian states.
------------------------------------------
If all economists were laid end to end, they would not reach a conclusion 
- George Bernard Shaw
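The two halves of the scheme Peter describes (a procmail hook that records the connecting IP of each quarantined mail, and an hourly job that turns repeat offenders into iptables rules) are small enough to show end to end. The Python below is an added illustration written for this page; it is not the mebendazol.pl/niclosamid.sh code from the tarball, which is Perl and shell. The chain name "niclosmid" is taken from the iptables -N line in the post; the threshold of 5 mails per 24 hours, the list of address ranges that are never blocked, the sample mails and their X-Content-Security header value are all constructed for the example. It goes slightly beyond the post in two places: the chain is flushed and rebuilt on every run, so an address ages out of the block list on its own once it drops below the threshold, and RFC1918/loopback sources are skipped so an infected internal host relaying through the same server does not get the mail server cut off from its own network.

```python
"""Added illustration of the mebendazol/niclosamid idea (not the original
Perl/shell code): record the connecting IP of each quarantined mail, then
block the IPs that exceed a per-24h threshold via an iptables chain."""
import email
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email import policy

CHAIN = "niclosmid"            # chain name from the post's "iptables -N" line
THRESHOLD = 5                  # assumed: quarantined mails per window before blocking
WINDOW = timedelta(hours=24)

# Assumed never-block list: loopback, RFC1918 and link-local.  An infected
# internal host relaying through this server must not lock the server out.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message):
    """Return the address our MTA accepted the SMTP connection from, or None.

    Every MTA prepends its own Received header, so the topmost one in the
    stored message was written by our server and cannot be forged by the
    sender.  All Received lines below it came from the remote side.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = _BRACKET_IP.search(str(received[0]))
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def record_quarantine(records, raw_message, seen_at):
    """procmail side: append (time seen, connecting IP) to the store."""
    ip = connecting_ip(raw_message)
    if ip is not None:
        records.append((seen_at, ip))
    return ip


def offenders(records, now, threshold=THRESHOLD, window=WINDOW):
    """cron side: IPs with at least `threshold` quarantined mails in the window."""
    counts = defaultdict(int)
    for seen_at, ip in records:
        if now - window <= seen_at <= now and not any(ip in net for net in _NEVER_BLOCK):
            counts[ip] += 1
    return sorted(str(ip) for ip, n in counts.items() if n >= threshold)


def iptables_commands(ips, chain=CHAIN):
    """Rebuild the chain each run; the chain itself is created once by hand
    (iptables -N CHAIN; iptables -I INPUT -j CHAIN), as in the post."""
    return [f"iptables -F {chain}"] + [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]


def sample_message(connecting, claimed):
    """Constructed quarantined mail: the topmost Received line is ours, the
    one below it is whatever the sender claimed (worms forge these freely)."""
    return (
        f"Received: from pc123.example.net (unknown [{connecting}])\n"
        "\tby mx.example.org (Postfix) with ESMTP id 6F3A1B2C\n"
        "\tfor <user@example.org>; Tue, 9 Sep 2003 15:00:00 +0200\n"
        f"Received: from mail.example.org ([{claimed}])\n"
        "\tby pc123.example.net with SMTP; Tue, 9 Sep 2003 14:59:00 +0200\n"
        "X-Content-Security: QUARANTINE\n"
        "From: <someone@example.com>\nTo: <user@example.org>\n"
        "Subject: Re: Thank you!\n\nPlease see the attached file for details.\n"
    )


def demo(now=datetime(2003, 9, 9, 15, 0, tzinfo=timezone.utc)):
    """Constructed 24h of quarantine records; returns the rules the cron job would apply."""
    records = []
    for i in range(5):   # repeat offender, all within the window
        record_quarantine(records, sample_message("192.0.2.10", "198.51.100.1"), now - timedelta(hours=i))
    record_quarantine(records, sample_message("192.0.2.20", "198.51.100.1"), now)   # one mail only
    for i in range(5):   # internal host: counted nowhere, never blocked
        record_quarantine(records, sample_message("10.0.0.5", "198.51.100.1"), now - timedelta(hours=i))
    for i in range(5):   # busy yesterday, already aged out of the window
        record_quarantine(records, sample_message("192.0.2.30", "198.51.100.1"), now - timedelta(hours=30 + i))
    return iptables_commands(offenders(records, now))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two caveats a practitioner would want before running anything like this: the block only saves the traffic of the *next* mails from that host, since the one that triggers it has already been received and scanned (Peter's own point about the sanitizer acting after the fact); and the connecting IP is only a good proxy for "the infected machine" when the worm delivers direct to MX. A mail that arrives via an ISP smarthost would cause the smarthost to be blocked, along with everyone behind it, which is why the post's option to count only senders with their own SMTP matters.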
