
Thread: Block an IP from sending mail

  1. #1
    Member
    Join Date
    Dec 2001
    Posts
    42

    Block an IP from sending mail

    One of my clients has been getting abuse from a certain IP, is there a way to block one IP from sending any mail through mail.usersdomain.com or even through the server at all?

    He tried setting the IP in the cPanel block > from > contains but the guy is still sending a ton of mail through somehow. Any way to set this block on a server level?
    Preferably on the exim port, but any way would be helpful.

    Cheers,

    Myros
    http://www.neuralhq.com

  2. #2
    Member
    Join Date
    Dec 2001
    Posts
    42

    How would this work ..

    in hosts.deny add:

    ALL : XXX.XXX.XXX.XXX

    And add the offender's IP address in there. Would that block him from even sending mail through our server?

    Myros
    http://www.neuralhq.com

  3. #3
    Member
    Join Date
    Aug 2001
    Posts
    115

    hi

    Originally posted by myros:

    > One of my clients has been getting abuse from a certain IP, is there a way to block one IP from sending any mail through mail.usersdomain.com or even through the server at all?
    >
    > He tried setting the IP in the cPanel block > from > contains but the guy is still sending a ton of mail through somehow. Any way to set this block on a server level?
    > Preferably on the exim port, but any way would be helpful.
    >
    > Cheers,
    >
    > Myros

    Hi Myros

    Check out whether your client has any older version of the formmail.pl script.

    The old versions had this security hole - using that, people could spam from your server.

    If you find any old formmail scripts, upgrade them to the latest one.

    http://www.scriptarchive.com/formmail.html

    Mail me if you need anything else.
    best regards,
    Parag

  4. #4
    Member
    Join Date
    Dec 2001
    Posts
    42

    Thanks Parag,
    Not really what I mean though. The email is coming from an external source TO the client. So I'm looking for a way to block any incoming mail from that IP coming through the server at all.

    Myros
    http://www.neuralhq.com

  5. #5
    cPanel Partner NOC
    Join Date
    Aug 2001
    Posts
    445

    The IP is contained in the message headers and is always constant? Set up a filter in the email management area where any header -> contains -> IP. You can't stop mail from arriving at the server from that IP unless you use some RBL to kill it on entry, but at least you could filter it away so your client doesn't have to see it.
    Annette
    Hosting Matters, Inc.
    http://www.hostmatters.com

  6. #6
    Member
    Join Date
    Dec 2001
    Posts
    42

    Guess I'm not being very clear

    Already set up his own cPanel email to block > from > contains > IP

    But for some reason his email is still getting through, so I'm looking for a more global setting, either exim or server wide, to block an IP. I don't care if he sends it, I'd just like a way to prevent it from reaching the client. If I could set exim to refuse all incoming email from that IP that would be ideal.

    Myros
    http://www.neuralhq.com

  7. #7
    Member
    Join Date
    Aug 2001
    Posts
    115

    Originally posted by myros:

    > Guess I'm not being very clear
    >
    > Already set up his own cPanel email to block > from > contains > IP
    >
    > But for some reason his email is still getting through, so I'm looking for a more global setting, either exim or server wide, to block an IP. I don't care if he sends it, I'd just like a way to prevent it from reaching the client. If I could set exim to refuse all incoming email from that IP that would be ideal.
    >
    > Myros

    Yes, you can do that by editing exim.conf and setting the rules in order to block the IP.

    regards
    Parag

  8. #8
    Member
    Join Date
    Dec 2001
    Posts
    42

    Thanks Parag,
    Looking through exim.conf the syntax was a little strange to me. It almost read like it was backwards.

    I'll keep researching it though, but if somebody is familiar with exim and would know the right section and the syntax to use I'd appreciate it

    The other thing I was thinking about using was an ipchains command. Does exim or incoming mail use a particular port that I could just block that IP from?

    I appreciate the help folks.

    Myros
    http://www.neuralhq.com

  9. #9
    Member
    Join Date
    Aug 2001
    Posts
    115

    Originally posted by myros:

    > Thanks Parag,
    > Looking through exim.conf the syntax was a little strange to me. It almost read like it was backwards.
    >
    > I'll keep researching it though, but if somebody is familiar with exim and would know the right section and the syntax to use I'd appreciate it
    >
    > The other thing I was thinking about using was an ipchains command. Does exim or incoming mail use a particular port that I could just block that IP from?
    >
    > I appreciate the help folks.
    >
    > Myros

    Hi Myros

    You can enable the RBL option in the exim.conf

    Go to this URL and read all the info - there are several ways to block the IP - Host or a specified email address

    http://www.exim.org/exim-html-3.30/doc/html/spec_46.html#SEC822

    Let me know if you cannot figure it out

    best of luck
    cheers
    Parag

  10. #10
    Member
    Join Date
    Dec 2001
    Posts
    42


    Perfect.
    Thanks much Parag. Lots of stuff to work from there.

    Cheers,
    Myros
    http://www.neuralhq.com

  11. #11
    cPanel Partner NOC
    Join Date
    Aug 2001
    Posts
    445

    Originally posted by myros:

    > Guess I'm not being very clear
    >
    > Already set up his own cPanel email to block > from > contains > IP
    >
    > But for some reason his email is still getting through, so I'm looking for a more global setting, either exim or server wide, to block an IP. I don't care if he sends it, I'd just like a way to prevent it from reaching the client. If I could set exim to refuse all incoming email from that IP that would be ideal.
    >
    > Myros

    If the filter is as you have it above, it's not surprising that mail is making it through. Setting it to "from" contains will only check that piece of the envelope as it arrives. Setting the filter to "any header" "contains" "IP" will scan the entire header of the message as the mail arrives and discard matches. This type of filtering does work - I had to block off pm0's various mail servers by IP this way since they insisted on changing the server names every other week.
    Annette
    Hosting Matters, Inc.
    http://www.hostmatters.com

  12. #12
    Member
    Join Date
    Dec 2001
    Posts
    42

    Sorry yes, I had used both from and any header.

    I'm trying the exim.conf route, we'll see how it goes. Thanks for the tips all.

    Myros
    http://www.neuralhq.com

  13. #13
    Member
    Join Date
    Jun 2003
    Posts
    62

    Block an IP? Use iptables

    You can use iptables to block that IP at a low level, at the network routing level.

    For instance, if you want to block one IP...

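    #!/bin/sh
    # Single host: no /24 mask, so only 12.24.63.45 is matched.
    # Drops all TCP from it except packets whose source port is 80.
    # "!" goes before the option (the form current iptables accepts).
    iptables -D INPUT -s 12.24.63.45 -p tcp ! --source-port 80 -j DROP
    iptables -I INPUT -s 12.24.63.45 -p tcp ! --source-port 80 -j DROP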

    or if you want to block the IP and all the 12.24.63.0 to 12.24.63.255 IPs...

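    #!/bin/sh
    # Whole range 12.24.63.0 - 12.24.63.255, written as the network address.
    # Drops all TCP from it except packets whose source port is 80.
    iptables -D INPUT -s 12.24.63.0/24 -p tcp ! --source-port 80 -j DROP
    iptables -I INPUT -s 12.24.63.0/24 -p tcp ! --source-port 80 -j DROP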

    I appended the #!/bin/sh so you know you can place this into a script.

    I included the -D delete right before the -I insert so you know that if you place these in a script and you run the script over and over again it should delete a rule before inserting it again.

    Also, if you are going to modify your iptables like this I suggest that you use

    service iptables save

    so Red Hat saves your routing table before you change it.

    Then, if you want to revert the routing table to what it used to be you use

    service iptables restart

    Also,

    service iptables stop
    ... to clear the table

    and

    service iptables start
    to restore the table from /etc/sysconfig/iptables

    and

    iptables -L
    to see the routing table

    See the man page for iptables and some iptables howto for more info. Iptables can block specific ports, specific ips, ranges of ips, and has lots of quirks.

    Use iptables with caution. If you ask iptables to block the IP from which you are doing ssh or the IP range where your customers live you'll be in trouble.

    Hope it helps!

    ER
    Last edited by eurorocco; 06-20-2004 at 02:39 PM.
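
An added example, not code from the thread or from any poster: a POSIX sh helper that generates the iptables rule scoped to SMTP (tcp/25, the port the thread asks about) instead of all TCP, uses `iptables -C` so a re-run does not need the delete-then-insert pair, and refuses a block that would cut off the current SSH session. The function names and the 198.51.100.7 and 192.0.2.0/24 addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prints the iptables command for review; nothing is changed.

# Dotted-quad IPv4 address -> integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_contains NET[/BITS] IP : exit status 0 when IP lies inside the range.
cidr_contains() {
    net=${1%/*}; bits=32
    case $1 in */*) bits=${1#*/} ;; esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    a=$(ip_to_int "$net"); b=$(ip_to_int "$2")
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# block_cmds SRC [PORT|all] : print an idempotent DROP rule for SRC.
# SSH_CONNECTION is "client_ip client_port server_ip server_port"; the block
# is refused when it would drop the session this shell is running in.
block_cmds() {
    src=$1; port=${2:-all}
    ssh_ip=${SSH_CONNECTION:-}; ssh_ip=${ssh_ip%% *}
    ssh_port=${SSH_CONNECTION:-}; ssh_port=${ssh_port##* }
    if [ -n "$ssh_ip" ] && cidr_contains "$src" "$ssh_ip"; then
        if [ "$port" = all ] || [ "$port" = "$ssh_port" ]; then
            echo "refusing: $src covers your SSH session from $ssh_ip" >&2
            return 1
        fi
    fi
    rule="INPUT -s $src -p tcp"
    [ "$port" = all ] || rule="$rule --dport $port"
    rule="$rule -j DROP"
    # -C only tests for the rule, so -I runs just once however often this is run
    echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
}

# Constructed address: stop one host from reaching the mail server on port 25.
block_cmds 198.51.100.7 25
```

Run the printed line as root to apply it; `iptables -C` needs iptables 1.4.11 or later.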
