
Block an IP from sending mail

Discussion in 'E-mail Discussions' started by myros, Aug 10, 2002.

  1. myros

    One of my clients has been getting abuse from a certain IP, is there a way to block one IP from sending any mail through mail.usersdomain.com or even through the server at all?

    He tried setting the IP in the cPanel block > from > contains but the guy is still sending a ton of mail through somehow. Any way to set this block on a server level?
    Preferably on the exim port but any way would be helpful.

    Cheers,

    Myros
     
  2. myros

    How would this work ..

    in hosts.deny add:

    ALL : XXX.XXX.XXX.XXX

    And add the offender's IP address in there. Would that block him from even sending mail through our server?

    Myros
     
  3. parag

    hi

    Originally posted by myros:

    > One of my clients has been getting abuse from a certain IP, is there a way to block one IP from sending any mail through mail.usersdomain.com or even through the server at all?
    >
    > He tried setting the IP in the cPanel block > from > contains but the guy is still sending a ton of mail through somehow. Any way to set this block on a server level?
    > Preferably on the exim port but any way would be helpful.
    >
    > Cheers,
    >
    > Myros


    Hi Myros

    Check whether your client has any older version of the formmail.pl script.

    The old versions had this security hole - using that, ppl could spam from your server.

    If you find any old formmail scripts, upgrade them to the latest one.

    http://www.scriptarchive.com/formmail.html

    Mail me if you need anything else.
    best regards,
    Parag
     
  4. myros

    Thanks Parag,
    Not really what I mean though. The email is coming from an external source TO the client. So I'm looking for a way to block any incoming mail from that IP coming through the server at all.

    Myros
     
  5. Annette

    The IP is contained in the message headers and is always constant? Set up a filter in the email management area where any header -> contains -> IP. You can't stop mail from arriving at the server from that IP unless you use some RBL to kill it on entry, but at least you could filter it away so your client doesn't have to see it.
     
  6. myros

    Guess I'm not being very clear :)

    Already set up his own cPanel email to block > from > contains > IP

    But for some reason his email is still getting through, so I'm looking for a more global setting, either exim or server wide, to block an IP. I don't care if he sends it, I'd just like a way to prevent it from reaching the client. If I could set exim to refuse all incoming email from that IP that would be ideal.

    Myros
     
  7. parag

    Originally posted by myros:

    > Guess I'm not being very clear :)
    >
    > Already set up his own cPanel email to block > from > contains > IP
    >
    > But for some reason his email is still getting through, so I'm looking for a more global setting, either exim or server wide, to block an IP. I don't care if he sends it, I'd just like a way to prevent it from reaching the client. If I could set exim to refuse all incoming email from that IP that would be ideal.
    >
    > Myros

    Yes, you can do that by editing exim.conf and setting the rules to block the IP.

    regards
    Parag
     
  8. myros

    Thanks Parag,
    Looking through exim.conf the syntax was a little strange to me. It almost read like it was backwards.

    I'll keep researching it though, but if somebody is familiar with exim and would know the right section and the syntax to use I'd appreciate it :)

    The other thing I was thinking about using was an ipchains command. Does exim or incoming mail use a particular port that I could just block that IP from?

    I appreciate the help folks.

    Myros
     
  9. parag

    Originally posted by myros:

    > Thanks Parag,
    > Looking through exim.conf the syntax was a little strange to me. It almost read like it was backwards.
    >
    > I'll keep researching it though, but if somebody is familiar with exim and would know the right section and the syntax to use I'd appreciate it :)
    >
    > The other thing I was thinking about using was an ipchains command. Does exim or incoming mail use a particular port that I could just block that IP from?
    >
    > I appreciate the help folks.
    >
    > Myros


    Hi Myros

    You can enable the RBL option in exim.conf.

    Go to this URL and read all the info - there are several ways to block the IP - Host or a specified email address

    http://www.exim.org/exim-html-3.30/doc/html/spec_46.html#SEC822

    Let me know if you cannot figure it out :)

    best of luck
    cheers
    Parag
     
  10. myros

    Perfect.
    Thanks much Parag. Lots of stuff to work from there.

    Cheers,
    Myros
     
  11. Annette

    Originally posted by myros:

    > Guess I'm not being very clear :)
    >
    > Already set up his own cPanel email to block > from > contains > IP
    >
    > But for some reason his email is still getting through, so I'm looking for a more global setting, either exim or server wide, to block an IP. I don't care if he sends it, I'd just like a way to prevent it from reaching the client. If I could set exim to refuse all incoming email from that IP that would be ideal.
    >
    > Myros

    If the filter is as you have it above, it's not surprising that mail is making it through. Setting it to <from> contains will only check that piece of the envelope as it arrives. Setting the filter to <any header> <contains> <IP> will scan the entire header of the message as the mail arrives and discard matches. This type of filtering does work - I had to block off pm0's various mail servers by IP this way since they insisted on changing the server names every other week.
     
  12. myros

    Sorry yes, I had used both from and any header.

    I'm trying the exim.conf route, we'll see how it goes. Thanks for the tips all.

    Myros
     
  13. eurorocco

    Block an IP? Use iptables

    You can use iptables to block that IP at a low-level, at the network routing level.

    For instance, if you want to block one IP...

    #!/bin/sh
    # No netmask: match the single address 12.24.63.45 only
    iptables -D INPUT -s 12.24.63.45 -p tcp --source-port ! 80 -j DROP
    iptables -I INPUT -s 12.24.63.45 -p tcp --source-port ! 80 -j DROP

    or if you want to block the IP and all the 12.24.63.0 to 12.24.63.255 IPs...

    #!/bin/sh
    iptables -D INPUT -s 12.24.63.45/24 -p tcp --source-port ! 80 -j DROP
    iptables -I INPUT -s 12.24.63.45/24 -p tcp --source-port ! 80 -j DROP

    I appended the #!/bin/sh so you know you can place this into a script.

    I included the -D delete right before the -I insert so you know that if you place these in a script and you run the script over and over again it should delete a rule before inserting it again.

    Also, if you are going to modify your iptables like this I suggest that you use

    service iptables save

    so redhat saves your routing table before you change it.

    Then, if you want to revert the routing table to what it used to be you use

    service iptables restart

    Also,

    service iptables stop
    ... to clear the table

    and

    service iptables start
    to restore the table from /etc/sysconfig/iptables

    and

    iptables -L
    to see the routing table

    See the man page for iptables and some iptables howto for more info. Iptables can block specific ports, specific ips, ranges of ips, and has lots of quirks.

    Use iptables with caution. If you ask iptables to block the IP from which you are doing ssh or the IP range where your customers live you'll be in trouble.

    Hope it helps!

    ER
     
    #13 eurorocco, Jun 20, 2004
    Last edited: Jun 20, 2004
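
Added example, not part of any post in this thread: a script that limits the block to inbound SMTP (TCP port 25), which is what the original question asked for, and leaves SSH and other services from the same source untouched. The function names and the `APPLY` switch are assumptions, the 192.0.2.x addresses are constructed sample values, and `iptables -C` requires a version of iptables that supports rule checking.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and the APPLY switch
# are assumptions; 192.0.2.x addresses are constructed (documentation range).

# valid_source SRC: succeed only for dotted-quad IPv4 with an optional /0-32 prefix.
valid_source() {
    case $1 in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|0?*) return 1 ;; esac
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    rest=${1%%/*}.
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        count=$((count + 1))
        case $octet in 0?*) return 1 ;; esac   # leading zero may be read as octal
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    [ "$count" -eq 4 ]
}

# block_smtp SRC: drop inbound SMTP (TCP port 25) from SRC and nothing else,
# so an SSH session from the same range is unaffected. Prints the command
# unless APPLY=1; with APPLY=1 it inserts the rule only if -C finds no copy.
block_smtp() {
    valid_source "$1" || { echo "refusing invalid source: $1" >&2; return 2; }
    set -- INPUT -s "$1" -p tcp --dport 25 -j DROP
    if [ "${APPLY:-0}" != 1 ]; then
        echo "iptables -I $*"
        return 0
    fi
    iptables -C "$@" 2>/dev/null || iptables -I "$@"
}

# Usage: ./block-smtp.sh 192.0.2.45 192.0.2.0/24   (APPLY=1 to change the firewall)
for src in "$@"; do
    block_smtp "$src" || exit
done
```

Run it without `APPLY=1` first to review the printed rule, then rerun as root with `APPLY=1`; the rule still has to be saved separately to survive a restart.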