Block an IP from sending mail

myros

Active Member
Dec 16, 2001
One of my clients has been getting abuse from a certain IP, is there a way to block one IP from sending any mail through mail.usersdomain.com or even through the server at all?

He tried setting the IP in the cpanel block&from&contains but the guy is still sending a ton of mail through somehow. Any way to set this block on a server level?
Preferably on the exim port but any way would be helpful.

Cheers,

Myros
 

myros

Active Member
Dec 16, 2001
How would this work ..

in hosts.deny add:

ALL : XXX.XXX.XXX.XXX

And add the offender's IP address in there. Would that block him from even sending mail through our server?

Myros
 

parag

Well-Known Member
Aug 16, 2001
hi

[quote][i]Originally posted by myros[/i]

One of my clients has been getting abuse from a certain IP, is there a way to block one IP from sending any mail through mail.usersdomain.com or even through the server at all?

He tried setting the IP in the cpanel block&from&contains but the guy is still sending a ton of mail through somehow. Any way to set this block on a server level?
Preferably on the exim port but any way would be helpful.

Cheers,

Myros[/quote]


Hi Myros

Check out whether your client has any older version of the formmail.pl script.

The old versions had this security hole - using that ppl could spam from your server -

If you find any old formmail scripts - upgrade them to the latest one.

http://www.scriptarchive.com/formmail.html

Mail me if you need anything else.
best regards,
Parag
 

myros

Active Member
Dec 16, 2001
Thanks Parag,
Not really what I mean though. The email is coming from an external source TO the client. So I'm looking for a way to block any incoming mail from that IP coming through the server at all.

Myros
 

Annette

Well-Known Member
PartnerNOC
Aug 12, 2001
The IP is contained in the message headers and is always constant? Set up a filter in the email management area where any header -> contains -> IP. You can't stop mail from arriving at the server from that IP unless you use some RBL to kill it on entry, but at least you could filter it away so your client doesn't have to see it.
 

myros

Active Member
Dec 16, 2001
Guess I'm not being very clear :)

Already set up his own cpanel email to block & from & contains & IP

But for some reason his email is still getting through, so I'm looking for a more global setting, either exim or server wide, to block an IP. I don't care if he sends it, I'd just like a way to prevent it from reaching the client. If I could set exim to refuse all incoming email from that IP that would be ideal.

Myros
 

parag

Well-Known Member
Aug 16, 2001
[quote][i]Originally posted by myros[/i]

Guess I'm not being very clear :)

Already set up his own cpanel email to block & from & contains & IP

But for some reason his email is still getting through, so I'm looking for a more global setting, either exim or server wide, to block an IP. I don't care if he sends it, I'd just like a way to prevent it from reaching the client. If I could set exim to refuse all incoming email from that IP that would be ideal.

Myros[/quote]

Yes, you can do that by editing the exim.conf and setting the rules in order to block the IP.

regards
Parag
 

myros

Active Member
Dec 16, 2001
Thanks Parag,
Looking through exim.conf the syntax was a little strange to me. It almost read like it was backwards.

I'll keep researching it though, but if somebody is familiar with exim and would know the right section and the syntax to use I'd appreciate it :)

The other thing I was thinking about was using an ipchains command. Does exim or incoming mail use a particular port that I could just block that IP from?

I appreciate the help folks.

Myros
 

parag

Well-Known Member
Aug 16, 2001
[quote][i]Originally posted by myros[/i]

Thanks Parag,
Looking through exim.conf the syntax was a little strange to me. It almost read like it was backwards.

I'll keep researching it though, but if somebody is familiar with exim and would know the right section and the syntax to use I'd appreciate it :)

The other thing I was thinking about was using an ipchains command. Does exim or incoming mail use a particular port that I could just block that IP from?

I appreciate the help folks.

Myros[/quote]


Hi Myros

You can enable the RBL option in the exim.conf

Go to this URL and read all the info - there are several ways to block the IP - Host or a specified email address

http://www.exim.org/exim-html-3.30/doc/html/spec_46.html#SEC822

Let me know if you cannot figure it out :)

best of luck
cheers
Parag
 

myros

Active Member
Dec 16, 2001
Perfect.
Thanks much Parag. Lots of stuff to work from there.

Cheers,
Myros
 

Annette

Well-Known Member
PartnerNOC
Aug 12, 2001
[quote][i]Originally posted by myros[/i]

Guess I'm not being very clear :)

Already set up his own cpanel email to block & from & contains & IP

But for some reason his email is still getting through, so I'm looking for a more global setting, either exim or server wide, to block an IP. I don't care if he sends it, I'd just like a way to prevent it from reaching the client. If I could set exim to refuse all incoming email from that IP that would be ideal.

Myros[/quote]

If the filter is as you have it above, it's not surprising that mail is making it through. Setting it to "from" contains will only check that piece of the envelope as it arrives. Setting the filter to "any header" "contains" "IP" will scan the entire header of the message as the mail arrives and discard matches. This type of filtering does work - I had to block off pm0's various mail servers by IP this way since they insisted on changing the server names every other week.
 

myros

Active Member
Dec 16, 2001
Sorry yes, I had used both from and any header.

I'm trying the exim.conf route, we'll see how it goes. Thanks for the tips all.

Myros
 

eurorocco

Well-Known Member
Jun 23, 2003
Block an IP? Use iptables

You can use iptables to block that IP at a low-level, at the network routing level.

For instance, if you want to block one IP...

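#!/bin/sh
# Block a single host: no /24 suffix, so only this one address matches.
# Delete any existing copy of the rule first so re-running does not stack duplicates.
iptables -D INPUT -s 12.24.63.45 -p tcp ! --source-port 80 -j DROP 2>/dev/null
iptables -I INPUT -s 12.24.63.45 -p tcp ! --source-port 80 -j DROP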

or if you want to block the IP and all the 12.24.63.0 to 12.24.63.255 IPs...

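#!/bin/sh
# Block the whole 12.24.63.0/24 range (12.24.63.0 to 12.24.63.255).
# "! --source-port 80" matches every TCP packet from the range except those with source port 80.
iptables -D INPUT -s 12.24.63.0/24 -p tcp ! --source-port 80 -j DROP 2>/dev/null
iptables -I INPUT -s 12.24.63.0/24 -p tcp ! --source-port 80 -j DROP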

I appended the #!/bin/sh so you know you can place this into a script.

I included the -D delete right before the -I insert so you know that if you place these in a script and you run the script over and over again it should delete a rule before inserting it again.

Also, if you are going to modify your iptables like this I suggest that you use

service iptables save

so redhat saves your routing table before you change it.

Then, if you want to revert the routing table to what it used to be you use

service iptables restart

Also,

service iptables stop
... to clear the table

and

service iptables start
to restore the table from /etc/sysconfig/iptables

and

iptables -L
to see the routing table

See the man page for iptables and some iptables howto for more info. Iptables can block specific ports, specific ips, ranges of ips, and has lots of quirks.

Use iptables with caution. If you ask iptables to block the IP from which you are doing ssh or the IP range where your customers live you'll be in trouble.

Hope it helps!

ER
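
An added example (not part of the post above or of any project's code) that narrows the iptables approach to the question asked earlier in the thread: it drops only SMTP (TCP port 25) from one source address, skips the insert when the rule is already present, and refuses to block the address of the current SSH session. The function names, the DRY_RUN variable and the 192.0.2.45 sample address are assumptions made for the example.

```shell
#!/bin/sh
# Added example: drop SMTP (tcp/25) from one IPv4 source, idempotently.
# DRY_RUN=1 prints the iptables command instead of running it.
SMTP_PORT=25

# Succeeds only for a dotted quad with every octet in 0..255 (no /mask).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds if $1 is the client end of this SSH session.
# sshd exports SSH_CLIENT as "client_ip client_port server_port".
is_own_ssh_client() {
    [ -n "${SSH_CLIENT:-}" ] && [ "${SSH_CLIENT%% *}" = "$1" ]
}

run_iptables() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Returns 0 when the rule is in place, 2 for bad input, 3 for the SSH guard.
block_smtp_from() {
    ip=$1
    is_ipv4 "$ip" || { echo "refusing: '$ip' is not an IPv4 address" >&2; return 2; }
    if is_own_ssh_client "$ip"; then
        echo "refusing: $ip is your own SSH client" >&2; return 3
    fi
    # -C tests whether the exact rule already exists (iptables 1.4.11+).
    if [ "${DRY_RUN:-0}" != 1 ] &&
       iptables -C INPUT -s "$ip" -p tcp --dport "$SMTP_PORT" -j DROP 2>/dev/null
    then return 0; fi
    run_iptables -I INPUT -s "$ip" -p tcp --dport "$SMTP_PORT" -j DROP
}

# Stand-alone use (192.0.2.45 is a constructed documentation address):
#   DRY_RUN=1 ./block-smtp.sh 192.0.2.45
if [ "$#" -gt 0 ]; then block_smtp_from "$1"; fi
```

Because the rule matches only destination port 25, web and SSH traffic from the same address is left alone.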
 