I'm testing this IPTABLES ruleset to avoid spamming, with success! Let's discuss it!

bsasninja

Sep 2, 2004
Tired of the spam flooding this month, I applied several rules to the mail server, such as:

- Chirpy's Exim dictionary attack ACL
- RBL
- Limiting the number of recipients per e-mail
- ModSecurity to prevent Bcc injection in PHP forms.

These things help me a lot in stopping spam and decreasing server load; anyway, I would like to go a little further with this. After reading forums and netfilter rules, I tested this one:

# Record every new connection to port 25 in the "recent" list, keyed by source address.
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
# Drop a new connection from a source that already has 4 hits within the last 60 seconds.
# Because -I inserts at the top of INPUT, this rule ends up above the --set rule and is checked first.
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP


Assuming that a human being will not send email more often than every 60 s and a virus will try to connect far more often than every 60 s, the above code does this: the first rule sets iptables to track new connections to port 25, and the second rule drops any new connections over 4 within 60 seconds.
You can even increase the seconds to a higher value.

To tell you the truth, I applied this ruleset to port 22 because I was a victim of dictionary attacks on that port, and it helped me a lot.

Well, I would like to hear your comments about what you think of it, and even any kind of tuning you can suggest to improve the ruleset.

Thank you
 

rikgarner

Mar 31, 2006
I can see a possible problem with this......

If this is per-host, and your server is receiving a reasonable volume of email (say you have a dozen or so semi-busy domains), then you could find that these rules start blocking the MTAs of popular mail services (MessageLabs would be in our blocked list if we implemented this).

You may find that you need to create quite a few exclusions to this rule, if implemented. Naturally this is scenario-dependent though :)

Rich
 

bsasninja

Sep 2, 2004
hi

Actually this rule blocks the IP if it makes more than 4 connections; it drops the connection.
For example, if the source IP of MessageLabs sends more than 4 e-mails at the same time, I will drop the connection for a minute.

You can avoid this by whitelisting the source IP in iptables, or you can increase the hitcount to more than 4.

I'm waiting for Chirpy's comment about this.

Thank you.
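
The two-rule limiter from the first post, plus the whitelisting suggested just above, as an added example that is not from the thread: the function below builds the xt_recent rate limit for one port in its own chain, exempts a list of source networks from counting, and lets you choose the action taken against offenders. It is a dry run by default (it prints the iptables commands); set IPT=iptables and run as root to apply it. The chain names (RL_25, RL_22), the documentation addresses 192.0.2.0/24 and 198.51.100.7 standing in for a relay provider and a customer office, and the port 22 window are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an xt_recent rate limit per TCP port
# with a whitelist of source networks that are never counted.
# Dry run by default; IPT="iptables" applies the rules for real (root required).
IPT="${IPT:-echo iptables}"

# emit_ratelimit PORT SECONDS HITCOUNT ACTION [CIDR ...]
#   ACTION is the target for offenders, e.g. DROP or "REJECT --reject-with tcp-reset".
#   Each CIDR given after ACTION is exempted from counting (trusted MTAs, office IPs).
emit_ratelimit() {
    port="$1"; seconds="$2"; hits="$3"; action="$4"; shift 4
    chain="RL_$port"          # assumed naming scheme: one chain and one list per port

    # Create the chain, or flush it if a previous run already created it.
    $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"

    # Whitelisted networks leave the chain before any counting happens.
    for net in "$@"; do
        $IPT -A "$chain" -s "$net" -j RETURN
    done

    # Same two-rule pattern as the original post, in a named list so the port 25
    # and port 22 limits keep separate counters. The --update rule is checked first:
    # a source with HITCOUNT hits in the last SECONDS gets ACTION, and because
    # --update refreshes the "last seen" timestamp when it matches, an offender
    # that keeps retrying stays blocked. Otherwise --set records the new connection.
    $IPT -A "$chain" -m recent --name "$chain" --update --seconds "$seconds" --hitcount "$hits" -j $action
    $IPT -A "$chain" -m recent --name "$chain" --set

    # Hook the chain in front of INPUT for new connections to this port only.
    $IPT -I INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j "$chain"
}

# Port 25: at most 4 new connections per source per 60 s, except the trusted
# relay network and the customer office address (documentation addresses, assumed).
emit_ratelimit 25 60 4 DROP 192.0.2.0/24 198.51.100.7

# Port 22: same pattern with a 5-minute window, answering offenders with a TCP
# reset so a locked-out admin sees an immediate error instead of a hanging connect.
emit_ratelimit 22 300 4 "REJECT --reject-with tcp-reset"
```

Anything that must never be counted goes in the CIDR list; raising HITCOUNT or SECONDS is the other knob, but a whitelist entry for a known bulk sender is more predictable than guessing how many parallel connections it opens.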
 

chirpy

Jun 15, 2002
A couple of issues:

1. Just DROPping the connection isn't a very nice thing to do from a protocol POV. If it's a legitimate connection, for example if anyone is sending to more than 4 people on the server and uses 4 separate connections, it's easily going to trip this, and the email will be lost for good.

2. It's probably better to do this within Exim using the SMTP command settings and simply limit the number of incoming SMTP connections allowed:
http://www.exim.org/exim-html-4.50/doc/html/spec_14.html#SECT14.17
 

ramprage

Jul 21, 2002
What happens when someone from a small office location, all on the same public Internet IP, all decide to check their mail? All of a sudden you have 10 office users checking their mail from the same IP and sending out at the same time, so the office IP gets dropped. Do you have any customers like this?

EDIT: I can see this rule being more useful for SSH since I don't give out access to anyone.
 

chirpy

Jun 15, 2002
That's a good point. There are also dial-up clients that send all their email in one go. It is a nice idea; I just think that in practical terms it may not be of benefit to everyone.