Re: [OT] HELP!!! mail attack

Nataraj wrote:
> On Wed, 2008-03-26 at 11:14 -0400, Rodolfo Alcazar Portillo wrote:
>> On Wednesday, 26.03.2008 at 23:59 +0900, John Summerfield wrote:
>>> I use postfix; I can do this:
>>> [root@xxxxxxxxxxxxx sysconfig]# tail /etc/postfix/header_checks
>>> /^Received.*UNITED.CO.UK/ REJECT No thanks
>>> /^Received.*HAPPYGROUP.CO.UK/ REJECT No thanks
>>> /^Received:.*ceres.concept.net.nz/ REJECT Bloody twits
>>> /^Received:.*dizinc.com/ REJECT No thanks
>>> /CentOS-announce Digest/ REJECT I don't want these
>>> /yourshopineu/ REJECT Bloody spammer
>> Ok, the problem is that the content is really random... I tried to find
>> common words:
>
> Postfix has extensive features for dealing with these types of mail
> attacks including all kinds of rate limiting for number of connections
> from servers, blocking connections from servers with improper dns
> entries, calling various hooks to other spam control mechanisms.  If a
> server connects and tries to send mail to non-existent users or other
> failure, this counts as an error.  You can rate limit the number of
> errors allowed from a particular server attempting delivery, then

iptables does rate-limiting too, and (possibly) one can be more selective.

First, rules to accept known good guys.
Second, rules to accept some number/hour from the rest.
Third, rules to log and drop the rest.

Keep a careful eye on the results, you might want to extend the good guys list.
This drops around 90% of ssh connexions that get to the box:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j LOG --log-prefix "SSH connexion "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH connexion attack dropped "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP

There are prior rules to allow more likely locations, where I might be found.

--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
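Added example, not code from John's post or from the list: a small POSIX sh script that generates the three-tier ruleset John describes (accept known good guys, rate-limit new connections from everyone else, log and drop the rest) for the SMTP port the thread is actually about, instead of ssh. It prints the rules in iptables-save form so they can be read over before loading them with iptables-restore. It also puts an ESTABLISHED,RELATED accept in front, since the final DROP would otherwise kill every session after its first packet (John mentions "prior rules" that do this on his box). The interface eth0, port 25, the 5/hour rate and the whitelist networks in the usage line are assumed, constructed values; the log-prefix strings follow John's wording.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the three-tier
# ruleset (accept known good guys, rate-limit the rest, log and drop what
# is left) for the SMTP port, in iptables-save form for review before
# loading with iptables-restore. Interface, port, rate and the whitelist
# networks are constructed placeholders.

# Emit one rule line. Argument: the rule without the leading "-A INPUT".
rule() {
    printf '%s\n' "-A INPUT $*"
}

# Arguments: interface port rate [whitelist-network ...]
# Prints the rules in the order they must be applied.
ratelimit_rules() {
    iface=$1 port=$2 rate=$3
    shift 3
    # Packets of already-accepted connections must pass; otherwise the
    # final DROP would end every session after its first packet.
    rule "-i $iface -p tcp -m tcp --dport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # First: known good guys, accepted with no limit.
    for net in "$@"; do
        rule "-i $iface -s $net -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Second: everyone else gets a limited number of new connections
    # (-m limit is a token bucket: a burst of 5, then one token per 1/rate).
    # LOG and ACCEPT each carry their own limit counter, but both see the
    # same packets at the same rate, so the log and the accepted set stay
    # in step.
    rule "-i $iface -p tcp -m tcp --dport $port -m state --state NEW -m limit --limit $rate -j LOG --log-prefix \"SMTP connexion \""
    rule "-i $iface -p tcp -m tcp --dport $port -m state --state NEW -m limit --limit $rate -j ACCEPT"
    # Third: log (rate-limited here, so a flood cannot fill the log) and
    # drop the rest.
    rule "-i $iface -p tcp -m tcp --dport $port -m limit --limit $rate -j LOG --log-prefix \"SMTP connexion attack dropped \""
    rule "-i $iface -p tcp -m tcp --dport $port -j DROP"
}

# Number of rules produced: five fixed rules plus one per whitelisted network.
rule_count() {
    ratelimit_rules "$@" | wc -l | tr -d ' '
}

# Usage: read the output, then place it between "*filter" and "COMMIT" in
# the file fed to iptables-restore. The two networks are constructed
# placeholders (RFC 5737 documentation ranges).
ratelimit_rules eth0 25 5/hour 192.0.2.0/24 198.51.100.0/24
```

The whitelist is where John's advice to keep a careful eye on the results applies: read the "SMTP connexion" log lines for a while, and every legitimate sender that keeps showing up in the "attack dropped" lines is a candidate for the first tier. Note that `-m limit` counts packets, not source addresses, so one noisy host can use up the shared budget for everyone in the second tier; the whitelist is what keeps the hosts you care about out of that contest.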

