A daemon to detect spammers trying to harvest email addresses by username guessing and temporarily DROP them with iptables firewall rules. This program is written in perl, and requires a perl version >= 5.0. The source package comes with a build script to make a Debian package with proper dependencies.
Use the scipt included in with this source pacakge, or author yourself a script like this, substituting values that make sense for your network:
#!/bin/bash # Mainly because init restricts to short command lines. EXE="/usr/sbin/blocksmtp" if [ -x "$EXE" ]; then exec "$EXE" --debug=3 --debug-to-syslog \ --white-list=/etc/blocksmtp.whitelist \ --syslog-msgs-file=/var/log/messages \ --mailer-ip=10.100.10.200 --mailer-port=25 \ --mailer-syslog-host=mail1 --mailer-syslog-name=sm-mta \ --iptables-chain-name=SPAM_UNAME_GUESSERS fi
The white-list file holds one-entry-per line with comments marked by a pound sign (#) in column zero, where each entry is a network address in the format 10.10.10.10/24. The mailer-ip and mailer-port options represent the IP address and port (should always be 25) that *external* hosts connect to in order to deliver email to this server (for your network). The mailer-syslog-host and mailer-syslog-name options, respectively, are the hostname and tag that sendmail logs its messages with on this server. The iptables-chain-name option is what this program is to name the iptables table in which this script will place its DROP rules.
And then add a line to your /etc/inittab file like this:
# A program working to reduce spam by firewalling username guessers SMFW:3:respawn:/usr/sbin/blocksmtp.init.sh
And then execute "init q" ...
This program also looks for and kills sendmail processes that have been stuck in ``cmd read'' mode for a long time. The definition of a ``long time'' is controlled by the global variable $MAX_RUNTIME_SENDMAIL_CMD_READ which represents the number of seconds since a given sendmail process, that is stuck on ``cmd read'' mode, started running.
This program has only been tested on Linux 2.4 and 2.6 kernels and sendmail 8.12.x and 8.13.x. It may work with other platforms, but none have been tested by the author.
Just as information, this is what the iptables rules that this script produces and manages will look like:
root@mail1:# iptables -L -n | egrep ^SPAM_UNAME_GUESSERS SPAM_UNAME_GUESSERS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
root@mail1:# iptables -L SPAM_UNAME_GUESSERS -n Chain SPAM_UNAME_GUESSERS (1 references) target prot opt source destination DROP tcp -- 220.127.116.11 0.0.0.0/0 tcp dpt:25 DROP tcp -- 18.104.22.168 0.0.0.0/0 tcp dpt:25 DROP tcp -- 22.214.171.124 0.0.0.0/0 tcp dpt:25
DROP rules for specific hosts are removed from the SPAM_UNAME_GUESSERS table after the ``UnblockOldOffenders'' timeout has past, as specified in the %PERIODIC_CLEANSERS global data structure.
Lester H. Hightower, Jr.
Copyright (c) Lester Hightower. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.