I dislike spam, very much, and repeat offenders deserve all my wrath. Here's another use of the iptables recent module in a very cheap and simple manner, to limit the spam blasters' effects on me and my servers' life.

(I've said nice things about ipt_recent before here and here, both with example applications.)

I've just added these extra rules to the firewall setting on my mail servers:

 # smtp access is controlled by previous behaviour: spam me and you lose.
iptables -A INPUT -p tcp --dport 25 -j smtplimited
 # smtp: if mimedefang has flagged you as bad, you lose for 12h
iptables -A smtplimited -m recent --name SMTP --hitcount 1 \
   --seconds $((12*3600)) --rcheck -j TARPIT
 # clean up the old entries to unclog ipt_recent
iptables -A smtplimited -m recent --name SMTP --remove
 # and let people through if they've been good in the past
iptables -A smtplimited -j ACCEPT

My mimedefang filter has been instructed to (do the perl equivalent of) echo "+$ASSHOLE_IP" > /proc/net/ipt_recent/SMTP whenever it detects an asshole that tries to:

  • send email with a non-existent sender's address
  • send email to one of the spamtraps within my domains
  • send email to nonexistent addresses within my domains
  • send me spam (where the degree of spamminess is beyond any reason for doubt)
  • send me viruses

(The decision logic is actually a bit more complicated: I certainly don't blacklist known forwarders and backup MXes.)

The net effect is that when you do something nasty to me (email-wise), all your subsequent connections to my mail servers are tarpitted for the next 12 hours. Works great, easy to tweak if you want to be more lenient (just up the hitcount and adjust the following --revove rule) and reduces the time my systems have to waste on repeating the checks for surefire rejections on the smtp-envelope level. (I usually get about 5000-10000 rejections per server per day.)

[ published on Sun 13.05.2007 15:40 | filed in interests/comp | ]
Debian Silver Server
© Alexander Zangerl