
We hit 100,000 IPs blocked last night from a spam botnet

My firewall has now blocked 100,768 IP addresses from the namecheap.com spam botnet. These sleazebags have been spamming us 24x7 for over 5 years now. Not one single spam - NOT ONE - has been delivered to any of my users.

What a waste of internet bandwidth though.  I wish ... bad things to happen to them.



  • Would you tell us a little more about your protection? How do you handle these over 100,000 IPs?

    Best regards

    Alex

    -

  • Alexander Busch said:

    Would you tell us a little more about your protection? How do you handle these over 100,000 IPs?

    Best regards

    Alex

     

    I started by installing and configuring Fail2ban years ago. I configured it to watch the exim logs and ban IPs of spammers. By the time I hit 60,000 rules in iptables, the server started to become unstable. So I modified the fail2ban actions to use ipset instead. This has worked flawlessly ever since.

    I have watched the pattern of this namecheap botnet for years. It will begin with 3 or 4 new domain names every morning and evening, names that are completely obvious such as "state@largetheme.pro". I had to modify the exim.conf rules to be able to block the namecheap trash domains.

    The next thing is that the botnet will start with one or two new subnets every morning. Yesterday the spams started coming in from 45.141.151.16, but within an hour it will be all 254 IPs from that subnet. So I have an action to block the whole X.X.X.0/24 subnet as soon as I get the first namecheap spam.

    So, 600ms after the first spam comes in, the whole /24 subnet for that is blackholed.  This process repeats every few hours.  Their botnet rolls through two or so /24 subnets a day, then switches.

    I just monitor the system every few days to see if they added another trash TLD for me to block, like .XYZ, .ICU, .SCIENCE, .PRO, etc.

    The next action is that fail2ban reports the IP to AbuseIPDB so that other people can use this information to fight the botnet.

     

    But that's just the beginning.  I have dozens of other rules now in fail2ban to detect attacks against my SIP servers, web sites, email servers, etc.  They get the same treatment.  It took me years to fine tune the rules and we had a few of my users accidentally blocked along the way, but the system is now stable and secure.  I learned a lot of new things.

    Fail2ban is the single most important piece of kit you can have to defend your network.  I can't stress that enough.

    Next, I get to watch the millions of RED lines go past in the firewall log, all the namecheap bots trying and failing to connect to my network.  After that, I meditate for 30 minutes and wish for a natural disaster to hit their building.

    These methods have also been 100% effective against the saveyourself90@8678.com ransomware spammer.  I use regular expressions to blackhole all these losers.  The REGEX does not work in UTM, I have to do it directly in exim.  That was annoying at first, but now it is very satisfying and again, I learned a great deal.

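The procedure the post describes, as an added example that is not the poster's own fail2ban configuration or exim rules: match rejected messages from a sender in one of the trash TLDs, widen the single source address to its /24, and emit the ipset commands a fail2ban action would run. The exim log line layout, the TLD list, the sender domains and the sample addresses are assumptions constructed for the example (only 45.141.151.16 comes from the post; the rest are documentation ranges), and the commands are generated, not executed.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable, Optional

# TLDs the post names as "trash". The botnet keeps adding new ones, so this
# set is meant to be extended, not treated as complete.
TRASH_TLDS = {"xyz", "icu", "science", "pro"}

# Assumed, simplified exim mainlog rejection line (an assumption for this
# example; real lines depend on log_selector and exim.conf, adapt the regex):
#   <date> <time> H=(<helo>) [<ip>] F=<<sender>> rejected RCPT ...
REJECT_RE = re.compile(
    r"^\S+ \S+ H=\S+ \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] .*?F=<(?P<sender>[^>]*)>"
)


def trash_sender(line: str) -> Optional[tuple[str, str]]:
    """Return (source_ip, sender) when the line is a rejected message whose
    sender domain ends in a trash TLD; otherwise None."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    ip, sender = m.group("ip"), m.group("sender")
    if "@" not in sender:
        return None
    tld = sender.rsplit(".", 1)[-1].lower()
    if tld not in TRASH_TLDS:
        return None
    return ip, sender


def subnet_for(ip: str) -> str:
    """Widen one IPv4 address to its enclosing /24, the unit the post bans."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def subnets_to_ban(lines: Iterable[str]) -> list[str]:
    """Scan log lines in order and return the /24s to blackhole, in order of
    first hit, each listed once even when every host in the block spams."""
    seen: set[str] = set()
    banned: list[str] = []
    for line in lines:
        hit = trash_sender(line)
        if hit is None:
            continue
        net = subnet_for(hit[0])
        if net not in seen:
            seen.add(net)
            banned.append(net)
    return banned


def ipset_commands(subnets: Iterable[str], setname: str = "spambots") -> list[str]:
    """Shell commands equivalent to a fail2ban actionstart/actionban pair:
    one hash:net set, one iptables rule that matches against it, then one
    'ipset add' per /24. A set lookup stays O(1) however many entries it
    holds, which is why ipset scales where one iptables rule per ban did not."""
    cmds = [
        f"ipset create {setname} hash:net -exist",
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]
    cmds.extend(f"ipset add {setname} {net} -exist" for net in subnets)
    return cmds


# Constructed sample log (not real traffic): two hosts from the subnet named
# in the post, one legitimate sender, one line without a sender, one more bot.
SAMPLE_LOG = [
    "2024-03-01 06:02:11 H=(mail.largetheme.pro) [45.141.151.16] F=<state@largetheme.pro> rejected RCPT <bob@example.org>: sender domain blocked",
    "2024-03-01 06:02:12 H=(mail.largetheme.pro) [45.141.151.17] F=<state@largetheme.pro> rejected RCPT <ann@example.org>: sender domain blocked",
    "2024-03-01 06:04:30 H=(mx.example.net) [192.0.2.10] F=<alice@example.net> rejected RCPT <nobody@example.org>: Unrouteable address",
    "2024-03-01 06:09:03 H=(smtp.example.com) [203.0.113.5] no host name found for IP address",
    "2024-03-01 06:40:55 H=(relay.cheapwin.icu) [198.51.100.77] F=<promo@cheapwin.icu> rejected RCPT <bob@example.org>: sender domain blocked",
]

if __name__ == "__main__":
    nets = subnets_to_ban(SAMPLE_LOG)
    print("blackholed:", nets)
    print("\n".join(ipset_commands(nets)))
```

Two caveats for anyone copying the approach. Fail2ban's `<ip>` tag in an action carries only the single offending address, so the widening to a /24 has to happen in a custom action or in a script the action calls, as `subnet_for` does here. And a /24 ban drops every neighbour in that block, which is exactly how legitimate users end up blocked along the way; keep your own ranges and known correspondents in the jail's `ignoreip` list so a shared-hosting neighbour of a spammer cannot take them offline.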