This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

We hit 100,000 IP's blocked last night from a spam botnet

My firewall has now blocked 100,768 IP addresses from the namecheap.com spam botnet.  These sleazebags have been spamming us 24x7 for over 5 years now.  Not one single spam - NOT ONE - has been delivered to any of my users.

What a waste of internet bandwidth though.  I wish ... bad things to happen to them.



This thread was automatically locked due to age.
Parents
  • I've prioritized this thread at the top of the Mail Protection forum.  You might want to edit your opening post to give it a title that better announces why people should be aware of this.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    I've prioritized this thread at the top of the Mail Protection forum.  You might want to edit your opening post to give it a title that better announces why people should be aware of this.

    Cheers - Bob

     

     

    OK, I updated it.  I wasn't expecting anyone to be that interested, I was just making conversation.  :)

Reply
  • BAlfson said:

    I've prioritized this thread at the top of the Mail Protection forum.  You might want to edit your opening post to give it a title that better announces why people should be aware of this.

    Cheers - Bob

     

     

    OK, I updated it.  I wasn't expecting anyone to be that interested, I was just making conversation.  :)

Children
  • I just did some investigating.  I went back and checked a bunch of blocks of IP's that were blocked this month.

    Every one had one thing in common.  They all come from the ASN: AS209737.

    So, a quick dump of that ASN yields 10,496 IP's.  A few lines of script, and now the whole AS is blocked.

    I used this to download the list https://www.enjen.net/asn-blocklist/index.php?asn=AS209737&type=nginx&api=1

     

    I think I will automate this process in the future after a little more testing.

  • I am impressed.

    You have apparently solved at least one of UTM's mail weaknesses - the inability to filter on Reverse DNS of the server name.   I read the EXIM scripting documentation awhile back, to see if I could implement Reverse DNS under the covers.  I became discouraged because I could not determine where UTM stored the scripts, much less develop a strategy for keeping may changes from being overwritten.

    I wonder if you also know how to fix some of the other gaps:

    • Inability to filter on the message's From header
    • Inability to filter on DMARC policy
    • Inability to evaluate for SPF errors without blocking messages

    At the risk of making Sophos Support throw a tantrum, it would be wonderful to read a brain dump of what you  have learned - a brief tutorial on how to tailor EXIM and how to do so in a way that is compatible with the UTM stuff on top of it, with pointers to the EXIM documentation for further reading.

  • DouglasFoster said:

    I am impressed.

    You have apparently solved at least one of UTM's mail weaknesses - the inability to filter on Reverse DNS of the server name.   I read the EXIM scripting documentation awhile back, to see if I could implement Reverse DNS under the covers.  I became discouraged because I could not determine where UTM stored the scripts, much less develop a strategy for keeping may changes from being overwritten.

    I wonder if you also know how to fix some of the other gaps:

    • Inability to filter on the message's From header
    • Inability to filter on DMARC policy
    • Inability to evaluate for SPF errors without blocking messages

    At the risk of making Sophos Support throw a tantrum, it would be wonderful to read a brain dump of what you  have learned - a brief tutorial on how to tailor EXIM and how to do so in a way that is compatible with the UTM stuff on top of it, with pointers to the EXIM documentation for further reading.

     

     

    I would like to do this.  The thought of documenting the fail2ban installation is a little frightening, but if I can find the time..

    No, I have not tried the DMARC or SPF issues you mention - for me they have been working pretty well.  Do you see evidence of your problem in the SMTP log?  If so, we can probably write a fail2ban rule for it.  I'm not clear on what you are trying to accomplish.

  • I had not planned to implement Fail2Ban, although I took a quick look at its website (https://www.fail2ban.org/) and I can see why it was useful for you.   

    My interest was focused on hacking Exim to do what UTM does not.   I thought you said that you had implemented a Reverse DNS filtering mechanism, which I assumed that you implemented with Exim filters. 

    If I get hostile mail from "server7.malware4u.com", I want to block multiple servers based on the domain name, as well as blocking one server or one range based on IP address.    This seems like an obvious requirement, requiring relatively little coding effort, so I am mystified why it is missing from UTM or any other commercial spam filter.

  • DouglasFoster said:

    I had not planned to implement Fail2Ban, although I took a quick look at its website (https://www.fail2ban.org/) and I can see why it was useful for you.   

    My interest was focused on hacking Exim to do what UTM does not.   I thought you said that you had implemented a Reverse DNS filtering mechanism, which I assumed that you implemented with Exim filters. 

    If I get hostile mail from "server7.malware4u.com", I want to block multiple servers based on the domain name, as well as blocking one server or one range based on IP address.    This seems like an obvious requirement, requiring relatively little coding effort, so I am mystified why it is missing from UTM or any other commercial spam filter.

     

    If you have a working regex that targets that domain, then blocking it is trivial, doesn't matter what the IP's are.

    If I understand you, we have the same problem.  I know the pattern of the namecheap spambots, so a regex expression to detect those domain names, then it tosses each IP into the IPSET database to be blocked.

    Here's is an example from right now.  Obvious spam coming in from "drama@dealrough.pro".  Log file shows IP of 185.217.228.19.

    My fail2ban action then blocks 185.217.228.0/24.  Wash your hands and you are done dealing with that parasite.

    Yes, it takes a lot of customizing to set up.  Fail2ban is not friendly, but that's part of the fun for me.