
We hit 100,000 IPs blocked last night from a spam botnet

My firewall has now blocked 100,768 IP addresses from the namecheap.com spam botnet.  These sleazebags have been spamming us 24x7 for over 5 years now.  Not one single spam - NOT ONE - has been delivered to any of my users.

What a waste of internet bandwidth though.  I wish ... bad things to happen to them.



  • Would you tell us a little more about your protection. How do you handle these over 100000 IPs?

    Best regards

    Alex


  • Alexander Busch said:

    Would you tell us a little more about your protection. How do you handle these over 100000 IPs?

    Best regards

    Alex


    I started by installing and configuring Fail2ban years ago.  I configured it to watch the exim logs and ban IPs of spammers.  By the time I hit 60,000 rules in IPtables, the server started to become unstable.  So I modified the fail2ban actions to use IPSet instead.  This has worked flawlessly ever since.

    I have watched the pattern of this namecheap botnet for years.  It will begin with 3 or 4 new domain names every morning and evening, names that are completely obvious such as "state@largetheme.pro".  I had to modify the exim.conf rules to be able to block the namecheap trash domains.

    The next thing is that the botnet will start with one or two new subnets every morning.  Yesterday the spams started coming in from 45.141.151.16, but within an hour it will be all 254 IPs from that subnet.  So I have an action to block the whole X.X.X.0/24 subnet as soon as I get the first namecheap spam.

    So, 600ms after the first spam comes in, the whole /24 subnet for that is blackholed.  This process repeats every few hours.  Their botnet rolls through two or so /24 subnets a day, then switches.

    I just monitor the system every few days to see if they added another trash TLD for me to block, like .XYZ, .ICU, .SCIENCE, .PRO, etc.

    The next action is that fail2ban reports the ip to AbuseIPDB so that other people can use this information to fight the botnet.


    But that's just the beginning.  I have dozens of other rules now in fail2ban to detect attacks against my SIP servers, web sites, email servers, etc.  They get the same treatment.  It took me years to fine tune the rules and we had a few of my users accidentally blocked along the way, but the system is now stable and secure.  I learned a lot of new things.

    Fail2ban is the single most important piece of kit you can have to defend your network.  I can't stress that enough.

    Next, I get to watch the millions of RED lines go past in the firewall log, all the namecheap bots trying and failing to connect to my network.  After that, I meditate for 30 minutes and wish for a natural disaster to hit their building.

    These methods have also been 100% effective against the saveyourself90@8678.com ransomware spammer.  I use regular expressions to blackhole all these losers.  The REGEX does not work in UTM, I have to do it directly in exim.  That was annoying at first, but now it is very satisfying and again, I learned a great deal.
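The detection and /24 blackholing described in this post, as an added example that is not the poster's configuration: a fail2ban-style failregex for exim "rejected RCPT" lines whose envelope sender domain ends in one of the throwaway TLDs, run over constructed log lines, with every matching host widened to its /24 and turned into ipset commands. The log lines, the set name `f2b-namecheap`, and the TLD list are assumptions; fail2ban's real `<HOST>` placeholder also matches IPv6 and hostnames, which the simplified expansion here does not.

```python
import ipaddress
import re
from collections import OrderedDict

# Throwaway TLDs named in the thread; extend the tuple as new ones appear.
BLOCKED_TLDS = ("pro", "xyz", "icu", "science")

# fail2ban-style failregex for an exim reject line. <HOST> is fail2ban's own
# placeholder for the remote address; compile_failregex() expands it below.
FAILREGEX = (
    r"^\S+ \S+ H=.*?\[<HOST>\] F=<[^>@]+@[^>]+\.(?:"
    + "|".join(BLOCKED_TLDS)
    + r")> rejected RCPT"
)

# Constructed exim-style log lines (not from the poster's server). Line 3 is a
# legitimate reject that must NOT trigger a ban.
SAMPLE_LOG = [
    "2024-05-10 06:12:01 H=(mail.largetheme.pro) [45.141.151.16] "
    "F=<state@largetheme.pro> rejected RCPT <user@example.com>: sender domain blocked",
    "2024-05-10 06:12:02 H=(mail.largetheme.pro) [45.141.151.77] "
    "F=<state@largetheme.pro> rejected RCPT <user@example.com>: sender domain blocked",
    "2024-05-10 06:14:30 H=mx.example.net [203.0.113.9] "
    "F=<alice@example.net> rejected RCPT <nobody@example.com>: Unrouteable address",
    "2024-05-10 06:15:00 H=(smtp.offer.icu) [45.141.152.5] "
    "F=<promo@offer.icu> rejected RCPT <user@example.com>: sender domain blocked",
]


def compile_failregex(pattern):
    """Expand fail2ban's <HOST> placeholder into a named IPv4 capture group
    (simplified stand-in for fail2ban's own host pattern)."""
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    return re.compile(pattern.replace("<HOST>", host), re.IGNORECASE)


def matching_hosts(lines, pattern=FAILREGEX):
    """Return the remote address of every log line the failregex matches."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def subnet24(ip):
    """Widen a single address to its enclosing /24, as the poster's action does."""
    return str(ipaddress.ip_network(ip + "/24", strict=False))


def ban_subnets(lines):
    """Distinct /24s to blackhole, in first-seen order (one hit is enough,
    i.e. the equivalent of a jail with maxretry = 1)."""
    nets = OrderedDict()
    for host in matching_hosts(lines):
        nets.setdefault(subnet24(host), host)
    return list(nets)


def ipset_commands(nets, setname="f2b-namecheap"):
    """Shell commands a fail2ban action could run: create the set once, then add
    each /24 (-exist makes both steps idempotent)."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {net} -exist" for net in nets]
    return cmds


if __name__ == "__main__":
    for cmd in ipset_commands(ban_subnets(SAMPLE_LOG)):
        print(cmd)
```

The single firewall rule that makes the set effective is `iptables -I INPUT -m set --match-set f2b-namecheap src -j DROP`; it is inserted once, and afterwards only the set membership changes, which is why the set scales where 60,000 individual iptables rules did not.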

  • I've prioritized this thread at the top of the Mail Protection forum.  You might want to edit your opening post to give it a title that better announces why people should be aware of this.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    I've prioritized this thread at the top of the Mail Protection forum.  You might want to edit your opening post to give it a title that better announces why people should be aware of this.

    Cheers - Bob

    OK, I updated it.  I wasn't expecting anyone to be that interested, I was just making conversation.  :)

  • I just did some investigating.  I went back and checked a bunch of blocks of IP's that were blocked this month.

    Every one had one thing in common.  They all come from the ASN: AS209737.

    So, a quick dump of that ASN yields 10,496 IPs.  A few lines of script, and now the whole AS is blocked.

    I used this to download the list: https://www.enjen.net/asn-blocklist/index.php?asn=AS209737&type=nginx&api=1


    I think I will automate this process in the future after a little more testing.
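The "few lines of script" step above, as an added example that is not the poster's own: it parses an nginx-style deny list (the `type=nginx` parameter in the URL suggests `deny x.x.x.x/yy;` lines; that format is an assumption, and the sample below is constructed rather than fetched), drops malformed entries, separates IPv4 from IPv6, merges adjacent networks, and writes the `ipset restore` input for a set named `asn-block` (also an assumption).

```python
import ipaddress
import re

# Constructed sample in the style of an nginx deny list; the real enjen.net
# output format is assumed, not verified here. Two lines are deliberately bad.
SAMPLE_DENY_LIST = """\
# AS209737 (constructed sample, not the real list)
deny 45.141.151.0/24;
deny 45.141.152.0/24;
deny 45.141.153.0/24;
deny 45.141.151.0/24;   # duplicate on purpose
deny 45.141.999.0/24;   # malformed on purpose
deny 2001:db8::/32;
"""

DENY_RE = re.compile(r"^\s*deny\s+([0-9a-fA-F:./]+)\s*;")


def parse_deny_list(text):
    """Split a deny list into (ipv4 networks, ipv6 networks, rejected strings).
    Lines that are not 'deny ...;' statements are ignored."""
    v4, v6, bad = [], [], []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        try:
            net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            bad.append(m.group(1))
            continue
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6, bad


def collapse(nets):
    """Deduplicate and merge adjacent networks (e.g. two /24s into one /23)
    so the ipset stays as small as possible."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ipset_restore(v4, setname="asn-block"):
    """Text for `ipset restore`: one create line, then one add per network."""
    lines = [f"create {setname} hash:net family inet"]
    lines += [f"add {setname} {net}" for net in collapse(v4)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ipv4, ipv6, rejected = parse_deny_list(SAMPLE_DENY_LIST)
    if rejected:
        print("# skipped malformed entries:", ", ".join(rejected))
    print(ipset_restore(ipv4), end="")
```

Load the result with `ipset restore -exist < asn-block.ipset` so re-running the script on a refreshed list is harmless, and point a single `iptables -I INPUT -m set --match-set asn-block src -j DROP` rule at the set; IPv6 entries would need a second `family inet6` set and an `ip6tables` rule.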

  • I am impressed.

    You have apparently solved at least one of UTM's mail weaknesses - the inability to filter on Reverse DNS of the server name.  I read the EXIM scripting documentation a while back, to see if I could implement Reverse DNS under the covers.  I became discouraged because I could not determine where UTM stored the scripts, much less develop a strategy for keeping my changes from being overwritten.

    I wonder if you also know how to fix some of the other gaps:

    • Inability to filter on the message's From header
    • Inability to filter on DMARC policy
    • Inability to evaluate for SPF errors without blocking messages

    At the risk of making Sophos Support throw a tantrum, it would be wonderful to read a brain dump of what you have learned - a brief tutorial on how to tailor EXIM and how to do so in a way that is compatible with the UTM stuff on top of it, with pointers to the EXIM documentation for further reading.

  • DouglasFoster said:

    I am impressed.

    You have apparently solved at least one of UTM's mail weaknesses - the inability to filter on Reverse DNS of the server name.  I read the EXIM scripting documentation a while back, to see if I could implement Reverse DNS under the covers.  I became discouraged because I could not determine where UTM stored the scripts, much less develop a strategy for keeping my changes from being overwritten.

    I wonder if you also know how to fix some of the other gaps:

    • Inability to filter on the message's From header
    • Inability to filter on DMARC policy
    • Inability to evaluate for SPF errors without blocking messages

    At the risk of making Sophos Support throw a tantrum, it would be wonderful to read a brain dump of what you have learned - a brief tutorial on how to tailor EXIM and how to do so in a way that is compatible with the UTM stuff on top of it, with pointers to the EXIM documentation for further reading.

    I would like to do this.  The thought of documenting the fail2ban installation is a little frightening, but if I can find the time...

    No, I have not tried the DMARC or SPF issues you mention - for me they have been working pretty well.  Do you see evidence of your problem in the SMTP log?  If so, we can probably write a fail2ban rule for it.  I'm not clear on what you are trying to accomplish.

  • I had not planned to implement Fail2Ban, although I took a quick look at its website (https://www.fail2ban.org/) and I can see why it was useful for you.

    My interest was focused on hacking Exim to do what UTM does not.  I thought you said that you had implemented a Reverse DNS filtering mechanism, which I assumed that you implemented with Exim filters.

    If I get hostile mail from "server7.malware4u.com", I want to block multiple servers based on the domain name, as well as blocking one server or one range based on IP address.  This seems like an obvious requirement, requiring relatively little coding effort, so I am mystified why it is missing from UTM or any other commercial spam filter.

  • Huge fan of Fail2Ban.

    I'm assuming you have it running on/with your UTM instance?

    Regards

    Craig

  • vicegod said:

    Huge fan of Fail2Ban.

    I'm assuming you have it running on/with your UTM instance?

    Regards

    Craig

    Yes, just ssh into UTM and copy the installer with FTP.  It installs into /etc/fail2ban.

    Would you like to share jails and configs?  I think the magic is in the "filter" files.