
We hit 100,000 IPs blocked last night from a spam botnet

My firewall has now blocked 100,768 IP addresses from the namecheap.com spam botnet.  These sleazebags have been spamming us 24x7 for over 5 years now.  Not one single spam - NOT ONE - has been delivered to any of my users.

What a waste of internet bandwidth though.  I wish ... bad things to happen to them.

  • DouglasFoster said:

    I had not planned to implement Fail2Ban, although I took a quick look at its website (https://www.fail2ban.org/) and I can see why it was useful for you.   

    My interest was focused on hacking Exim to do what UTM does not.   I thought you said that you had implemented a Reverse DNS filtering mechanism, which I assumed that you implemented with Exim filters. 

    If I get hostile mail from "server7.malware4u.com", I want to block multiple servers based on the domain name, as well as blocking one server or one range based on IP address.    This seems like an obvious requirement, requiring relatively little coding effort, so I am mystified why it is missing from UTM or any other commercial spam filter.


    If you have a working regex that targets that domain, then blocking it is trivial, doesn't matter what the IPs are.

    If I understand you, we have the same problem.  I know the pattern of the namecheap spambots, so a regex expression to detect those domain names, then it tosses each IP into the IPSET database to be blocked.

    Here is an example from right now.  Obvious spam coming in from "drama@dealrough.pro".  Log file shows IP of 185.217.228.19.

    My fail2ban action then blocks 185.217.228.0/24.  Wash your hands and you are done dealing with that parasite.

    Yes, it takes a lot of customizing to set up.  Fail2ban is not friendly, but that's part of the fun for me.

  • Sure can... I don't use Fail2Ban on the UTM, but on a CentOS webserver, I'm assuming the logs are similar.

    So advice for anyone attempting to use Fail2Ban

    First bit of advice... small steps, one at a time. Backup configs, Implement, watch, test, tweak - repeat

    Second bit of advice - drinking beer while you tweak into the night is not advisable.

    Whitelist your servers and your connection/admin IP!!! ( More than likely Sophos IPs for updates etc)

    Activate the sshd filter - whitelist your admin IPs!

    Watching the Fail2Ban log can be "fun" - No1 Tool - tail -f /etc/fail2ban/fail2ban.log

    No2 tool is a testing process for checking logs against regex. You block the wrong stuff and you are screwed, e.g. background updates, SSL updates / server monitors, or worse, you lock yourself out.

    https://www.regextester.com/94338

    This allows a dump of a log segment to test the regex.

    Document and name your filters for easy id.

    These are probably the most active filters I have created - Disclaimer - use at your own risk -

    Test them before to see what they do!

    # hashed out comments are recipes I have created and used at times

    -------------------------

    jail.local:

    [dovecotCraigHack]
    enabled = true
    port    = pop3,pop3s,imap,imaps,submission,465,sieve
    logpath = /var/log/exim_rejectlog
    maxretry = 1

    File Filter "dovecotCraigHack.conf"

    #\[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[\S+\])
    #\[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[<HOST>\])
    #\[\d+\](.*)(\[\S+\])(.*)(\[\S+\])(.*)The account or domain may not exist, they may be blacklisted, or missing the proper dns entries
    #\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)The account or domain may not exist, they may be blacklisted, or missing the proper dns entries
    #\[\d+\](.*)(\[\S+\])(.*)(\[\S+\])(.*)\:25 sender verify fail for(.*)\: No Such User Here\"
    #\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25 sender verify fail for(.*)\: No Such User Here\"
    #\[\d+\](.*)(\[\S+\])(.*)(\[\S+\])(.*)\:25\: 535 Incorrect authentication data
    #\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25\: 535 Incorrect authentication data
    [Definition]
    failregex = \[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[<HOST>\])
            \[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)The account or domain may not exist, they may be blacklisted, or missing the proper dns entries
            \[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25 sender verify fail for(.*)\: No Such User Here\"
            \[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25\: 535 Incorrect authentication data
    ignoreregex =


    -------------------------

    jail.local:

    [eximCraigHack]
    enabled = true
    port   = smtp,465,submission
    logpath = /var/log/exim_mainlog
    maxretry = 1

    File Filter "eximCraigHack.conf"

    #\[\d+\] SMTP connection from \[(<HOST>)\]
    #\[\d+\] no MAIL in SMTP connection from \(\[(<HOST>)\]\)
    [Definition]
    failregex = \[\d+\] no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?(\[<HOST>\])
    ignoreregex = 

    -------------------------


    Regards

    Craig
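As an added example (not code from Craig's post, from the earlier reply to DouglasFoster, or from fail2ban itself), this Python dry-run applies Craig's two failregex lines to constructed Exim log lines and widens each hit to a /24 the way the IPSET action described earlier in the thread does. The `<HOST>` expansion is an approximation of fail2ban's own; the log lines, PIDs and addresses are made up.

```python
"""Dry-run fail2ban-style failregex lines against sample Exim log text."""
import ipaddress
import re

# Approximation of fail2ban's <HOST> expansion (assumption: the real
# one is broader and also handles hostnames and IPv6-mapped forms).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from the eximCraigHack / dovecotCraigHack filters.
FAILREGEX = [
    r"\[\d+\] no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?(\[<HOST>\])",
    r"\[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[<HOST>\])",
]

# Constructed sample lines in the shape of Exim mainlog/rejectlog output
# with +pid logging; not taken from any real server. The third line is a
# legitimate delivery and must NOT match.
SAMPLE_LOG = """\
2019-05-10 03:14:15 [2231] no MAIL in SMTP connection from (mail.example.test) [203.0.113.45] D=5s C=EHLO
2019-05-10 03:14:16 [2232] dovecot_plain authenticator failed for (user) [198.51.100.7]: 535 Incorrect authentication data
2019-05-10 03:14:17 [2233] 1hOqBQ-0001aZ-4Z <= alice@example.test H=relay.example.test [192.0.2.10] P=esmtps
"""


def compile_failregex(patterns):
    """Substitute <HOST> with a named group, as fail2ban does before matching."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def matched_hosts(log_text, patterns=FAILREGEX):
    """Return the host captured by the first matching failregex on each line."""
    compiled = compile_failregex(patterns)
    hosts = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # one ban per line, regardless of how many patterns fire
    return hosts


def ban_network(host, prefix=24):
    """Widen one offending IP to its enclosing /24, as the IPSET action does."""
    return str(ipaddress.ip_network(f"{host}/{prefix}", strict=False))


if __name__ == "__main__":
    for h in matched_hosts(SAMPLE_LOG):
        print(f"{h} -> ban {ban_network(h)}")
```

Paste a real log segment into SAMPLE_LOG before enabling a filter: if a line you rely on (monitoring, updates, your own admin host) shows up in the output, the regex needs narrowing or an ignoreregex entry.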

  • LMAO, Craig - "Second bit of advice - drinking beer while you tweak into the night is not advisable."

    Thanks for your contributions here!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    LMAO, Craig - "Second bit of advice - drinking beer while you tweak into the night is not advisable."

    Thanks for your contributions here!

    Cheers - Bob
    I don't know, some of my best tweaking was done with Guinness.

  • vicegod said:

    [dovecotCraigHack]

    enabled = true
    port    = pop3,pop3s,imap,imaps,submission,465,sieve
    logpath = /var/log/exim_rejectlog
    maxretry = 1

    I started off blocking individual ports like that too, but then I thought why?

    If you attack me, I block you completely.  All ports.  For a minimum of 2 years.