SMTP Attacks

Rick Stevens rstevens at vitalstream.com
Tue Oct 24 17:43:37 UTC 2006 

On Tue, 2006-10-24 at 19:10 +0200, Oliver B. wrote:
> Hello Rick,
> 
> could you please post these networks :)!?

I'm rather hesitant to post it publicly.  I can only say that these
are the networks I've had the most trouble with and the ones that have
ignored my requests to block such behavior.  I'm NOT condemning everyone
on these networks, but there seems to be a lot of *ssholes on them.

Ah, hell, I'll throw caution to the winds.  Here's the iptables rules
I've developed:

# Block traffic from known spam sources...
-A INPUT -s 201.42/15 -p tcp -j DROP
-A INPUT -s 200.176.112/21 -p tcp -j DROP
-A INPUT -s 202.158.29.0/255.255.255.0 -p tcp -j DROP
-A INPUT -s 203.228.187.0/255.255.255.0 -p tcp -j DROP
-A INPUT -s 209.223.0.0/255.255.0.0 -p tcp -j DROP
-A INPUT -s 218.0.0.0/255.0.0.0 -p tcp -j DROP
-A INPUT -s 219.251.88.0/255.255.252.0 -p tcp -j DROP
-A INPUT -s 221.0.0.0/8 -p tcp -j DROP
-A INPUT -s 64.18.4.10 -p tcp -j DROP
-A INPUT -s 59.49.0.0/22 -p tcp -j DROP
-A INPUT -s 61.169.0.0/14 -p tcp -j DROP
-A INPUT -s 61.52.0.0/14 -p tcp -j DROP
-A INPUT -s 61.153.27.0/24 -p tcp -j DROP
-A INPUT -s 219.147.177.0/24 -p tcp -j DROP
-A INPUT -s 220.160.0.0/14 -p tcp -j DROP
-A INPUT -s 201.221.144/20 -p tcp -j DROP
-A INPUT -s 61.128.0.0/16 -p tcp -j DROP
-A INPUT -s 61.129.0.0/16 -p tcp -j DROP
-A INPUT -s 211.0.0.0/8 -p tcp -j DROP
-A INPUT -s 220.0.0.0/8 -p tcp -j DROP
-A INPUT -s 222.0.0.0/8 -p tcp -j DROP
-A INPUT -s 221.0.0.0/8 -p tcp -j DROP
-A INPUT -s 218.0.0.0/8 -p tcp -j DROP
-A INPUT -s 219.0.0.0/8 -p tcp -j DROP
-A INPUT -s 210.0.0.0/8 -p tcp -j DROP
-A INPUT -s 193.149.115.0/24 -p tcp -j DROP
-A INPUT -s 61.138.0.0/16 -p tcp -j DROP

As you can see, there's lots of /8 and /14 entries in there.  We don't
do much business with the far east or eastern Europe at this time, and
if we do then I'll modify the rules.  As it stands now, I'm not going to
waste my time building lists of individual IP addresses.  If I get
enough grief from a network, I do a whois on the network and block the
whole damned thing.  Yes, it's rather draconian, but these bozos should
police their network more carefully.  We do.

> >> >> In the past week, I've seen log entries like this pretty much every
> >> day.
> >> >> This is on a Fedora 4 system. I'm running sshblack to get rid of the
> >> >> thousands of ssh breaking attempts and have been using the included
> >> bl
> >> >> command to add these ip addresses to the block list (which adds them
> >> to
> >> >> iptables with instructions to drop the packets). Is that worthwile?
> >> >> Should
> >> >> I do anything else? Again, these have only started showing up this
> >> week.
> >> >>
> >> >> Thanks!
> >> >>
> >> >> Harold
> >> >>
> >> >> WARNING!!!!  Possible Attack:
> >> >>     Attempt from 235.30.broadband2.iol.cz [83.208.30.235] with:
> >> >>        command=HELO/EHLO, count=3: 1 Time(s)
> >> >>     Attempt from 46.173.broadband6.iol.cz [88.101.173.46] with:
> >> >>        command=HELO/EHLO, count=3: 1 Time(s)
> >> >>     Attempt from [12.166.98.246] with:
> >> >>        command=HELO/EHLO, count=3: 1 Time(s)
> >> >>     Attempt from dslb-082-083-067-104.pools.arcor-ip.net
> >> [82.83.67.104]
> >> >> with:
> >> >>        command=HELO/EHLO, count=3: 1 Time(s)
> >> >>     Attempt from laly-s.bb.netvision.net.il [212.143.166.250] with:
> >> >>        command=HELO/EHLO, count=3: 1 Time(s)
> >> >>     Attempt from p54BB98E4.dip0.t-ipconnect.de [84.187.152.228] with:
> >> >>        command=HELO/EHLO, count=3: 1 Time(s)
> >> >>          Total:  6 Time(s)
> >> >>
> >> >>  **Unmatched Entries**
> >> >>     87-126-13-210.btc-net.bg [87.126.13.210] (may be forged):
> >> possible
> >> >> SMTP attack:
> >> >> command=HELO/EHLO, count=3: 1 Time(s)
> >> >
> >> > I'm unclear on this.  What does SMTP have to do with SSH?  Normally
> >> > your SMTP server (sendmail, postfix, etc.) is open to the world,
> >> > though it will pass only what mail it is configured to pass.
> >> >
> >> > That said, I use sshblack (checking SSH access) on several of the
> >> > hosts that I manage, though I have it make an entry in /etc/hosts.deny
> >> > rather than IPTABLES.  I have it set to stop the blighters after six
> >> > failed tries.  The attempts show up in my logwatch reports, and then I
> >> > do a whois on the IP address (either website or command line) to find
> >> > out the email address for the abuse contact for that network.  Then I
> >> > send them a nastygram with log excerpts.
> >> >
> >> > Because I never expect to need SSH access from a foreign network, I
> >> > block SSH access to all foreign networks.
> >> >
> >>
> >>
> >> Sorry if my note was confusing! sshblack is working very well for me
> >> blocking ssh attacks. Down from thousands a day to something like 5 from
> >> each new IP address that tries (a half dozen a day). I also have another
> >> copy of sshblack watching my httpd access log for URLs that contain the
> >> word "echo" or have Microsoft directory names in them (WINNT, etc.).
> >> These
> >> also get added to the drop list in iptables.
> >>
> >> sshblack includes a simple script called "bl". You use it something like
> >> "bl 1.2.3.4" to add IP address 1.2.3.4 to the list of addresses dropped
> >> by
> >> IP tables. I have been manually adding the IP addresses listed in the
> >> suspected SMTP attacks reported in the logs.
> >>
> >> So, from the log reports above, what's going on? I'm running sendmail on
> >> an FC4 system. Anything I need to worry about?
> >
> > This is not untypical behavior for mail servers.  What you're seeing are
> > machines trolling around for open relay mail servers.  The fact that
> > they're coming from eastern Europe and are using broadband connections
> > is pretty conclusive.  For that reason, I have huge parts of eastern
> > Europe, Brazil, Korea, Japan and China blocked (I have at least 12 /8
> > networks blocked).
> >
> > Welcome to the Internet.  :-(
> >
> > ----------------------------------------------------------------------
> > - Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
> > - VitalStream, Inc.                       http://www.vitalstream.com -
> > -                                                                    -
> > -         Microsoft Windows:  Proof that P.T. Barnum was right       -
> > ----------------------------------------------------------------------
> >
> > _______________________________________________
> > Redhat-install-list mailing list
> > Redhat-install-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/redhat-install-list
> > To Unsubscribe Go To ABOVE URL or send a message to:
> > redhat-install-list-request at redhat.com
> > Subject: unsubscribe
> >
> >
> 
> 
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request at redhat.com
> Subject: unsubscribe
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-                   To err is human, to moo bovine.                  -
----------------------------------------------------------------------

More information about the Redhat-install-list mailing list