Pulu 'Anau wrote:
To kind of get back to the ISP world a little bit, has anyone used this in the way that's being recommended? (Using the OS Fingerprint Netfilter patch to block Windows machines sending to port 25).
We're currently getting slammed by Windows viruses and have thought about doing exactly that, but it seemed to us that there are enough people using Exchange or Sendmail.com's Windows sendmail (let alone ftgate, etc, etc.) that doing this would block legitimate mail almost instantly.
We've just been blocking hosts manually after the first virus. I'm thinking about writing a little script to:
1. Get the offending IP address from amavis's logfile
2. Check against a whitelist (like our own backup mx's)
3. Do something like tcpping to the IP to see if it is a valid mx host
4. If it doesn't pass checks 2 or 3, block the IP in netfilter for 72 hours

Other than the 72 hour checks it's pretty straightforward and seems (at least to me) very unlikely to stop legitimate mail, while cutting those guys who send 40-50 viruses a day down to 1 every three.
Does anyone see any problems with the above? The major issue is bandwidth; some of our customers host their mail servers on 32K links with 200+ users.
Sorry, it's not really about the spam issue discussed before, but it's strange the synchronicity (os fingerprinting anyway) between my work and this list sometimes.
Pulu
---- Afe.to ANTS POB 1478 Nuku'alofa, Tonga Ph: Country code 676 - 27946 or 878-1332 http://www.afe.to http://svcs.affero.net/rm.php?r=pulu
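The four-step script sketched in the message above, as an added Python example (not code from the original post). The amavis log line layout, the sample addresses, the function names and the reading of "tcpping" as a TCP connect to port 25 are assumptions; the iptables commands are returned as strings so the 72-hour expiry can be tracked without touching a live firewall.

```python
import ipaddress
import re
import socket
from datetime import timedelta

BLOCK_FOR = timedelta(hours=72)
# Assumed log shape: INFECTED verdict, then the client IP in brackets.
INFECTED = re.compile(r"INFECTED.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RULE = "iptables -{op} INPUT -s {ip} -p tcp --dport 25 -j DROP"
# Constructed sample lines, not real amavis output.
SAMPLE_LOG = """\
Apr  9 21:40:01 mx amavis[812]: (00812-01) Blocked INFECTED (Worm.Test), [192.0.2.10] <a@example.com> -> <u@example.net>
Apr  9 21:40:07 mx amavis[812]: (00812-02) Passed CLEAN, [198.51.100.7] <b@example.org> -> <u@example.net>
Apr  9 21:41:12 mx amavis[813]: (00813-01) Blocked INFECTED (Worm.Test), [203.0.113.5] <c@example.com> -> <u@example.net>
Apr  9 21:42:30 mx amavis[813]: (00813-02) Blocked INFECTED (Worm.Test), [198.51.100.25] <d@example.org> -> <u@example.net>
"""

def offenders(log_text):
    """Step 1: unique, syntactically valid source IPs of infected mail."""
    found = []
    for m in INFECTED.finditer(log_text):
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # never pass unvalidated log text into a firewall rule
        if ip not in found:
            found.append(ip)
    return found

def listens_on_smtp(ip, timeout=5.0):
    """Step 3: a host that accepts TCP/25 is treated as a mail server."""
    try:
        with socket.create_connection((ip, 25), timeout=timeout):
            return True
    except OSError:
        return False

def plan_blocks(log_text, whitelist, now, blocked, probe=listens_on_smtp):
    """Steps 2-4: return iptables commands; `blocked` maps ip -> expiry."""
    expired = sorted(ip for ip, exp in blocked.items() if exp <= now)
    cmds = [RULE.format(op="D", ip=ip) for ip in expired]
    for ip in expired:
        del blocked[ip]
    for ip in offenders(log_text):
        if ip in whitelist or ip in blocked or probe(ip):
            continue
        blocked[ip] = now + BLOCK_FOR
        cmds.append(RULE.format(op="I", ip=ip))
    return cmds
```

The `blocked` dictionary has to be persisted between runs (for example from cron) for the expiry to work; the probe in step 3 costs one TCP handshake per new offender, which matters on the slow customer links mentioned above.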
Quoting Russell Coker <[EMAIL PROTECTED]>:
On Fri, 9 Apr 2004 21:32, Arnt Karlsen <[EMAIL PROTECTED]> wrote:
On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
Not all ISPs need to do it. Only your ISP and the ISPs that host mailing lists that you subscribe to.
http://www.netfilter.org/patch-o-matic/pom-base.html
..if only all isp's did it...
See the section on "osf" in the above URL for a better solution.
Simply block Windows machines from accessing your port 25.
If you are interested in this then the best thing you can do is to build yourself a kernel with osf and try it out. If it works well create a Debian kernel-patch package for it so that other Debian users can conveniently use it. The more accessible you make this to Debian people the closer it comes to being installed on Debian list servers...
-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]