If I remember right (and someone correct me if I'm wrong), a mail server
doesn't have to have an MX record. If no MX record exists, then the
sending server drops back to normal host records, and this is perfectly
legitimate. So the MX record checking may not work so well.
Pulu 'Anau wrote:
To kind of get back to the ISP world a little bit, has anyone used this in the
way that's being recommended? (Using the OS Fingerprint Netfilter patch to
block Windows machines sending to port 25).
We're currently getting slammed by Windows viruses and have thought about doing
exactly that, but it seemed to us that there are enough people using Exchange or
Sendmail.com's windows sendmail (let alone ftgate, etc, etc.) that doing this
would block legitimate mail almost instantly.
We've just been blocking hosts manually after the first virus. I'm thinking
about writing a little script to:
1. Get the offending IP address from amavis's logfile
2. Check against a whitelist (like our own backup MXs)
3. Do something like tcpping to the IP to see if it is a valid MX host
4. If it doesn't pass checks 2 or 3, block the IP in netfilter for 72 hours
Other than the 72-hour checks it's pretty straightforward and seems (at least to
me) very unlikely to stop legitimate mail, while cutting those guys who send
40-50 viruses a day down to 1 every three days.
Does anyone see any problems with the above? The major issue is bandwidth, some
of our customers host their mail servers on 32K links with 200+ users.
Sorry, it's not really about the spam issue discussed before, but the
synchronicity (OS fingerprinting, anyway) between my work and this list is
strange sometimes.
Pulu
----
Afe.to ANTS
POB 1478
Nuku'alofa, Tonga
Ph: Country code 676 - 27946 or 878-1332
http://www.afe.to
http://svcs.affero.net/rm.php?r=pulu
Quoting Russell Coker <[EMAIL PROTECTED]>:
On Fri, 9 Apr 2004 21:32, Arnt Karlsen <[EMAIL PROTECTED]> wrote:
On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
http://www.netfilter.org/patch-o-matic/pom-base.html
See the section on "osf" in the above URL for a better solution.
Simply block Windows machines from accessing your port 25.
..if only all ISPs did it...
Not all ISPs need to do it. Only your ISP and the ISPs that host mailing
lists that you subscribe to.
If you are interested in this then the best thing you can do is to build
yourself a kernel with osf and try it out. If it works well create a Debian
kernel-patch package for it so that other Debian users can conveniently use
it. The more accessible you make this to Debian people the closer it comes
to being installed on Debian list servers...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
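The four-step block-after-first-virus script sketched above, with the MX caveat from the top reply folded into step 3, written out as an added example. This is not Pulu's script and not amavis or netfilter code: the log line layout, the whitelist networks, the DNS view and the tcp/25 probe are all constructed stand-ins so the logic runs offline; a real script would tail the actual amavis log, query DNS and connect to the host. Step 3 treats a sender as a legitimate mail host if it answers on tcp/25 or if the sender domain's MX targets (or, when there is no MX record at all, its plain A record, which is the fallback the reply describes) point at that address.

```python
"""Added example (not the poster's script, not amavis code): steps 1-4 of the
block-after-first-virus procedure, with the MX-record caveat folded into step 3.
Log format, resolver and port probe are constructed stand-ins for offline use."""
import ipaddress
import re

BLOCK_SECONDS = 72 * 3600  # step 4: block for 72 hours

# Constructed sample log lines; the layout is an assumption, not real amavis output.
SAMPLE_LOG = """\
Apr  9 10:01:12 mx amavis[2231]: (02231-01) INFECTED (W32/Netsky.p) from [203.0.113.45] <a@example.net> -> <b@afe.to>
Apr  9 10:02:40 mx amavis[2232]: (02232-02) INFECTED (W32/Bagle.j) from [192.0.2.10] <c@example.org> -> <d@afe.to>
Apr  9 10:03:05 mx amavis[2233]: (02233-03) Passed CLEAN from [198.51.100.7] <e@example.com> -> <f@afe.to>
Apr  9 10:04:55 mx amavis[2234]: (02234-04) INFECTED (W32/Mydoom.a) from [203.0.113.77] <g@example.net> -> <h@afe.to>
"""
INFECTED_RE = re.compile(
    r"INFECTED \([^)]*\) from \[(?P<ip>[0-9.]+)\] <[^@>]*@(?P<domain>[^>]+)>")

# Step 2 whitelist: our own backup MXs (the network is an assumption).
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed DNS view: (name, rrtype) -> rdata list.  A real script would query.
FAKE_DNS = {
    ("example.net", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["203.0.113.45"],
    ("example.org", "A"): ["192.0.2.10"],   # no MX record: A-record fallback applies
}
# Constructed view of who answers on tcp/25 (what tcpping would report).
FAKE_PORT25_OPEN = {"203.0.113.45", "192.0.2.10"}


def fake_resolve(name, rrtype):
    return FAKE_DNS.get((name, rrtype), [])


def fake_probe(ip, port=25):
    return ip in FAKE_PORT25_OPEN


def offending_hosts(log_text):
    """Step 1: (ip, sender domain) for every INFECTED line in the log excerpt."""
    return [(m.group("ip"), m.group("domain").lower())
            for m in INFECTED_RE.finditer(log_text)]


def is_whitelisted(ip):
    """Step 2: never block our own backup MXs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def mail_host_addresses(domain, resolve):
    """Addresses DNS vouches for as the domain's mail hosts: the MX targets when
    there are any, otherwise the domain's own A record (the no-MX fallback)."""
    targets = resolve(domain, "MX") or [domain]
    return {a for t in targets for a in resolve(t, "A")}


def passes_mx_check(ip, domain, resolve, probe):
    """Step 3: a real mail host listens on tcp/25 or is named by the sender
    domain's MX/A records; anything else is a candidate for blocking."""
    return probe(ip, 25) or ip in mail_host_addresses(domain, resolve)


def expire(blocks, now):
    """Drop entries whose 72 hours are up; caller runs the matching -D rule."""
    return {ip: until for ip, until in blocks.items() if until > now}


def netfilter_rule(ip, remove=False):
    """Shell command to add (or, for expiry, delete) the port-25 drop rule."""
    return f"iptables {'-D' if remove else '-I'} INPUT -s {ip} -p tcp --dport 25 -j DROP"


def process(log_text, now, blocks, resolve=fake_resolve, probe=fake_probe):
    """Run steps 1-4 over a log excerpt.  Returns (blocks, rules_to_apply);
    blocks maps ip -> expiry time (seconds since epoch)."""
    blocks = expire(blocks, now)
    rules = []
    for ip, domain in offending_hosts(log_text):
        if ip in blocks or is_whitelisted(ip):
            continue
        if passes_mx_check(ip, domain, resolve, probe):
            continue
        blocks[ip] = now + BLOCK_SECONDS
        rules.append(netfilter_rule(ip))
    return blocks, rules


if __name__ == "__main__":
    now = 1081500000
    active, rules = process(SAMPLE_LOG, now, {})
    for rule in rules:
        print(rule)
    print("still blocked after 72h:", expire(active, now + BLOCK_SECONDS))
```

Only the 203.0.113.77 sender gets a rule in the sample: it neither answers on tcp/25 nor appears in example.net's MX targets. The 203.0.113.45 sender is example.net's MX and stays unblocked even though it delivered a virus, which is the trade-off the post accepts; 192.0.2.10 is caught by the whitelist, and would also pass step 3 through the A-record fallback because example.org has no MX at all.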