On 30.05.2014 16:32, li...@rhsoft.net wrote:
>
> On 30.05.2014 16:21, li...@rhsoft.net wrote:
>> sorry for the more or less off-topic but i think
>> here are the people with most experience
>>
>> what i would like to do is:
>>
>> * setup whatever software listening on port 25
>> * any IP connecting to that machine feed into
>>   a dns-zone file for a DNSBL

done something like this years ago, mostly doubles i.e. spamhaus entries
but useful with many servers

>>
>> currently i have a stripped down CentOS6 listening
>> on all unused IP's in a /24 network on standard
>> ports with xinetd answering to ping and response
>> with a dash-script "creep away"
>>
>> assuming that only infected machines part of a botnet
>> are trying to connect on random IP's to port 25 i would
>> say the same machines likely are used to spread spam
>>
>> so feed any connection to a automatically maintained
>> RBL may stop recent spam waves targeting the own network
>> long before the big RBL's react and if you achieve to
>> remove IP's on that auto-fed RBL after 48 hours there
>> should be little to no bad impact
>
> answering myself:
>
> a tiny, secure piece of software accepting connections on
> a specific port and write only the IP address in a textfile
> would be enough as start
>
> the rest are some cron-scripts maintaining a database with
> timestamp/IP, generate the PTR-zone for the RBL and reload
> whatever nameserver software using that zone file
>

i thought spreading filtered syslog results from real servers feeding to
other ones, i.e. with/over own rbl and/or combine with direct
firewalling actions out of syslog i.e. in/with recent module, but
i haven't got time to investigate in this yet

Best Regards
Kind regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
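
The cron step described in the quoted message (timestamp/IP database, removal after 48 hours, zone generation), as an added example that is not part of the original thread. The input format (one `epoch IP` pair per line), the `never_list` parameter for the operator's own networks, the record TTL and the sample addresses are assumptions; owner names are relative, for a zone file whose `$ORIGIN` is the DNSBL zone.

```python
import ipaddress

TTL_SECONDS = 48 * 3600      # expiry window named in the thread
LISTED_A = "127.0.0.2"       # conventional DNSBL "listed" answer
NOW = 1401460000             # constructed "current time" for the sample
SAMPLE = [                   # constructed trap log: "<epoch> <ip>"
    "1401459000 203.0.113.7",
    "1401200000 203.0.113.9",     # older than 48 h, must expire
    "1401459500 192.0.2.44",
    "1401459900 203.0.113.7",     # repeat hit, keeps newest timestamp
    "1401459000 198.51.100.20",   # inside the operator's own range
    "garbage line here",
    "1401459000 not-an-ip",
]

def load_hits(lines, now, never_list=()):
    """Return {IPv4Address: last_seen} for hits still inside the window."""
    skip = [ipaddress.ip_network(n) for n in never_list]
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue                      # malformed line
        try:
            seen, ip = int(parts[0]), ipaddress.IPv4Address(parts[1])
        except ValueError:
            continue                      # bad timestamp or not IPv4
        if any(ip in net for net in skip):
            continue                      # never list own address space
        if 0 <= now - seen <= TTL_SECONDS:
            hits[ip] = max(seen, hits.get(ip, 0))
    return hits

def zone_records(hits, ttl=300):
    """One A record per listed IP; owner name is the reversed octets."""
    out = []
    for ip in sorted(hits):
        owner = ".".join(reversed(str(ip).split(".")))
        out.append(f"{owner} {ttl} IN A {LISTED_A}")
    return out

if __name__ == "__main__":
    print("\n".join(zone_records(load_hits(SAMPLE, NOW, ["198.51.100.0/24"]))))
```

Writing the records to a temporary file and renaming it over the live zone before the nameserver reload avoids serving a half-written zone.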