On Thu, 29 Nov 2007, denversteve wrote:

> I am running qmailrocks mail server and have not found a good
> answer to this question for blocking IP instead of just processing
> the spam emails and overwhelming my server.
>
> Is there someone with a script to modify qmail-scanner-queue.pl or
> another script to run /sbin/iptables to block a spam IP address on
> the first flagged email, then maybe remove blocks from iptables
> after a day.

Blackholing on the first spam is a bit extreme...

If you poke around under http://www.impsec.org/~jhardin/antispam/ you
will find a script that I use that adds repeat abusers to the IP block
list (and, in my case, also TCP tarpits their server).

"repeat abuse" is defined as more than three or four attempts in a
limited time from the same IP address:

 (1) that I am already blocking via DNSBL, or
 (2) to unlikely addresses at my mailing list server, or
 (3) that get blocked by explicit sendmail access deny rules.

The blocks automatically expire after a while, as that IP will no
longer be able to generate sendmail log entries while it's blocked...

This script is sendmail-specific as it scans sendmail log entries to
determine who to tarpit. I would assume that it wouldn't be too
difficult to modify for any MTA that logs sufficient information about
rejected connections.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
                                        -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 26 days until Christmas
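
The repeat-abuser rule described in the reply above, sketched as an added example; it is not part of the original message and is not the script hosted at impsec.org. The log lines are constructed, modelled on sendmail reject entries, and the threshold, the 10-minute window and the 24-hour block lifetime are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on sendmail reject entries (not real logs).
SAMPLE_LOG = """\
Nov 29 08:00:00 mx sendmail[2001]: q01: ruleset=check_rcpt, arg1=<x1@lists.example.org>, relay=host.example.net [198.51.100.7], reject=550 5.1.1 User unknown
Nov 29 09:00:00 mx sendmail[2002]: q02: ruleset=check_rcpt, arg1=<x2@lists.example.org>, relay=host.example.net [198.51.100.7], reject=550 5.1.1 User unknown
Nov 29 10:00:01 mx sendmail[2101]: q03: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Blocked by DNSBL
Nov 29 10:00:30 mx sendmail[2003]: q04: ruleset=check_rcpt, arg1=<x3@lists.example.org>, relay=host.example.net [198.51.100.7], reject=550 5.1.1 User unknown
Nov 29 10:01:12 mx sendmail[2102]: q05: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Blocked by DNSBL
Nov 29 10:02:30 mx sendmail[2103]: q06: ruleset=check_rcpt, arg1=<y1@lists.example.org>, relay=[192.0.2.10], reject=550 5.1.1 User unknown
Nov 29 10:03:45 mx sendmail[2104]: q07: ruleset=check_rcpt, arg1=<y2@lists.example.org>, relay=[192.0.2.10], reject=550 5.7.1 Access denied
Nov 29 10:05:00 mx sendmail[2110]: q08: from=<a@example.com>, size=1200, nrcpts=1, relay=mail.example.com [203.0.113.5]
Nov 29 11:00:00 mx sendmail[2004]: q09: ruleset=check_rcpt, arg1=<x4@lists.example.org>, relay=host.example.net [198.51.100.7], reject=550 5.1.1 User unknown
"""

REJECT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: .*"
    r"relay=[^,]*\[(\d{1,3}(?:\.\d{1,3}){3})\].*reject=")

MAX_REJECTS = 3                    # assumption: block on more than three rejects
WINDOW = timedelta(minutes=10)     # assumption: the "limited time"
BLOCK_TTL = timedelta(hours=24)    # assumption: how long a block lasts

def find_repeat_abusers(log_text, year=2007):
    """Return {ip: block_expiry} for IPs exceeding MAX_REJECTS within WINDOW."""
    recent = defaultdict(deque)    # ip -> timestamps of rejects inside the window
    blocks = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue               # accepted mail and unrelated lines are ignored
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop rejects that fell out of the window
            q.popleft()
        if len(q) > MAX_REJECTS:
            blocks[ip] = ts + BLOCK_TTL   # a further offence extends the block
    return blocks

def active_blocks(blocks, now):
    """Expire old entries: keep only blocks whose expiry is still in the future."""
    return {ip: exp for ip, exp in blocks.items() if exp > now}
```

In the sample, 192.0.2.10 is blocked on its fourth reject inside ten minutes, while 198.51.100.7 has four rejects spread over three hours and is left alone. The returned expiry times are what a cron job would compare against the current time before removing a firewall rule.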