Ramprasad wrote:
Marc Perkel wrote:
There are people out there who are better and faster programmers than I
am. I need a simple utility written. We can post it on the SA Wiki when
we're done.
I don't care what it's written in, but I'm thinking that xinetd might
be easiest. What I want is something to record the IP address of any
host connecting to port 25. Then it's going to need to run a one-line
script file that runs netcat (nc) and sends me data. Basically I just
need the IP address. I have a collector program listening that feeds
the blacklist system. The collector is:
echo "$*" | nc -w 2 <host> <port>
exit 0

You mean you need a script that will listen on port 25 instead of an smtpd
daemon?
Will that be a trivial thing to do?
What should this do, just log the IPs to syslog and break the connection
immediately after connect?

The idea of this project is to collect hits on port 25 of computers
that shouldn't be hit on port 25. These hits would be 100% spambots
and hackers. They hit it, they get listed.
I'll share my collector code, which is a one-line script:
socat -u TCP4-LISTEN:<port>,reuseaddr,fork OPEN:/logfile &
The pair of these programs can be used to collect any kind of data
based on troublemakers hitting ports that shouldn't be hit. This could
be used for ssh attempts, anything. These programs feed IP collection
systems, and then some task manages the list, rotates it, and generates
DNS blacklists.
I'm thinking such a system might be really useful.

Yes, I think that would give a zero-FP blacklist of IPs.
Any real MTA would do an MX lookup.
IMO, if mail is sent to non-MX IPs, the mail is spam and the IP is a
spammer's.
(Internal misconfigured transport relays need to be excluded.)

There is one caveat in this argument. Yes, an MTA would look up the MX,
but it is the MX as seen in DNS, not as seen in _your_ zone.
In short, if someone declares you as their MX (without your
authorization), you should not start listing clients that try to send
mail to such domains.
This is one problem with the MX "standard": anybody can list your
servers as their MX. There is no authorization mechanism.
So when collecting such "anomalies", you need to do some checks before
listing the client. As a result, you need the "intended" recipient, in
which case a real SMTP daemon is the right choice.
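
The following is an added example, not code posted in this thread. It puts the caveat above into practice: a minimal fake SMTP listener that speaks just enough of the protocol to learn each RCPT TO domain, and reports the client IP to the collector (the same thing the `echo ... | nc` one-liner does) only when no MX record for that domain names this host, while excluding internal relay networks as suggested earlier. The hostnames, exempt network, collector address, listen port and the MX table are assumed values for illustration; the MX table is a constructed stand-in for real DNS answers so the decision logic runs offline.

```python
"""Port-25 collector with the MX check from the thread (added example).

Speaks only enough SMTP to learn each RCPT TO domain, then reports the
client IP only when no MX for that domain names this host, so clients that
were told (even without our consent) to deliver here are not listed.
DNS is reached through an injectable lookup so the logic runs offline.
"""
import ipaddress
import re
import socket
import socketserver

# --- assumed site-specific values (not from the thread) -------------------
OUR_MX_NAMES = {"mx.example.com."}                      # names this box is MX as
EXEMPT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # internal relays to skip
COLLECTOR = ("collector.example.com", 9999)             # where echo|nc would point
LISTEN = ("0.0.0.0", 2525)                              # port 25 needs root

# Constructed MX data standing in for real DNS answers (domain -> MX hosts).
FAKE_MX = {
    "example.com.": ["mx.example.com."],
    "partner.example.": ["mx.example.com."],      # legitimately routes mail to us
    "victim.example.": ["mail.victim.example."],  # no MX points at us
}


def fake_mx_lookup(domain):
    """Stand-in for a DNS MX query; unknown domains return no MX hosts."""
    return FAKE_MX.get(domain, [])


def fqdn(name):
    return name.lower().rstrip(".") + "."


def domain_of(path):
    """Domain part of an SMTP path such as 'RCPT TO:<bob@Victim.Example>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", path)
    return fqdn(m.group(1)) if m else None


class SmtpProbe:
    """One SMTP dialog: feed() returns the reply for each client line,
    verdict() decides after the dialog whether the peer should be listed."""

    def __init__(self, client_ip, our_mx=OUR_MX_NAMES, mx_lookup=fake_mx_lookup):
        self.client_ip = client_ip
        self.our_mx = {fqdn(n) for n in our_mx}
        self.mx_lookup = mx_lookup
        self.rcpt_domains = []
        self.done = False

    def feed(self, line):
        cmd = line.strip()
        verb = cmd.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 honeypot"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            d = domain_of(cmd)
            if d:
                self.rcpt_domains.append(d)
            return "250 OK"                  # keep talking to learn every recipient
        if verb == "DATA":
            return "554 Transaction failed"  # never accept a message body
        if verb == "QUIT":
            self.done = True
            return "221 Bye"
        return "502 Command not implemented"

    def verdict(self):
        """Client IP to list, or None. Lists only when some RCPT TO domain
        has no MX naming us; internal relays and clients that never issued
        RCPT TO are not listed."""
        ip = ipaddress.ip_address(self.client_ip)
        if any(ip in net for net in EXEMPT_NETWORKS):
            return None
        unauthorised = [d for d in self.rcpt_domains
                        if not self.our_mx & {fqdn(h) for h in self.mx_lookup(d)}]
        return self.client_ip if unauthorised else None


def report(ip, collector=COLLECTOR):
    """Equivalent of:  echo "$ip" | nc -w 2 <host> <port>"""
    with socket.create_connection(collector, timeout=2) as s:
        s.sendall((ip + "\n").encode("ascii"))


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        probe = SmtpProbe(self.client_address[0])
        self.wfile.write(b"220 honeypot ESMTP\r\n")
        while not probe.done:
            raw = self.rfile.readline(512)
            if not raw:
                break
            reply = probe.feed(raw.decode("latin-1"))
            self.wfile.write((reply + "\r\n").encode("ascii"))
        ip = probe.verdict()
        if ip:
            report(ip)


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN, Handler) as srv:
        srv.serve_forever()
```

In a real deployment replace `fake_mx_lookup` with an actual DNS query and also apply the implicit-MX rule (a domain with no MX records routes mail to its A/AAAA address) before concluding that nobody legitimately routes mail to this host; a client that connects and leaves without any RCPT TO gives the probe nothing to judge, which is exactly the gap the plain port-25 logger cannot close.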