[Mimedefang] Pesky RCPT Flooding

Chad Stalvey cstalvey at hcsmail.com
Thu Mar 27 12:39:00 EST 2003


Well, I finally got sick and tired of these guys so I installed swatch to
monitor the maillog for 'Possible SMTP RCPT flood, throttling' and execute a
script that extracts the offending IP and adds a bogus route to the
routing table. Seems to be working pretty well. I'd say more than 75% so far
have been from the Asia Pacific network.

Pretty simple script, but you do need RCPT throttling defined, swatch
running to hand off the log entry to the script, and you need to create a
file that holds the IP addresses so you can keep track.

Works well on FreeBSD.

I am a novice when it comes to Perl... It's pretty short when you take the
comments out.

#!/usr/bin/perl
use strict;
use warnings;

# This script pulls out the offending IP Address of someone that gets three
# bad RCPT's during a single smtp connection. Then places a bogus route to
# that address in the routing table.
#
# Swatch is running looking for the 'Possible SMTP RCPT flood, throttling'
# text in /var/log/maillog, and hands off that line to this script. From the
# nature of the logs, we know that if there is a valid reverse lookup, then
# the IP address will fall into argument 8 with the resolved domain name in
# argument 7. If there is not a valid reverse lookup, no domain is displayed
# and the IP address falls into argument 7. So, we must take in both
# arguments 7 and 8 and then determine which is the ip address. Syslog will
# always log the IP address as [xxx.xxx.xxx.xxx]:, and domains will not
# start with a bracket, so we test for a bracket.

my $case_one = defined $ARGV[6] ? $ARGV[6] : "";
my $case_two = defined $ARGV[7] ? $ARGV[7] : "";

# index() returns -1 when there is no bracket; compare numerically, not
# with a pattern match.
my $check_one = index($case_one, "[");
my $raw_IP;
if ($check_one == -1) {
        $raw_IP = $case_two;
} else {
        $raw_IP = $case_one;
}

# Now that we have a raw IP format of [xxx.xxx.xxx.xxx]: we need to extract
# the IP address.

my $rawIP_len = length($raw_IP) - 3;
my $IP_address = substr($raw_IP, 1, $rawIP_len);

# Refuse to continue unless this really is a dotted quad. The value is
# interpolated into shell commands below, so nothing else may reach them.
if ($IP_address !~ /^\d{1,3}(?:\.\d{1,3}){3}$/) {
        `echo 'could not parse an IP address from the log line' | mail rcptblocked`;
        exit;
}

# This is simply hypothetical error checking.
# If the IP has already been blocked, then we shouldn't see it again.
# We have an IP address of the offending party. Lets see if they are already
# blocked by searching for them in the file that contains all blocked IP
# Addresses. We don't want duplicate entries in our routing table. If it is
# not listed in the file then we will write it there. If by chance it is
# there, we send a mail message stating that something is wrong and exit.

my @blocked_IPs = `cat /etc/swatch/blocked_addresses`;
foreach my $address (@blocked_IPs) {
        chomp $address;
        # Exact comparison, so 10.1.1.1 does not match 10.1.1.10.
        if ($address eq $IP_address) {
                `echo 'offending $IP_address matches $address' | mail rcptblocked`;
                exit;
        }
}

# Now write the address to the list of blocked addresses.

`echo $IP_address >> /etc/swatch/blocked_addresses`;

# Next and final step is to add a bogus route entry so that this person
# can't get back in without notifying you first.

`route add $IP_address 192.168.23.23`;

# Send a message to administrator telling them of the blocked IP. This may
# go away if we get too much mail.

`echo '$IP_address was blocked' | mail rcptblocked`;

exit;




Chad Stalvey
Systems Engineer
Hayes E-Government Resources
www.hcs.net
850.297.0551 ext.136
Mobile 508.0485
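As an added example (not from the post above or from the MIMEDefang project), the same extraction done by matching the log line itself instead of picking a field by position, so the reverse-lookup and no-reverse-lookup forms the post describes are both handled, the address is validated before it is used anywhere, and the already-blocked check is an exact match. The log lines are constructed in the shape the post describes; the bogus gateway is the one the post uses.

```python
import re

# Constructed sample lines in the shape the post describes (not real log data):
# one with a resolved name before the bracketed address, one without, one unrelated.
SAMPLE_LINES = [
    "Mar 27 12:39:00 mx sendmail[4242]: h2RHd0Ab004242: mail.example.net "
    "[192.0.2.10]: Possible SMTP RCPT flood, throttling.",
    "Mar 27 12:40:11 mx sendmail[4251]: h2RHe0Ab004251: "
    "[198.51.100.7]: Possible SMTP RCPT flood, throttling.",
    "Mar 27 12:41:02 mx sendmail[4260]: h2RHf0Ab004260: from=<a@example.org>, size=1024",
]

# The bracketed relay address immediately precedes the throttle message whether
# or not a reverse-DNS name was logged before it, so anchor on the message.
THROTTLE_RE = re.compile(
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\]: Possible SMTP RCPT flood, throttling"
)

BOGUS_GATEWAY = "192.168.23.23"  # the black-hole next hop used in the post


def extract_offender(line):
    """Return the offending IPv4 address from a throttle line, or None."""
    m = THROTTLE_RE.search(line)
    if not m:
        return None
    ip = m.group(1)
    # Reject malformed octets so only a real dotted quad reaches the routing table.
    if any(int(octet) > 255 for octet in ip.split(".")):
        return None
    return ip


def route_command(ip):
    """argv list for the bogus route; pass to subprocess.run without a shell."""
    return ["route", "add", ip, BOGUS_GATEWAY]


def process(lines, blocked):
    """Return addresses to newly block; `blocked` (a set) is updated in place.

    Membership is an exact match, so 10.1.1.1 never matches 10.1.1.10.
    """
    new = []
    for line in lines:
        ip = extract_offender(line)
        if ip is None or ip in blocked:
            continue
        blocked.add(ip)
        new.append(ip)
    return new
```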