[Mimedefang] Blocking spam senders using IPTables?

Paul Murphy pmurphy at ionixpharma.com
Mon Nov 1 11:26:11 EST 2004


Hi,

We've recently seen a large increase in SPAM volume, and although SA is taking
care of the classification, a simple analysis of the messages shows that most
have a pattern, in that everything which has a particular user's e-mail address
in the subject is SPAM.

Looking at the relay IP addresses, almost all are immediately suspected to be
SPAM sender domains, rather than botnets or abused relays/proxies:


Given that real mail from these sites is unlikely, I'm tempted to implement a
system of blocking all traffic from these IP addresses using the following
scheme:

A.  Add a date/time stamped record to a database with that IP address as the
key, and a spam count of 1
B.  If the number of records matching that IP is now 3 or more, modify the
IPTables system to drop all traffic from that IP with an ICMP Host-Prohibited
message
C.  Run a daily expiry process which removes all records which are more than X
days old (with X starting at 10 days) and which removes the IPTables entry if
the new count is less than 3.

They appear to be using a bank of outgoing mail servers which are all on
different IP addresses, and although I see multiple messages from some
addresses, my current volume is low enough that it is normal to see addresses
only two or three times in a couple of days - 493 messages from 223 unique IP
addresses.

I'd also be interested in implementing a block based on address range check, so
perhaps if more than 10 SPAM messages which scored over 10 were received from an
address block, then the known or estimated range of SPAM senders in that block
would be blacklisted using IPTables, with a daily review.  To illustrate this,
suppose I received 3 SPAM messages from 1.2.3.4, 2 messages from 1.2.3.8, 2
messages from 1.2.3.9, and four from 1.2.3.12, then working firstly with a
nominal class C assumption I would calculate that the average value for the
fourth octet is 8.25, the standard deviation is 3.3, and so the normal range
would be 5 to 11 - as a result, I would block all of the known IP values, plus
the values in the range between 5 and 11, nicely filling in the gaps in the
known range.  This would go into the database with a timestamped value of 3.

Given that I am happy that the false positive rate is zero based on the last
week of logs, can anyone see any issues with this approach?  Any suggestions on
how to improve it?

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788
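The bookkeeping in steps A to C and the class C range estimate, as an added example in Python that is not part of the original message. The dict used as the database, the integer day numbers, the 1.2.3 prefix and the threshold constants are assumptions taken from the post's own figures; the range ends are rounded inward so that the post's 8.25, 3.3 and 5 to 11 come out.

```python
import math

BLOCK_THRESHOLD = 3     # hits inside the window before a single IP is blocked
EXPIRY_DAYS = 10        # the post's initial X
RANGE_MIN_HITS = 10     # a /24 needs more than this many hits before a range is estimated

def record_hit(db, ip, day):
    """Step A: add a dated record keyed on the sending IP (dict stands in for the DB)."""
    db.setdefault(ip, []).append(day)

def ips_to_block(db):
    """Step B: every IP with BLOCK_THRESHOLD or more records in the window."""
    return sorted(ip for ip, days in db.items() if len(days) >= BLOCK_THRESHOLD)

def expire(db, today, window=EXPIRY_DAYS):
    """Step C: drop records older than `window` days; return the IPs that fell
    below the threshold, whose firewall rule should therefore be removed."""
    cutoff = today - window
    unblocked = []
    for ip, days in list(db.items()):
        kept = [d for d in days if d >= cutoff]
        if len(days) >= BLOCK_THRESHOLD > len(kept):
            unblocked.append(ip)
        if kept:
            db[ip] = kept
        else:
            del db[ip]
    return unblocked

def estimate_range(octets):
    """Mean and sample standard deviation of the distinct fourth octets, plus the
    band mean +/- sd rounded inward (ceil low, floor high): 4,8,9,12 -> 5..11."""
    vals = sorted(set(octets))
    mean = sum(vals) / len(vals)
    var = sum((v - mean) ** 2 for v in vals) / (len(vals) - 1) if len(vals) > 1 else 0.0
    sd = math.sqrt(var)
    return mean, sd, math.ceil(mean - sd), math.floor(mean + sd)

def block_set(prefix, hits):
    """hits maps fourth octet -> spam count inside the /24 `prefix`. Returns the
    known senders plus the estimated range, or nothing under RANGE_MIN_HITS."""
    if sum(hits.values()) <= RANGE_MIN_HITS:
        return []
    _, _, low, high = estimate_range(hits)
    return [f"{prefix}.{o}" for o in sorted(set(hits) | set(range(low, high + 1)))]

def reject_rule(ip):
    """The iptables command the post describes (reject with ICMP host-prohibited)."""
    return f"iptables -I INPUT -s {ip} -j REJECT --reject-with icmp-host-prohibited"
```

reject_rule only builds the command string; applying and later deleting the rule is left to whatever wrapper manages the firewall, so the daily expiry can remove exactly the rules it added.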
