BenV's notes

Qmail + Spamdyke and fail2ban

by on Nov.03, 2009, under Morons, Software

Yesterday evening I was curiously looking at some tcpdump traffic that went through our dom0 of Xenbro. There seemed to be a ton of weird DNS requests. And by weird I mean spamlike domains, like familiesfirstmedical.com. After wondering for a bit I realized they were coming from our service domU that runs mail for the junerules.com domain.
I logged in and was surprised to see more than 50 active connections busy trying to deliver mostly spam to us. Fortunately I have some anti-spam things enabled like spamassassin and reverse DNS checking (which is where the DNS requests came from) and some more things using Spamdyke. However, checking the maillog I noticed that there were over 300000 denied connections from a day earlier! Time to become a bit more aggressive in getting rid of zombie machines trying to spam us.

As a side story, since we moved our junerules.com domain from our very kind previous host to our own Xenbro machine, the amount of spam we receive plummeted. Apparently not because they stopped spamming on the domain though. I’m sure our previous host is glad he doesn’t have to deal with all the attention and traffic anymore :).
The main reason for this spam drop seems to be spamdyke. I’m sure you have your own opinion about how nice or acceptable it is to run graylisting and reverse DNS checking and all that, but my opinion is that if you have a badly configured mailserver (read: windows zombie machine) you can die in a fire for all I care. Fix your mailserver and then I’ll accept your mail.
Too bad for the few properly configured mailservers out there that now have to try twice to get through the graylisting…. then again, it’s a small price to pay.

Anyway, to get rid of assholes trying to bruteforce their way into my ssh daemon I run fail2ban, which lets you try to get in a few times and then blocks your IP for a week. That’s how much I like them. So I decided to add a new filter to fail2ban, which gets rid of asshole mailservers that will fail their next attempts anyway. Those are the mailservers that spamdyke denies with the following errors:

  • DENIED_RDNS_MISSING – in other words, the mailserver doesn’t have a reverse DNS entry. You can’t be serious, that has to be a zombie.
  • DENIED_IP_IN_CC_RDNS – means the mailserver probably has a dynamic IP address from their local ISP. Mostly zombies. Sorry for the 2 mailservers out there that are legitimate that mail like this. I’ll whitelist you whenever I see complaints.
  • DENIED_RDNS_RESOLVE – means the reverse DNS does not resolve to the IP address it connected from. Get lost. However, this one should be used with care, because if the DNS resolver fails for whatever reason spamdyke will also issue this. So consider carefully whether you want to use this in the fail2ban filter.

Since the above failures will keep coming back if they retry, I block these asshole servers for a week.
Here’s my /etc/fail2ban/filter.d/spamdyke.conf:
[Download not found]

Simply put it in /etc/fail2ban/filter.d and edit /etc/fail2ban/jail.local and add something like this:

[spamdyke-rdns]
enabled = true
filter = spamdyke
action = iptables-allports[name=SPAM, protocol=all]
logpath = /var/log/maillog
maxretry = 2
bantime = 604800

Then reload fail2ban:

# fail2ban-client reload
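
The filter file is not reproduced on this page, so the following is an added example, not the author's spamdyke.conf: a Python sketch of the matching and threshold logic that such a filter and the jail's maxretry = 2 implement, run over constructed maillog lines. The spamdyke log line layout, the sample lines and the names build_regex and hosts_to_ban are assumptions.

```python
import re
from collections import Counter

# Reasons from the post. DENIED_RDNS_RESOLVE is opt-in because spamdyke also
# logs it when the local resolver fails, which would ban legitimate senders.
ALWAYS = ("DENIED_RDNS_MISSING", "DENIED_IP_IN_CC_RDNS")
RISKY = ("DENIED_RDNS_RESOLVE",)
MAXRETRY = 2  # same threshold as the jail; findtime is ignored here

def build_regex(include_resolve=False):
    reasons = ALWAYS + (RISKY if include_resolve else ())
    # Anchor on the spamdyke[pid] tag and read the host only from origin_ip,
    # so text in the sender-supplied from:/to: fields is never read as the address.
    return re.compile(
        r"spamdyke\[\d+\]: (?P<reason>%s) from: \S* to: \S* "
        r"origin_ip: (?P<host>\d{1,3}(?:\.\d{1,3}){3})\b" % "|".join(reasons)
    )

def hosts_to_ban(lines, include_resolve=False, maxretry=MAXRETRY):
    """Return the sorted IPs whose matching denials reach maxretry."""
    rx = build_regex(include_resolve)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample lines (assumed spamdyke format, documentation IP ranges).
SAMPLE_LOG = """\
Nov  3 09:00:01 service spamdyke[4101]: DENIED_RDNS_MISSING from: a@spam.example to: x@junerules.com origin_ip: 192.0.2.10 origin_rdns: (unknown) auth: (unknown)
Nov  3 09:00:07 service spamdyke[4102]: DENIED_RDNS_MISSING from: b@spam.example to: x@junerules.com origin_ip: 192.0.2.10 origin_rdns: (unknown) auth: (unknown)
Nov  3 09:01:12 service spamdyke[4103]: DENIED_IP_IN_CC_RDNS from: c@spam.example to: y@junerules.com origin_ip: 198.51.100.7 origin_rdns: 7.dyn.isp.example auth: (unknown)
Nov  3 09:02:30 service spamdyke[4104]: DENIED_RDNS_RESOLVE from: d@mail.example to: y@junerules.com origin_ip: 203.0.113.5 origin_rdns: mx.mail.example auth: (unknown)
Nov  3 09:02:41 service spamdyke[4105]: DENIED_RDNS_RESOLVE from: d@mail.example to: y@junerules.com origin_ip: 203.0.113.5 origin_rdns: mx.mail.example auth: (unknown)
Nov  3 09:03:00 service spamdyke[4106]: DENIED_GRAYLISTED from: e@ok.example to: x@junerules.com origin_ip: 203.0.113.9 origin_rdns: mx.ok.example auth: (unknown)
Nov  3 09:03:20 service spamdyke[4107]: ALLOWED from: e@ok.example to: x@junerules.com origin_ip: 203.0.113.9 origin_rdns: mx.ok.example auth: (unknown)
""".splitlines()

if __name__ == "__main__":
    print("ban (default):", hosts_to_ban(SAMPLE_LOG))
    print("ban (with RDNS_RESOLVE):", hosts_to_ban(SAMPLE_LOG, include_resolve=True))
```

With a real filter file in place, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/spamdyke.conf` does the same dry run with fail2ban's own matcher.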

After enabling it about 12 hours ago, this is the result:

root@service# fail2ban-client status spamdyke-rdns
Status for the jail: spamdyke-rdns
|- filter
|  |- File list: /var/log/maillog
|  |- Currently failed: 72
|  `- Total failed: 10065
`- action
   |- Currently banned: 1987
   |- too many to list
   `- Total banned: 1987

Simply amazing. We’ll end up blocking half the internet. Oh well, it’s only the bad part of the internet anyway.



