[Greylist-users] machine gun

Wayne Walker wwalker at bybent.com
Fri Jan 20 16:15:13 PST 2006


Thomas Cameron posted this to the Austin Linux Group:

"I know there are probably a million better ways to do this, but I just
ran the following two commands on all my Internet facing machines:

iptables -I INPUT -p tcp --dport 22 -m state --state NEW \
 -m recent --update --seconds 60 --hitcount 4 -j DROP

iptables -I INPUT -p tcp --dport 22 -m state --state NEW \
 -m recent --set

I got them from http://www.debian-administration.org/articles/187 and
they seem to work quite nicely.

I reversed the order from the article because (if I understand it
correctly) the second one needs to be the first rule and the -I inserts
the rules at the top of the chain.  So the end result is that the --set
rule is first, which adds the connecting host to the "recent" set.  The
second rule is the one that DROPs the connection.

Thomas"

If you change 4 to 40, 60 to 120 and 22 to 25, that ought to stop them.
Unless you actually have a client or foreign MTA that justifiably connects
more than 40 times in 2 minutes....

Zero overhead after adding two lines to /etc/rc.local :)

Wayne

On Fri, Jan 20, 2006 at 02:08:09PM -0700, Barb Dijker wrote:
> We are starting to see more machine gun spammers.  For example,  
> yesterday youngexplorerscatalog.net attempted to send a message to a  
> single recipient once per second until greylisting allowed the message.
> 
> I'm thinking about a hook to set a threshold for promoting a mail  
> server to automatic temporary BL.  I've been doing this manually when  
> we get hammered.  But it is happening too often anymore.  Has anyone  
> done this already?  Suggestions?
> 
> A quick peruse of the database shows a small handful of legitimate  
> mail that appears to be using the machine gun approach, e.g.,  mail  
> (really) from ebay that was blocked 80 or 90 times before being  
> passed once.  Blackberry.com does it pretty regularly.  An att.net  
> outgoing server hit almost once a second.  This sort of thing is  
> killer to the server with just the connection overhead.  Our delay is  
> only 4 minutes.  So if a triple has been blocked more than 48 times,  
> it is trying more frequently than once every 5 seconds.  That seems  
> excessive.
> 
> Barb Dijker x100
> Netrack, 3080 Valmont Rd Ste 200, Boulder CO 80301
> +1.303.938.0188, toll free +1.888.9Netrack, fax +1.303.938.0177
> www.netrack.net

-- 

Wayne Walker

www.unwiredbuyer.com - when you just can't be by the computer

wwalker at bybent.com                    Do you use Linux?!
http://www.bybent.com                 Get Counted!  http://counter.li.org/
Perl - http://www.perl.org/           Perl User Groups - http://www.pm.org/
Jabber:  wwalker at jabber.gnumber.com   AIM:     lwwalkerbybent
IRC:     wwalker on freenode.net
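Added example, not from the thread: a small model of what the two "recent" rules do to SMTP traffic, run against constructed connection times for a once-per-second machine-gun sender and an MTA that retries every 4 minutes (the greylist delay Barb mentions). The model assumes each NEW connection records one timestamp and is dropped when at least hitcount timestamps fall inside the last "seconds" seconds; the IP addresses are documentation addresses, not real hosts.

```python
"""Model of iptables -m recent (--set, then --update --seconds --hitcount -j DROP)
applied to SMTP connection attempts. Simplifying assumption: every NEW
connection records one timestamp for its source, and it is dropped when at
least HITCOUNT timestamps (this one included) lie within the last SECONDS
seconds. Traffic below is constructed, not captured."""
from collections import defaultdict, deque


def simulate(attempts, seconds, hitcount):
    """attempts: (time_in_seconds, source_ip) pairs in time order.
    Returns {ip: (accepted, dropped)} under the two-rule scheme."""
    stamps = defaultdict(deque)              # per-source timestamps, like the recent table
    result = defaultdict(lambda: [0, 0])
    for t, ip in attempts:
        q = stamps[ip]
        q.append(t)                          # first rule: --set records this hit
        while q and t - q[0] > seconds:      # only hits inside the sliding window count
            q.popleft()
        if len(q) >= hitcount:               # second rule: --update --hitcount -> DROP
            result[ip][1] += 1
        else:
            result[ip][0] += 1
    return {ip: tuple(v) for ip, v in result.items()}


# Constructed traffic: a machine-gun sender retrying once per second for 10 minutes,
# and a well-behaved MTA retrying every 4 minutes over the same period.
MACHINE_GUN = [(t, "192.0.2.10") for t in range(600)]
POLITE_MTA = [(t, "198.51.100.20") for t in range(0, 600, 240)]
TRAFFIC = sorted(MACHINE_GUN + POLITE_MTA)


def wayne_rules():
    """Wayne's suggested parameters for port 25: 40 hits within 120 seconds."""
    return simulate(TRAFFIC, seconds=120, hitcount=40)


def thomas_rules():
    """Thomas's original SSH parameters: 4 hits within 60 seconds."""
    return simulate(TRAFFIC, seconds=60, hitcount=4)


if __name__ == "__main__":
    for name, r in (("40 hits / 120 s", wayne_rules()), ("4 hits / 60 s", thomas_rules())):
        print(name, r)
```

The machine-gun sender gets its first 39 connections through and is then dropped on every later attempt, because each dropped attempt still adds a timestamp and keeps the window full; the 4-minute retrier is never touched. One check before relying on --hitcount 40: the kernel's recent module only remembers a fixed number of timestamps per address (the ip_pkt_list_tot module parameter, 20 by default), and iptables refuses a hitcount larger than that, so the parameter has to be raised when the module is loaded.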