Hurting email spammers with iptables

Discussion in 'Linux Networking' started by S.K.R. de Jong, May 16, 2014.

  1. I run a small email server in which (of course) I get a certain
    amount of spam. I know exactly what IP addresses the spam is coming from,
    so keeping it at bay is easy. However, I'd like to do more than that.

Would it be possible, with iptables, to arrange things on my side
    so that resources are potentially indefinitely consumed at the system
    with the IP address from which the spam is being sent?

    For instance, since the connection to port 25 is a TCP
    connection, would it be possible to force them to keep that connection
    open for several minutes, before telling them that their spam has been
    rejected?
     
    S.K.R. de Jong, May 16, 2014
    #1

  2. Bit Twister Guest

    Hehehe, apparently you think the spammers are stupid.

    You would be stupid to install your DOS (Denial Of Service) "Feature".

    Take this example:
    Some criminal cracks into a dam, lock control, air traffic control
    system, .... and rents that system to a spammer.

    You get spam from the compromised system, you cause a DOS, and take a
    guess who will be having a free bed and breakfast at a barbed wire hotel.

    After you spend several hundred dollars an hour to get a lawyer good
    enough to get you out of jail, there would be no telling how big a
    fine you would have to pay, not to mention even getting all your
    equipment back from them.

    Go for it, maybe you can get Usenet access after you get out of prison
    to tell us how it went.
     
    Bit Twister, May 17, 2014
    #2

  3. So, if you use the scheme described in

    http://www.benzedrine.cx/relaydb.html

    you might end up in the big house? What I am talking about is similar to
    that, but with iptables instead.
     
    S.K.R. de Jong, May 17, 2014
    #3
  4. Bit Twister Guest

    That link points to a passive response. Your post seemed to indicate
    an aggressive response. Your system not responding is not going to get
    you into any law enforcement trouble.
    Offhand, I would think just trying to set rules for each undesired IP address
    will get pretty large and degrade performance.
     
    Bit Twister, May 17, 2014
    #4
  5. Be it as it may, what iptables rules would accomplish something
    similar to what is described in the link?
     
    S.K.R. de Jong, May 18, 2014
    #5
  6. detha Guest

    You are probably looking for the '-j TARPIT' target. Most distributions
    don't include that by default (because it is too easy to shoot yourself
    in the foot with it - every active tarpit consumes resources on /your/
    server, and it opens you up to being DDOSed just by opening a bunch of
    connections to a tarpit'ed port).

    Some have it as a kernel module (e.g. Debian has it in the
    xtables-addons-common package).

    -d
     
    detha, May 18, 2014
    #6
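As an added example (not code from the thread, and not part of the xtables-addons project itself): a small shell script that emits the ipset and iptables commands needed to send port-25 connections from a list of known spam sources to the xtables-addons TARPIT target, with a per-source SYN rate cap in front of it so a flood of connections to the tarpitted port cannot be turned back against the server. The set name "spamsrc", the rate "10/minute", the sample addresses (RFC 5737 documentation ranges) and the availability of the xt_TARPIT module and the ipset tool are all assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from xtables-addons: emit the ipset
# and iptables commands that hand port-25 connections from known spam
# sources to the TARPIT target. Placeholders (not from the original post):
# set name "spamsrc", SMTP port 25, SYN cap of 10/minute per source, and
# documentation-range sample addresses. Assumes xt_TARPIT and ipset exist.

SET_NAME="${SET_NAME:-spamsrc}"
SMTP_PORT="${SMTP_PORT:-25}"
SYN_RATE="${SYN_RATE:-10/minute}"

# Constructed sample of "known spam sources"; replace with your own list.
SAMPLE_SOURCES="192.0.2.10 198.51.100.0/24 203.0.113.77"

# One hash:net ipset holds every source, so the filter needs a single rule
# rather than one rule per address (the rule-list growth raised earlier in
# the thread is what this avoids). -exist makes the commands idempotent.
ipset_rules() {
    echo "ipset -exist create $SET_NAME hash:net"
    for src in "$@"; do
        echo "ipset -exist add $SET_NAME $src"
    done
}

# Three rules, in order:
#  1. raw/PREROUTING: do not conntrack these flows. TARPIT answers from
#     netfilter without a local socket, so there is no reason to let a
#     flood of tarpitted connections fill the conntrack table.
#  2. filter/INPUT: cap new SYNs per source with hashlimit (which keeps its
#     own per-source table and does not depend on conntrack) and DROP the
#     excess, so a source that opens connections in bulk cannot use the
#     tarpit rule as a resource-exhaustion vector against this host.
#  3. filter/INPUT: everything else from the set on the SMTP port is
#     tarpitted. This matches all TCP segments, not only SYN, because
#     TARPIT has to see every packet of a connection to keep holding it.
iptables_rules() {
    cat <<EOF
iptables -t raw -A PREROUTING -p tcp --dport $SMTP_PORT -m set --match-set $SET_NAME src -j CT --notrack
iptables -A INPUT -p tcp --dport $SMTP_PORT --syn -m set --match-set $SET_NAME src -m hashlimit --hashlimit-above $SYN_RATE --hashlimit-mode srcip --hashlimit-name tarpit$SMTP_PORT -j DROP
iptables -A INPUT -p tcp --dport $SMTP_PORT -m set --match-set $SET_NAME src -j TARPIT
EOF
}

# Everything in the order it must be applied: the set before the rules
# that reference it.
all_rules() {
    ipset_rules $SAMPLE_SOURCES
    iptables_rules
}

# Default is to print the commands for review; "apply" pipes them to sh.
case "${1:-print}" in
    apply) all_rules | sh ;;
    *)     all_rules ;;
esac
```

Run it without arguments first and read the output; only run `sh script.sh apply` as root on a host where `modinfo xt_TARPIT` confirms the module is present, and test against a throwaway source address before pointing it at real traffic, since a typo in the set contents tarpits legitimate senders with no error message.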
  7. Thanks. This seems to be pretty much what I was looking for.
     
    S.K.R. de Jong, May 18, 2014
    #7
  8. buck Guest

    TARPIT does not work, at least not as you desire.

    That's because it shrinks the window, which causes the sender to send
    a TCP reset (RST), closing the connection.

    The original idea was to allow the spammer to connect to your SMTP
    server and then set the window to one byte, so that each packet
    contains 1 byte, causing the transaction to take FOREVER to send even
    a small message. But when spammers figured that out, they just
    changed the TCP software to terminate the connection (RST) and go on
    to the next victim.
     
    buck, May 18, 2014
    #8
  9. Doug Laidlaw Guest

    Don't use iptables. For newsgroups, I use Leafnode, and filter out
    anything from Google Groups. That accounts for about 95 per cent.

    What are you trying to stop? Any emails will get through your firewall
    because you have allowed POP. Install SpamAssassin, and add the undesired
    addresses to your blacklist. Much easier.

    Doug.
     
    Doug Laidlaw, May 22, 2014
    #9
  10. You are extremely unlikely to inconvenience the spammer. At most you
    might inconvenience whoever it is they are stealing resources from, and
    possibly not even them very much.
     
    Richard Kettlewell, May 23, 2014
    #10
