Loading ...
Sorry, an error occurred while loading the content.

Re: Need help blocking spam by IP address owner

Expand Messages
  • Stan Hoeppner
    ... This is a classic snowshoe spammer attack and I ve seen it hundreds of times. Snowshoe is incredibly difficult to block with automation but it s getting
    Message 1 of 6 , Nov 28, 2012
    • 0 Attachment
      On 11/28/2012 7:55 AM, vince@... wrote:
      > I am receiving spam from ever changing client IP addresses. Each spam
      > has other tiny variations that prevent string matching. The one thing
      > they all have in common is the owner of the IP addresses. Is there any
      > way to do lookup of the client IP owner at Prescreen or SMTP time to
      > REJECT the incoming connection? Is this a workable solution? I've
      > searched the web, the documentation and archives. No luck. Does anyone
      > have a solution or script? Thanks!

      This is a classic snowshoe spammer attack and I've seen it hundreds of
      times. Snowshoe is incredibly difficult to block with automation but
      it's getting better. There are a number of ways to beat this back
      without writing custom code. First, are you using both BRBL and
      Spamhaus Zen DNSBLs? If not use them. How about Spamhaus DBL? The DBL
      contains tons of snowshoe domains. Usage:

      smtpd_recipient_restrictions =
      ...
      reject_rbl_client zen.spamhaus.org
      reject_rbl_client b.barracudacentral.org
      reject_rhsbl_reverse_client dbl.spamhaus.org
      reject_rhsbl_sender dbl.spamhaus.org
      reject_rhsbl_helo dbl.spamhaus.org
      ...

      If that doesn't knock most of it down, simply use a local CIDR table.
      I've been building my ad hoc table for about 5 years now and I'm
      blocking 1685 snowshoe netblocks from /27 to /15 that have sent spam
      here. You're welcome to use it if you like. WARNING: it is very
      aggressive and may cause FPs at your site, so use with care and monitor
      it, removing or remarking entries that cause (too many) FPs.

      http://www.hardwarefreak.com/spammer.txt

      You can append this to your Postscreen blacklist or use it in
      smtpd_foo_restrictions such as:

      smtpd_recipient_restrictions =
      ...
      check_client_access /etc/postfix/spammer.cidr
      ...

      Later I can teach you how to build/maintain/expand such a file when
      snowshoe hits you from new netblocks, and provide you some tools for
      looking at a netblock's rDNS entries to see if it's totally spammy or
      shared with legit senders.

      Happy snowshoe hunting.

      --
      Stan
    Your message has been successfully submitted and would be delivered to recipients shortly.