Cutting off IP connectivity to spam sources
BGP

The first method involves dropping routes received via BGP, so it is typically better suited to ISPs than to individual users. See MAPS for more information.

Router ACLs

The second method is useful if you don't run BGP, for example if your site is an end node on the Internet. You probably already use router access lists to implement packet filtering for security purposes. Simply add the IP range of the spam sites to your packet filters, and no spam packets will reach your site.

On a Cisco router, the ACL is defined by:

    access-list 100 deny ip ppp.qqq.rrr.0 0.0.0.255 any

where ppp.qqq.rrr.0 is the address used by the spamming site. If "ip" is replaced by "tcp" and "any" is followed by "eq smtp", only SMTP will be blocked, as per "port blocking selected outgoing calls". Note that with more complex ACLs the ORDER IS SIGNIFICANT.

The interface to filter also needs:

    ip access-group 100 in

Linux routing

Linux boxes with IP filtering enabled can use a command such as

    ipfwadm -I -a deny -S ppp.qqq.rrr.000/255.255.255.0

or (depending on the release version?)

    ipfwadm -I -a deny -S ppp.qqq.rrr.000/24 -D 0.0.0.0/0

"-I" means "incoming firewall rule". "-a deny" means "add the policy to deny this". "-S ppp.qqq.rrr.000/255.255.255.0" means the traffic has the source address and netmask as specified. "-D 0.0.0.0/0" means to any destination. You can also use "-a reject" instead of "-a deny". When you use "reject", the remote site gets "connection refused". When you use "deny", the remote site just thinks the connection times out. Conversely, ISPs can be good net citizens by port blocking selected outgoing calls.

Using the LBL BPF kernel filter

The LBL BPF kernel filter can be used to reject packets from SPAM sites with "port unreachable" using a filter such as

    dst port 25 and (src net 205.199.212 or src net 204.250.46/27)

The author warns: "Installing BPF kernel filters is not for everyone. But it's not too difficult to install the current version of bpf on a SunOS 4 kernel and I will soon include the necessary patches for FreeBSD." Update 14 June 2002: BPF is now a standard part of FreeBSD.
TCP Wrappers

The third method makes use of the TCP wrappers package. (The latest version is available at ftp://ftp.porcupine.org/pub/security/index.html and is 7.6 as of this writing.) The TCP wrapper allows a site administrator to wrap services so that they can only be used by authorized hosts. By enabling "-DPROCESS_OPTIONS" when compiling tcpd, finer control can be achieved over which sites can call. A single /etc/hosts.allow can say which hosts can, and which cannot, call services. In this form, to block calls for "service" from badsite.com, have the line

    service : badsite.com .badsite.com : DENY

If PROCESS_OPTIONS is not set, then nothing need be added to hosts.allow, but /etc/hosts.deny should have

    service : badsite.com .badsite.com

Note that the ORDER in which the rules are given IS SIGNIFICANT. Take care to ensure that there isn't an ALL entry before the line which denies access. See the section on mail blocking for an example of how to use the TCP Wrapper in conjunction with the TIS Firewall Toolkit to block spam sites from using your SMTP server.

Host Routing Tables

On a per-host basis, it is possible to create dummy route entries which cause all reply packets for the relevant hosts or networks not to get back to the sender, ensuring that TCP connections cannot be established. This may have an adverse effect on the listen queue, as most network code does not expect the initial handshakes to fail. As such, it may be necessary to increase the listen queue of the MTA, and/or raise the default system listen queue (e.g. for sendmail, use the undocumented "OOL=20" in sendmail.cf to double the queue length from the default setting of 10). The exact format of the command to achieve this varies between systems, but it may be of the form:
Some systems (e.g. FreeBSD) have a "-reject" flag.

Ross Wheeler, from an Australian ISP, has written a script that dynamically blocks IP routing to addresses of hosts that have recently attempted any number of invalid probes, such as sending to nonexistent users, attempting to relay e-mail, or hitting "bait" addresses.
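The ordering pitfall from the TCP Wrappers section above (an ALL entry placed before the DENY line) can be seen by modelling how tcpd consults hosts.allow and then hosts.deny with first-match-wins in each file. This is an added example written for this page, not code from tcp_wrappers itself; it implements only a subset of the client patterns (ALL, .domain, network prefix, net/mask, exact host) and the sample rule files are constructed.

```python
import ipaddress

# Added model of tcp_wrappers access control (not the real library code):
# hosts.allow is consulted first, then hosts.deny, and within each file the
# FIRST matching line wins.  With -DPROCESS_OPTIONS a line may end in
# ": ALLOW" or ": DENY"; otherwise a match in hosts.allow grants and a match
# in hosts.deny refuses.  No match in either file means access is granted.

def host_matches(pattern, hostname, ip):
    """Subset of the client patterns: ALL, .domain, net-prefix., net/mask, exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                 # ".badsite.com" matches hosts under that domain
        return hostname.endswith(pattern)
    if pattern.endswith("."):                   # "192.0.2." matches a leading address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                          # "n.n.n.n/m.m.m.m" network/netmask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (hostname, ip)            # exact host name or address

def parse_rules(text):
    """Yield (daemons, clients, option) from hosts.allow / hosts.deny style text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if line:
            fields = [f.strip() for f in line.split(":")]
            option = fields[2].upper() if len(fields) > 2 else None
            yield fields[0].replace(",", " ").split(), fields[1].replace(",", " ").split(), option

def rule_matches(daemons, clients, service, hostname, ip):
    return any(d in ("ALL", service) for d in daemons) and \
        any(host_matches(c, hostname, ip) for c in clients)

def access_allowed(hosts_allow, hosts_deny, service, hostname, ip):
    for daemons, clients, option in parse_rules(hosts_allow):
        if rule_matches(daemons, clients, service, hostname, ip):
            return option != "DENY"             # hosts.allow grants unless the line says ": DENY"
    for daemons, clients, option in parse_rules(hosts_deny):
        if rule_matches(daemons, clients, service, hostname, ip):
            return option == "ALLOW"            # hosts.deny refuses unless the line says ": ALLOW"
    return True                                 # no match anywhere: access granted

# Constructed sample files.  WRONG_ORDER has an ALL entry before the DENY line,
# so the DENY line is never reached and the spam site is let through.
WRONG_ORDER = "sendmail : ALL : ALLOW\nsendmail : badsite.com .badsite.com : DENY\n"
RIGHT_ORDER = "sendmail : badsite.com .badsite.com : DENY\nsendmail : ALL : ALLOW\n"
DENY_FILE = "sendmail : badsite.com .badsite.com 192.0.2.0/255.255.255.0\n"  # no PROCESS_OPTIONS

if __name__ == "__main__":
    for name, allow in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "->", access_allowed(allow, "", "sendmail", "mail.badsite.com", "198.51.100.7"))
```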
Host Firewalls

PacketBL is a tool that uses DNSBLs to configure network filtering to drop packets (Linux).

There is also a chapter on using spamd on OpenBSD to redirect SMTP connections from spammer hosts to a specialized mail daemon that rejects their mail.
Scott Hazen Mueller