About ASPwebhosting

  1. This is a handy trick to utilize a Cisco IPS system to block servers that send one or more emails identified by SpamCop as sending spam. I call it the RBL Spam Source Blocker. Create a custom signature in your Cisco IPS as follows:

     Engine: State
     --Event Action: Deny Attacker Inline | Deny Connection Inline | Deny Packet Inline | Reset TCP Connection
     State Machine: SMTP
     --State Name: SMTP Commands
     Specify Min Match Length: No
     RegEx String: (554).[5][.][7][.][1]
     Direction: From Service <-- this is important as you are reading the response from your mail server
     Service Ports: 25
     Swap Attacker Victim: Yes <-- this is important as you don't want your server to be the attacker
     Event Counter
     --Event Count: 3 <-- how many spams you're willing to tolerate from this spam server in the "Alert Interval" time frame
     --Event Count Key: Attacker and victim addresses
     Specify Alert Interval: Yes
     --Alert Interval: 60 <-- how long of an interval between "Event Counts"
     Alert Frequency
     --Summary Mode: Fire Once
     --Summary Key: Attacker and victim addresses

     This is an incredibly effective tool for conserving resources on your mail server. The way it works is the SMTP state engine in the Cisco IPS monitors traffic on port 25 looking for a 554.5.7.1 response code from your mail server, which in the case of our Zimbra Postfix server is a response code given to the foreign mail server telling it that their email was rejected because it was on an RBL blacklist (SpamCop). The Direction: From Service tells the IPS to look for this response from our server. The Swap Attacker Victim parameter tells the IPS that the device matching the RegEx (response code) is the victim, not the attacker.

     The Event Count Key tells the IPS that you are interested in x (in my case 3) of these responses occurring within y (alert frequency, 60 seconds) between an "attacker/victim" (foreign mail server/our mail server) pair on port 25; it then swaps the pair and executes the event action(s), which in this case are to drop the packet, drop the connection and send a one-way TCP reset to the victim (our mail server) so as not to leave an open connection. We don't give a hoot about leaving the open connection on the spammer's mail server; in fact we hope we leave lots of them open! The key to this IPS signature being effective is the use of SpamCop to identify an email on its RBL list and your mail server sending the 554.5.7.1 response code to the offending mail server. The Cisco IPS does all the rest. You can adjust the alert frequency and event counter to your taste. For example, you can set them for 5 spams in 120 seconds and if that event occurs, the offending mail server will be blocked by your IPS for the programmed amount of time, in my case more than a week. If you don't want to block the spammer's mail server but just want to drop the packet, drop the connection and reset your mail server, you can remove the event action Deny Attacker Inline. I hope this helps some of you with IPS systems sitting in front of your mail servers. David Kopacz, CTO ASPwebhosting.com
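A small model of the counting logic the signature above describes, added here as an example (it is not code from the post or from Cisco): it replays constructed SMTP reply log lines through the posted regex and reports which remote servers would be denied after 3 RBL rejections inside the 60-second alert interval. The log line format and the sliding lookback window are assumptions.

```python
import re
from collections import defaultdict, deque

# Pattern exactly as in the posted signature; the '.' after 554 matches the space
RBL_REJECT = re.compile(r"(554).[5][.][7][.][1]")
EVENT_COUNT = 3       # --Event Count: rejections tolerated per remote server
ALERT_INTERVAL = 60   # --Alert Interval: seconds the counter looks back (assumed semantics)

def parse(line):
    """Constructed log format: '<epoch> <remote_ip> <local_ip> <SMTP reply text>'."""
    ts, remote, local, reply = line.split(" ", 3)
    return int(ts), remote, local, reply

def find_blocked(lines, event_count=EVENT_COUNT, interval=ALERT_INTERVAL):
    """Return (attacker, victim, time) for each remote/local pair reaching event_count
    matching replies within interval seconds; the remote server is reported as the
    attacker because the signature swaps attacker and victim. Fire Once: one alert per pair."""
    windows = defaultdict(deque)  # (remote, local) -> timestamps of matching replies
    fired, alerts = set(), []
    for line in lines:
        ts, remote, local, reply = parse(line)
        if not RBL_REJECT.search(reply):
            continue  # not an RBL rejection, the state engine ignores it
        key = (remote, local)
        window = windows[key]
        window.append(ts)
        while window and ts - window[0] > interval:
            window.popleft()  # forget rejections older than the alert interval
        if len(window) >= event_count and key not in fired:
            fired.add(key)
            alerts.append((remote, local, ts))
    return alerts

# Constructed sample log. 203.0.113.7 is rejected three times in 20 s (fires);
# 198.51.100.9 is rejected three times over 5 minutes (never 3 within 60 s);
# 192.0.2.5 only ever sees 250/550 replies, which the regex does not match.
SAMPLE_LOG = [
    "1000 203.0.113.7 10.0.0.25 554 5.7.1 Client host [203.0.113.7] blocked using bl.spamcop.net",
    "1000 198.51.100.9 10.0.0.25 554 5.7.1 Client host [198.51.100.9] blocked using bl.spamcop.net",
    "1005 192.0.2.5 10.0.0.25 250 2.0.0 Ok: queued as 4F2C1A",
    "1006 192.0.2.5 10.0.0.25 550 5.1.1 <nobody@example.com>: Recipient address rejected",
    "1010 203.0.113.7 10.0.0.25 554 5.7.1 Client host [203.0.113.7] blocked using bl.spamcop.net",
    "1020 203.0.113.7 10.0.0.25 554 5.7.1 Client host [203.0.113.7] blocked using bl.spamcop.net",
    "1150 198.51.100.9 10.0.0.25 554 5.7.1 Client host [198.51.100.9] blocked using bl.spamcop.net",
    "1300 198.51.100.9 10.0.0.25 554 5.7.1 Client host [198.51.100.9] blocked using bl.spamcop.net",
]

if __name__ == "__main__":
    for attacker, victim, when in find_blocked(SAMPLE_LOG):
        print(f"t={when}: deny attacker {attacker} (victim {victim})")
```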
  2. If you're like me and you are sick and tired of being inundated with spam containing links to .ru websites trying to get you to download malware, this handy RegEx will do the trick:

     [Hh][Tt][Tt][Pp][ss]?[:][/][/][A-Za-z0-9_\-.]*[.]([Rr][uu])([/][^ \t\n\r\f]+|[^A-Za-z0-9_\-]|$)

     In my case, I use it in a custom signature inspecting the body of emails traversing my Cisco IDS/IPS system to instantly drop the packet, drop the connection from the offending mail server and reset the TCP connection to my mail server, which acts as a tarpit delay, leaving an open connection to the offending mail server while closing the connection on my mail server. This RegEx could easily be adapted to mail systems such as Zimbra that use Postfix with SpamAssassin or others that make use of regular expressions. I have another I'll post that works in conjunction with SpamCop to ensure servers identified as known spam sources by SpamCop will be denied port 25 SMTP connections. David Kopacz, CTO ASPwebhosting.com
  3. ASPwebhosting

    lots of spam from me.uk

    I have captured thousands of IP addresses used by this .me.uk spammer using my Cisco IPS to inspect SMTP traffic using a regex statement. In turn, I have firewalled thousands of IPs and many known spam source networks, such as: BYFLY, CC, DATAPIPE, ENZU, EONIX, FIBER-UPLOAD, HOSTNOC, HSI, LAYERED-TECH, PSYCHZ, RACKCO, SERVIUS, SHARKTECH, SILVERPOP, SINGLEHOP, SWITZERLAND-PRIVATELAYER, TELEFONICA, VNPT-NET, and a few more. I have rarely ever seen a legitimate email come from any of these sources. They have dozens, sometimes hundreds of class C's they give freely to spammers. They constantly move them around and let them spin up virtual spam servers on new IPs, and I have sent every one of them multiple detailed spam reports which include logs, headers and content. None of them respond. I suggest you firewall them all from port 25 traffic. The sooner we isolate their networks from the world the better. They should be forced to return their spam networks to IANA and free up IPv4 resources for those of us who run spam-free networks and take immediate action when mail accounts are compromised. In fact, we just finished writing software for Zimbra that detects compromised accounts within a few minutes of bots logging into them and automatically disables the account and terminates all sessions. The software then sends a Cisco ACL formatted list of the bot IP addresses to us for entry into our firewall. It's slick. If anyone wants my Cisco ACL list for these major spam sources, just ask. I'll be happy to share it. Just keep in mind, it's large and aggressive. I don't tolerate providers that support spammers by reassigning them to multiple class C's and/or don't respond to abuse reports. David Kopacz, CTO ASPwebhosting.com