
Using a Cisco IPS to block known spam servers



This is a handy trick to utilize a Cisco IPS system to block servers that send one or more emails identified by SpamCop as sending spam.

I call it the RBL spam Source Blocker.

Create a custom signature in your Cisco IPS as follows:

Engine: State

--Event Action: Deny Attacker Inline | Deny Connection Inline | Deny Packet Inline | Reset TCP Connection

State Machine: SMTP

--State Name: SMTP Commands

Specify Min Match Length: No

RegEx String: (554).[5][.][7][.][1]

Direction: From Service <-- this is important as you are reading the response from your mail server

Service Ports: 25

Swap Attacker Victim: Yes <-- this is important as you don't want your server to be the attacker

Event Counter

--Event Count: 3 <--how many spams you're willing to tolerate from this spam server in "Alert Interval" time frame

--Event Count Key: Attacker and victim addresses

Specify Alert Interval: Yes

--Alert Interval: 60 <-- how long of an interval between "Event Counts"

Alert Frequency

--Summary Mode: Fire Once

--Summary Key: Attacker and victim addresses

This is an incredibly effective tool for conserving resources on your mail server.

The way it works is the SMTP state engine in the Cisco IPS monitors traffic on port 25 looking for a 554.5.7.1 response code from your mail server, which in the case of our Zimbra Postfix server is a response code given to the foreign mail server telling it that their email was rejected because it was on an RBL blacklist (SpamCop).

The Direction: From Service tells the IPS to look for this response from our server.

The Swap Attacker Victim parameter tells the IPS that the device matching the RegEx (response code) is the victim, not the attacker.

The Event Count Key tells the IPS that you are interested in x (in my case 3) of these responses occurring within y (alert frequency, 60 seconds) between an "attacker/victim" (foreign mail server/our mail server) pair on port 25; it then swaps the pair and executes the event action(s), which in this case are to drop the packet, drop the connection and send a one-way TCP reset to the victim (our mail server) so as not to leave an open connection.

We don't give a hoot about leaving the open connection on the spammer's mail server; in fact we hope we leave lots of them open!

The key to this IPS signature being effective is the use of SpamCop to identify an email on its RBL list and your mail server sending the 554.5.7.1 response code to the offending mail server. The Cisco IPS does all the rest.

You can adjust the alert frequency and event counter to your taste. For example, you can set them for 5 spams in 120 seconds and if that event occurs, the offending mail server will be blocked by your IPS for the programmed amount of time, in my case, more than a week.

If you don't want to block the spammer's mail server but just want to drop the packet and connection and reset your mail server, you can remove the event action Deny Attacker Inline.

I hope this helps some of you with IPS systems sitting in front of your mail servers.

David Kopacz, CTO



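The counting behaviour the signature relies on (match the 554 5.7.1 reply going From Service, key the count on the attacker/victim address pair, fire once when the Event Count is reached inside the Alert Interval, then swap attacker and victim) can be modelled outside the IPS. The following is an added example written for this page, not code from the post above or from Cisco: it replays constructed port-25 reply records against the post's own RegEx String and applies the same Event Count / Alert Interval / Fire Once rules. The IP addresses, timestamps and reply lines are made-up sample data; the Cisco engine's real internals are not reproduced.

```python
"""Model of the 'RBL spam Source Blocker' event counter from the post.

Constructed example: records are (timestamp_seconds, src_ip, dst_ip, reply_line)
as seen From Service, i.e. src_ip is our mail server replying to the remote
host dst_ip. None of the addresses or replies below are real traffic.
"""
import re
from collections import defaultdict, deque

# RegEx String from the signature, unchanged: matches "554 5.7.1"
# (the unescaped '.' after 554 is what matches the space).
RBL_REJECT_RE = re.compile(r"(554).[5][.][7][.][1]")

EVENT_COUNT = 3      # signature: Event Count
ALERT_INTERVAL = 60  # signature: Alert Interval, seconds


def detect_rbl_rejections(records, event_count=EVENT_COUNT,
                          alert_interval=ALERT_INTERVAL):
    """Return a list of (timestamp, attacker_ip, victim_ip) alerts.

    Only replies matching the RegEx count. Matches are keyed on the
    (server, remote) address pair (Event Count Key: attacker and victim
    addresses), kept in a sliding window of alert_interval seconds, and
    each pair alerts at most once (Summary Mode: Fire Once).
    """
    windows = defaultdict(deque)   # pair -> timestamps of matching replies
    fired = set()                  # pairs that have already alerted
    alerts = []
    for ts, src_ip, dst_ip, reply in records:
        if not RBL_REJECT_RE.search(reply):
            continue               # 250/other replies are ignored
        key = (src_ip, dst_ip)
        if key in fired:
            continue               # Fire Once: nothing more for this pair
        window = windows[key]
        window.append(ts)
        # Drop matches that fell outside the alert interval.
        while window and ts - window[0] > alert_interval:
            window.popleft()
        if len(window) >= event_count:
            # Swap Attacker Victim: the packet's source is our server, so
            # the remote host (dst_ip) is reported as the attacker and our
            # server (src_ip) as the victim.
            attacker, victim = dst_ip, src_ip
            alerts.append((ts, attacker, victim))
            fired.add(key)
    return alerts


# Constructed sample: 192.0.2.25 is "our" MTA; 198.51.100.7 is a host that
# keeps getting RBL-rejected; 203.0.113.5 is rejected too rarely to trigger.
SAMPLE_RECORDS = [
    (0,   "192.0.2.25", "198.51.100.7", "554 5.7.1 Service unavailable; blocked using bl.spamcop.net"),
    (5,   "192.0.2.25", "203.0.113.5",  "554 5.7.1 Service unavailable; blocked using bl.spamcop.net"),
    (10,  "192.0.2.25", "198.51.100.7", "554 5.7.1 Service unavailable; blocked using bl.spamcop.net"),
    (20,  "192.0.2.25", "198.51.100.7", "250 2.0.0 Ok: queued as 0123ABCD"),
    (30,  "192.0.2.25", "198.51.100.7", "554 5.7.1 Service unavailable; blocked using bl.spamcop.net"),
    (40,  "192.0.2.25", "198.51.100.7", "554 5.7.1 Service unavailable; blocked using bl.spamcop.net"),
    (100, "192.0.2.25", "203.0.113.5",  "554 5.7.1 Service unavailable; blocked using bl.spamcop.net"),
]


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_rbl_rejections(SAMPLE_RECORDS)


if __name__ == "__main__":
    for ts, attacker, victim in run_demo():
        print(f"t={ts}s: deny attacker {attacker} (victim {victim})")
```

With the sample data the third 554 reply to 198.51.100.7 arrives at t=30, inside the 60-second window, so that host is reported once as the attacker; the 250 reply in between does not count, the later 554 at t=40 is suppressed by Fire Once, and 203.0.113.5 never reaches three matches within the interval. Raising `event_count` or `alert_interval` reproduces the "5 spams in 120 seconds" tuning mentioned in the post.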