Comments on: Stop spam flood attack with postfix and iptables http://blog.exeko.com/2008/06/stop-spam-flood-postfix-iptables/ un blog pas comme les autres ... Thu, 15 Jul 2010 00:26:02 +0200 http://wordpress.org/?v=2.8.4 hourly 1 By: sege http://blog.exeko.com/2008/06/stop-spam-flood-postfix-iptables/comment-page-1/#comment-9368 sege Mon, 19 Apr 2010 17:44:10 +0000 http://blog.exeko.com/?p=30#comment-9368 Great script, I had some configuration issues with my mailserver and ended up on about any spam-bot-net out there... Your script helped me stop the still coming to me :) Great script, I had some configuration issues with my mailserver and ended up on about any spam-bot-net out there…

Your script helped me stop the still coming to me :)

]]> By: Simom http://blog.exeko.com/2008/06/stop-spam-flood-postfix-iptables/comment-page-1/#comment-8621 Simom Sun, 07 Feb 2010 19:53:58 +0000 http://blog.exeko.com/?p=30#comment-8621 I have a atack of spam but it`s go i 1512 / min :) your script is okey but only if you have spam flood 12 / min :) I have a atack of spam but it`s go i 1512 / min :) your script is okey but only if you have spam flood 12 / min :)

]]> By: Flaz http://blog.exeko.com/2008/06/stop-spam-flood-postfix-iptables/comment-page-1/#comment-4790 Flaz Thu, 18 Jun 2009 21:38:34 +0000 http://blog.exeko.com/?p=30#comment-4790 Great idea. I just had one problem about the month in the date command, that in debian (italian) writes the month in italian, but in log files is in english. So that how it looks now: <code>#!/bin/bash IPT=/sbin/iptables LIMIT=10 # first get one minute of log grep "`date +" %d %H:%M:" --date="1 minutes ago"`" /var/log/mail.info > /tmp/minutelog # now extract the rejected attempts, sort and count uniq ip cat /tmp/minutelog | grep "reject:" | cut -d" " -f10 | cut -d"[" -f2 | cut -d"]" -f 1 | sort | uniq -c | sort -n | sed "s/^[ \t]*//" > /tmp/rejectedlog # for each line in result while read line do MYCOUNT=`echo $line | cut -d" " -f1` MYIP=`echo $line | cut -d" " -f2` if [ $MYCOUNT -gt $LIMIT ]; then $IPT -A INPUT --proto tcp -s $MYIP --destination-port 25 -j LOG --log-prefix 'filter_smtp ' --log-level 4 $IPT -A INPUT --proto tcp -s $MYIP --destination-port 25 -j DROP echo $MYIP >> /tmp/blocked_ip_smtp fi done < /tmp/rejectedlog rm -f /tmp/minutelog rm -f /tmp/rejectedlog </code> Thanks a lot :) Great idea.
I just had one problem about the month in the date command, that in debian (italian) writes the month in italian, but in log files is in english.

So that how it looks now:

#!/bin/bash

IPT=/sbin/iptables
LIMIT=10

# first get one minute of log
grep "`date +" %d %H:%M:" --date="1 minutes ago"`" /var/log/mail.info > /tmp/minutelog

# now extract the rejected attempts, sort and count uniq ip
cat /tmp/minutelog | grep "reject:" | cut -d" " -f10 | cut -d"[" -f2 | cut -d"]" -f 1 | sort | uniq -c | sort -n | sed "s/^[ \t]*//" > /tmp/rejectedlog

# for each line in result
while read line
do
MYCOUNT=`echo $line | cut -d" " -f1`
MYIP=`echo $line | cut -d" " -f2`

if [ $MYCOUNT -gt $LIMIT ]; then
$IPT -A INPUT --proto tcp -s $MYIP --destination-port 25 -j LOG --log-prefix 'filter_smtp ' --log-level 4
$IPT -A INPUT --proto tcp -s $MYIP --destination-port 25 -j DROP
echo $MYIP >> /tmp/blocked_ip_smtp
fi
done < /tmp/rejectedlog

rm -f /tmp/minutelog
rm -f /tmp/rejectedlog

Thanks a lot :)

]]> By: Panx http://blog.exeko.com/2008/06/stop-spam-flood-postfix-iptables/comment-page-1/#comment-3258 Panx Fri, 20 Feb 2009 01:40:02 +0000 http://blog.exeko.com/?p=30#comment-3258 Great script, i was using ddos deflate so far, to block apache botnets. But it wasn't very effective against spam botnets that were attacking on port 25. This really helped a lot... I was about to code my own one, but i said i'd give it a try with googling a bit :) glad i did... thanks again. Great script, i was using ddos deflate so far, to block apache botnets. But it wasn’t very effective against spam botnets that were attacking on port 25. This really helped a lot… I was about to code my own one, but i said i’d give it a try with googling a bit :) glad i did… thanks again.

]]> By: Chingson http://blog.exeko.com/2008/06/stop-spam-flood-postfix-iptables/comment-page-1/#comment-3054 Chingson Sun, 01 Feb 2009 13:06:19 +0000 http://blog.exeko.com/?p=30#comment-3054 I found ubuntu 8.04 will generate "Feb 01" instead of "Feb 1", which is used in /var/mail.info. Following code is better used at Feb 1. LASTMIN=`date +"%b %_d %H:%M:" --date="1 minutes ago"` #echo LASTMIN is $LASTMIN grep -i "$LASTMIN" /var/log/mail.info > minutelog I found ubuntu 8.04 will generate “Feb 01″ instead of “Feb 1″, which is used in /var/mail.info.
Following code is better used at Feb 1.

LASTMIN=`date +”%b %_d %H:%M:” –date=”1 minutes ago”`
#echo LASTMIN is $LASTMIN
grep -i “$LASTMIN” /var/log/mail.info > minutelog

]]> By: Andrew http://blog.exeko.com/2008/06/stop-spam-flood-postfix-iptables/comment-page-1/#comment-1966 Andrew Thu, 17 Jul 2008 01:52:47 +0000 http://blog.exeko.com/?p=30#comment-1966 Jonathan, Found your blog post as the 5th result of a Google search for "stopping a spam flood". I've started running your script on our system to help mitigate a flood attack that has been intense enough to at times cause postfix to use up all the ports on our MySQL server looking up bogus generated names. Thanks very much. Andrew Jonathan,

Found your blog post as the 5th result of a Google search for “stopping a spam flood”. I’ve started running your script on our system to help mitigate a flood attack that has been intense enough to at times cause postfix to use up all the ports on our MySQL server looking up bogus generated names. Thanks very much.

Andrew

]]>