rule to block large amounts of inbound port 25 traffic

electricus · 07-28-2011, 11:54 AM

it sure would be nice to have some way to detect a lot of smtp traffic (spammers) and block those ip's. Is there such a rule in untangle's intrusion prevention module to do that? We only have 6 users here and so we don't have a lot of mail traffic. I would think that there would be a way to detect that kind of network activity and automate blocking ip's of spammers trying to send spam emails through my mail server. Otherwise, I'm just going to have to continue to watch my mail server queue and block ip's manually.

sky-knight · 07-28-2011, 11:59 AM

Enable tarpitting.

electricus · 07-28-2011, 12:02 PM

I do have that enabled and it works great. The only drawback is that the ip's must be on the blacklist. That's why I would like to manually create this kind of rule.

dmorris · 07-28-2011, 12:13 PM

In that case firewall rules will do the trick.

Personally, I think you are asking for trouble. Just because an IP relayed a spam message to you doesn't necessarily mean they are a spammer.

The sole purpose of the "blacklist" you refer to that you don't like is to track the IP of known spammers.

electricus · 07-28-2011, 12:14 PM

do you know of a website where people have shared common firewall rulesets in .json format to cut down on spam? I could just import it into untangle. Surely people have gotten really good at this sort of thing out there.

Big D · 07-28-2011, 12:18 PM

indead I still like how a client we had tried to send 7000 emails through hosted exchange via rackspace.

Rackspace shut down their account sent them a nasty email and said keep doing that and we'll disable your whole domain email.

But the point being their mailserver would have been relaying out rackspaces relay servers which might have 1000's of legit organizations using it.

Protocol module I haven't personally messed so not sure if it can trigger based on frequency on connections or not.

dmorris · 07-28-2011, 12:19 PM

Quote:

Originally Posted by electricus

do you know of a website where people have shared common firewall rulesets in .json format to cut down on spam? I could just import it into untangle. Surely people have gotten really good at this sort of thing out there.

I would suggest this one:

http://www.spamhaus.org/

Have fun reinventing the wheel.

07-28-2011, 11:54 AM	#1 (permalink)
electricus Untanglit Join Date: Mar 2011 Posts: 19	rule to block large amounts of inbound port 25 traffic it sure would be nice to have some way to detect a lot of smtp traffic (spammers) and block those ip's. Is there such a rule in untangle's intrusion prevention module to do that? We only have 6 users here and so we don't have a lot of mail traffic. I would think that there would be a way to detect that kind of network activity and automate blocking ip's of spammers trying to send spam emails through my mail server. Otherwise, I'm just going to have to continue to watch my mail server queue and block ip's manually.

07-28-2011, 11:59 AM	#2 (permalink)
sky-knight Join Date: Apr 2008 Location: Phoenix, AZ URLs submitted: 8 Posts: 15,457	Enable tarpitting. __________________ Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

07-28-2011, 12:13 PM	#4 (permalink)
dmorris Untangle Junkie Join Date: Nov 2006 Location: San Mateo, CA URLs submitted: 10 Posts: 10,612	In that case firewall rules will do the trick. Personally, I think you are asking for trouble. Just because an IP relayed a spam message to you doesn't necessarily mean they are a spammer. The sole purpose of the "blacklist" you refer to that you don't like is to track the IP of known spammers. __________________ Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

07-28-2011, 12:18 PM	#6 (permalink)
Big D Master Untangler Join Date: Nov 2008 Posts: 691	indead I still like how a client we had tried to send 7000 emails through hosted exchange via rackspace. Rackspace shut down their account sent them a nasty email and said keep doing that and we'll disable your whole domain email. But the point being their mailserver would have been relaying out rackspaces relay servers which might have 1000's of legit organizations using it. Protocol module I haven't personally messed so not sure if it can trigger based on frequency on connections or not. __________________ The beatings shall continue until morale improves!

Protect

Filter

Perform

Connect

Manage

Add-Ons

07-28-2011, 12:02 PM	#3 (permalink)
electricus Untanglit Join Date: Mar 2011 Posts: 19	I do have that enabled and it works great. The only drawback is that the ip's must be on the blacklist. That's why I would like to manually create this kind of rule.

07-28-2011, 12:14 PM	#5 (permalink)
electricus Untanglit Join Date: Mar 2011 Posts: 19	do you know of a website where people have shared common firewall rulesets in .json format to cut down on spam? I could just import it into untangle. Surely people have gotten really good at this sort of thing out there.