Re: Possible anti-zombie remedy?
Jeff Taylor <shdwdrgn <at> sourpuss.net>
2005-06-13 14:19:55 GMT
Just to follow up on this... I wrote up a script this weekend that
simply pulls IP addresses from my log files for all the lame server and
unexpected rcode errors. Ended up with over 3800 unique IPs listed, and
when I blocked traffic based on this list, the nameserver traffic went
WAY down. I also applied the list and a blocklist in postfix, but have
not yet seen a single email rejected from this (which is disappointing).

I need to do two things to clean this up. First, change the script to
only look for multiple hits in one second. The legitimate lame-server
errors I've seen coming from my own network typically only have a single
error per requested domain, while the abusers will spawn 3-5 lookups of
the same domain in a 1-second period. Watching for this should make the
script much less likely to blacklist a legitimate user. Second, I need
to write another script that watches the log file and dynamically
updates my IP list as new hits come in.

I currently use Spamikaze on my mail server to blacklist IPs sending
mail to my spamtrap accounts. I would like to write up something that
adds these IPs to that same list, because spamikaze-rejected emails
point the sender to a web page where they can unban their IP.

As another thought to throw out there, what about using this list of
IPs for purposeful dns poisoning? If we're certain these are spambots,
then what would happen if every further query they made, I were to
return their own IP address back to them? Wouldn't they likely then try
sending all outbound emails to themselves, possibly flooding themselves
off the internet (and forcing the computer owners to actually take a
look at why their computer is running poorly)? I'm not exactly sure how
to get bind to do something like this, but it would sure be interesting
to see the results.
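The log-mining approach described in the post above, written out as an added example; this is not the poster's script. It assumes BIND-style syslog lines for "lame server" and "unexpected RCODE" messages (the sample lines and addresses below are constructed, using documentation address ranges), collects the address at the end of each message the way the post describes, and then applies the refinement the poster plans: only report an address that hit the same name at least a threshold number of times within one second, while never reporting addresses from prefixes you list as your own network.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND-style syslog lines for this example (not from the post).
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = "\n".join([
    "Jun 13 09:01:02 ns1 named[1234]: lame server resolving 'mx.example.org' (in 'example.org'?): 192.0.2.10#53",
    "Jun 13 09:01:02 ns1 named[1234]: lame server resolving 'mx.example.org' (in 'example.org'?): 192.0.2.10#53",
    "Jun 13 09:01:02 ns1 named[1234]: unexpected RCODE (SERVFAIL) resolving 'mx.example.org/MX/IN': 192.0.2.10#53",
    "Jun 13 09:01:02 ns1 named[1234]: lame server resolving 'mx.example.org' (in 'example.org'?): 192.0.2.10#53",
    "Jun 13 09:01:05 ns1 named[1234]: lame server resolving 'www.example.net' (in 'example.net'?): 198.51.100.7#53",
    "Jun 13 09:01:09 ns1 named[1234]: lame server resolving 'www.example.net' (in 'example.net'?): 198.51.100.7#53",
    "Jun 13 09:02:30 ns1 named[1234]: client 203.0.113.9#4321: query (cache) 'example.com/A/IN' denied",
])

# Matches the two message types the post mines: "lame server" and
# "unexpected RCODE (...)". The address#port at the end is what gets collected.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"(?:lame server|unexpected RCODE \([A-Z]+\)) resolving "
    r"'(?P<name>[^'/]+)(?:/[^']*)?'.*?: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+$"
)


def parse_line(line):
    """Return (timestamp to the second, queried name, address) or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("ts"), m.group("name").lower(), m.group("ip")


def parse_log(text):
    """Parse every matching line of a log; non-matching lines are skipped."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def extract_all_ips(text):
    """The first, naive cut: every address that produced one of the errors."""
    return {ip for _, _, ip in parse_log(text)}


def burst_ips(text, threshold=3, ignore_prefixes=()):
    """The refined cut: addresses that looked up the same name at least
    `threshold` times within a single second. Returns {ip: largest burst}.
    Addresses inside ignore_prefixes (your own networks) are never reported."""
    nets = [ipaddress.ip_network(p) for p in ignore_prefixes]
    # Key on (address, name, second) so only same-name bursts count.
    hits = Counter((ip, name, ts) for ts, name, ip in parse_log(text))
    flagged = {}
    for (ip, name, ts), n in hits.items():
        if n < threshold:
            continue
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


def blocklist(flagged):
    """One address per line in numeric order, ready for a firewall or postfix map."""
    return "\n".join(sorted(flagged, key=ipaddress.ip_address))


if __name__ == "__main__":
    print("naive list:", sorted(extract_all_ips(SAMPLE_LOG)))
    print("burst list:", burst_ips(SAMPLE_LOG, threshold=3, ignore_prefixes=["203.0.113.0/24"]))
    print(blocklist(burst_ips(SAMPLE_LOG, threshold=3)))
```

On the constructed sample the naive cut lists both 192.0.2.10 and 198.51.100.7, while the burst cut keeps only 192.0.2.10 (four lookups of the same name in the same second); 198.51.100.7 produced one error in each of two different seconds, which is the single-error-per-domain pattern the post attributes to legitimate resolvers. Because the parsing is line-based, the same functions can be fed one line at a time by a tail-style reader for the "watch the log and update the list" script the poster mentions.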