Title: Anti-Spam SMTP Implementation for anonymous Dial-In
1Anti-Spam SMTP Implementationfor anonymous
Dial-In
- SwiNOG 5, 25.09.2002
- Fredy Künzler, Init Seven AG
2SPAM is a serious problem.Better fight it at
its origin.
3Anonymous Dial-In ? Customer is not known ?
Customer can hide his identity (Rufnummerunterdr
ückung) ? In case of abuse, effort for
prevention is high and unpaid ? Complaints
Spamcop etc. ? In case of abuse, its only a
reaction, and SPAM has already been distributed
4How Spammer abuse anonymous Dial-in (1)? New
strategy by Spammers, as the classical Spam
delivery technique is not effective anymore
(abusing an open SMTP relay). Open SMTP relay
servers are disappearing more and
more. Reason M is delivering its SMTP
servers with default relay denied these days.
5How Spammer abuse anonymous Dial-in (2)?
Spam-PC dials over ISDN (Channel Bundling, PPP
Multilink)? Spam-PC runs it's own SMTP server.
Mail delivery is being done directly to the
respective MX server of the recipient. This
technique is common by well known Swiss
spammers as M.F. (Nachtsichtgeräte, overpriced
digital cameras, Brockhaus software, GPS
equipment etc.) and B.W.L. (Pfefferspray,
Graphic gallery software etc.)? as the spamming
SMTP server get's the dynamic IP of the
provider, complaints will go to the providers
abuse desk
6Prevention (Solution 1) (1)? disallow SMTP
traffic (Port 25) leaving own backbone?
Implementation (let's assume provider has
192.168.128.0/19 and the dial range is
192.168.136.0/24)access-list 100 remark SMTP
Block of Dial-in-Customersaccess-list 100 permit
tcp 192.168.136.0 0.0.0.255 192.168.128.0
0.0.31.255 eq smtpaccess-list 101 deny tcp
192.168.136.0 0.0.0.255 any eq smtpaccess-list
101 permit ip any anyinterface FastEthernet
0/0 description connected to Internet (Upstream
Provider) ip access-group 100 out
7Prevention (Solution 1) (2)Advantage of
Solution 1? Spammer cannot do direct
MX-DeliveryDisadvantages of Solution 1? User
must use providers SMTP server, even if he has a
GMX or another freemail address? User asks
support how to handle relay denied error
messages? Spammer still can abuse providerss
SMTP server, as it must relay mail traffic from
dial-in connections
8Prevention (Solution 2) (1)? same as solution
1, but with protected SMTP server of the
provider? Dial-Spam-Block is used for SMTP
server protection? Dial-Spam-Block counts the
number of recipients of mail delivery for each
dynamically assigned IP address?
Dial-Spam-Block stops relaying mail after limit
of recipients has been reached in a certain time
frame (default 50 recipients per 30 minutes
allowed)
9Prevention (Solution 2) (2)? potential Spammer
reaches limit within 1 minute and gets a relay
denied? counter is reset if dial-in user logs
off (radius server sends signal to
Dial-Spam-Block) ? Dial-Spam-Block currently
works with Sendmail (writes into access.db,
therefore no sendmail.cf quirk required) and
Freeradius. Communication between the two
servers is done over SSH.
10Prevention (Solution 2) (3) Advantages of
Solution 2 ? Spammer cannot do direct
MX-Delivery ? SMTP Server of provider is
protectedDisadvantages of Solution 2 ? User
must use providers SMTP server, even if he has a
GMX or another freemail address ? User asks
support how to handle relay denied error
messages
11Prevention (Solution 2) (4) Dial-Spam-Block
? Concept by Fredy Künzler, Init Seven
AG (thanks to the Interconnection people) ?
Developed by Marco Steinacher, Init Seven AG ?
GPL (General Public License) ? Runs since March
2002 without problems in the environment of
Init Seven AG. ? Available at
dial-spam-block.sourceforge.net
12Prevention (Solution 3) (1)? Redirect SMTP
traffic from dial-in user to providers SMTP
server. This will ease the configuration of SMTP
client. Support must no longer handle relay
denied questions, as any valid hostname (i.e.
mail.bluewin.ch at Init Sevens dial-in) works
up to the limit of the dial-spam-block.
13Prevention (Solution 3) (2)? Implementation
(lets assume provider has 192.168.128.0/19 and
the dial range is 192.168.136.0/24, and the IP
address of the SMTP server is 192.168.128.10)acc
ess-list 102 remark SMTP Redirect to SMTP server
from Dial-in-Customersaccess-list 102 permit tcp
192.168.136.0 0.0.0.255 any eq smtproute-map
SMTP-Redirect permit 10 match ip address 102
set ip next-hop 192.168.128.10interface
FastEthernet 0/0 description connected to
Internet (Upstream Provider) ip policy route-map
SMTP-RedirectNote that the SMTP server must not
be in the IP range of dial customers!
14Prevention (Solution 3) (3)? Configuration of
SMTP server (requirement kernel of SMTP server
must support iptables)iptables -A PREROUTING
--table nat --protocol tcp --source \
192.168.136.0/24 --dport 25 -j DNAT --to
192.168.128.10(Init script for Linux available
at www.init7.net/anti-spam/)
15Prevention (Solution 3) (4)
) Protected with Dial-Spam-Block
16Prevention (Solution 3) (5)Advantages of
Solution 3? Spammer cannot do direct
MX-Delivery? SMTP Server of provider is
protected? Support is no longer bothered by
relay denied questions(Minor) Disadvantage of
Solution 3? 'telnet host 25' no longer
possible from dial-in rangeSolution 3 is
operational since August 2002 in the environment
of Init Seven AG
17Further development (proposed solution 4) ?
Dial-Spam-Block is able to work as a Teergrube.
Instead of a hard limit as relay denied after
50 recipients the SMTP delivery could gradually
slow down. For instance the first 20 recipients
are delivered instantly, than wait 2 seconds for
each address for the next 20 recipients, than
wait 5 seconds etc. etc.
18Links (1)SMTP-Redirect Implementationwww.init7.
net/anti-spam/Dial-Spam-Blockdial-spam-block.so
urceforge.netTeergrubehttp//www.iks-jena.de/mi
tarb/lutz/usenet/teergrube.en.html
(English)http//www.iks-jena.de/mitarb/lutz/usene
t/teergrube.html (German)
19Links (2)Freeradiuswww.freeradius.orgSendmail
www.sendmail.orgIptableswww.iptables.org
20Questions?
21Thank you.