Is it possible to block email from a certain host?

Kal (Verified User; joined Nov 18, 2019; 140 messages; Location: Australia)
In the never-ending spam-blocking battle, I feel like the wins are few and short-lived. Looking at recent spam, I noticed that the bulk of them were coming from two hosts. (I run the headers through SpamCop to quickly work out where it's coming from.) So I sent abuse reports to both hosts.

One of those hosts (Nexeon) took the reports seriously, responded quickly and (so far at least) the spam from their servers has stopped!

The other host (QuadraNet) didn't even respond, and nearly all the overnight spam is now coming from them. And this is nothing new from QuadraNet. In previous months and years I've noticed their name come up time and again, and no amount of spam reporting (via SpamCop mainly) seems to improve things.

So, you know, I'm at the point where I'd be happy to just blacklist QuadraNet altogether. I know that's an extreme solution, but I'm okay with that. I figure if everyone did it, they'd be forced to act responsibly or else lose all their legitimate customers. But how can I do this? Is it even possible?

Yes, you can open a console and edit /etc/system_filter.exim.
Put this inside:

# Exim filter
# Reject any message whose From: header contains this address
if "$h_from:" contains "[email protected]"
then
  fail
endif

Or block an entire domain:

# Reject any message whose From: header contains this domain
if "$h_from:" contains "@example.com"
then
  fail
endif

FYI, this file can be replaced when you update Exim, but you can chattr it so it can't be replaced:
chattr +i /etc/system_filter.exim

Or, if you're angry, you can block their network IP range via CSF; this will cut off everything from their IPs sending spam to your server.
 
Spam and server attacks are a never-ending issue that, as a sysadmin, you need to deal with. (Went a little overboard writing.)

For problem spammers like that, what I used to do is just add them to the firewall (be it on the router or on the server); it worked well enough at the time. This is probably the easiest method to stop receiving junk from a single IP. It's all manual, though. You just have to check your blocks from time to time to remove them, as the spammers will eventually get removed by their provider for spamming. You can even add that bad provider's IP block(s) to the firewall; it's a bit extreme but can be effective, though it could also block many good domains that your customers may end up communicating with.

You can add filter rules to Exim to block the domain, as IXPLANET mentioned. If it's always from the same domain, this can work well.

Maybe even add an additional mail filter appliance to be your clients' MX server. For some clients I use Proxmox Mail Gateway set up as a cluster for their MX and have it deliver to the correct servers for their domain; it works well enough as a pre-filter and makes it easy to add lots of custom IP blocks/rules/regexes. Customers seem OK with using it, as it sends a daily digest report of blocked messages; if one was actually valid they can easily add an exception and have the original message delivered to their account. And then the majority of the junk doesn't even make it to the servers.

(A bit off topic, but this is what I do now, in addition to the PMG for specific customers.)
I got tired of dealing with all of this at the server level for many servers and automated the process. Now all my servers send all the IP blocks (SSH brute force, IMAP/POP/SMTP brute force, really high-scoring spam IPs, spam honeypots, any bad activity that can be identified to a single IP) to my central CrowdSec server, which generates a BGP black-hole for my border routers, so the offending traffic can't even enter the network to reach any server. I have this semi-automated, with lots of allow lists so nothing important gets blocked. I also feed in daily updates of a few select known-bad host/network lists (RBLs). I try to always check on the new auto-blocks daily, and have a few honeypots as triggers too. Lately I've found that reporting spam alone is effective only 50% of the time (and sometimes very slow to get a response), but I still send abuse reports as long as I have time. If you only have a few hosts/VMs this is absolute overkill, but if you have many servers on your own network and BGP routers, this can help save your sanity by automating it; it does mean you need to build it yourself, though.
 
Thanks for the replies!

@IXPLANET the emails themselves do not come from any one domain, so unfortunately I can't simply block specific addresses or domains like that. As for your second suggestion (I guess I am a little bit angry), how do I reliably get QuadraNet's entire range of IP addresses?

@cjd thank you for the ideas. I operate such a small server that your solution does sound like it might be overkill, and possibly a bit beyond me. I think I'm okay with blocking QuadraNet's range of IPs, and then dealing with it if and when a client reports that they can't communicate with a legit domain. If it cuts the spam down significantly (which I know it would), I think the occasional issue would be worth it.
 
Maybe you can check this

Holy Quadramire Batman!
No need to block a myriad of IP ranges/CIDRs; simply block their AS8100 in CSF. CSF eats ASNs without problems :)
Choose either 1 or 2 in CC_SRC = ("1" - MaxMind, "2" - db-ip, ipdeny, iptoasn) and put AS8100 in the CC_DENY = field.
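To make Kal's question ("how do I reliably get their entire range of IP addresses?") and the ASN answer above concrete, here is an added example, not code from this thread, CSF or Exim. It takes a table in the layout of iptoasn.com's ip2asn-v4.tsv (one of the CC_SRC sources named above), expands an AS number into collapsed CIDRs, carves an allow-listed customer network back out (the false-positive caveat raised earlier in the thread), formats the result as csf.deny lines, and pulls the connecting IP out of a message's first Received header so it can be checked against the list. The table rows, the headers, the host name mx.mydomain.example and the allow-listed network are all constructed for the example; CSF's CC_DENY performs the ASN expansion itself, this just makes that step reviewable before anything is blocked.

```python
"""ASN -> CIDR deny list with allow-list carve-outs, plus a Received-header check.

Added example for the thread, not code from the thread, CSF or Exim.
"""
import ipaddress
import re
from email.parser import Parser

# Constructed sample in the layout of iptoasn.com's ip2asn-v4.tsv
# (range_start TAB range_end TAB AS_number TAB country TAB AS_description).
# AS8100 is the AS number named in the thread; every range and description
# below is made up from documentation address space, not real routing data.
SAMPLE_IP2ASN = """\
198.51.100.0\t198.51.100.127\t64496\tZZ\tEXAMPLE-AS-B (constructed)
198.51.100.128\t198.51.100.255\t8100\tZZ\tEXAMPLE-AS-A (constructed)
203.0.113.0\t203.0.113.255\t8100\tZZ\tEXAMPLE-AS-A (constructed)
192.0.2.0\t192.0.2.255\t0\tNone\tNot routed
"""

# Constructed headers as your own MX (assumed name mx.mydomain.example) would
# record them. Only the topmost Received line was written by a server you
# control; the ones beneath it were supplied by the sender and may be forged.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
    by mx.mydomain.example (Exim) with ESMTP id 1example-000001
    for <user@mydomain.example>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
    by mail.example.net with ESMTPA; Mon, 01 Jan 2024 09:59:00 +0000
From: Someone <someone@example.net>
Subject: constructed sample
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def prefixes_for_asn(ip2asn_tsv, asn):
    """Return the collapsed, sorted CIDR list an ASN announces in an ip2asn table."""
    nets = []
    for line in ip2asn_tsv.splitlines():
        if not line.strip():
            continue
        start, end, origin_asn = line.split("\t")[:3]
        if int(origin_asn) != asn:
            continue
        # A start-end range may need several CIDRs to be covered exactly.
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return sorted(ipaddress.collapse_addresses(nets))


def apply_allow_list(deny_nets, allow_cidrs):
    """Carve allow-listed networks out of the deny list itself, rather than
    relying on firewall rule order, so a customer's legitimate mail server
    inside a bad ASN is never touched."""
    result = list(deny_nets)
    for cidr in allow_cidrs:
        allowed = ipaddress.ip_network(cidr)
        kept = []
        for net in result:
            if net.subnet_of(allowed):
                continue                                    # wholly allowed: drop
            if allowed.subnet_of(net):
                kept.extend(net.address_exclude(allowed))   # punch a hole
            else:
                kept.append(net)
        result = kept
    return sorted(ipaddress.collapse_addresses(result))


def csf_deny_lines(nets, comment):
    """Format networks as csf.deny entries (`network # comment`)."""
    return [f"{net} # {comment}" for net in nets]


def connecting_ip(raw_headers):
    """IP that opened the SMTP connection to your MX: the bracketed address in
    the first Received header, which your own server wrote."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = BRACKETED_IPV4.search(received[0])
    return match.group(1) if match else None


def is_blocked(ip, nets):
    """True if `ip` falls inside any network of the final deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    deny = prefixes_for_asn(SAMPLE_IP2ASN, 8100)
    # Assumed: 203.0.113.64/26 hosts a known-good customer mail server.
    deny = apply_allow_list(deny, ["203.0.113.64/26"])
    for line in csf_deny_lines(deny, "AS8100 (constructed sample)"):
        print(line)
    src = connecting_ip(SAMPLE_HEADERS)
    print(src, "blocked" if is_blocked(src, deny) else "not blocked")
```

The point of `connecting_ip` is that only the Received header your own MX added is trustworthy; the lines beneath it are part of the message the sender handed over, so a block list should be keyed on the address that actually connected, not on whatever earlier hops claim. Re-running `prefixes_for_asn` against a fresh table from time to time matches the earlier advice in the thread to review blocks periodically, since prefixes move between ASNs.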
 
Thank you, that's brilliant—exactly the sort of thing I was hoping for! I'm excited to see what the results will be.
 
... send all the IP blocks ... to my central crowdsec server ...
@cjd I'm thinking for the first time about including CrowdSec in my server. But I see it's API only. Please, do you have any insights about the impact on slowing down websites that you could share? How does it work in DA? Does it pull 100,000 IPs and check each one on every single HTTP request or email?
I just cleared all my ASNs and CCs and third-party blocklists off CSF, because the spammers and attackers are changing their IPs all the time. And I was immediately hit with a spam wave from (one of the most notorious spammers) serverion.com. As I didn't want to start again with too much ASN blocking, I did some research and found only a few CIDRs of theirs are used at any one time. So it's overkill to block the full ASN. But then I found out serverion.com gets its IPs from Prefixbroker.com and rotates them for their spam customers on a regular basis. They advertise having 2 million IPs. That brought me to CrowdSec. Just blocking the newest 10,000 or so would be nice, without harming websites too much. And does it block normal email spam? Did you ever have it running in DA only? Please, can you share your knowledge? Thank you!
 
Greetings @johannes

For myself, I do all my CrowdSec blocking at my BGP border routers by creating a BGP black-hole feed directly from the CrowdSec server. Doing it this way, I just have the servers communicate blocks with the CrowdSec server (blocks propagate out to the routers in a few seconds). There are no CrowdSec blocks on the hosting servers, so when one server triggers a block, the whole network is blocking the attacking host. Servers don't need to spend resources on what the routers can already do. I also add blocks manually from alerts via CLI scripts (which is primarily spam sources; I'm not totally comfortable completely automating this).

So I cannot comment on performance on a single host only.

For email blocking I also run my own Proxmox Mail Gateways for customers that want it. I find it does a decent job; I have a few of my own custom regexes to block the constant subdomain changes of some spammers, which is working quite well so far.

Servers will add their own CrowdSec blocks for SSH/FTP/DA failed logins. And I get alerts for spammers, which I take care of manually. There are a few honeypots that also send out blocks. Most blocks are also only for a short period of time, up to an hour, so accidental false positives clear quickly.
 
Hi @cjd, yes, you have a big advantage over me, blocking them at the router level. I can fully understand that this is the better way. Thank you very much for your insight and explanation! It seems I must try it on a test server to see what's going on on a single host.
 