Postscreen as a "tarpit"

J. Fahrner
Hello,

Is it possible to configure postscreen so that, before disconnecting, it
keeps the connection open for a while in order to keep the attacker busy
for a bit?

Background: I'm currently seeing the following attempts to dump spam in my log:

Mar  6 12:20:23 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62525 to [78.47.47.89]:25
Mar  6 12:20:23 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62525: EHLO ylmf-pc\r\n
Mar  6 12:20:24 s3 postfix/dnsblog[13900]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  6 12:20:24 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62525
Mar  6 12:20:24 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62525 in tests after SMTP handshake
Mar  6 12:20:24 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62525
Mar  6 12:20:24 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62604 to [78.47.47.89]:25
Mar  6 12:20:24 s3 postfix/dnsblog[13901]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  6 12:20:24 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62604: EHLO ylmf-pc\r\n
Mar  6 12:20:24 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62604
Mar  6 12:20:24 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62604 in tests after SMTP handshake
Mar  6 12:20:24 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62604
Mar  6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62618 to [78.47.47.89]:25
Mar  6 12:20:25 s3 postfix/dnsblog[13900]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62618: EHLO ylmf-pc\r\n
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62618
Mar  6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62618 in tests after SMTP handshake
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62618
Mar  6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62631 to [78.47.47.89]:25
Mar  6 12:20:25 s3 postfix/dnsblog[13900]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62631: EHLO ylmf-pc\r\n
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62631
Mar  6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62631 in tests after SMTP handshake
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62631
Mar  6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62642 to [78.47.47.89]:25
Mar  6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62642: EHLO ylmf-pc\r\n
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62642
Mar  6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62642 in tests after SMTP handshake
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62642
Mar  6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62649 to [78.47.47.89]:25
Mar  6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62649: EHLO ylmf-pc\r\n
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62649
Mar  6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62649 in tests after SMTP handshake
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62649
Mar  6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62665 to [78.47.47.89]:25
Mar  6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62665: EHLO ylmf-pc\r\n
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62665
Mar  6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62665 in tests after SMTP handshake
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62665
Mar  6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62680 to [78.47.47.89]:25
Mar  6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62680: EHLO ylmf-pc\r\n
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62680
Mar  6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62680 in tests after SMTP handshake
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62680
Mar  6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62692 to [78.47.47.89]:25
Mar  6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62692: EHLO ylmf-pc\r\n
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62692
Mar  6 12:20:26 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62692 in tests after SMTP handshake
Mar  6 12:20:26 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62692

Before my fail2ban had a chance to block the IP, the spammer had already
made quite a few retries. I'd like to slow that down a bit. No spammer
should get more than 3 attempts. ;-)

Regards
Jochen
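Added example, not part of the original post: a small parser for the postscreen lines above that counts PREGREET attempts per client IP and shows how many attempts a log-driven blocker such as fail2ban still lets through for a given reaction time. The sample input is a subset of the log quoted above (dnsblog lines omitted, since they carry no client port); the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first four connection cycles from the post above,
# reduced to the CONNECT / PREGREET / DISCONNECT lines (cycle 1 kept in full).
SAMPLE_LOG = r"""Mar  6 12:20:23 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62525 to [78.47.47.89]:25
Mar  6 12:20:23 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62525: EHLO ylmf-pc\r\n
Mar  6 12:20:24 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62525
Mar  6 12:20:24 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62525 in tests after SMTP handshake
Mar  6 12:20:24 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62525
Mar  6 12:20:24 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62604 to [78.47.47.89]:25
Mar  6 12:20:24 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62604: EHLO ylmf-pc\r\n
Mar  6 12:20:24 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62604
Mar  6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62618 to [78.47.47.89]:25
Mar  6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62618: EHLO ylmf-pc\r\n
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62618
Mar  6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62631 to [78.47.47.89]:25
Mar  6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62631: EHLO ylmf-pc\r\n
Mar  6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62631
"""

# The first bracketed address after the event keyword is always the client.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT|PREGREET|DNSBL|HANGUP|DISCONNECT)\b.*?"
    r"\[(?P<ip>[0-9.]+)\]:(?P<port>\d+)")

def parse_postscreen(text):
    """Return (timestamp, event, client_ip, client_port) tuples, oldest first."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog stamps carry no year; strptime defaults it, fine for deltas
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            out.append((ts, m["event"], m["ip"], int(m["port"])))
    return out

def pregreet_attempts(events):
    """Per client IP, the timestamps of every PREGREET (client talked before the
    banner). One PREGREET per TCP connection, so this counts delivery attempts."""
    attempts = defaultdict(list)
    for ts, event, ip, _port in events:
        if event == "PREGREET":
            attempts[ip].append(ts)
    return attempts

def over_limit(attempts, limit=3):
    """IPs with more than `limit` attempts, mapped to the time of attempt
    limit+1: a blocker must have fired before that moment to honour the limit."""
    return {ip: ts[limit] for ip, ts in attempts.items() if len(ts) > limit}

def attempts_before(attempts, ip, reaction_seconds):
    """Attempts a client gets if the blocker needs `reaction_seconds` after the
    first attempt to install its rule (e.g. a log poll interval)."""
    ts = attempts[ip]
    return sum(1 for t in ts if (t - ts[0]).total_seconds() < reaction_seconds)
```

With the post's timing (four attempts within two seconds), even a one-second reaction time leaves the client its first attempt only; a blocker that polls the log every few seconds sees all of them.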

Re: Postscreen as a "tarpit"

Patrick Ben Koetter-2
* J. Fahrner <[hidden email]>:
> Hello,
>
> Is it possible to configure postscreen so that, before disconnecting, it
> keeps the connection open for a while in order to keep the attacker busy
> for a bit?

No. That was explicitly not a design goal either.

If you want, you can hang a TCP service in front of it and let it dawdle.
And just before the timeout it says "Nope".

p@rick


--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht (district court) München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

Re: Postscreen as a "tarpit"

Robert Schetterer-2
On 06.03.2016 at 21:37, J. Fahrner wrote:
> Mar  6 12:20:23 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62525: EHLO ylmf-pc\r\n

I solved it differently:
https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/


Best Regards
Regards, Robert Schetterer

Re: Postscreen as a "tarpit"

J. Fahrner
On 07.03.2016 at 06:57, Robert Schetterer wrote:
> On 06.03.2016 at 21:37, J. Fahrner wrote:
>> Mar  6 12:20:23 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62525: EHLO ylmf-pc\r\n
> I solved it differently:
> https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
>

Interesting approach. I'll give it a try.

--
Best regards
Jochen Fahrner