How do you deal with abusers?--- For service providers

support123 Member
edited April 2013 in General

How do you deal with abusers?
Do you use any automated scripts?
Currently, I am doing it all manually on a case-by-case basis. Just looking into automated options, if available, especially for dealing with the spammers.


Comments

  • Hassan Member, Patron Provider

    @ftpit said: Currently, I am doing it all manually on a case-by-case basis. Just looking into automated options, if available, especially for dealing with the spammers.

    I'm also looking for automated options.

  • support123 Member
    edited April 2013

    Note--- Just terminated a dedi being used by a spammer from top 100s list of spamhaus

  • TheLinuxBug Member
    edited April 2013

    So I am not trying to be sarcastic, but hire someone to write some automated scripts for you. This is what most people who have automated processes in place have done. Either that or wrote them themselves. Most are not going to give away their code for free as I am sure they put a fair amount of time (read: money) into it themselves. I am sure some people will have a few open source items to suggest, but writing your own scripts helps you be sure what they are doing and learn to be a better admin.

    my 2 cents.

    Cheers!

  • support123 Member
    edited April 2013

    @TheLinuxBug Thanks for the suggestions :) I am not looking for free, if someone has a good script to sell.

  • Kris Member

    @ftpit said: How do you deal with abusers?

    iptables and a hammer.

  • @Kris This is what I'm doing currently. The slightest hint of abuse leads to the hammer :)

  • Kris Member

    http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:8.8.8.8#

    MXToolbox could also help, I'm sure there are services that could monitor the entire /24 and query them directly, but it would be easier parsing data out from a website.

    Just an example of one.

  • AnthonySmith Member, Patron Provider

    Basically exactly what @TheLinuxBug said + case by case basis.

    It is much easier with OpenVZ, as soon as you catch some abuse you study it and write an alerting loop script that lets you know when, who and what.

    Essentially a big capture script to generate sample data followed by a long 'while read do;' script

  • About to do it manually at http://www.senderbase.org/
    Maybe that's a time saver.

  • goexodus Member
    edited April 2013

    What kind of automated scripts can you run on a dedicated server? Except the router logs and external checking tools, what else can you do?

  • AnthonySmith Member, Patron Provider

    @goexodus said: how can a provider verify a dedicated server except the router logs

    yeah fair point, just make sure you subscribe to as many *BL's as possible.

  • support123 Member
    edited April 2013

    @AnthonySmith Your and @jarland's suggestions are always nice.

    Not talking about dedi here, just VPS nodes.

  • jar Patron Provider, Top Host, Veteran

    I'll give some good advice, when @Liam bans @Maounique :)

  • @jarland I just see, you have a good fight going there with him.

  • @jarland said: I'll give some good advice, when @Liam bans @Maounique :)

    That's childish :)

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @rds100 said: That's childish :)

    Didn't see you saying that to him for calling my friends and family rapists, so glad you had time to chime in on how my being upset is childish.

  • @rds100 Yes, but this is what LET/LEB is ;)

  • @jarland I apologize on his behalf, if this is any help. Still, I hope these kinds of person-to-person discussions are better held in a different place, like IRC.

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    *snipped

  • Maounique Host Rep, Veteran

    I am doing it manually from time to time.
    We also get reports from Spamhaus. At any given time, we have an average of 1 IP blacklisted. This diminished over time while the number of allocated IPs grew.
    In the beginning it is hard, spammers flock hoping you do not know how to deal with it or you too desperately need the money.
    Once they know they are terminated the next day, they look for other targets.

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @ftpit said: Do you use any automated scripts?

    My automation is lacking. For the first bit it was because I saw my administration technique as adaptive and considerate of context, which I think is very important. How I react is very dependent on what it is and the pattern that it follows. What I am noticing though is that there are repeat events that I can absolutely plan a strict logic for and then create for myself more time to deal with the situations that need to be approached based on context.

    So I think the key is first learning how you want to deal with it and then deciding what parts you can cut from manual action. It's been working for me and the things people say about how our servers run leads me to believe that I've chosen a good path. The single most important thing is proper monitoring and alerts. You need to monitor CPU, disk I/O, bandwidth, PPS, and fail counts. I may be forgetting another key element, mind went blank after that. You'll have to decide for yourself what thresholds you think you need to be notified for.

    All that of course completely ignores the issue of spam. I rate limit all e-mail ports and log everything over it, and that hits my logwatch in the evening. If I see a ton of dropped packets over port 25, I've got a target to be watching blacklists for. This is an area I could do better in.

  • @jarland Looks like an idea at last for spammers. So it comes when you get cooled down!!

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @ftpit said: Looks like an idea at last for spammers

    Open to suggestions on doing this better by the way. Source and destination IPs help. Makes a lot of rules though. This is something I haven't spent the time on that I should.

    /sbin/iptables -A FORWARD -p tcp --dport 25 -m limit --limit 50/minute -m state --state NEW -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j LOG
    /sbin/iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j DROP
    /sbin/iptables -A FORWARD -p tcp --dport 2525 -m limit --limit 50/minute -m state --state NEW -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp --dport 2525 -m state --state NEW -j LOG
    /sbin/iptables -A FORWARD -p tcp --dport 2525 -m state --state NEW -j DROP
    /sbin/iptables -A FORWARD -p tcp --dport 587 -m limit --limit 50/minute -m state --state NEW -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp --dport 587 -m state --state NEW -j LOG
    /sbin/iptables -A FORWARD -p tcp --dport 587 -m state --state NEW -j DROP
    /sbin/iptables -A FORWARD -p tcp --dport 465 -m limit --limit 50/minute -m state --state NEW -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp --dport 465 -m state --state NEW -j LOG
    /sbin/iptables -A FORWARD -p tcp --dport 465 -m state --state NEW -j DROP
    /sbin/iptables -A FORWARD -p tcp --dport 2526 -m limit --limit 50/minute -m state --state NEW -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp --dport 2526 -m state --state NEW -j LOG
    /sbin/iptables -A FORWARD -p tcp --dport 2526 -m state --state NEW -j DROP
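    As an added example, not from jarland or anyone else in the thread, here is the log-side half of the approach above: a Python script that parses the kernel log lines the LOG rules emit for connections that exceeded the `-m limit` budget and aggregates them per source address and destination port, so a container spraying SMTP at many different hosts stands out from an ordinary busy mail server. The log lines are constructed (fields abbreviated, addresses made up); note that `-m limit` counts all matching packets together rather than per source, so the per-source view has to come from the logs (or from the `hashlimit` match).

```python
import re
from collections import defaultdict

# Constructed sample of what the iptables LOG rules write to the kernel log for
# connections that exceeded the -m limit budget (fields abbreviated; addresses
# and hostnames are made up). The last line is unrelated noise to be skipped.
SAMPLE_LOG = """\
Apr 12 03:14:05 node1 kernel: IN=venet0 OUT=eth0 SRC=10.0.3.7 DST=203.0.113.25 PROTO=TCP SPT=44321 DPT=25 SYN
Apr 12 03:14:05 node1 kernel: IN=venet0 OUT=eth0 SRC=10.0.3.7 DST=203.0.113.26 PROTO=TCP SPT=44322 DPT=25 SYN
Apr 12 03:14:06 node1 kernel: IN=venet0 OUT=eth0 SRC=10.0.3.7 DST=198.51.100.9 PROTO=TCP SPT=44323 DPT=25 SYN
Apr 12 03:14:06 node1 kernel: IN=venet0 OUT=eth0 SRC=10.0.3.7 DST=198.51.100.10 PROTO=TCP SPT=44324 DPT=25 SYN
Apr 12 03:14:07 node1 kernel: IN=venet0 OUT=eth0 SRC=10.0.3.12 DST=203.0.113.40 PROTO=TCP SPT=51000 DPT=587 SYN
Apr 12 03:14:08 node1 kernel: IN=venet0 OUT=eth0 SRC=10.0.3.7 DST=192.0.2.77 PROTO=TCP SPT=44325 DPT=25 SYN
Apr 12 03:14:09 node1 sshd[2211]: Accepted publickey for root from 192.0.2.5 port 50022
"""

# The mail ports the rules in the post rate limit and log.
MAIL_PORTS = {25, 2525, 587, 465, 2526}

# Pull source, destination and destination port out of a LOG-target line.
LOG_RE = re.compile(r"kernel:.*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?\bPROTO=TCP .*?\bDPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return {'src','dst','dpt'} for an iptables LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"), "dpt": int(m.group("dpt"))}


def summarise(lines, ports=MAIL_PORTS):
    """Per (source IP, port): number of over-limit attempts and distinct destinations hit."""
    attempts = defaultdict(int)
    dests = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dpt"] not in ports:
            continue
        key = (ev["src"], ev["dpt"])
        attempts[key] += 1
        dests[key].add(ev["dst"])
    return {k: (attempts[k], len(dests[k])) for k in attempts}


def suspects(summary, min_attempts=5, min_dests=3):
    """Sources worth checking against the blacklists: many over-limit SMTP attempts
    spread across many destination hosts (a single busy relay hits few destinations)."""
    return sorted(src for (src, _), (n, d) in summary.items() if n >= min_attempts and d >= min_dests)


if __name__ == "__main__":
    print("check these on the blacklists:", suspects(summarise(SAMPLE_LOG.splitlines())))
```

    On a real node you would feed it `journalctl -k` or `/var/log/kern.log` instead of the constructed sample; the thresholds are starting points to tune against your own customers' normal mail volume.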
  • @jarland said: /sbin/iptables -A FORWARD -p tcp --dport 2525 -m limit --limit 50/minute -m state --state NEW -j ACCEPT

    /sbin/iptables -A FORWARD -p tcp --dport 2525 -m state --state NEW -j LOG
    /sbin/iptables -A FORWARD -p tcp --dport 2525 -m state --state NEW -j DROP
    /sbin/iptables -A FORWARD -p tcp --dport 587 -m limit --limit 50/minute -m state --state NEW -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp --dport 587 -m state --state NEW -j LOG
    /sbin/iptables -A FORWARD -p tcp --dport 587 -m state --state NEW -j DROP
    /sbin/iptables -A FORWARD -p tcp --dport 465 -m limit --limit 50/minute -m state --state NEW -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp --dport 465 -m state --state NEW -j LOG
    /sbin/iptables -A FORWARD -p tcp --dport 465 -m state --state NEW -j DROP
    /sbin/iptables -A FORWARD -p tcp --dport 2526 -m limit --limit 50/minute -m state --state NEW -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp --dport 2526 -m state --state NEW -j LOG
    /sbin/iptables -A FORWARD -p tcp --dport 2526 -m state --state NEW -j DROP

    Honestly, I rarely see a spammer on any of these ports. It's nearly exclusively 25.

    Although I am wondering if setting a speed limit of like 5 kbit/s on port 25 would do a good deal of work against spam.

  • Spammers look like the hardest to beat until you get notifications externally.

  • Kris Member

    I used to work at a large data center with lax checking at sign up which resulted in a lot of spam being blasted out from shared servers.

    Eventually got to the point where we routed all exim outbound to a set of 'mail handlers' which scanned the message and dropped it if it matched spam based on a blend of Bayesian and SpamAssassin rules.

    Not exactly viable for every client, but if you have a managed setup, route their outbound mail through your machines, rate limit and drop as you'd like.

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @Rallias said: It's nearly exclusively 25.

    Truthfully same here. I've really slacked on nailing this whole area down.

    Which, to any reader, doesn't mean I won't catch spam ;)

  • Maounique Host Rep, Veteran
    edited April 2013

    Prometeus also used to do rate limiting on port 25; however, it ended up hurting forums and other legit users.
    In the meantime the problem eased too, so we no longer limit anything, but watch the lists regularly and spamhaus helps too.
    We caught port scanners and other scams with their help and from abuse complaints.
    I wish there was a really good honeypot there to check. Even (sanely) paid ones would do.

  • Spamhaus will notify you when it is time :P

  • @qhoster It gets hard after that if you rent the IPs
