Blocking spam relaying.

How to _stop_ "POST 195.***.76.123:25 HTTP/1.0" requests?

reseaum

3:18 pm on Feb 13, 2004 (gmt 0)

Use of Apache webservers as proxy relays for spam was much discussed in mid-/late 2003 (see for example [webmasterworld.com...]).

The advice there (limiting methods to POST and GET, and setting Apache not to proxy) stops _my_ servers from being spam _sources_.
That is, "POST 111.222.333.111:25" and "POST 111.222.333.112:25" (both my servers) fail, but I am less sure that requests to third parties are failing:

Whether "POST 111.222.334.111:25" (requested to one of my servers) succeeds seems to depend on the configuration of the 334.111 server over which I have no control.

Arguably it's not my fault, but I don't like the idea of being a relay for this sort of junk.

I'm pretty much a newbie, but can find nothing on the Web about this, nor have my readings of mod_rewrite, iptables, etc. shown any possible routes ...

Can anyone help?

[IP addresses purely fictitious!]

Thanks

reseaum

4:54 pm on Feb 13, 2004 (gmt 0)

O.K., my Google search did not show a thread started earlier today ... sorry:
In [webmasterworld.com...]
Blue_Wizard cites the suggestion:

# %{REQUEST_URL} is not a mod_rewrite variable; the request path is %{REQUEST_URI}.
# Forbid (403) any request whose target ends in ":25" (optionally followed by "/").
RewriteCond %{REQUEST_URI} \:25(/)?$
RewriteRule .* - [F]

which would seem to answer the point.

(jdMorgan gives a longer suggestion on the same thread.)

Before doing it (editing the Apache config file) I'd appreciate details of any field experiences ....

jdMorgan

8:25 pm on Feb 13, 2004 (gmt 0)

reseaum,

Welcome to WebmasterWorld [webmasterworld.com]!

> Before doing it (editing the Apache config file) I'd appreciate details of any field experiences ....

The code I posted was taken off a working server -- one of several successfully using that code. However, I would certainly not recommend that you use it (or any other solution given here) if you have any doubts about how it works.

Jim

wkitty42

9:13 pm on Feb 13, 2004 (gmt 0)

FWIW: it was I who suggested keying on the :25 in the URI... Of course, doing it this way only prevents those trying to get to port 25 on the remote server; you'd have to add in any additional ports that may be being abused, too...

jdMorgan, I was looking for you to come by there (hopefully)... then I lost track of the thread... Guess it's a good thing that I suggested it also be brought into this forum ;)

Blue_Wizard

11:16 pm on Feb 13, 2004 (gmt 0)

Wkitty thanks for redirecting me to this section of the forum.

JD's code works.
Of course, the log file is now lit up like a Christmas tree with 403s.

But it stopped cold the problem and still allows the wanted visitors to get through without any glitches.

Afterthought question:
Is a custom 403 page a bad idea?
I had one for a while but went back to just the generic 403 because one of the IPs I had trouble with thought it would be fun to auto-reload the 403 page for 5 hours one night.

jdMorgan

12:50 am on Feb 14, 2004 (gmt 0)

> one of the IPs I had trouble with thought it would be fun to auto-reload the 403 page for 5 hours one night.

The most likely cause of this problem is that you did not make allowances to permit banned visitors to access your custom 403 page. Thus, when they went to fetch the 403 page, they got another 403, so tried to fetch the 403 page, got another 403, etc. I posted a warning note about just this problem in another thread today.

Jim
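The rule set below is an added example, not code from any of the posts above, putting together two points made in this thread: wkitty42's note that keying on ":25" alone misses other abused ports, and jdMorgan's warning that a custom 403 page must itself remain reachable by blocked clients. It assumes server or virtual-host context (httpd.conf), a custom error page at /errors/403.html, a site name of www.example.com, and a site that only needs GET, POST and HEAD; all four are assumptions to adapt. It matches the raw request line (%{THE_REQUEST}) rather than %{REQUEST_URI}, so the match does not depend on how Apache parses a host:port request-target.

```apache
# Added example (not from the original thread). Assumes httpd.conf /
# <VirtualHost> context, a custom error page at /errors/403.html,
# a site name of www.example.com, and a site needing only GET/POST/HEAD.

# Never act as a forward proxy (the advice from the 2003 threads).
ProxyRequests Off

RewriteEngine On

# 1. The custom 403 page must be fetchable even by a blocked client.
#    %{THE_REQUEST} still holds the ORIGINAL request line during the
#    ErrorDocument internal redirect, so without this exemption rule 2
#    below fires again for the error page and the client sees 403 on 403.
RewriteRule ^/errors/403\.html$ - [L]

# 2. Relay attempts carry a host:port request-target instead of a path,
#    e.g. "POST 195.0.2.1:25 HTTP/1.0" or "CONNECT mail.example.net:25 HTTP/1.1".
#    Any numeric port is matched (25, 465, 587, 1080, ...), not only :25.
RewriteCond %{THE_REQUEST} ^[A-Z]+\ [^/\ ]+:[0-9]+(/[^\ ]*)?\ HTTP/ [NC]
RewriteRule .* - [F]

# 3. Absolute-form targets ("GET http://other.host/ HTTP/1.0") are also
#    proxy requests; refuse them unless they name this site, which
#    HTTP/1.1 clients are entitled to do.
RewriteCond %{THE_REQUEST} ^[A-Z]+\ https?://([^/\ ]+) [NC]
RewriteCond %1 !^www\.example\.com(:[0-9]+)?$ [NC]
RewriteRule .* - [F]

# 4. Allow-list methods; anything else (CONNECT, PROPFIND, ...) is refused.
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]

ErrorDocument 403 /errors/403.html
```

Rule 1 must come first: [F] rules are evaluated in order and the exemption has to short-circuit them. If the rules are placed in a <Directory> block or .htaccess instead of server context, the per-directory prefix is stripped before matching, so the exemption pattern becomes errors/403\.html$ without the leading slash. Test with a hand-typed request (for example via telnet or nc) such as "POST 192.0.2.1:25 HTTP/1.0" and confirm a single 403 whose body is the custom page, not the default "Additionally, a 403 Forbidden error was encountered" fallback.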

reseaum

5:34 pm on Feb 16, 2004 (gmt 0)

Thanks to everyone.
I'll skip being lazy and go for the fuller jdMorgan code ;-)> (Though that will require a little bit of study ...!)
(Would rather have a catch-as-many-as-possible approach -- if not, then just blocking numeric (IP address) requests would solve the _present_ problem: if the cause is some generic software* (it seems to be) then a lot of folks are just scanning every IP number one by one.)

(*Still deluged with [*...] requests -- who writes these 'exploits'?)

Thanks again, reseaum