SpamBlock

Detect and block spammers on the FreeBSD- or Linux-based router.
Uses tcpdump for detection and firewall for blocking (pf, ipfw, iptables chain or ipset).

Written by ilya.evseev@gmail.com at Jun 2009, Apr 2010.

Announces/discussions: Opennet.ru, NAG.ru.

Download

Requirements

perl modules: Config::General, Time::Local
tcpdump
ipfw2, pf, iptables or iptables+ipset

How it works?

Spamblock counts attempts to establish connection on port 25/tcp via tcpdump.

When somebody exceeds allowed count of attempts per time,
he is added to firewall table that should be used like so (see below):

ipfw add 100 deny tcp from table(25) to any in

Additionaly, email notification is sent.

Configuration

By default, configuration file is located in the same folder as binary,
with the same name and ".conf" prefix, i.e.: $config = "$0.conf".

Optionally, configuration filepath can be explicitly passed to spamblock via command line.

Allowed directives

Name Value Description

IFACE Required! where to watch packets via tcpdump

FIREWALL_TYPE pf, ipfw, iptables, ipset or auto (default is "auto") see below

POLICY Required! list of "ticks seconds ..." pairs, see below

BLOCK_TTL 3600 (one hour) seconds to skip watching for blocked IP

BLOCKS_FILE /var/log/spamblock_blocklist.txt filepath to export list of blocked IP's

STATS_FILE /var/log/spamblock_fullstats.txt filepath to export full information

EMAIL mail notifications to given address

Name	Value	Description
IFACE	Required!	where to watch packets via tcpdump
FIREWALL_TYPE	pf, ipfw, iptables, ipset or auto (default is "auto")	see below
POLICY	Required!	list of "ticks seconds ..." pairs, see below
BLOCK_TTL	3600 (one hour)	seconds to skip watching for blocked IP
BLOCKS_FILE	/var/log/spamblock_blocklist.txt	filepath to export list of blocked IP's
STATS_FILE	/var/log/spamblock_fullstats.txt	filepath to export full information
EMAIL		mail notifications to given address

Policies

Consider following policy:

POLICY="5 1 10 3 15 6 20 10 60 60 300 600 1000 3000"

That means:

Block IP when more than 5 attempts in one seconds
...or more than 10 attempts in 3 seconds
...or more than 15 attempts in 6 seconds
...or more than 20 in 10s
...or more than 60 in 60s
...or more than 300 in 600s
...or more than 1000 in 3000s

Recommended rules for policy pairs:

attempts(n) > attempts(n-1)
seconds(n) > seconds(n-1)
attempts(n)/seconds(n) < attempts(n-1)/seconds(n-1)

Configure firewalls

Firewall	Spamblock options	Firewall rules
ipfw	FIREWALL_TYPE=ipfw IPFW_TABLE=25	deny tcp from table(25) to any 25 in
pf	FIREWALL_TYPE=pf PF_TABLE=spammers2	table <spammers2> persist file "/etc/spammers" block on em0 proto tcp from <spammers2> to any port 25
iptables	FIREWALL_TYPE=iptables IPTABLES_CHAIN=spammers3	iptables -N spammers3 iptables -A spammers3 -j RETURN iptables -A FORWARD -p tcp --dport 25 -j spammers3
ipset	FIREWALL_TYPE=ipset IPSET_NAME=spammers4	ipset -N spammers4 iphash --probes 2 --resize 100 iptables -A FORWARD -p tcp --dport 25 -m set --match-set spammers4 src -j DROP

Execution

Add following line to your rc.local:

/path/to/spamblock >> /var/log/spamblock.log 2>&1 &