  1. #1

    Block emails from an IP

    I know how to block single emails from the server, but I'm not sure how to block all emails from an IP. I have one server that is getting a ton of emails in the mail queue from a ton of different addresses, but all seem to have the same IP. Please let me know the command I need to use, or if there is a better method, let me know.

    Thanks
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  2. #2
    Join Date
    Jul 2004
    Location
    Vladivostok, Russia
    Posts
    211
    Do you have some kind of firewall on your server?
    http://bandwidth-control.net
    Farpost Inc.
    IT outsourcing by certified professionals.

  3. #3
    Join Date
    Jul 2004
    Location
    U.A.E >> Dubai
    Posts
    218
    Hello

    Use the following iptables rule :

    iptables -A INPUT --source spammer-address.com -j DROP

    Write the domain name and it will resolve the IP automatically. Also add the above rule to:

    /etc/rc.d/rc.local file

    Regards,
    SecurityWay.Net Managed Solutions
    Linux Security,Domain Registration Service,eNom Reseller Account from an ETP.
    http://domains.securityway.net/
    Believe an expert, believe on who has had experience.

  4. #4
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,913
    Or just use the IP address to begin with, since you already have it...

    Also, if you are running a firewall like apf, or shorewall, or something similar, you might want to add it to their ruleset instead of the rc.local.

    APF is easy: apf -d <ip address>
    Dan Sheppard ~ Freelance whatever

  5. #5
    I use http://www.modsecurity.org/ does anyone know what I need to do to block an IP using that?
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  6. #6
    Join Date
    Oct 2001
    Posts
    1,315
    To drop only their incoming e-mail traffic:

    /sbin/iptables -I INPUT -s IP ADDRESS -p TCP --dport 25 -j DROP
    Avi Brender
    Reliable Web Hosting by Elite Hosts, Inc
    CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec

  7. #7
    I just tried that MaB, I will check tomorrow and see if it worked. Thanks everyone for the help so far!
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  8. #8
    Now when whmap tries to send emails I get this error:

    exim failed @ Sat Jul 16 23:39:07 2005. A restart was attempted automagicly.

    How do I reverse the command: /sbin/iptables -I INPUT -s IP ADDRESS -p TCP --dport 25 -j DROP

    Change the DROP to ADD?
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  9. #9
    Join Date
    Oct 2001
    Posts
    1,315
    What IP address did you block??
    Avi Brender
    Reliable Web Hosting by Elite Hosts, Inc
    CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec

  10. #10
    Join Date
    Jul 2004
    Location
    U.A.E >> Dubai
    Posts
    218
    ACCEPT Instead of DROP .
    SecurityWay.Net Managed Solutions
    Linux Security,Domain Registration Service,eNom Reseller Account from an ETP.
    http://domains.securityway.net/
    Believe an expert, believe on who has had experience.

  11. #11
    Ok here is what happens when I use: /sbin/iptables -I INPUT -s IP ADDRESS -p TCP --dport 25 -j DROP

    All the problem emails stop. I can send and receive emails fine, but when whmap tried to send welcome emails for new signups exim failed. I re-added the IP to the server and now whmap can send emails again.

    I'm not sure why that would be; the IP I blocked was nothing close to what my server uses and it did stop the spammer.
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  12. #12
    Join Date
    Oct 2001
    Posts
    1,315
    Was the IP address 127.X.X.X?
    Avi Brender
    Reliable Web Hosting by Elite Hosts, Inc
    CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec

  13. #13
    Yeah, it was 127.x.x.x
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  14. #14
    Join Date
    Oct 2001
    Posts
    1,315
    I was afraid that you were going to say that... I truly was.

    127.X.X.X is linked to a loop-back device, any IP address starting 127. is an alias for your local system (if you ssh, ftp, telnet etc to any port on 127.0.0.1 from your server, it will connect to your server).

    The reason you are seeing 127.X.X.X as the source of the email is because it's originating from your server... by blocking 127.X.X.X you are blocking access to your server.

    I don't want to sound cruel, but you can't just start a web hosting company by buying a server... I feel bad for your current or future customers.... knowing that 127.X.X.X is a local IP is something that any system administrator will know... I suggest that you hire someone to help you out.
    Avi Brender
    Reliable Web Hosting by Elite Hosts, Inc
    CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec

  15. #15
    All my servers are managed by fsm, but I like to do a lot of things myself. I installed apf and bfd and was able to resolve the IP of the email domains and now the emails have stopped. Thanks everyone.
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  16. #16
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    Originally posted by SmartActive
    ACCEPT Instead of DROP .
    That is not the recommended way, as the chain entry for the DROP will still be there.
    Replace the -I INPUT with -D INPUT and keep the rest of the command the same; that should remove the block.

    Here is an example of why I mentioned not to use ACCEPT to lift the block: you are just inserting a new rule at the beginning of the rule chain, not actually REMOVING the block.
    Code:
    [[email protected] ~]# iptables -I INPUT -s 192.168.0.1 -j DROP
    # iptables -L -n|grep 192.168.0.1
    DROP       all  --  192.168.0.1          0.0.0.0/0
    [[email protected] ~]# iptables -I INPUT -s 192.168.0.1 -j ACCEPT
    [[email protected] ~]# iptables -L -n|grep 192.168.0.1
    ACCEPT     all  --  192.168.0.1          0.0.0.0/0
    DROP       all  --  192.168.0.1          0.0.0.0/0
    See below to remove the rule in the chain:
    Code:
    [[email protected] ~]# iptables -D INPUT -s 192.168.0.1 -j ACCEPT
    [[email protected] ~]# iptables -L -n|grep 192.168.0.1
    DROP       all  --  192.168.0.1          0.0.0.0/0
    [[email protected] ~]# iptables -D INPUT -s 192.168.0.1 -j DROP
    [[email protected] ~]# iptables -L -n|grep 192.168.0.1
    [[email protected] ~]#
    Giam Teck Choon
    :: Join choon.net Community today to share your tips and tricks on server issues please ::
    :: Singapore Dedicated Servers :: Singapore Virtual Private Servers :: Linux/FreeBSD Server Management ::
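    An added example, not code posted by anyone in this thread, that wraps the port-25 rule from post #6 with the two safeguards the thread arrives at: it refuses loopback addresses (the 127.x.x.x mistake from post #11) and lifts a block with -D rather than stacking an ACCEPT in front of it (post #16). It assumes IPv4, the INPUT chain, and a hypothetical IPTABLES variable so the rule can be generated without root.

```shell
#!/bin/sh
# Added example: guarded insert/delete of an SMTP source block.
# IPTABLES is a hypothetical override (defaults to the path used in post #6).
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Return 0 if $1 is a dotted-quad IPv4 address that is safe to block.
is_blockable_ip() {
    ip="$1"
    # Must be exactly four decimal octets, each 0-255
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    case "$ip" in
        127.*) return 1 ;;   # loopback: blocking it breaks local mail (exim, whmap)
        0.*)   return 1 ;;   # unspecified / "this network", never a remote sender
    esac
    return 0
}

# Print the rule for action $1 (I = insert block, D = delete block) on source $2.
smtp_block_rule() {
    action="$1"; ip="$2"
    is_blockable_ip "$ip" || { echo "refusing to touch $ip" >&2; return 1; }
    case "$action" in
        I|D) ;;
        *) echo "action must be I or D" >&2; return 1 ;;
    esac
    echo "$IPTABLES -$action INPUT -s $ip -p tcp --dport 25 -j DROP"
}

# Apply the generated rule. Removing uses -D with the identical match and
# target, so the DROP entry is deleted instead of shadowed by an ACCEPT.
block_smtp_source()   { rule=$(smtp_block_rule I "$1") || return 1; $rule; }
unblock_smtp_source() { rule=$(smtp_block_rule D "$1") || return 1; $rule; }

# Usage (as root): block_smtp_source 203.0.113.5 ; unblock_smtp_source 203.0.113.5
```

    Like the raw rule in post #6, this only lives until the next reboot unless it is also saved to the firewall's persistent config.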

  17. #17
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    The iptables mess above is why one uses apf

    to remove the block, delete the IP from config files in /etc/apf
    then run apf -r
    ... all done!

  18. #18
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    Originally posted by brianoz
    The iptables mess above is why one uses apf

    to remove the block, delete the IP from config files in /etc/apf
    then run apf -r
    ... all done!
    What mess are you talking about? You are talking about my post -> mess? All can be read in man iptables... ... and FYI... not all will want to install apf anyway... ...
    Giam Teck Choon
    :: Join choon.net Community today to share your tips and tricks on server issues please ::
    :: Singapore Dedicated Servers :: Singapore Virtual Private Servers :: Linux/FreeBSD Server Management ::

  19. #19
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Choon,

    Sorry for the implication, that post was made late at night.

    Your post was detailed and perfectly accurate as far as I can tell and I wasn't having a dig at you, the jibe was aimed at raw iptables use.

    It's just that apf is so much simpler for that stuff, that's the point I was making; and sure, I do understand that some people won't want to install apf.

    Cheers and all the best, and apologies!
