Honeypots mailing list archives

Re: Honeypots


From: "Michael" <michael () insulin-pumpers org>
Date: Tue, 20 Jan 2004 11:38:29 -0800

----- Original Message ----- 
From: "Michael" <michael () insulin-pumpers org>
To: "Ian Baker" <ibaker () codecutters org>
Cc: <honeypots () securityfocus com>
Sent: Tuesday, January 20, 2004 6:54 PM
Subject: Re: Honeypots


Michael,
    Very interesting idea - apparently a wholly legal passive
    "attack".

One thing that I would question (simply because I couldn't find the
documentation) is how the blocking-list is determined - there are
several ways. There are mentions of WHOIS and DNS lookup (MX?) - I'd
be interested to know more..

There are several methods. There is a common configuration file for
Net::DNSBL::MultiDnsbl and the SpamCannibal cron script
sc_BLcheck.pl, which checks incoming IPs that are stored by the
dbtarpit daemon. 'multidnsbl' is used in place of RBL checks in the
MTA.

The action for the MTA is usually configured to bounce the messages
tagged by 'multidnsbl'. The action of sc_BLcheck.pl is to place the
suspect IP address into the dbtarpit 'tarpit' database. (sc_BLpreen
removes it if a subsequent check detects a correction).

Criteria:
presets: always fail by IP, CIDR, Country
conditional: allowed DNSBL reply, in-addr.arpa failure

All of this is in the sample configuration file in the distribution
sc_Blacklist.conf.sample

In addition to these automated tarpit actions, spam that gets through
to the master user as either a bounce return with attached message or
direct spam can be emailed to a "spam" user for auto addition to the
tarpit database. These manual additions are permanent until removed
by the administrator. Admin tools allow addition of CIDR blocks from
2 to 256 as well as general database tweaking.

(Hope no-one minds the bottom-posting - it's just easier for me to
follow the conversation..)

OK, so it's configured to either use an individual IP or to perform
a WHOIS and attempt to parse the CIDR?

hmmm..... I guess I wasn't clear. WHOIS is not used at all.

CIDRs, if used, are inserted by the admin into the config file. You
put it in, it's blocked -- all of it. I don't use it, but some people
like to block all traffic from a certain netblock.
i.e.

  'BLOCK'      => [
#           # a single address
       '11.22.33.44',
#           # a range of ip's, ONLY VALID WITHIN THE SAME CLASS 'C'
       '22.33.44.55 - 22.33.44.65',
#           # a CIDR range
       '5.6.7.16/28',
#           # a range specified with a netmask
       '7.8.9.128/255.255.255.240',
  ],

You could block all of China and Korea by specifying 
(block by country)

  'BBC' => [qw(
       CN
       KR
  )],

If it's the latter, do you whitelist the associated Mail eXchanger?

You can whitelist in the config file in the same manner as 
  BLOCK => [ ], above

To take an example, say you have A.N.Other Cable Company with the
usual load of spamming-Trojans (spamjans? ;o) and blacklist the
block - at this point, you've also potentially taken-out their
legitimate server.

The automated additions using DNSBL's are already vetted if you use 
the reliable providers -- the config file is pre-loaded with some of 
these.


OK, so in general they'll be using a different block for the server,
but that's not /always/ the case. Is there a configuration mechanism
to get around that potential problem?

Only applicable for additions using the local spam-mail-bot. Care 
must be used by the admin sending these to the spam-mail-bot. I do it 
daily, and it's pretty easy. There are only a few messages, even from 
overseas, where it's not obvious that it's a hijacked dsl host or 
something like that.

Last question - what are you using for country resolution? WHOIS
(buffered or otherwise) or something like GeoIP? The reason I ask is
that ARIN and APNIC (in particular) have fairly vicious throttling
on real-time requests..

GeoIP::PurePerl. The database is available for download and is 
updated weekly.

I reset the statistics counters last night on the two sites that run
spamcannibal. The upper stats are from SpamCannibal's sc_BLcheck.pl
script, the lower from multi_dnsbl -- there are no stats collected
from the manual block or bbc entries.

http://www.spamcannibal.org/dnsbl_stats.shtml

Below is the sample config file

#!/usr/bin/perl

# multi_dnsbl.conf
# Configuration for sc_BLcheck.pl, sc_BLpreen.pl, and
# Net::DNSBL::MultiDaemon
#
# version 1.10, 1-19-04
#
my $DNSBL = {

## Net::DNSBL::MultiDaemon parameters

# the OPTIONAL name of a file that will contain 'hit' statistics for
# DNSBLS this file will be used to seed the sort order of DNSBL
# checking if it is present and will be updated with the 'added'
# counts of each run. If it is deleted, it will be recreated with a
# new time tag at the beginning.
#
  MDstatfile      => '/usr/local/spamcannibal/mdstats.txt',

# The path for the directory where the pid file will live
#
  MDpidpath       => '/var/run',

# The zone name for this PSEUDO DNSBL
#
  MDzone          => 'pseudo.dnsbl',

###### The following optional configuration parameters
###### are shown with their default values
#
# Update frequency for the "stats" file, no
# update occurs if there is no new information
#
#  MDstatrefresh => 300,        # seconds
# The IPaddress that the daemon will listen on.
# The default will listen on ALL interfaces,   
# this is probably not what you want. A more   
# suitable value for co-installation with bind 
# on the same host would be 127.0.0.1
#
  MDipaddr        => '127.0.0.1',

# The port that the daemon will listen on
#
#  MDport         => 9953,

# Syslog facility. Specify one of:
# LOG_EMERG LOG_ALERT LOG_CRIT LOG_ERR LOG_WARNING LOG_NOTICE LOG_INFO
# LOG_DEBUG
#
  MDsyslog        => 'LOG_ERR',


## SpamCannibal parms follow:

# the OPTIONAL name of a file that will contain 'hit' statistics for
# DNSBLS this file will be used to seed the sort order of DNSBL
# checking if it is present and will be updated with the 'added'
# counts of each run. If it is deleted, it will be recreated with a
# new time tag at the beginning.
#
  'STATS'       =>      '/usr/local/spamcannibal/blcheck_stats.txt',

# A multi-formatted array of IP addresses that will never be tarpitted.
#
# WARNING: if you are using a private network, then you should include
# the address description for the net/subnets that you are using or
# you might find your DMZ or internal mail servers blocked since many
# DNSBLS list the private network addresses as BLACKLISTED
#
#       127./8, 10./8, 172.16/12, 192.168/16
#
#       class A         xxx.0.0.0/8             255.0.0.0
#       class B         xxx.xxx.0.0/16          255.255.0.0
#       class C         xxx.xxx.xxx.0/24        255.255.255.0
#       128 subnet      xxx.xxx.xxx.xxx/25      255.255.255.128
#        64 subnet      xxx.xxx.xxx.xxx/26      255.255.255.192
#        32 subnet      xxx.xxx.xxx.xxx/27      255.255.255.224
#        16 subnet      xxx.xxx.xxx.xxx/28      255.255.255.240
#         8 subnet      xxx.xxx.xxx.xxx/29      255.255.255.248
#         4 subnet      xxx.xxx.xxx.xxx/30      255.255.255.252
#         2 subnet      xxx.xxx.xxx.xxx/31      255.255.255.254
#       single address  xxx.xxx.xxx.xxx/32      255.255.255.255
#
  'IGNORE'      => [
#           # a single address
#       '11.22.33.44',
#           # a range of ip's, ONLY VALID WITHIN THE SAME CLASS 'C'
#       '22.33.44.55 - 22.33.44.65',
#           # a CIDR range
#       '5.6.7.16/28',
#           # a range specified with a netmask
#       '7.8.9.128/255.255.255.240',
# 
#           # you may want these
#       '10.0.0.0/8',
#       '172.16.0.0/12',
#       '192.168.0.0/16',

            # this should ALWAYS be here
        '127.0.0.0/8',  # ignore all test entries and localhost
  ],

# A multi-formatted array of addresses that will ALWAYS be tarpitted
# formats are the same as above
#
#  'BLOCK'      => [
#],

# A list of COUNTRIES to block entirely
# BBC == Block By Country
#
# To print a complete list of countries and country codes,
# use the utility script 'list_countries.pl' in the
# Net::DNSBL::MultiDaemon distribution
#
# Use the 2 letter country codes in the array below
# 
# i.e. US MX CN TW etc...
#
#  'BBC' => [qw(
#       CN
#)],

# Text to append to BLOCK and BBC T_TXT record
# see "errors" below for syntax
#
  'REJECT'      => 'see: http://www.myhostname.com/',

# FOR A COMPREHENSIVE LIST OF ALL DNSBL ZONES, SEE:
#       http://www.openrbl.org
# click "zones"
#
# all dnsbl servers must have a config entry as follows:
#
# 'zone.name'   => {
#       accept      => {        # a list of codes that are ok to add
#                               # to tarpit from this DNSBL
#               '127.0.0.2' => 'reason',
#               '127.0.0.3' => 'reason',
#       },
#
#  WARNING !!! DO NOT USE THIS OPTION WITH DNSBL HOSTS THAT REPORT
#  TARPIT ACTIVITY
#
#       confirm     => 1,       # optional, confirmation of acceptance
#                               # of non-127.0.0.2 codes
#
#       response    => '127.0.0.3',     # optional, our default response
#                               # code for records added because of
#                               # queries to this DNSBL server. This
#                               # code will be ignored if it is
#                               # < 127.0.0.3 and 127.0.0.3 will be
#                               # used in its place
#
#  error message to use with this host.
#  NOTE: if the DNSBL supplies a TXT record and it contains the string
#  "http://something..." or "www.something..." then that will be used
#  for the error string for the matching A record. Otherwise, the
#  error string below will be appended to whatever TXT is returned
#  by the DNSBL. If no TXT is returned, then the "reason" code from
#  the "accept" line for the matching 127.0.0.X code will be used and
#  the error code below will be appended.
#
#  If the error string ending matches /\?.+=$/ or /\?$/
#  then the offending IP address will be automagically added
#
#       error       => 'IP address blocked, see http://www.somehost.com?ip=',
#
#       expire      => '7d',    # optional default expiration if DNSBL
#                               # can not be reached
#                               # may be specified in any combination
#                               # of seconds, minutes, hours, days,
#                               # weeks
#                               #  i.e. 604800 or 604800s, 10080m,
#                               #  168h
#                               #       1w 3d
#
#       timeout     => 30,      # default seconds to wait for dnsbl
#                               # query to timeout

# To check that ip addresses have some kind of reverse DNS entry, add
# a zone for in-addr.arpa as shown below. You must have reverse DNS
# entries for ip blocks 127, 10, 172, 192 or use the IGNORE blocks
# above to prevent rejects for these address blocks as they DO NOT
# HAVE worldwide RDNS

  'in-addr.arpa'        => {    # check for lack of reverse DNS
  # accept is not needed for reverse DNS checking
        error       => 'no reverse DNS, see http://www.myhostname.com/?page=lookup&lookup=',
        timeout     => 15,
  },

# working, sample file entries

  'dnsbl.sorbs.net'     => {    # see http://www.dnsbl.sorbs.net/using.html
        accept  => {    # list of codes for which we tarpit
                '127.0.0.2'  => 'open http proxy',
                '127.0.0.3'  => 'open socks proxy',
                '127.0.0.4'  => 'open proxy server',
                '127.0.0.5'  => 'open smtp relay',
#               '127.0.0.6'  => 'spam supporting ISP',
                '127.0.0.7'  => 'open web-form mail servers',
                '127.0.0.8'  => 'blocked hosts',
                '127.0.0.9'  => 'zombie - hijacked netblock',
                '127.0.0.10' => 'dynamic address range',
                '127.0.0.11' => 'bad config -- MX or A records inaccurate',
                '127.0.0.12' => 'no mail ever sent from these domains',
        },
        confirm         => 1,
        error           => 'for removal see: http://www.dnsbl.sorbs.net/cgi-bin/lookup?js&IP=',
        expire          => '30d',
        timeout         => '15',
  },

  'dnsbl.njabl.org'     => {    # see http://dnsbl.njabl.org/use.html
        accept  => {    # list of codes for which we tarpit
                '127.0.0.2'  => 'open relays',
                '127.0.0.3'  => 'dial-up/dynamic IP ranges',
                '127.0.0.4'  => 'spam sources',
                '127.0.0.5'  => 'multi-stage openrelay',
                '127.0.0.8'  => 'open web-form mail servers',
                '127.0.0.9'  => 'open proxy servers',
        },
        confirm         => 1,
        error           => 'for removal see: http://www.dnsbl.njabl.org/cgi-bin/lookup.cgi?query=',
        expire          => '30d',
        timeout         => '15',
  },

  'relays.ordb.org'     => {    # see http://www.ordb.org/faq/#usage_dns
        accept  => {
                '127.0.0.2' => '',
        },
        error           => 'for removal see: http://www.ordb.org/submit',
        expire          => '30d',
        timeout         => '15',
  },

  'bl.spamcop.net'      => {    # see http://spamcop.net/fom-serve/cache/291.html
        accept  => {
                '127.0.0.2' => '',
        },
        error           => 'for removal see: http://www.spamcop.net/w3m?action=checkblock&ip=',
        expire          => '30d',
        timeout         => '15',
  },

  'cbl.abuseat.org'     => {    # see http://cbl.abuseat.org
        accept  => {
                '127.0.0.2' => '',
        },
        error           => 'for removal see: http://cbl.abuseat.org/lookup.cgi?.submit=lookup&ip=',
        expire          => '30d',
        timeout         => '15',
  },

  'sbl.spamhaus.org'    => {    # see http://www.spamhaus.org
        accept  => {
                '127.0.0.2' => '',
        },
        error           => 'for removal see http://abuse.net/sbl.phtml?IP=',
        expire          => '30d',
        timeout         => '15',
  },

  'dynablock.njabl.org' => {    # see http://dnsbl.njabl.org/use.html
        accept => {
                '127.0.0.3' => 'dynamic IP address not allowed',
        },
        error           => 'see http://www.dnsbl.njabl.org/cgi-bin/lookup.cgi?query=',
        expire          => '30d',
        timeout         => '15',
  },

  'list.dsbl.org'       => {    # see http://dsbl.org
        accept => {
                '127.0.0.2' => '',
        },
        error           => 'for removal see http://dsbl.org/listing?',
        expire          => '30d',
        timeout         => '15',
  },

  'spews.dnsbl.net.au'  => {    # see http://www.spews.org/
        accept  => {
                '127.0.0.2' => '',
        },
        error           => 'blocked see: http://www.spews.org/ask.cgi?x=',
        expire          => '30d',
        timeout         => '15',
  },

  'bogons.dnsiplists.completewhois.com' => { # see http://completewhois.com/bogons/
        accept  => {
                '127.0.0.2' => 'bogus IP address',
        },
        error           => 'see: http://completewhois.com/bogons/',
        expire          => '30d',
        timeout         => '15',
  },

  'hijacked.dnsiplists.completewhois.com' => { # see http://completewhois.com/bogons/bogons_usage.html
        accept  => {
                '127.0.0.2' => 'hijacked IP address',
        },
        error           => 'see: http://completewhois.com/bogons/bogons_usage.html',
        expire          => '30d',
        timeout         => '15',
  },

# higher risk
#  'blackholes.five-ten-sg.com' => { # see http://www.five-ten-sg.com/blackhole.php
#       accept => {
#               '127.0.0.2' => 'spam source',
#               '127.0.0.3' => 'dialup address',
#               '127.0.0.4' => 'multistage open relay',
#               '127.0.0.5' => 'openrelay',
#               '127.0.0.6' => 'spam supporting ISP',
#               '127.0.0.7' => 'web form',
#               '127.0.0.8' => 'relay/open proxy',
#               '127.0.0.9' => 'klez source',
#               '127.0.0.10' => 'violate TCPA',
#               '127.0.0.11' => 'spam supporting freemailer',
#       },
#       confirm         => 1,
#       error           => 'for removal see http://www.five-ten-sg.com/blackhole.php?ip=',
#       expire          => '30d',
#       timeout         => '15',
#  },
};
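To make the decision rules in the config comments concrete, here is an added Python illustration that is not SpamCannibal or Net::DNSBL code. It re-implements, independently, the four IGNORE/BLOCK address formats, the rule that an error string ending in "?" or "?...=" gets the offending IP appended, and the TXT-versus-reason precedence for the rejection text. The config subset and the DNSBL replies are constructed, the evaluation order (IGNORE, then BLOCK, then the DNSBL zones) is an assumption drawn from the comments rather than from the scripts themselves, and country blocking (BBC) is left out because it needs the GeoIP database.

```python
"""Independent re-implementation of the multi_dnsbl.conf matching rules.
Not SpamCannibal or Net::DNSBL code; config subset and replies are
constructed for illustration."""
import ipaddress
import re

URL_RE = re.compile(r"https?://\S+|www\.\S+")


def parse_entry(entry):
    """Expand one IGNORE/BLOCK entry into ipaddress networks. The formats
    are the ones the config documents: single address, 'start - end'
    range (both ends must share the same /24), CIDR, address/netmask."""
    entry = entry.strip()
    if " - " in entry:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in entry.split(" - ", 1))
        if int(start) >> 8 != int(end) >> 8:
            raise ValueError(f"range {entry!r} is not within a single class C")
        return list(ipaddress.summarize_address_range(start, end))
    # ip_network accepts a bare address (/32), a prefix length, or a netmask
    return [ipaddress.ip_network(entry, strict=False)]


def compile_list(entries):
    nets = []
    for entry in entries:
        nets.extend(parse_entry(entry))
    return nets


def in_list(ip, nets):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)


def append_ip(text, ip):
    """Config rule: an error string ending in '?' or '?...=' gets the
    offending IP appended; anything else is used verbatim."""
    if text.endswith("?") or re.search(r"\?.+=$", text):
        return text + ip
    return text


def error_text(zone_cfg, ip, code, txt):
    """Rejection text for one hit, per the config comments: a TXT record
    carrying a URL wins outright; otherwise the zone's error string is
    appended to the TXT, or, with no TXT, to the accept 'reason'."""
    err = append_ip(zone_cfg["error"], ip)
    if txt:
        return txt if URL_RE.search(txt) else f"{txt} {err}"
    reason = zone_cfg.get("accept", {}).get(code, "")
    return f"{reason} {err}".strip()


def decide(ip, config, replies):
    """Return (action, text) for one connecting IP.

    replies maps zone -> (A record, TXT) for a listing, None for a zone
    queried and found unlisted; a zone missing from replies was not
    queried (or timed out) and never counts as a hit."""
    if in_list(ip, compile_list(config.get("IGNORE", []))):
        return ("ignore", "")                       # whitelist always wins (assumed order)
    if in_list(ip, compile_list(config.get("BLOCK", []))):
        return ("tarpit", append_ip(config["REJECT"], ip))
    for zone, zone_cfg in config.items():
        if not isinstance(zone_cfg, dict) or zone not in replies:
            continue                                # not a zone entry, or not queried
        reply = replies[zone]
        if zone == "in-addr.arpa":                  # reverse-DNS check: no PTR is the hit
            if reply is None:
                return ("tarpit", error_text(zone_cfg, ip, None, None))
            continue
        if reply is None:
            continue
        code, txt = reply
        if code in zone_cfg.get("accept", {}):      # only listed codes count
            return ("tarpit", error_text(zone_cfg, ip, code, txt))
    return ("pass", "")


# Constructed subset of the sample file, reusing its own example entries.
SAMPLE_CONFIG = {
    "IGNORE": ["127.0.0.0/8", "192.168.0.0/16", "22.33.44.55 - 22.33.44.65"],
    "BLOCK": ["5.6.7.16/28", "7.8.9.128/255.255.255.240"],
    "REJECT": "see: http://www.myhostname.com/",
    "in-addr.arpa": {"error": "no reverse DNS, see http://www.myhostname.com/?page=lookup&lookup="},
    "dnsbl.sorbs.net": {
        "accept": {"127.0.0.2": "open http proxy", "127.0.0.5": "open smtp relay"},
        "error": "for removal see: http://www.dnsbl.sorbs.net/cgi-bin/lookup?js&IP=",
    },
    "bl.spamcop.net": {
        "accept": {"127.0.0.2": ""},
        "error": "for removal see: http://www.spamcop.net/w3m?action=checkblock&ip=",
    },
}

if __name__ == "__main__":
    # Constructed replies: PTR exists, SORBS lists the host as an open relay.
    print(decide("22.33.44.70", SAMPLE_CONFIG,
                 {"in-addr.arpa": ("host.example", None),
                  "dnsbl.sorbs.net": ("127.0.0.5", None)}))
```

The ValueError on a "start - end" range that crosses a /24 boundary mirrors the "ONLY VALID WITHIN THE SAME CLASS 'C'" comment; rejecting the entry at load time is safer than silently matching a different range than the administrator intended.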

