Security Consulting

SPAM Blocking

Are you an ISP interested in SPAM blocking? Here is a potential solution. But be warned: as with every security measure, there are cons to doing what we suggest. If you can cope with the following restrictions, you should try it:
  1. The users of a certain IP range (called S_ip) do not need to make any connections to machines on port 25.
    Let's say that in plainer words: "Your users do not need their own webservers!".
  2. Your mailserver can handle the load of all emails that are sent by the users of the S_ip range.
  3. You own a CISCO router that routes the traffic from S_ip.
  4. Your mailserver runs Linux with IP-tables. (Being experienced with firewalling, you could easily adapt the firewall rule to work with any other firewall!)
You are okay with the restrictions? Let's have a look at our setup:

S_ip ----- ROUTER R_1 ------- INTERNET
	|
	|
   MAIL_SERVER

OR

S_ip ----- ROUTER R_1 ------- INTERNET
			|
			|
		   MAIL_SERVER

The two diagrams above show that it does not matter where your mailserver is located. What matters is only that your router R_1 sits in between the internet (equipment you no longer control) and your own network. Nothing easier than that!

What you have to do now is to make the following configuration on your CISCO router:
! ACL 100 selects TCP traffic from the S_ip range (network plus Cisco wildcard mask) to port 25 on any host
access-list 100 remark SMTP Redirect of S_ip to mail.me.org
access-list 100 permit tcp S_ip 0.0.0.255 any eq smtp
!
! Matching packets get the mailserver as next hop; the IP destination address is left untouched
route-map SMTP-Redirect permit 10
 match ip address 100
  set ip next-hop ip.of.mail.me.org
!
! "ip policy" acts on packets entering an interface, so attach it to the interface on which R_1 receives the S_ip traffic
interface FastEthernet 0/0
 description connected to Internet
 ip policy route-map SMTP-Redirect
This applies policy routing to every connection from the S_ip range to any machine on the smtp port and sets the next hop to the mailserver. The problem with this is that the IP packet still carries the destination address of the mailserver the user originally wanted to talk to, not the address of your mailserver. This is why we need a little firewall rule on the mailserver that handles this:
# On the mailserver: rewrite the destination of SMTP packets coming from S_ip to the local address the MTA listens on
iptables -t nat -A PREROUTING -p tcp -s S_ip/range \
    --dport 25 -j DNAT --to-destination ip.of.mail.me.org
DONE.

This takes care of all those packets and redirects them to the local interface, where YOUR mailserver is listening. Now you can use the Dial-Spam-Block, and you can even limit the number of mails a user may send out.
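The router rule gives S_ip as a network plus Cisco wildcard mask while the iptables rule gives it in CIDR notation, and a mismatch between the two silently redirects the wrong hosts. The following Python model, added for this page and not code from the original page or from Init 7, derives both rule sets from one range and traces a packet through R_1 and the mailserver; the addresses 192.0.2.0/24 and 198.51.100.25 are constructed placeholders for S_ip and ip.of.mail.me.org.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed placeholders for the page's S_ip and ip.of.mail.me.org
S_IP = ipaddress.ip_network("192.0.2.0/24")
MAIL_SERVER = ipaddress.ip_address("198.51.100.25")
SMTP = 25

def cisco_wildcard(net: ipaddress.IPv4Network) -> str:
    """Cisco ACLs take the inverted mask: /24 -> 0.0.0.255, /22 -> 0.0.3.255."""
    return str(ipaddress.ip_address(int(net.hostmask)))

def cisco_acl(net: ipaddress.IPv4Network) -> str:
    """The ACL 100 line from the page, filled in from the CIDR range."""
    return f"access-list 100 permit tcp {net.network_address} {cisco_wildcard(net)} any eq smtp"

def iptables_rule(net: ipaddress.IPv4Network, mail: ipaddress.IPv4Address) -> str:
    """The mailserver's DNAT rule, filled in from the same range."""
    return (f"iptables -t nat -A PREROUTING -p tcp -s {net} --dport {SMTP} "
            f"-j DNAT --to-destination {mail}")

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    next_hop: Optional[ipaddress.IPv4Address] = None  # set by policy routing

def router_pbr(pkt: Packet, net, mail) -> Packet:
    """R_1: route-map SMTP-Redirect only changes the next hop, never the IP destination."""
    if pkt.src in net and pkt.dport == SMTP:
        return replace(pkt, next_hop=mail)
    return pkt

def mailserver_dnat(pkt: Packet, net, mail) -> Packet:
    """nat/PREROUTING on the mailserver: rewrite the destination so the local MTA gets the session."""
    if pkt.src in net and pkt.dport == SMTP:
        return replace(pkt, dst=mail)
    return pkt

def final_destination(src: str, dst: str, dport: int, net=S_IP, mail=MAIL_SERVER) -> str:
    """Where a TCP SYN from src to dst:dport ends up after both hops."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)
    pkt = router_pbr(pkt, net, mail)
    if pkt.next_hop == mail:          # only policy-routed packets reach the mailserver
        pkt = mailserver_dnat(pkt, net, mail)
    return str(pkt.dst)
```

Because every outbound SMTP session from S_ip now terminates on this host, the MTA must accept relaying from S_ip and only from S_ip; neither the ACL nor the DNAT rule affects addresses outside the range.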

If you want to read this again, go to the webpage of Init 7 where this is explained in other words. Fredy and I were working on this setup and he implemented it in his company. He operates the network of init7 and is also the owner :-)


CopyLeft (l) 2003 by Raffael Marty