Yeah - but I don't have time to talk to you about it ;-)
lnb
just answer this. If there is a clown in your network spamming port 25 to outside mailers, would you set up forward | src IP | tarpit ?
other than getting rid of the clown
looks like i have 3 clowns
EyePulp joined the channel
_smf_
lnb: inside your network? That rather more serious no?
lnb
well these are vps clients
_smf_
Doesn't matter - you're still responsible for them.
lnb
i was logging their outbound traffic on our mikrotik router and see like 300gb traffic from their IPs to a few public mail companies
right
agreed
_smf_
Personally I would block port 25 outbound from any VPS clients unless explicitly requested.
lnb
can't do that
_smf_
You can't?
lnb
how do clients then send out emails
legit email i mean
not spam
baudehlo2
They ask you to open up port 25.
lnb
ok your way says block all, allow these
right
good idea
baudehlo2
That's how everyone works these days.
Even EC2 blocks port 25 by default.
_smf_
Yeah - exactly.
The big issue with VPSs is that people throw Wordpress on them, don't keep it up-to-date and secure. It gets hacked and turned into a spam cannon and no-one notices.
lnb
i am not talking about wordpress
_smf_
The other way would be to offer an SMTP relay on your network - outbound port 25 is blocked for all VPSs except to the SMTP relay which you control and police.
Any spam - and you cut them off immediately. The issue with that is you have to monitor the output carefully as it won't take much for that relay to get blacklisted and that will then affect all your clients using it.
lnb
i have every client's wordpress request for xmlrpc set to: RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]
that works
DragonPunch joined the channel
_smf_: in our mikrotik we have a firewall rule for port 25 => log
daily check the live log
that's for outbound
i just wondered about tarpit instead of drop
_smf_
If you check it daily - they could send 1,000,000 messages and you wouldn't notice until the next day. Bit late by then.
lnb
I have seen tarpit before in mail filters from ultimatt and that's what got me thinking of it
you're right
_smf_
There's no point in tarpitting hosts on your own network.
lnb
well doesn't it prevent outbound for src IPs listed and destination is tarpit?
_smf_
tarpit could mean lots of things. Depends on the router, I have a Mikrotik here, but I've never looked at the tarpitting to see how it works.
Generally you'll tell it how many packets/sec it should allow.
So it doesn't stop it completely - just slows it down.
Which in the case of outbound spam - isn't really what you want.
You want to kill it immediately, the moment you detect any.
lnb
log then shows: firewall,info smtp-out forward: in:ether2 out:br-management, src-mac 00:16:3c:94:d4:cd, proto TCP (ACK,RST), 107.6.xx.xxx:59428->207.xxx.xx.xxx:25, len 40
_smf_
I already said - I don't know how tarpit works on Mikrotik.
lnb
the last thing we want is our IPs blocked due to some moron spamming the world
ok np _smf_
_smf_
I would DROP the packets or REJECT them.
REJECT would at least give some indication to the VPS owner.
DROP would cause any connections on port 25 to hang until it hits the connection timeout.
lnb
well from what I've read this morning, the tarpit is supposed to fool the attacker into thinking the packets get through
right
that part i know
_smf_
What's the point of doing that to people on your own network?
If they're that douchey, then fire them.
lnb
i just thought you might know but you've stated you don't
because they had to click the 'agreement to terms and conditions' and it states NO SPAMMING!
much more lengthy but you get the drift
_smf_
Then just reject all packets outbound on port 25.
Don't bother with any tarpitting bullshit.
lnb
ok
_smf_
It makes no difference at all.
lnb
good idea
thank you
DoubleMalt has quit
DragonPunch joined the channel
kgoess joined the channel
godsflaw is now known as TheRealMapleSyru
TheRealMapleSyru is now known as godsflaw
cek
got a client complaining we banned earthlink
"earthlink's sending spam" doesn't satisfy him :/
circ-user-Piqyc joined the channel
circ-user-Piqyc
#who
Good Evening, Hello Guys, I am struggling recently with certs from startssl for tls. I have added them with proper chain, added ca bundle to centos7 however haraka still says that "unable to get issuer certificate". Is there any special place where I should put the ca bundle?
cek
Guys how do I get a fqdn of the machine, is there any function in haraka I could use?