SpamBlock

Detects and blocks spammers on a FreeBSD- or Linux-based router.
Uses tcpdump for detection and the firewall for blocking (pf, ipfw, an iptables chain, or ipset).

Written by ilya.evseev@gmail.com in Jun 2009 and Apr 2010.

Announces/discussions: Opennet.ru, NAG.ru.

Download

Requirements

How it works?

Spamblock counts attempts to establish a connection on port 25/tcp, as seen by tcpdump.

When a source exceeds the allowed number of attempts per time interval,
it is added to a firewall table, which should be used like this (see below):

ipfw add 100 deny tcp from table(25) to any in

Additionally, an email notification is sent.

Configuration

By default, the configuration file is located in the same folder as the binary,
with the same name and a ".conf" suffix, i.e. $config = "$0.conf".

Optionally, the configuration file path can be passed explicitly to spamblock on the command line.

Allowed directives

Name           Value                                                  Description
IFACE          Required!                                              interface on which to watch packets via tcpdump
FIREWALL_TYPE  pf, ipfw, iptables, ipset or auto (default is "auto")  see below
POLICY         Required!                                              list of "ticks seconds ..." pairs, see below
BLOCK_TTL      3600 (one hour)                                        seconds to skip watching a blocked IP
BLOCKS_FILE    /var/log/spamblock_blocklist.txt                       file path to export the list of blocked IPs
STATS_FILE     /var/log/spamblock_fullstats.txt                       file path to export full information
EMAIL                                                                 address for mail notifications

Policies

Consider the following policy:

POLICY="5 1 10 3 15 6 20 10 60 60 300 600 1000 3000"

That means:

Recommended rules for policy pairs:
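As an added illustration, not part of SpamBlock's own code, the following Python sketch parses a POLICY string in the "ticks seconds ..." format shown above and replays constructed connection attempts against it. It assumes each pair means "ticks attempts within any window of seconds seconds trips the block", that a blocked source is ignored for BLOCK_TTL seconds, and uses documentation addresses as sample sources.

```python
from collections import defaultdict

POLICY = "5 1 10 3 15 6 20 10 60 60 300 600 1000 3000"  # SpamBlock "ticks seconds ..." format, from the page

def parse_policy(policy):
    """'ticks seconds ...' -> [(ticks, seconds), ...]; reject odd or non-positive input."""
    fields = policy.split()
    if len(fields) % 2:
        raise ValueError("POLICY must consist of 'ticks seconds' pairs")
    pairs = [(int(fields[i]), int(fields[i + 1])) for i in range(0, len(fields), 2)]
    if any(t <= 0 or s <= 0 for t, s in pairs):
        raise ValueError("ticks and seconds must be positive")
    return pairs

def violated_pair(times, pairs):
    """First (ticks, seconds) pair exceeded by one source, or None.
    times: ascending attempt timestamps. Assumed semantics: `ticks`
    attempts falling inside any window `seconds` long trips the pair."""
    for ticks, seconds in pairs:
        # Every run of `ticks` consecutive attempts is a candidate window.
        for i in range(len(times) - ticks + 1):
            if times[i + ticks - 1] - times[i] <= seconds:
                return (ticks, seconds)
    return None

def evaluate(events, policy, block_ttl=3600):
    """Replay (time, src_ip) SYN attempts to 25/tcp in time order and return
    {src_ip: (block_time, pair)} for sources that would go to the firewall table.
    A blocked source is not watched again for block_ttl seconds (BLOCK_TTL)."""
    pairs = parse_policy(policy)
    attempts, blocked = defaultdict(list), {}
    for t, ip in events:
        if ip in blocked and t - blocked[ip][0] < block_ttl:
            continue
        attempts[ip].append(t)
        hit = violated_pair(attempts[ip], pairs)
        if hit:
            blocked[ip] = (t, hit)
            attempts[ip].clear()
    return blocked

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_EVENTS = sorted(
    [(10.0 * i, "192.0.2.10") for i in range(4)]              # normal MTA: 4 retries in 30 s
    + [(100.0 + 0.1 * i, "198.51.100.7") for i in range(6)]   # burst: 6 SYNs in half a second
    + [(200.0 + 0.5 * i, "203.0.113.9") for i in range(12)]   # 12 SYNs in 5.5 s, under every pair
)
if __name__ == "__main__":
    for ip, (when, pair) in evaluate(SAMPLE_EVENTS, POLICY).items():
        print(f"block {ip} at t={when:.1f}s: {pair[0]} attempts within {pair[1]} s")
```

Only the burst source trips the first pair (5 attempts within 1 second); the slow 12-attempt source stays under every threshold, which is the kind of check worth doing before tightening a policy on a busy relay.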

Configure firewalls

Firewall   Spamblock options         Firewall rules
ipfw       FIREWALL_TYPE=ipfw        deny tcp from table(25) to any 25 in
           IPFW_TABLE=25
pf         FIREWALL_TYPE=pf          table <spammers2> persist file "/etc/spammers"
           PF_TABLE=spammers2        block on em0 proto tcp from <spammers2> to any port 25
iptables   FIREWALL_TYPE=iptables    iptables -N spammers3
           IPTABLES_CHAIN=spammers3  iptables -A spammers3 -j RETURN
                                     iptables -A FORWARD -p tcp --dport 25 -j spammers3
ipset      FIREWALL_TYPE=ipset       ipset -N spammers4 iphash --probes 2 --resize 100
           IPSET_NAME=spammers4      iptables -A FORWARD -p tcp --dport 25 -m set --match-set spammers4 src -j DROP

Execution

Add the following line to your rc.local:

/path/to/spamblock >> /var/log/spamblock.log 2>&1 &

Enjoy!