How to Stop SPAM Using Your Linux Firewall

Douglas Campbell

Doug.Campbell@cantspam.us

February 17, 2001

Note: This is for historical purposes only. It no longer works well since spammers shifted to worldwide viral networks. I'm checking out better ways.

The Problem

A few months ago, I was in the unenviable position of receiving twenty or thirty SPAMs a day. I had registered a few domain names, and had gone to some public sites for tech support -- and somehow, my e-mail addresses had been harvested and sold over and over again on those million-address CDs you often get e-mail about.

Now, I'm sort of an anal guy -- if someone does me dirty (like spamming me), I like nothing better than notching my keyboard to record an ISP shutdown. While the SPAM was coming from the US and Canada, I was notching my keyboard so often that it hurt to type. But then the sitch changed -- the SPAM started coming from Israel, China, Central America, Italy, Portugal.

I complained to their ISPs, but to no avail. The ISPs in these places couldn't care less.

The Solution

I put my solution (which uses the ipfilter packet filtering facility under Linux -- [Mar 2003] now iptables; note the changes for the new DSL provider's hardware, which does NAT) into play about a month and a half ago. After a couple of days of tuning, I literally have had exactly one piece of SPAM arrive in my mailbox since -- and that one was from a US DSL site whose ISP had shut him down hours before I complained.

Now, my solution is not for the faint hearted -- you have to be prepared to not receive e-mail from entire countries! For example, I can no longer receive e-mail from any of the places listed above.

In addition, you cannot have your e-mail server configured to route undeliverable e-mail to postmaster at your site. The reason for this is that spammers use every part of their victim -- when my domains began denying access to the spammers' e-mail servers, the spammers decided that my servers were not on the network any more -- and hence were a valid sink for the bounce messages which would invariably result from a list with substantial numbers of bad e-mail addresses. Hence, my e-mail server suddenly started getting bounce messages from mail servers in the United States that had received the SPAM, determined that the recipient was nonexistent, and were politely sending an "unable to deliver" message back to the purported sender -- always a fictitious e-mail address in one of my domains. I got a couple hundred of these before I figured out what was going on and restricted mail delivery to valid addresses on my system only (the rest get politely rejected).
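As an added example (not part of the original article), here is a small Python simulation of the two mail-server behaviours the paragraph contrasts: a catch-all that routes mail for unknown local addresses to postmaster, and a server that refuses unknown recipients with a 550 during the SMTP dialogue, before any message data is accepted. The domain, the mailbox names and the incoming bounce messages are constructed for the example; note that a real delivery status notification arrives with an empty envelope sender (MAIL FROM:<>), which is how they are modelled here.

```python
"""Added example: what happens to backscatter bounces under two MTA policies.

Remote mail servers that received spam with a forged sender in our domain
send 'undeliverable' notices back to that forged address. A catch-all MTA
accepts them and dumps them on postmaster; an MTA that validates recipients
at RCPT time answers 550 and stores nothing. Everything below (domain,
mailboxes, the incoming messages) is constructed sample data.
"""

LOCAL_DOMAIN = "example.org"                                       # constructed
LOCAL_MAILBOXES = {"doug@example.org", "postmaster@example.org"}   # constructed


def rcpt_catchall(rcpt):
    """Policy the text warns against: accept every RCPT TO for our domain and
    route anything without a mailbox to postmaster. Returns (reply, mailbox)."""
    if rcpt.lower() in LOCAL_MAILBOXES:
        return "250 2.1.5 Ok", rcpt.lower()
    return "250 2.1.5 Ok", "postmaster@" + LOCAL_DOMAIN


def rcpt_strict(rcpt):
    """Policy the author switched to: only existing mailboxes are accepted.
    The 550 is issued before DATA, so the message is never stored and the
    remote server, not us, has to deal with it."""
    if rcpt.lower() in LOCAL_MAILBOXES:
        return "250 2.1.5 Ok", rcpt.lower()
    return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % rcpt, None


def run_inbound(policy, messages):
    """Feed each constructed inbound message through the MAIL FROM / RCPT TO
    steps of one SMTP session and tally where it lands.
    Returns (deliveries, transcript)."""
    deliveries = {}
    transcript = []
    for msg in messages:
        transcript.append("C(%s): MAIL FROM:<%s>" % (msg["peer"], msg["mail_from"]))
        transcript.append("S: 250 2.1.0 Ok")
        transcript.append("C(%s): RCPT TO:<%s>" % (msg["peer"], msg["rcpt_to"]))
        reply, mailbox = policy(msg["rcpt_to"])
        transcript.append("S: " + reply)
        if mailbox is not None:
            deliveries[mailbox] = deliveries.get(mailbox, 0) + 1
    return deliveries, transcript


# Constructed backscatter: DSNs (empty MAIL FROM) from remote MTAs addressed
# to mailboxes that never existed here, plus one legitimate message.
INBOUND = [
    {"peer": "mx1.remote-a.example", "mail_from": "", "rcpt_to": "qz8817@example.org"},
    {"peer": "mx.remote-b.example", "mail_from": "", "rcpt_to": "jsmith@example.org"},
    {"peer": "smtp.remote-c.example", "mail_from": "", "rcpt_to": "offers@example.org"},
    {"peer": "mail.friend.example", "mail_from": "pat@friend.example", "rcpt_to": "doug@example.org"},
]

if __name__ == "__main__":
    for name, policy in (("catch-all", rcpt_catchall), ("strict", rcpt_strict)):
        deliveries, transcript = run_inbound(policy, INBOUND)
        print("== %s policy, deliveries: %s" % (name, deliveries))
        print("\n".join(transcript))
```

Under the catch-all policy all three forged-recipient bounces end up in the postmaster mailbox; under the strict policy each gets a 550 at RCPT time and nothing is stored, while the one legitimate message is delivered either way.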

So, to cut to the chase:

# /etc/sysconfig/iptables
# all rules for the WAN (Internet) go here
# the WAN is eth1
:WANINPUT - [0:0]
# rules for accessing SMTP from the WAN go here
:SMTP - [0:0]
# short rule chain for logging and then accepting
:LOGACCEPT - [0:0]
...
#
-A INPUT -i eth1 -j WANINPUT
#
-A WANINPUT -p tcp -m tcp --dport 25 --syn -j SMTP
...
# these should be DROP but we are behind a NAT firewall
# where DROP could be used for a DOS attack
-A SMTP -s  61.0.0.0/8  -j REJECT
-A SMTP -s 202.0.0.0/7  -j REJECT
-A SMTP -s 210.0.0.0/7  -j REJECT
-A SMTP -s  62.0.0.0/8  -j REJECT
-A SMTP -s 195.3.0.0/16 -j REJECT
-A SMTP -s 195.70.32.0/24 -j REJECT
-A SMTP -s 217.0.0.0/8  -j REJECT
-A SMTP -s  80.0.0.0/8  -j REJECT
-A SMTP -s 218.0.0.0/8  -j REJECT
-A SMTP -s 213.0.0.0/8  -j REJECT
-A SMTP -j LOGACCEPT
#
-A LOGACCEPT -j LOG
-A LOGACCEPT -j ACCEPT
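To see which connections the SMTP chain above actually turns away, here is an added Python example (not from the original article) that runs sample source addresses through the same first-match logic netfilter applies to a chain, expands the /7 entries so the full coverage is visible, and regenerates the chain in iptables-restore syntax. The block list is the one on the page; the sample source addresses are constructed. ipaddress.ip_network() also raises on a CIDR whose host bits are set, which is a cheap sanity check to run before an edited list goes into /etc/sysconfig/iptables.

```python
"""Added example: evaluate the page's SMTP chain offline and regenerate it.

The rule order is the page's; the addresses run through it are constructed.
"""
import ipaddress

# Source ranges the SMTP chain REJECTs, in the order they appear on the page.
REJECTED_SOURCES = [
    "61.0.0.0/8", "202.0.0.0/7", "210.0.0.0/7", "62.0.0.0/8", "195.3.0.0/16",
    "195.70.32.0/24", "217.0.0.0/8", "80.0.0.0/8", "218.0.0.0/8", "213.0.0.0/8",
]


def parse_sources(sources):
    """ip_network() with strict=True (the default) raises ValueError when the
    address has host bits set, e.g. '195.70.33.0/23'; catch that typo here
    rather than after the rules are loaded."""
    return [ipaddress.ip_network(s) for s in sources]


NETS = parse_sources(REJECTED_SOURCES)


def smtp_chain_verdict(src_ip, nets=NETS):
    """Netfilter walks a chain top to bottom and stops at the first rule whose
    target terminates (REJECT here). Return (target, matching_rule_or_None)."""
    addr = ipaddress.ip_address(src_ip)
    for net in nets:
        if addr in net:
            return "REJECT", str(net)
    return "LOGACCEPT", None        # fell through to '-A SMTP -j LOGACCEPT'


def covered_slash8s(nets):
    """List every whole /8 the rules cover: each /7 quietly takes two of them."""
    octets = set()
    for net in nets:
        if net.prefixlen <= 8:
            for sub in net.subnets(new_prefix=8):
                octets.add(sub.network_address.packed[0])
    return sorted(octets)


def render_chain(nets, chain="SMTP", fallthrough="LOGACCEPT"):
    """Emit the chain in iptables-restore syntax, as in /etc/sysconfig/iptables."""
    lines = [":%s - [0:0]" % chain]
    lines += ["-A %s -s %s -j REJECT" % (chain, net) for net in nets]
    lines.append("-A %s -j %s" % (chain, fallthrough))
    return "\n".join(lines)


# Constructed SMTP connection attempts (source IPs only).
SAMPLE_PEERS = [
    "203.141.17.5",    # inside 202.0.0.0/7 even though 203 is never written down
    "211.9.0.44",      # inside 210.0.0.0/7
    "195.70.32.9",     # the single /24
    "195.70.33.9",     # the neighbouring /24, not blocked
    "195.3.200.1",     # the /16
    "64.12.5.5",       # falls through to LOGACCEPT
]

if __name__ == "__main__":
    for ip in SAMPLE_PEERS:
        target, rule = smtp_chain_verdict(ip)
        print("%-14s -> %-9s %s" % (ip, target, rule or ""))
    print("whole /8s covered:", covered_slash8s(NETS))
    print(render_chain(NETS))
```

Two things worth noticing from the output: the two /7 entries mean ten whole /8s are rejected, not the eight that appear in the list, and because the chain stops at the first REJECT, the order of the ranges only matters for performance, not for the verdict. The ranges themselves are registry allocations as of 2001, and, as the author's later note says, the approach went stale once the spam sources moved.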