Saturday, September 26, 2009

Exposing spammers

As a follow-up to my last post on scripting firewall changes to drop spammer addresses, here is a current list of all the IP addresses I have identified as spam sources. Feel free to use these in whatever way you like to block these evil bastards. All of the following addresses have been blocked from any access to my networks:

UPDATE!!!
I originally posted a list here but in the week after I wrote the script, the list grew to over 10,000 IP addresses - obviously too long a list to post in the blog. This list appears to be mostly "Zombies" so if you are having any difficulty accessing my website (mairs.ca or aasland.com) then it is very likely your IP has been blocked through this list and your PC may have been turned into a zombie mailer - and you may not even know it. If your public IP appears on this list, please let me know.

The current list is posted at http://www.mairs.ca/zombies.txt

Thursday, September 24, 2009

Hitting back at spammers

I manage a network of servers that include mail servers, web services, and file sharing and I have been doing so for a number of years. One of the most prevalent maintenance issues for me has always been dealing with spammers. These guys have no respect for the general rules and will insist on sending their crap to you even if you are very specific about not wanting it. The thing with spam is that it is not just an email problem. When a spammer slams an email server with millions of bogus messages, often to bogus accounts, it takes a huge toll on the firewall, spam and antivirus processors, and can seriously degrade overall network performance. Simply sending back a "550 - no such mailbox" message only adds to the network traffic and encourages them to try a different mix of fake addresses.

So say goodbye to "Mr. Nice Guy", I am taking the gloves off and delivering an uppercut right to the jaw. I recently wrote a chunk of shell script to identify the hard-core spammers who waste all my system resources and just drop their connections cold. This way they will still hit my firewall for a while, but when they realize the server effectively no longer exists, they will take my IP off their list and I will be free of the annoyance.

How does it work? It's really pretty simple. Here is an example from a Sendmail server I am still using. When one of those annoying people connects to my server, one of the first things they do is check to see if I'll relay mail so they can turn me into a zombie mailer... not gonna happen, bud. What ends up happening is that my logs fill up with this garbage (the check_relay ruleset rejects the connection and logs the client address in the arg2= field):
Sep 24 21:37:20 mairs sendmail[17608]: ruleset=check_relay, arg1=[114.238.85.247], arg2=114.238.85.247, relay=[114.238.85.247], reject=550 5.7.1 Fix reverse DNS for 114.238.85.247,or use your ISP server
Sep 24 21:37:37 mairs sendmail[17610]: ruleset=check_relay, arg1=[190.213.91.165], arg2=190.213.91.165, relay=[190.213.91.165], reject=550 5.7.1 Fix reverse DNS for 190.213.91.165,or use your ISP server
Sep 24 21:38:34 mairs sendmail[17612]: ruleset=check_relay, arg1=[123.17.228.211], arg2=123.17.228.211, relay=[123.17.228.211], reject=550 5.7.1 Fix reverse DNS for 123.17.228.211,or use your ISP server

The cool thing about this is that regardless of what hostname they are trying to spoof, the originating IP address is right there for me to grab and use against them: arg2 in a check_relay line is the address of the TCP peer, not anything the client sent. So that is exactly what I did... I wrote a script to pass through my daily logs, pick out the IP addresses on these offending lines, and add them to my firewall rules with a silent "DROP". They never get any feedback, not even a ping response, so to them the server is dead - a non-existent IP.

In the first day, it dropped my spam volume to about a quarter and now it is virtually non-existent. The 30 or 40 spam messages a day I get now are nothing compared to the hundreds of thousands that were filling my logs 2 weeks ago.

Here is the actual script in case you want to run it on your own server. This was built for a CentOS 5.3 i386 server - make the appropriate adjustments for your platform. This should be run from cron daily just before the log rotation. Alternately you could run it just after log rotation and alter the script to read maillog.1.

The /etc/cron.d job:
45 23 * * * root /home/tmairs/spamkiller >/dev/null 2>&1

The script:
#!/bin/bash
# Scan today's maillog for hosts rejected by sendmail's check_relay ruleset
# and drop them at the firewall. Built for CentOS 5.3; run daily from cron
# just before log rotation.

LOG=/var/log/maillog
fname=/tmp/spammerlist

# get list of spammer IP addresses and save to temporary file.
# Field 8 of a check_relay line is "arg2=<ip>," - the client address.
# (No "exec" here: exec replaces the running shell, so the original
# "exec /sbin/iptables-save" ended the script before the cleanup ran and
# only printed the rules to stdout instead of saving them.)
grep check_relay "$LOG" | awk '{ print $8 }' | sort | uniq > "$fname"

# read file sequentially
while read -r line
do
    # pick off the address: strip the trailing comma and the arg2= prefix
    badaddr=${line/,/}
    badaddr1=${badaddr/arg2=/}

    # only pass something that looks like an IPv4 address to iptables
    case "$badaddr1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) continue ;;
    esac

    # skip addresses already blocked so daily runs don't pile up duplicates
    if /sbin/iptables -nL INPUT | grep -qwF "$badaddr1"; then
        continue
    fi

    # add a rule to drop them at the firewall. Note: -A appends at the end
    # of INPUT; if an earlier rule already accepts port 25 the DROP will
    # never be reached, so use "-I INPUT" instead in that case.
    /sbin/iptables -A INPUT -s "$badaddr1" -j DROP

# loop till it's done.
done < "$fname"

# save the new IP tables config so it survives a reboot or service restart
/sbin/iptables-save > /etc/sysconfig/iptables

# kill the temp IP file
rm -f "$fname"

# end
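The same idea with a couple of guard rails, as an added example that is not the spamkiller script from this post: it parses the check_relay lines into addresses, only blocks a host once it has been seen a given number of times, throws away anything that is not a valid IPv4 address before it gets near iptables, skips an allowlist of hosts you must never lock out, and prints the iptables commands instead of running them so you can review the list first. The sample log lines are constructed for the example (the three lines from the post, one of them repeated, plus an unrelated delivery line and a line with a bogus address); the threshold, the allowlist arguments and the choice of `-I` over `-A` are this example's assumptions, not the original author's.

```bash
#!/bin/bash
# Added example, not the original spamkiller script. It parses sendmail
# check_relay rejections, keeps only addresses seen at least N times,
# validates them, honours an allowlist, and prints the iptables commands
# instead of running them (pipe the output to sh once you trust it).
set -e

# Constructed sample input: the three log lines from the post (one host
# appears twice), one unrelated delivery line, and one line whose address
# is not a valid IPv4 address. Real input would be /var/log/maillog.
SAMPLE_LOG='Sep 24 21:37:20 mairs sendmail[17608]: ruleset=check_relay, arg1=[114.238.85.247], arg2=114.238.85.247, relay=[114.238.85.247], reject=550 5.7.1 Fix reverse DNS for 114.238.85.247,or use your ISP server
Sep 24 21:37:37 mairs sendmail[17610]: ruleset=check_relay, arg1=[190.213.91.165], arg2=190.213.91.165, relay=[190.213.91.165], reject=550 5.7.1 Fix reverse DNS for 190.213.91.165,or use your ISP server
Sep 24 21:38:34 mairs sendmail[17612]: ruleset=check_relay, arg1=[114.238.85.247], arg2=114.238.85.247, relay=[114.238.85.247], reject=550 5.7.1 Fix reverse DNS for 114.238.85.247,or use your ISP server
Sep 24 21:39:01 mairs sendmail[17614]: n8P4d1qR017614: from=<user@example.com>, size=1234, class=0, nrcpts=1, relay=mail.example.com [192.0.2.10]
Sep 24 21:40:12 mairs sendmail[17616]: ruleset=check_relay, arg1=[999.1.1.1], arg2=999.1.1.1, relay=[999.1.1.1], reject=550 5.7.1 Fix reverse DNS for 999.1.1.1,or use your ISP server'

# extract_offenders THRESHOLD  (log on stdin)
# Prints, sorted and one per line, every IPv4 address that check_relay
# rejected at least THRESHOLD times. Only the arg2= field is used: in
# check_relay, arg2 is the client address, so a spoofed hostname in arg1
# cannot influence what gets blocked. Anything with an octet outside
# 0-255 is dropped rather than handed to iptables.
extract_offenders() {
    local threshold="${1:-1}"
    grep 'ruleset=check_relay' \
        | sed -n 's/.*arg2=\([0-9.]*\),.*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$threshold" '
            $1 + 0 >= t + 0 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
                n = split($2, o, ".")
                ok = 1
                for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
                if (ok) print $2
            }'
}

# build_drop_rules [ALLOWED_IP ...]  (offender list on stdin)
# Emits one "iptables -I INPUT" command per offender. -I (insert at the
# top) rather than -A, because an appended DROP never fires if an earlier
# rule already accepts port 25. Addresses given as arguments are the
# allowlist (your own hosts, monitoring, a customer's MTA) and are
# reported on stderr instead of blocked.
build_drop_rules() {
    local ip allowed
    while read -r ip; do
        [ -z "$ip" ] && continue
        for allowed in "$@"; do
            [ "$ip" = "$allowed" ] && { echo "skipping allowlisted $ip" >&2; continue 2; }
        done
        echo "/sbin/iptables -I INPUT -s $ip -j DROP"
    done
}

# Dry run over the sample: block anything seen at least once, but treat
# 190.213.91.165 as a host we must keep reachable. Prints one DROP command.
printf '%s\n' "$SAMPLE_LOG" | extract_offenders 1 | build_drop_rules 190.213.91.165
```

Two things worth keeping in mind before piping the output to `sh`: the allowlist is the only thing standing between a single odd log line and locking yourself out, so put your own management addresses in it; and a list that is only ever appended to will eventually block dynamic addresses that have long since been reassigned to someone harmless, so rebuild it from the last few days of logs rather than accumulating forever.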




Damned picky customers....

Maybe I am just biased because I have worked in customer service for so long, but I have a real problem with companies who claim that customer service is their first priority when it is clearly not. I have had two absolutely horrible experiences in the past few months that I just need to shout about and I figured I have this perfectly good blog that I have not ranted in for a while so....

The first one is "Courtesy Chrysler" in Calgary. They even have a friendly name to lull you into a false sense of ease with their obvious attention to courteous service. NOT. These people aren't even nice, never mind courteous. They were very friendly and helpful when we were buying our car, but even before the cheque cleared the relationship turned sour. Within an hour of driving off the lot we noticed that one of the features we had agreed to purchase was not installed and we reported it right away.

I was expecting a rational response in the form of some kind of assistance, but instead we were accused of lying, and told "too bad", there is nothing we can do. I was amazed at the refusal to even try to correct a mistake that they outright admitted to. This mistake amounted to billing us for a $1200 feature that was paid for and not included, and they had no intention of giving us credit or putting the feature in. In my books, that is theft.

Enter the lawyers, and 2 months of fighting over who said what. We finally got a cheque to cover the missing component, but it is still not the vehicle we agreed to purchase, and they never apologized for lying, name calling, or the initial bait-and-switch.

My recommendation is to avoid Courtesy Chrysler in Calgary at all cost.

The second major service disappointment is Bubbles Car Wash (4715 Macleod Trail S). When I arrived, the "salesman" held out a laminated price card and said all the prices were on it, and then held onto the card - I actually had to ask for it and read the pricing myself. This is one sales person that could easily be replaced by a $5 brochure holder. I would highly recommend a solution-selling course like Sandler to help improve sales skills.

I explained to the rep that I specifically needed all the sand vacuumed out. The car is almost new (see the "Courtesy Chrysler" story above) but had been at the beach all summer and was covered in and out with beach sand. He assured me that the "Works" would be perfect because it is a complete wash with hand detailing and vacuuming of the entire interior. It's a personal, hand detailing service by professionals that takes about 30 minutes and it is only $36.95 ($10 off) if I get it done while I wait. Sure, I said - do it.

Forty-five minutes later, I had to go hunting for my car because there was no one at the service counter (for at least 10 minutes) and no one had explained that it would be left at the far end of the building. I waited another 5 minutes for someone to take my money, and then they charged me $54.95 for a $36 service - figure that one out. When I finally located my car I noticed right away that the front bumper was still as dirty as when it came in. This amazed me as I know there were at least 4 people that *looked* like they were hand washing it. I did a walk around and noticed several places that were never touched at all. Even worse, the interior still had beach sand everywhere. In some places it was obvious the vacuum had not even passed by. They even managed to scratch the paint on the hood.

I had to point out to the final detailers that they completely forgot to do the tire detail and that the bumpers needed to be rewashed. Even after all of that, I need to re-wash and re-vacuum it myself to get the job done properly. This is definitely not what I expected from a $50 hand detailing.

So what is the deal with companies that claim high end customer service and then fail miserably? I don't think I am being particularly picky by asking them to actually provide the service I have paid for, or to be polite, available, and respectful of my time. Is it too much to expect an honest deal with a smile, or is ignorance the standard now? Did I miss something?

I have worked with some of the largest companies in the world and some of the most demanding clients and I can tell you that providing good customer service is really not that hard to do. It's just hard to find.