chinaspam: netfilter geoip queue

written Jun, 12th 2004

the problem

A lot of spam originates from servers located in China, Taiwan, Hong Kong and Korea. I don't plan to receive mail from these countries in the foreseeable future; yet, spamassassin doesn't catch all the spam they send me.

the solution

Let's combine three powerful tools against spam:

...and in the darkness bind all spam in the land of Mordor, where the shadows lie.

prerequisites

download

Get the source: chinaspam.c

detailed instructions

  1. If you compiled "Userspace queuing via NETLINK" as a kernel module, you need to load it:
    insmod ip_queue
  2. Get this source and compile it. Note that you should change line 53 if your iptables version is older than 1.2.5.
    gcc -lGeoIP -lipq -o chinaspam chinaspam.c
  3. Then you need to write an iptables rule to match incoming mail packets and send them to our userland chinaspam using the QUEUE target:
    iptables -A INPUT -m state --state NEW -i $IF_FREE -p tcp --dport smtp -j QUEUE
  4. Now run the executable, and make sure it never stops (using Bernstein's daemontools, for example). For example, to ban China (CN), Taiwan (TW), Korea (KR) and Hong Kong (HK), use the following syntax:
    ./chinaspam CN TW HK KR &
    Check the complete list of ISO 3166 country codes at http://www.maxmind.com/app/iso3166
  5. You should check that your friends can still send emails to your server.
  6. Then patiently wait for the Chinese spammers:
    tail -f /var/log/daemon.log
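The following is an added example, not the chinaspam.c source linked above: it shows the decision the userland program has to make for each queued packet (parse the IPv4 header, look up the source address's country, compare it against the codes given on the command line, return ACCEPT or DROP and build the syslog line). To keep it buildable without libipq and libGeoIP, the GeoIP lookup is replaced by a constructed prefix table built from the addresses in the syslog excerpt below, and the verdict constants are defined locally with the same values as NF_DROP and NF_ACCEPT from <linux/netfilter.h>. In the real program the packet bytes come from ipq_get_packet()->payload and the return value is handed to ipq_set_verdict(); the sample packets here are constructed with make_ipv4_header().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same values as NF_DROP / NF_ACCEPT in <linux/netfilter.h>, defined locally
 * so this example builds without kernel headers. */
#define VERDICT_DROP   0
#define VERDICT_ACCEPT 1

/* Host-order IPv4 address from dotted components (usable in initializers). */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) { return IP4(a, b, c, d); }

/* Constructed stand-in for the GeoIP country database: a few /16 prefixes
 * taken from the syslog excerpt, plus one documentation prefix. The real
 * program calls GeoIP_country_code_by_addr() / GeoIP_country_name_by_addr(). */
struct geo_entry { uint32_t net; uint32_t mask; const char *code; const char *name; };
static const struct geo_entry geo_table[] = {
    { IP4(218,190,0,0), IP4(255,255,0,0),   "HK", "Hong Kong" },
    { IP4(221,124,0,0), IP4(255,255,0,0),   "HK", "Hong Kong" },
    { IP4(218,79,0,0),  IP4(255,255,0,0),   "CN", "China" },
    { IP4(222,65,0,0),  IP4(255,255,0,0),   "CN", "China" },
    { IP4(166,104,0,0), IP4(255,255,0,0),   "KR", "Korea, Republic of" },
    { IP4(192,0,2,0),   IP4(255,255,255,0), "FR", "France" },
};

/* Longest-match is not needed for this toy table; first match wins.
 * Returns NULL for an address the database does not know, as GeoIP does. */
static const struct geo_entry *geo_lookup(uint32_t saddr) {
    size_t i;
    for (i = 0; i < sizeof geo_table / sizeof geo_table[0]; i++)
        if ((saddr & geo_table[i].mask) == geo_table[i].net)
            return &geo_table[i];
    return NULL;
}

/* Is this two-letter code one of the codes given on the command line? */
static int is_banned(const char *code, char **banned, int nbanned) {
    int i;
    for (i = 0; i < nbanned; i++)
        if (strcmp(code, banned[i]) == 0) return 1;
    return 0;
}

static void fmt_ip(uint32_t a, char out[16]) {
    snprintf(out, 16, "%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 255),
             (unsigned)((a >> 8) & 255), (unsigned)(a & 255));
}

/* Write a minimal 20-byte IPv4 header (no options) to construct sample packets;
 * only the fields the filter reads are meaningful. */
void make_ipv4_header(unsigned char *buf, uint32_t saddr, uint32_t daddr) {
    int i;
    memset(buf, 0, 20);
    buf[0] = 0x45;   /* version 4, IHL 5 words */
    buf[9] = 6;      /* protocol TCP */
    for (i = 0; i < 4; i++) {
        buf[12 + i] = (unsigned char)(saddr >> (24 - 8 * i));
        buf[16 + i] = (unsigned char)(daddr >> (24 - 8 * i));
    }
}

/* Source address of a raw IP packet as ip_queue delivers it (payload starts at
 * the IP header). Returns 0 on a truncated or non-IPv4 buffer. */
int ipv4_saddr(const unsigned char *pkt, size_t len, uint32_t *saddr) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    *saddr = ip4(pkt[12], pkt[13], pkt[14], pkt[15]);
    return 1;
}

/* Verdict for one queued packet, plus the line the real program logs via syslog.
 * Anything whose origin cannot be determined is accepted: this filter only drops
 * the countries it was told to drop; everything else still reaches the MTA and
 * spamassassin. */
int chinaspam_verdict(const unsigned char *pkt, size_t len,
                      char **banned, int nbanned, char *msg, size_t msglen) {
    uint32_t saddr;
    char ip[16];
    const struct geo_entry *g;
    if (!ipv4_saddr(pkt, len, &saddr)) {
        snprintf(msg, msglen, "Accepted a packet with an unparsable IP header");
        return VERDICT_ACCEPT;
    }
    fmt_ip(saddr, ip);
    g = geo_lookup(saddr);
    if (g == NULL || !is_banned(g->code, banned, nbanned)) {
        snprintf(msg, msglen, "Accepted a packet from %s (%s)", ip, g ? g->code : "unknown country");
        return VERDICT_ACCEPT;
    }
    snprintf(msg, msglen, "Dropped a packet from %s because it came from non-authorized country : %s",
             ip, g->name);
    return VERDICT_DROP;
}

int main(int argc, char **argv) {
    static char *defaults[] = { "CN", "TW", "HK", "KR" };
    char **banned = argc > 1 ? argv + 1 : defaults;
    int nbanned = argc > 1 ? argc - 1 : 4;
    uint32_t samples[] = { IP4(218,190,18,249), IP4(192,0,2,1), IP4(203,0,113,7) };
    unsigned char pkt[20];
    char msg[160];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        make_ipv4_header(pkt, samples[i], IP4(10,0,0,1));
        chinaspam_verdict(pkt, sizeof pkt, banned, nbanned, msg, sizeof msg);
        printf("%s\n", msg);
    }
    return 0;
}
```

Run it with the same arguments as the real program (`./example CN TW HK KR`) and it prints one verdict line per constructed sample. The accept-on-unknown branch is the design choice worth thinking about: GeoIP returns no country for some address space, and dropping those would silently lose legitimate mail, which is exactly what step 5 above is meant to catch.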

a word of caution

If the 'chinaspam' process doesn't run, or stops running, iptables will not let any matching packet pass. Be warned, and monitor the process using Bernstein's daemontools.

About speed: there is no DNS lookup involved, so the code is fast. GeoIP's benchmark reports around 10000 queries per second using the "free country database" on a Pentium Pro 200.

final result: syslog messages

Jun 14 17:25:18 zboubi chinaspam: Dropped a packet from 218.190.18.249 because it came from non-authorized country : Hong Kong
Jun 14 17:25:27 zboubi last message repeated 2 times
Jun 14 17:28:04 zboubi chinaspam: Dropped a packet from 218.79.117.171 because it came from non-authorized country : China
Jun 14 19:38:20 zboubi chinaspam: Dropped a packet from 166.104.200.92 because it came from non-authorized country : Korea, Republic of
Jun 14 19:38:29 zboubi last message repeated 2 times
Jun 14 22:13:29 zboubi chinaspam: Dropped a packet from 221.124.77.241 because it came from non-authorized country : Hong Kong
Jun 14 22:35:58 zboubi chinaspam: Dropped a packet from 222.65.101.153 because it came from non-authorized country : China
Jun 14 22:36:07 zboubi last message repeated 2 times

todo list

If you liked this hack, you might want to hire me; have a look at my French sysadmin resume: CV d'administrateur systemes et reseaux