Fighting Spam with OpenWRT
Time Warner recently cut off our RoadRunner cable service because one of our computers was blasting spam out onto the internet. To find out which machine it was, I ran the following command in a GNU Screen session on OpenWRT on my WL500gP router:
tcpdump -n -X -s 96 -tttt -i br0 port 25
This command says, roughly, “show me the first 96 bytes of each packet on the LAN bridge to or from port 25 (SMTP)”. Strictly, the filter `port 25` matches both directions; `dst port 25` would restrict it to the outbound connection attempts, which is the traffic of interest here.
48 hrs later, tcpdump had chewed up almost all available memory and the GNU Screen log I had set up was occupying almost all of the router’s flash disk space. To OpenWRT’s credit, the router was still functioning.
My housemate Dave’s Windows XP had contracted some malware called SDBot. It’s a crafty bit of code that appeared to wait until the machine was idle to do its dirty deeds. It was sending about 1 email every three seconds to geographically disparate servers.
During testing I wanted to block all outbound SMTP traffic. Here’s what I added towards the top of the router’s `/etc/firewall.user` to accomplish this (`-I` inserts the rule at the head of the FORWARD chain, so it takes precedence over any accept rules that follow):
iptables -I FORWARD -i br0 -p tcp --dport 25 -j DROP
I ran `/etc/init.d/S35firewall restart` so that this new rule would take effect.
We installed McAfee’s virus scan and a firewall on Dave’s machine and we’re back in business.
How to improve on my (crude) method:
- Figure out a nice way to save the tcpdump capture to another machine on the LAN via SSH. Alternatively, have iptables log the connections à la Quiet Earth’s method.
- Use the iptables Layer 7 (l7-filter) match to catch/block SMTP traffic on non-standard ports.
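One way to do the logging variant of the first improvement without filling the router’s flash, as an added example that is not part of the original post: log only the first packet of each outbound SMTP connection with an iptables LOG rule (the `SMTP_OUT:` prefix is a label chosen here, not something from the post), read the lines back from the router’s log, and summarize them per LAN host with a short POSIX shell script. The sample log lines below are constructed for the example in the format the kernel LOG target emits; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): find the LAN host that is making
# outbound SMTP connections, from iptables LOG output instead of a tcpdump dump.
#
# Assumed router rule, placed in /etc/firewall.user AFTER the DROP line so that
# -I leaves the LOG rule ahead of the DROP in the FORWARD chain. --syn logs only
# the first packet of each connection, so the log stays small:
#   iptables -I FORWARD -i br0 -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP_OUT: "
# On OpenWRT the lines show up in `logread`; here they are constructed inline.

SAMPLE_LOG='Jan  5 03:12:01 OpenWrt kernel: SMTP_OUT: IN=br0 OUT=vlan1 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1001 DF PROTO=TCP SPT=1045 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 03:12:04 OpenWrt kernel: SMTP_OUT: IN=br0 OUT=vlan1 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1002 DF PROTO=TCP SPT=1046 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 03:12:05 OpenWrt kernel: SMTP_OUT: IN=br0 OUT=vlan1 SRC=192.168.1.40 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2001 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 03:12:07 OpenWrt kernel: SMTP_OUT: IN=br0 OUT=vlan1 SRC=192.168.1.23 DST=203.0.113.55 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1003 DF PROTO=TCP SPT=1047 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 03:12:09 OpenWrt kernel: SMTP_OUT: IN=br0 OUT=vlan1 SRC=192.168.1.23 DST=203.0.113.99 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1004 DF PROTO=TCP SPT=1048 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 03:12:10 OpenWrt kernel: OTHER: IN=br0 OUT=vlan1 SRC=192.168.1.40 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0'

# smtp_senders LOGFILE: one "count src" line per LAN host, busiest first.
# Only lines carrying our prefix are counted; other firewall logs are ignored.
smtp_senders() {
    grep 'SMTP_OUT: ' "$1" \
        | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# smtp_distinct_dests LOGFILE SRC: how many different mail servers SRC contacted.
# A bot delivering spam directly fans out to many disparate servers; a normal
# mail client talks to one or two. The trailing space after $2 keeps
# 192.168.1.2 from matching 192.168.1.23.
smtp_distinct_dests() {
    grep 'SMTP_OUT: ' "$1" | grep "SRC=$2 " \
        | sed -n 's/.*DST=\([0-9.]*\) .*/\1/p' \
        | sort -u | wc -l | tr -d ' '
}

# top_smtp_sender LOGFILE: the single busiest LAN host.
top_smtp_sender() {
    smtp_senders "$1" | head -n 1 | awk '{print $2}'
}

# Driver: write the constructed sample to a temp file and summarize it.
LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
echo "Outbound SMTP connection attempts per LAN host:"
smtp_senders "$LOGFILE"
TOP=$(top_smtp_sender "$LOGFILE")
echo "Busiest host $TOP reached $(smtp_distinct_dests "$LOGFILE" "$TOP") distinct mail servers"
```

On the router you would replace the sample file with `logread > /tmp/fw.log` (or a syslog host’s file) and run the same functions. If you would rather keep the packet capture from the first bullet, the SSH variant is a plain pipe: `tcpdump -n -s 96 -w - -i br0 dst port 25 | ssh user@host 'cat > smtp.pcap'`, which keeps the bytes off the router’s flash entirely.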
If any of you networking gurus have any thoughts, especially regarding iptables, please leave a note `:]`