How To Protect Linux Server From Stolen Zombie Netblocks & 100% Professional Spammer Controlled Netblocks

By Angsuman Chakraborty, Gaea News Network
Monday, December 3, 2007

DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list from Spamhaus, consisting of stolen ‘zombie’ netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL advisory designed for use by firewalls and routing equipment. It can also be implemented in iptable rules as explained below.

DROP is currently available as a simple text list. The DROP list will NEVER include any IP space “owned” by any legitimate network and reassigned - even if reassigned to the “spammers from hell”. It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are “direct allocations” from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of “hijacked zombie” IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.

When implemented at a network or ISP’s ‘core routers’, DROP will protect all the network’s users from spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.

The following one line script will fetch the current list from DROP and convert it to iptables rules to reject packets from rogue netblocks:
curl -s |grep ^[1-9]|cut -f 1 -d ‘ ‘ | xargs -iX -n 1 /sbin/iptables -A INPUT -s X -j DROP

You should consider adding it to your cron job which runs not more than once per hour. Once per day is recommended. My crontab reads:
0 0 * * * /etc/spamdrop

Note: /etc/spamdrop is the path to the script.

You can verify that the rules have been properly added with:
/sbin/iptables -nvL

You will see entries like these:

0 0 DROP 0 — * *
0 0 DROP 0 — * *
0 0 DROP 0 — * *

will not be displayed