netsecurity database

You may have find your way to this page,
because your smtp-server received a message like:

550 SMTP/S access denied. (according to smtp-rfc's)

doing a telnet to port 25 shows in addition:

netsecurity-db status: <CIDR of netrange> recorded as spammer
(<timestamp of last received spam>).
Ref-ID: <reference id> from: <country>
See http://www.netsecdb.de for more info.

So what the hell is netsec-db
and why is the network-range blocked?

• we 'map networks' logically, not spying users privacy
• we take respect to the different network levels on the way to our customer networks
• we control access to our services.

  

• we know our customers networks
  and their communication partners
• we have set up self-educating engines
• we know more than 7.66 million networks
• we know 113.203 spammer networks
  (current stats on left part of frontpage)
• we hold other metadata regarding the known netranges
  (572575 filter+tags)
• think of it as an 'streetmap of the internet'
• in third dev-level, users shall be able to apply their own profiles to manage and generate individual configurations matching their customer-situation like we do today

What is that good for?
what can we do with it?

• 
  we integrated netsec-db functions into woltlab bulletin boards:
  • www.chatcops.de (mixed community)
  • www.net4cops.de (closed community - police officers only), international collegues welcome.
  • www.german-police.de (mixed community)
• police officers from the above mentioned bulletin boards have direct access to netsecdb in order to support their work.
• we integrated netsec-db and live-monitoring functions into drupal cms:
  • www.netsecdb.de (this page)
  • www.marxmeier.de
  • www.cologne-crocodiles.de
• request live security relevant infos about visitors/users
  
• import missing info and judge the net by mouseclkick
• block or open servers/nets/ports from the frontend
• netsec-db uses the database content to automatically generate config-files and firewall rulesets
• in addition, the netsec-db is automatically updated from logfiles (mail/web/syslog):

  
  
  

• 
  we currently generate:

  • hosts.deny files for plesk/qmail/xinetd
  • evil-client.cidr for postfix,
  • exim4_local_host_blacklist for exim4.x,

  

  • .htaccess-files for apache,
  • iptables-scripts for debian/SuSE and
  • cmdlets for use with Microsoft Exchange Server7 Series

  to be used by external partners.
  
  
  
  
  
  
  
  
  
  

• we are able to process and analyse logfiles very fast against netsec-db and give quick reports
• do you ever received logs you have to pay for (like advertising clicks) and like to check them for plausibility? - now one can analyze them
• netsec-db has been hosted behind two redundant and stateful firewalls and switched to ordinary rootserver in a standard hosting environment.
• we save load and energy costs, getting our servers back to their work - of course, you can filter each mail by content, like we do with the remaining ones (and the ones from customer nets) - but 98% traffic and cpu for nothing?
• we want to fight internet crime fast and effectively.

For further documentation please check out the documentation section.
A quickjump to tagging rulesets.

In general - it does not look pretty like an advertisment spam, but it works in production.

Applying netsecdb mapping on spams,
we have the following results:

we have decreased them more than 98% on this server.

Take a look at the current mailstats on the left

 

---

From 2008/07/07 to 2008/09/12
we prevented
1.763.693 connects
to srv01 from
known spammer-nets.
We reduced load and traffic to approx. 1% of before:

With the saved resources we drive netsecdb engines and database.

---