Justin Piszcz wrote:
> Recently, I saw this in my logs:
>
> With iptables I guess I could specify something to block port 25 if it
> gets hit too many times from _ANY_ ip but that would block legitimate
> mail; however, it seems as if it is the only or best option?
>
> Aug 9 12:47:19 l2 postfix/smtpd[12676]: connect from
> mx181.populationarea.com[69.31.50.181]
> Aug 9 12:47:24 l2 postfix/smtpd[12676]: disconnect from
> mx181.populationarea.com[69.31.50.181]
> Aug 9 12:47:26 l2 postfix/smtpd[12676]: connect from
> mx190.webcastersradio.com[69.31.50.190]
> Aug 9 12:47:30 l2 postfix/smtpd[12676]: disconnect from
> mx190.webcastersradio.com[69.31.50.190]
> Aug 9 12:47:31 l2 postfix/smtpd[12676]: connect from
> mx184.shippingkick.com[69.31.50.184]
> Aug 9 12:47:35 l2 postfix/smtpd[12676]: disconnect from
> mx184.shippingkick.com[69.31.50.184]
> Aug 9 12:47:36 l2 postfix/smtpd[12676]: connect from
> mx184.shippingkick.com[69.31.50.184]
> Aug 9 12:47:41 l2 postfix/smtpd[12676]: disconnect from
> mx184.shippingkick.com[69.31.50.184]
> Aug 9 12:47:43 l2 postfix/smtpd[12676]: connect from
> mx184.shippingkick.com[69.31.50.184]
> Aug 9 12:47:47 l2 postfix/smtpd[12676]: disconnect from
> mx184.shippingkick.com[69.31.50.184]
> Aug 9 12:47:49 l2 postfix/smtpd[12676]: connect from
> mx186.shippingkick.com[69.31.50.186]
> Aug 9 12:47:53 l2 postfix/smtpd[12676]: disconnect from
> mx186.shippingkick.com[69.31.50.186]
> Aug 9 12:47:54 l2 postfix/smtpd[12676]: connect from
> mx186.shippingkick.com[69.31.50.186]
> Aug 9 12:47:59 l2 postfix/smtpd[12676]: disconnect from
> mx186.shippingkick.com[69.31.50.186]
> Aug 9 12:48:01 l2 postfix/smtpd[12676]: connect from
> mx186.shippingkick.com[69.31.50.186]
> Aug 9 12:48:05 l2 postfix/smtpd[12676]: disconnect from
> mx186.shippingkick.com[69.31.50.186]
> Aug 9 12:48:07 l2 postfix/smtpd[12676]: connect from
> mx166.censusarea.com[69.31.50.166]
> Aug 9 12:48:11 l2 postfix/smtpd[12676]: disconnect from
> mx166.censusarea.com[69.31.50.166]
> Aug 9 12:48:12 l2 postfix/smtpd[12676]: connect from
> mx166.censusarea.com[69.31.50.166]
> Aug 9 12:48:22 l2 postfix/smtpd[12676]: disconnect from
> mx166.censusarea.com[69.31.50.166]
> Aug 9 12:48:23 l2 postfix/smtpd[12676]: connect from
> mx173.officecent.com[69.31.50.173]
> Aug 9 12:48:27 l2 postfix/smtpd[12676]: disconnect from
> mx173.officecent.com[69.31.50.173]
> Aug 9 12:48:28 l2 postfix/smtpd[12676]: connect from
> mx172.officecent.com[69.31.50.172]
> Aug 9 12:48:33 l2 postfix/smtpd[12676]: disconnect from
> mx172.officecent.com[69.31.50.172]
> Aug 9 12:48:35 l2 postfix/smtpd[12676]: connect from
> mx168.offcentral.com[69.31.50.168]
> Aug 9 12:48:39 l2 postfix/smtpd[12676]: disconnect from
> mx168.offcentral.com[69.31.50.168]
> Aug 9 12:48:41 l2 postfix/smtpd[12676]: connect from
> mx163.censusarea.com[69.31.50.163]
> Aug 9 12:48:45 l2 postfix/smtpd[12676]: disconnect from
> mx163.censusarea.com[69.31.50.163]
> Aug 9 12:48:46 l2 postfix/smtpd[12676]: connect from
> mx163.censusarea.com[69.31.50.163]
> Aug 9 12:48:51 l2 postfix/smtpd[12676]: disconnect from
> mx163.censusarea.com[69.31.50.163]
> Aug 9 12:48:52 l2 postfix/smtpd[12676]: connect from
> mx179.populationarea.com[69.31.50.179]
> Aug 9 12:48:56 l2 postfix/smtpd[12676]: disconnect from
> mx179.populationarea.com[69.31.50.179]
> Aug 9 12:48:58 l2 postfix/smtpd[12676]: connect from
> mx183.shippingkick.com[69.31.50.183]
> Aug 9 12:49:02 l2 postfix/smtpd[12676]: disconnect from
> mx183.shippingkick.com[69.31.50.183]
> Aug 9 12:49:03 l2 postfix/smtpd[12676]: connect from
> mx188.webcastersradio.com[69.31.50.188]
> Aug 9 12:49:08 l2 postfix/smtpd[12676]: disconnect from
> mx188.webcastersradio.com[69.31.50.188]
> Aug 9 12:49:10 l2 postfix/smtpd[12676]: connect from
> mx178.populationarea.com[69.31.50.178]
> Aug 9 12:49:14 l2 postfix/smtpd[12676]: disconnect from
> mx178.populationarea.com[69.31.50.178]
>
I installed fail2ban yesterday; this may help, but if you know the IPs
I would simply drop them statically with iptables, or perhaps their whole net.
- --
Mit freundlichen Gruessen
Best Regards
Robert Schetterer
Germany/Bavaria/Munich
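One way to check the log before blocking a whole network as suggested above, as an added example that is not part of the original messages: it groups Postfix `connect from` lines by /24 and reports networks whose connect rate crosses a threshold, with a candidate iptables rule for review. The function name, the thresholds and the 192.0.2.10 sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd "connect from host[ip]" lines, as in the quoted log.
CONNECT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def noisy_networks(lines, prefix=24, threshold=5, window=timedelta(minutes=2)):
    """Return {net: (peak connects per window, distinct IPs)} for noisy nets."""
    seen = defaultdict(list)                  # network -> [(time, ip)]
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue                          # disconnects, other daemons
        # syslog omits the year; an arbitrary one suffices for time deltas
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        seen[net].append((ts, ip))
    result = {}
    for net, events in seen.items():
        events.sort()
        peak = start = 0
        for end, (ts, _) in enumerate(events):   # sliding time window
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            result[net] = (peak, len({ip for _, ip in events}))
    return result

# Sample: lines from the quoted log plus one constructed line (192.0.2.10).
SAMPLE = """\
Aug 9 12:47:19 l2 postfix/smtpd[12676]: connect from mx181.populationarea.com[69.31.50.181]
Aug 9 12:47:24 l2 postfix/smtpd[12676]: disconnect from mx181.populationarea.com[69.31.50.181]
Aug 9 12:47:26 l2 postfix/smtpd[12676]: connect from mx190.webcastersradio.com[69.31.50.190]
Aug 9 12:47:31 l2 postfix/smtpd[12676]: connect from mx184.shippingkick.com[69.31.50.184]
Aug 9 12:47:40 l2 postfix/smtpd[12700]: connect from mail.example.org[192.0.2.10]
Aug 9 12:47:49 l2 postfix/smtpd[12676]: connect from mx186.shippingkick.com[69.31.50.186]
Aug 9 12:48:07 l2 postfix/smtpd[12676]: connect from mx166.censusarea.com[69.31.50.166]
""".splitlines()

if __name__ == "__main__":
    for net, (peak, hosts) in noisy_networks(SAMPLE).items():
        print(f"{net}: peak {peak} connects/window from {hosts} addresses")
        print(f"  candidate: iptables -I INPUT -s {net} -p tcp --dport 25 -j DROP")
```

Grouping by network rather than by single address matters for a log like this one, where each address connects only a few times and a per-IP counter would stay under most thresholds.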