Incomming SMTP relay spammer

jbke

New Around Here
Hello,

I have a question regarding the best way to handle an incoming relay spammer on my mail server. I am looking for a way to dynamically block incoming traffic on port 25 based on some logic.

Let me explain. The spammer does not achieve his relay actions through the mail server; that is not the issue. Also, I have IPBan running, so once they come in, the IP is banned for a few months indefinitely. So that is handled. The issue is that they are using hosts all over the world, so atm I have blocked about 30 countries through Skynet and the volume is dramatically less, so all good.

The issue however is threefold:

1. I hate blocking all these countries. I feel it's a cannon to kill an annoying fly
2. Log file size is going through the roof
3. When the spammer throws his mails onto the mailserver, it's always in a block of a 100 mails and my mailserver doesn't have a setting to block it

So, my idea was to have some sort of script running that checks incoming connections on port 25 and then checks whether the next x amount of incoming requests are from the same IP on the same port and then adds it dynamically to the iptables. That way it doesn't even get onto the mailserver and just bounces off the firewall.

I have been looking in scripts and entware and I'm sure this can be done. Installing a script would not be an issue. Making it would, as I have 0 experience in making such scripts. I have been writing code for the last 40 years, but never on unix. So I guess I could find it after a lot of trial and error. So if anyone has something alike, or something I can use as a basis, it would be appreciated.

Maybe there is a better idea to get this done.

Either way, already many thanks for any ideas.
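One way to implement the counting idea from the post above, as an added example that is not from the thread or from Skynet, IPBan or entware: a POSIX shell script that tallies port-25 connection attempts per source address from iptables LOG lines and, above a threshold, emits per-IP DROP rules (printed by default; set APPLY=1 to actually run them). The log prefix, log path, threshold and sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the router logs new
# port-25 SYNs with a rule such as (assumed, not from the post):
#   iptables -I INPUT -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP_IN: "
# and that those lines land in /var/log/messages (assumed path).

# Constructed sample log (not real traffic): one noisy source, one quiet one,
# and an unrelated SSH line that must be ignored.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 10:00:01 router kernel: SMTP_IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=25 SYN
Jan 10 10:00:02 router kernel: SMTP_IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=25 SYN
Jan 10 10:00:03 router kernel: SMTP_IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=25 SYN
Jan 10 10:00:04 router kernel: SSH_IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=22 SYN
Jan 10 10:00:05 router kernel: SMTP_IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=25 SYN
Jan 10 10:00:06 router kernel: SMTP_IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=25 SYN
Jan 10 10:00:07 router kernel: SMTP_IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41004 DPT=25 SYN
EOF
}

# smtp_offenders LOGFILE THRESHOLD: print "ip count" for every source that
# opened at least THRESHOLD connections to port 25, sorted by address.
smtp_offenders() {
    awk -v thr="$2" '
        /SMTP_IN:/ && /DPT=25( |$)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { ip = substr($i, 5); n[ip]++ }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' "$1" | sort
}

# block_offenders LOGFILE THRESHOLD: build one DROP rule per offender.
# Dry run (echo) unless APPLY=1; -C avoids inserting a duplicate rule.
block_offenders() {
    smtp_offenders "$1" "$2" | while read -r ip count; do
        rule="INPUT -p tcp --dport 25 -s $ip -j DROP"
        if [ "${APPLY:-0}" = "1" ]; then
            iptables -C $rule 2>/dev/null || iptables -I $rule
        else
            echo "iptables -I $rule"
        fi
    done
}

# Run against the real log only when invoked as: sh smtp_block.sh run
case "${1:-}" in
    run) block_offenders "${LOGFILE:-/var/log/messages}" "${THRESHOLD:-20}" ;;
esac
```

The same counting can be done inside the kernel with no script at all via the iptables `recent` match (`--set` on new port-25 SYNs, then `--update --seconds N --hitcount M -j DROP`), which also keeps the dropped attempts out of the mail server's log.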
IP-based blocking for port 25 is a losing battle, as there will be a LOT of connection attempts, which would make any blocklist futile in the end. Instead, tighten security around the SMTP daemon itself. Make sure that no relaying will be accepted unless the connection attempt uses AUTH, or the mail is to be delivered to your local domain.
 
Unfortunately this is part of the joy of running your own email server. There are firewalls and intrusion detection appliances out there that can throttle and eventually block IPs but it is pretty futile. As @RMerlin stated just ensure your relay is totally closed and everything is secure. If you have port 25 open, you're going to be inundated with spammers and bots, that's just a fact of life.

I eventually just outsourced my email hosting, it was cheaper in the long run and I can let someone else deal with it. Sure I miss some of the visibility and control but it was not worth the hassle and cost.
 
The thing is, relay is blocked so that's all ok. It is just the massive amount of logging that annoys me :) But yes, I understand that I shouldn't worry about it. Also, I think it's just 1 origin that is spamming my mail server. Sooner or later he will give up I guess.
 
Back in the day when I ran a Microsoft email server I used Untangle as it had a very good email scanner. I am not sure today, but it did a good job back then with nice reports of what was going on.
 