This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mail flooding / "DDos"

Hallo,

es geht um ein SG210 mit UTM 9.

Über einen schon längeren Zeitraum kommt eine Flut an Mails von hunderten verschiedenen IP Adrressen daher, welche alle an ein Konto zustellen wollen, dass es nicht gibt.

Die Sophos hält das zwar alles vom Mailserver fern, aber zwischendurch haben diese "Spam Verbindungen" die erlaubten Verbindungen komplett aufgebraucht.
Ein Finetuning der erlaubten Verbindungen pro IP etc. hat mehr oder weniger Abhilfe geschaffen (es kann auch wieder legitimes bearbeitet werden).
Geschätzt gut 80% der Verbindungen sind aber noch immer mit Spam belegt.

Kann man diese IPs irgendwie ausbremsen ohne dass sie wirklich bearbeitet werden? z.B. Zustellversuch an Mailadresse x => Verbindungsabbruch & 10 Minuten Auszeit.
IPs und Netze sperren ist nur bedingt möglich, da vieles aus der Microsoft Cloud kommt.

This thread was automatically locked due to age.

Parents

0 Raphael Alganes over 1 year ago

Hi Robert IT ,

Thanks for reaching out to Sophos Community and hope you are well.

You may try to configure this:

Blackhole DNAT.JPG

https://support.sophos.com/support/s/article/KB-000034529?language=en_US

When doing so, also consider item#2 on this post: Rulz

You could also refer to these past community post that might help you and might be a similar case:

RE: Additional DNAT Blackhole to permanently Block IPs

Blackhole DNAT not working

Hope this helps. Thanks for your time and patience and Thank you for choosing Sophos.

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Robert IT over 1 year ago in reply to Raphael Alganes

thx for the reply.

As i understand it, the ressources provided only explain how to block specific IP adressen or ranges.
Since the mail flood originates from all over the world and from different companies and new IP addresses pop up now and then, it's not feasible to manually maintain a block list. And as mentioned there are also a bunch of Microsoft addresses which i can't block or otherwise risk blocking legitimate outlook customers.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Robert IT over 1 year ago in reply to Raphael Alganes

thx for the reply.

As i understand it, the ressources provided only explain how to block specific IP adressen or ranges.
Since the mail flood originates from all over the world and from different companies and new IP addresses pop up now and then, it's not feasible to manually maintain a block list. And as mentioned there are also a bunch of Microsoft addresses which i can't block or otherwise risk blocking legitimate outlook customers.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Amodin over 1 year ago in reply to Robert IT

You may want to contact your ISP and let them know about this. They may be able to help you better than Sophos products could with this type of issue.

OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
(Former Sophos UTM Veteran, Former XG Rookie)
Cancel
Vote Up 0 Vote Down

Cancel