SMTP Proxy DoS'd?

I noticed my SMTP logs explode in size two days ago and investigated to find that an IP address keeps trying to connect. I don't know why, but I run a very small email server for home use, so I'm thinking botnet or something. I did a bit of research on the forums on ways to deal with this, including a DNAT blackhole and listing the IP as a blacklisted SMTP relay, but my SMTP logs continue to show the UTM starting the connection process. Can someone tell me the right way to basically blacklist this IP?

Here's a sample of my SMTP logs:

2018:05:31-00:00:03 utm exim-in[30095]: 2018-05-31 00:00:03 SMTP connection from (ylmf-pc) [54.36.39.55]:50654 lost
2018:05:31-00:00:03 utm exim-in[25177]: 2018-05-31 00:00:03 SMTP connection from [54.36.39.55]:61031 (TCP/IP connection count = 1)
2018:05:31-00:00:04 utm exim-in[30098]: 2018-05-31 00:00:04 SMTP connection from (ylmf-pc) [54.36.39.55]:61031 lost
2018:05:31-00:00:04 utm exim-in[25177]: 2018-05-31 00:00:04 SMTP connection from [54.36.39.55]:56425 (TCP/IP connection count = 1)
2018:05:31-00:00:04 utm exim-in[30105]: 2018-05-31 00:00:04 SMTP connection from (ylmf-pc) [54.36.39.55]:56425 lost
2018:05:31-00:00:04 utm exim-in[25177]: 2018-05-31 00:00:04 SMTP connection from [54.36.39.55]:50948 (TCP/IP connection count = 1)
2018:05:31-00:00:04 utm exim-in[30106]: 2018-05-31 00:00:04 SMTP connection from (ylmf-pc) [54.36.39.55]:50948 lost
2018:05:31-00:00:04 utm exim-in[25177]: 2018-05-31 00:00:04 SMTP connection from [54.36.39.55]:61221 (TCP/IP connection count = 1)

That's just a few seconds... my logs went from under 100k a day to a few MBs! Please help!
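One way to turn a log sample like the one above into a detection signal, as an added example written for this thread (not code from Sophos UTM or from the poster; the log lines it feeds itself are constructed with documentation-range IPs): it parses the two exim-in line shapes shown, counts connection opens per source IP inside a sliding time window, and reports sources that exceed a threshold together with how many of their connections were dropped.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches both exim-in line shapes from the post: a new connection ("... [ip]:port (TCP/IP
# connection count = N)") and a dropped one ("... (helo) [ip]:port lost").
LINE_RE = re.compile(
    r"^\S+ \S+ exim-in\[\d+\]: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"SMTP connection from (?:\([^)]*\) )?\[(?P<ip>[^\]]+)\]:\d+ ?(?P<rest>.*)$"
)

def parse_line(line):
    """Return (timestamp, ip, event) with event "open", "lost" or "other"; None if not an exim-in SMTP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    event = "lost" if rest == "lost" else "open" if rest.startswith("(TCP/IP connection count") else "other"
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip"), event

def noisy_sources(lines, window=timedelta(seconds=60), threshold=20):
    """Flag IPs opening >= threshold connections inside any window: {ip: {"peak", "opens", "lost"}}."""
    opens, lost = defaultdict(list), defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        ts, ip, event = rec
        if event == "open":
            opens[ip].append(ts)
        elif event == "lost":
            lost[ip] += 1
    flagged = {}
    for ip, stamps in opens.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):      # sliding window over sorted open timestamps
            while t - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = {"peak": peak, "opens": len(stamps), "lost": lost[ip]}
    return flagged
# Constructed sample, not taken from the post: one host hammering the proxy for ~30 s, one normal sender.
def _sample():
    lines = []
    for i in range(30):
        t, port = "2018-05-31 00:00:%02d" % i, 40000 + i
        lines.append("2018:05:31-00:00:%02d utm exim-in[25177]: %s SMTP connection from [192.0.2.10]:%d (TCP/IP connection count = 1)" % (i, t, port))
        lines.append("2018:05:31-00:00:%02d utm exim-in[30095]: %s SMTP connection from (ylmf-pc) [192.0.2.10]:%d lost" % (i, t, port))
    lines.append("2018:05:31-00:01:00 utm exim-in[25177]: 2018-05-31 00:01:00 SMTP connection from [198.51.100.7]:51000 (TCP/IP connection count = 1)")
    return lines
SAMPLE_LINES = _sample()
```

Run `noisy_sources(SAMPLE_LINES)` (or feed it real lines from the UTM's smtp log) to get the offending source and its open/lost counts; the "lost" count showing every open being dropped is exactly the pattern in the post.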



If you look at the two charts attached to the bottom of that post, you see that DNATs come before the EXIM local process. Those packets never should have made it into the INPUT chain.

I would consider that a bug, depending on your DNAT - how about a picture of the Edit of your DNAT?

Cheers - Bob
