Best method for dealing with SMTP attacks

When I look at my SMTP live log I see continual attempts to access my mail server.
The SMTP proxy seems to be doing its job, but I am interested in knowing the best method for minimizing the number of entries that get recorded in the logfile.

2022:05:28-11:19:44 firewall exim-in[31398]: 2022-05-28 11:19:44 SMTP connection from (localhost) [5.34.207.150]:20624 closed by QUIT
2022:05:28-11:19:44 firewall exim-in[31414]: 2022-05-28 11:19:44 SMTP connection from (localhost) [5.34.207.182]:51714 closed by QUIT
2022:05:28-11:19:46 firewall exim-in[5027]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 (TCP/IP connection count = 6)
2022:05:28-11:19:46 firewall exim-in[31424]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 closed by QUIT
2022:05:28-11:19:47 firewall exim-in[5027]: 2022-05-28 11:19:47 SMTP connection from [5.34.207.150]:12380 (TCP/IP connection count = 6)
2022:05:28-11:19:47 firewall exim-in[5027]: 2022-05-28 11:19:47 SMTP connection from [5.34.207.182]:56972 (TCP/IP connection count = 7)
2022:05:28-11:19:47 firewall exim-in[31419]: 2022-05-28 11:19:47 SMTP connection from (localhost) [5.34.207.182]:22078 closed by QUIT
2022:05:28-11:19:48 firewall exim-in[31411]: 2022-05-28 11:19:48 SMTP connection from (User) [87.246.7.213]:42120 closed by QUIT
2022:05:28-11:19:49 firewall exim-in[31421]: 2022-05-28 11:19:49 SMTP connection from (localhost) [5.34.207.150]:50418 closed by QUIT
2022:05:28-11:19:50 firewall exim-in[5027]: 2022-05-28 11:19:50 SMTP connection from [5.34.207.182]:27336 (TCP/IP connection count = 5)
2022:05:28-11:19:50 firewall exim-in[31405]: 2022-05-28 11:19:50 SMTP connection from (localhost) [5.34.207.150]:35496 closed by QUIT
2022:05:28-11:19:51 firewall exim-in[31426]: 2022-05-28 11:19:51 SMTP connection from (localhost) [5.34.207.182]:56972 closed by QUIT
2022:05:28-11:19:52 firewall exim-in[31431]: 2022-05-28 11:19:52 SMTP connection from (localhost) [5.34.207.182]:27336 closed by QUIT
2022:05:28-11:19:52 firewall exim-in[5027]: 2022-05-28 11:19:52 SMTP connection from [87.246.7.213]:53630 (TCP/IP connection count = 4)
2022:05:28-11:19:53 firewall exim-in[31376]: 2022-05-28 11:19:53 SMTP connection from (User) [212.70.149.72]:44572 lost D=31s
2022:05:28-11:19:53 firewall exim-in[5027]: 2022-05-28 11:19:53 SMTP connection from [5.34.207.182]:62214 (TCP/IP connection count = 3)
2022:05:28-11:19:55 firewall exim-in[5027]: 2022-05-28 11:19:55 SMTP connection from [5.34.207.150]:27272 (TCP/IP connection count = 4)
2022:05:28-11:19:56 firewall exim-in[31425]: 2022-05-28 11:19:56 SMTP connection from (localhost) [5.34.207.150]:12380 closed by QUIT
2022:05:28-11:19:56 firewall exim-in[31440]: 2022-05-28 11:19:56 SMTP connection from (localhost) [5.34.207.182]:62214 closed by QUIT
2022:05:28-11:19:56 firewall exim-in[5027]: 2022-05-28 11:19:56 SMTP connection from [5.34.207.182]:32588 (TCP/IP connection count = 5)
2022:05:28-11:19:58 firewall exim-in[31439]: 2022-05-28 11:19:58 SMTP connection from (User) [87.246.7.213]:53630 closed by QUIT
2022:05:28-11:19:58 firewall exim-in[5027]: 2022-05-28 11:19:58 SMTP connection from [5.34.207.150]:53746 (TCP/IP connection count = 4)
2022:05:28-11:19:59 firewall exim-in[31446]: 2022-05-28 11:19:59 SMTP connection from (localhost) [5.34.207.182]:32588 closed by QUIT
2022:05:28-11:19:59 firewall exim-in[31444]: 2022-05-28 11:19:59 SMTP connection from (localhost) [5.34.207.150]:27272 closed by QUIT
2022:05:28-11:19:59 firewall exim-in[5027]: 2022-05-28 11:19:59 SMTP connection from [5.34.207.182]:2970 (TCP/IP connection count = 3)

I have tried 2 different methods, both of which seem to work.

1. Create a blackhole entry for each network in Static Routing

2. Create a DNAT blackhole

Definitions & Users > Network Definition
   Create a Network - xxx.xxx.xxx/24 for IPs identified in SMTP log
   Create a Group, which includes all of the above attacker networks
   Create a Host named Blackhole (240.0.0.1)
Network Protection > NAT > NAT
   New NAT Rule > DNAT
   For traffic from: Group created above
   Using service: ANY
   Going to: WAN (Address)
   Change the destination to: Blackhole host created above

Are there better ways to do this?
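As an added example (not part of the original post or of the UTM product), the short Python script below parses exim-in lines in the format shown in the live log above, counts events per peer address and per /24, and lists the networks that exceed a threshold, which is the list that method 2's network group is built from. The sample excerpt is a few lines copied from the log above; the threshold of 3 hits is a constructed value.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Matches the exim-in lines seen in the live log: an optional "(name)" host
# literal, then the bracketed peer IP, its source port, and the event text.
LINE_RE = re.compile(
    r"SMTP connection from (?:\([^)]*\) )?\[(?P<ip>[0-9.]+)\]:(?P<port>\d+) "
    r"(?P<event>closed by QUIT|lost D=\d+s|\(TCP/IP connection count = \d+\))"
)

def parse_events(lines):
    """Yield (peer_ip, kind) where kind is 'open', 'quit' or 'lost'."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated exim line, ignore it
        ev = m.group("event")
        if ev.startswith("(TCP/IP"):
            kind = "open"
        elif ev.startswith("closed"):
            kind = "quit"
        else:
            kind = "lost"
        yield m.group("ip"), kind

def summarize(lines, min_hits=3):
    """Return (events per IP, /24 networks with at least min_hits events)."""
    per_ip, per_net = Counter(), Counter()
    for ip, _kind in parse_events(lines):
        per_ip[ip] += 1
        per_net[str(ip_network(f"{ip}/24", strict=False))] += 1
    noisy = {net: n for net, n in per_net.items() if n >= min_hits}
    return per_ip, noisy

# Sample excerpt taken from the log lines quoted above (constructed subset).
SAMPLE = """\
2022:05:28-11:19:44 firewall exim-in[31398]: 2022-05-28 11:19:44 SMTP connection from (localhost) [5.34.207.150]:20624 closed by QUIT
2022:05:28-11:19:46 firewall exim-in[5027]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 (TCP/IP connection count = 6)
2022:05:28-11:19:47 firewall exim-in[5027]: 2022-05-28 11:19:47 SMTP connection from [5.34.207.182]:56972 (TCP/IP connection count = 7)
2022:05:28-11:19:48 firewall exim-in[31411]: 2022-05-28 11:19:48 SMTP connection from (User) [87.246.7.213]:42120 closed by QUIT
2022:05:28-11:19:53 firewall exim-in[31376]: 2022-05-28 11:19:53 SMTP connection from (User) [212.70.149.72]:44572 lost D=31s
2022:05:28-11:19:56 firewall exim-in[31440]: 2022-05-28 11:19:56 SMTP connection from (localhost) [5.34.207.182]:62214 closed by QUIT
"""

if __name__ == "__main__":
    ips, nets = summarize(SAMPLE.splitlines())
    print("events per IP:", dict(ips))
    print("candidate /24 networks:", nets)
```

Aggregating by /24 mirrors the network definitions in method 2; review each range before adding it to the group, since a /24 can also contain legitimate senders.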

  • I am currently in the process of upgrading my network from a Server 2003 environment to a Server 2019 environment.

    This will also include an upgrade of my UTM hardware and a clean install of the UTM.
    My goal is to have a "best practices" configuration of the UTM for 2022.

    I have an IT background, but I would not profess to be a firewall expert, so that is why I am asking questions and seeking advice on areas I am not 100% sure about.
