
Best method for dealing with SMTP attacks

When I look at my SMTP live log I see continual attempts to access my mail server.
The SMTP proxy seems to be doing its job, but I am interested in knowing the best method for minimizing the number of entries that get recorded in the logfile.

2022:05:28-11:19:44 firewall exim-in[31398]: 2022-05-28 11:19:44 SMTP connection from (localhost) [5.34.207.150]:20624 closed by QUIT
2022:05:28-11:19:44 firewall exim-in[31414]: 2022-05-28 11:19:44 SMTP connection from (localhost) [5.34.207.182]:51714 closed by QUIT
2022:05:28-11:19:46 firewall exim-in[5027]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 (TCP/IP connection count = 6)
2022:05:28-11:19:46 firewall exim-in[31424]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 closed by QUIT
2022:05:28-11:19:47 firewall exim-in[5027]: 2022-05-28 11:19:47 SMTP connection from [5.34.207.150]:12380 (TCP/IP connection count = 6)
2022:05:28-11:19:47 firewall exim-in[5027]: 2022-05-28 11:19:47 SMTP connection from [5.34.207.182]:56972 (TCP/IP connection count = 7)
2022:05:28-11:19:47 firewall exim-in[31419]: 2022-05-28 11:19:47 SMTP connection from (localhost) [5.34.207.182]:22078 closed by QUIT
2022:05:28-11:19:48 firewall exim-in[31411]: 2022-05-28 11:19:48 SMTP connection from (User) [87.246.7.213]:42120 closed by QUIT
2022:05:28-11:19:49 firewall exim-in[31421]: 2022-05-28 11:19:49 SMTP connection from (localhost) [5.34.207.150]:50418 closed by QUIT
2022:05:28-11:19:50 firewall exim-in[5027]: 2022-05-28 11:19:50 SMTP connection from [5.34.207.182]:27336 (TCP/IP connection count = 5)
2022:05:28-11:19:50 firewall exim-in[31405]: 2022-05-28 11:19:50 SMTP connection from (localhost) [5.34.207.150]:35496 closed by QUIT
2022:05:28-11:19:51 firewall exim-in[31426]: 2022-05-28 11:19:51 SMTP connection from (localhost) [5.34.207.182]:56972 closed by QUIT
2022:05:28-11:19:52 firewall exim-in[31431]: 2022-05-28 11:19:52 SMTP connection from (localhost) [5.34.207.182]:27336 closed by QUIT
2022:05:28-11:19:52 firewall exim-in[5027]: 2022-05-28 11:19:52 SMTP connection from [87.246.7.213]:53630 (TCP/IP connection count = 4)
2022:05:28-11:19:53 firewall exim-in[31376]: 2022-05-28 11:19:53 SMTP connection from (User) [212.70.149.72]:44572 lost D=31s
2022:05:28-11:19:53 firewall exim-in[5027]: 2022-05-28 11:19:53 SMTP connection from [5.34.207.182]:62214 (TCP/IP connection count = 3)
2022:05:28-11:19:55 firewall exim-in[5027]: 2022-05-28 11:19:55 SMTP connection from [5.34.207.150]:27272 (TCP/IP connection count = 4)
2022:05:28-11:19:56 firewall exim-in[31425]: 2022-05-28 11:19:56 SMTP connection from (localhost) [5.34.207.150]:12380 closed by QUIT
2022:05:28-11:19:56 firewall exim-in[31440]: 2022-05-28 11:19:56 SMTP connection from (localhost) [5.34.207.182]:62214 closed by QUIT
2022:05:28-11:19:56 firewall exim-in[5027]: 2022-05-28 11:19:56 SMTP connection from [5.34.207.182]:32588 (TCP/IP connection count = 5)
2022:05:28-11:19:58 firewall exim-in[31439]: 2022-05-28 11:19:58 SMTP connection from (User) [87.246.7.213]:53630 closed by QUIT
2022:05:28-11:19:58 firewall exim-in[5027]: 2022-05-28 11:19:58 SMTP connection from [5.34.207.150]:53746 (TCP/IP connection count = 4)
2022:05:28-11:19:59 firewall exim-in[31446]: 2022-05-28 11:19:59 SMTP connection from (localhost) [5.34.207.182]:32588 closed by QUIT
2022:05:28-11:19:59 firewall exim-in[31444]: 2022-05-28 11:19:59 SMTP connection from (localhost) [5.34.207.150]:27272 closed by QUIT
2022:05:28-11:19:59 firewall exim-in[5027]: 2022-05-28 11:19:59 SMTP connection from [5.34.207.182]:2970 (TCP/IP connection count = 3)

I have tried 2 different methods, both of which seem to work.

1. Create a blackhole entry for each network in Static Routing

2. Create a DNAT blackhole

Definitions & Users >  Network Definition
   Create a Network - xxx.xxx.xxx/24 for IPs identified in SMTP log
   Create a Group, which includes all of the above attacker networks
   Create a Host named Blackhole (240.0.0.1)
Network Protection > NAT > NAT
   New NAT Rule > DNAT
   For traffic from: Group created above
   Using service: ANY
   Going to: WAN (Address)
   Change the destination to: Blackhole host created above

Are there better ways to do this?
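As an added example (not from the original post or from Sophos), the script below pulls the peer addresses out of exim-in lines like the ones quoted above and aggregates them into /24 candidates for the network group used by either blackhole method; the sample lines, the thresholds and the function names are my own choices.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the exim-in lines quoted in the post (not the full log).
SAMPLE_LOG = """\
2022:05:28-11:19:46 firewall exim-in[5027]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 (TCP/IP connection count = 6)
2022:05:28-11:19:46 firewall exim-in[31424]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 closed by QUIT
2022:05:28-11:19:47 firewall exim-in[5027]: 2022-05-28 11:19:47 SMTP connection from [5.34.207.182]:56972 (TCP/IP connection count = 7)
2022:05:28-11:19:52 firewall exim-in[5027]: 2022-05-28 11:19:52 SMTP connection from [87.246.7.213]:53630 (TCP/IP connection count = 4)
2022:05:28-11:19:53 firewall exim-in[31376]: 2022-05-28 11:19:53 SMTP connection from (User) [212.70.149.72]:44572 lost D=31s
2022:05:28-11:19:55 firewall exim-in[5027]: 2022-05-28 11:19:55 SMTP connection from [5.34.207.150]:27272 (TCP/IP connection count = 4)
"""

# Peer address in "SMTP connection from (helo) [a.b.c.d]:port ...". The optional "(name)"
# is whatever the client announced about itself, so only the bracketed IP is used.
CONN_RE = re.compile(r"SMTP connection from (?:\([^)]*\) )?\[(\d{1,3}(?:\.\d{1,3}){3})\]:\d+")

def new_connections(log_text):
    """Count accepted connections per source IP. Only the 'TCP/IP connection count'
    lines are counted; the later 'closed by QUIT' / 'lost' lines describe the same
    session and would otherwise double the numbers."""
    counts = Counter()
    for line in log_text.splitlines():
        if "TCP/IP connection count" not in line:
            continue
        m = CONN_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def candidate_networks(ip_counts, prefix=24, min_hosts=1, min_conns=2):
    """Aggregate per-IP counts into /prefix networks, matching the post's one-/24-per-
    attacker definitions. A network is proposed only if it reaches min_conns connections
    from at least min_hosts distinct IPs, so one noisy host does not condemn a whole /24."""
    per_net = {}
    for ip, n in ip_counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hosts, total = per_net.get(net, (set(), 0))
        hosts.add(ip)
        per_net[net] = (hosts, total + n)
    return sorted(str(net) for net, (hosts, total) in per_net.items()
                  if total >= min_conns and len(hosts) >= min_hosts)

if __name__ == "__main__":
    counts = new_connections(SAMPLE_LOG)
    print("new connections per IP:", dict(counts))
    print("candidate /24 definitions:", candidate_networks(counts, min_hosts=2, min_conns=3))
```

Requiring more than one distinct host before a /24 is proposed keeps a single scanner from getting an entire provider range routed to the blackhole.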

  • Bob might be attributing to the fact that the requests are so close together in terms of a request or two every second by the same block of IPs, I would have alluded to the same conclusion.  Just a guess, but I could be reading his mind, lol.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Good read!  I just checked one of my favorite tools, ip2location.com, and 5.34.207.182 is identified as a SCANNER, confirming my guess.  According to Central Ops.net, it's located in Kyiv, Ukraine, so, my guess is that the Russian mafia is trying to break into your UTM's SMTP Proxy using an account at spaceshipnetworks.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA