This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PushDo Attack: Does anyone know how to DROP all incoming SMTP traffic from a specific IP address?

I'm being attacked by the PushDo spamming botnet (see serverfault.com/.../email-server-attack-from-telnet), identified by the following lines which repeat in my SMTP log:

2016:02:02-16:00:56 fw exim-in[5767]: 2016-02-02 16:00:56 SMTP connection from [104.40.23.216]:49657 (TCP/IP connection count = 2)
2016:02:02-16:00:57 fw exim-in[12914]: 2016-02-02 16:00:57 SMTP connection from (ylmf-pc) [104.40.23.216]:49657 lost

I've tried to manually drop this traffic, by setting up a firewall rule for 104.40.23.216 to my external address, service=SMTP to "drop".  This doesn't seem to work, as (I believe) the SMTP proxy receives the traffic before the firewall rule can drop it.

Does anyone know how to DROP all incoming SMTP traffic from a specific IP address?



This thread was automatically locked due to age.
Parents Reply Children
  • Bingo. Thanks a bunch.

    For posterity, I identified an IP address in my network that was unused, and reserved it as a blackhole. Then I created a DNAT rule for any incoming service from the offending address to rewrite the destination as the blackhole. (Originally, I did this for SMTP only, but it seems like those f-----ers are also trying 587 and some other ports, so I just blocked "any". Perhaps just blocking the email ports 25, 587, 465 would have been ok, but whatever, this is easier).

    Now, when I look at the firewall log, I see the DNAT happening, followed by the DROP rule (which I never removed). So I have two rules that together flush this thing, but that works for me.

    My only worry now is that if I get attacked by several machines (i.e., different IP addresses), then I'll be playing whack-a-mole.