
How do I enable tarpit on incoming spammers?

Been all over the SMTP settings and I cannot find a way to enable tarpit.



  • I'm pretty sure that that's not possible, even from the command line.  Next best would be Greylisting.  I don't use it with any of my clients, but some folks like it.  Personally, I think it just slows valid mail without reducing the load on the UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have now built my own tarpit server.  UTM redirects the subnets of the spammer to my tarpit, where he spends 3 - 10 minutes for each email plodding along talking with my fake SMTP server, wasting his resources.  When it gets to the DATA command, it returns an error and drops the connection.

    But this guy is so braindead he still sends 2 or 3 a second.  Even though they are 100% rejected, and have been since this campaign started.

    Isn't one of the definitions of insanity doing the same thing over and over, and expecting a different result?

    Well, keep them coming, spammer.  My tarpit is enjoying the conversation.

  • OK, I now have Fail2ban installed and running in UTM.

    I can't believe I didn't do this sooner.  This is the greatest thing since sliced spam.

    Sophos, you definitely need to build this into UTM.

     

    Fail2ban is monitoring the SMTP log.  When the spammer attacks, it instantly adds the entire /24 subnet to a black-hole route.  And by instantly, I mean in 600 ms.

    So, as soon as a spam comes in, I block the entire subnet in less than a second.  Our spammer then tries to send spams over the whole subnet - they are already blocked.  You can't even connect.  I have the ban-time set to 1 year.  I may increase that to 5 years.

     

    Your move, spammer.
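
The subnet ban described in the post above, sketched as an added example; it is not part of the original thread and is not the poster's Fail2ban configuration. The Exim-style log pattern, the sample log lines, the function names and the `allowlist` parameter are assumptions made for illustration, since the thread shows neither the log format nor the jail settings.

```python
import ipaddress
import re

# Exim-style reject line. The thread does not show the real UTM log format,
# so this pattern and the sample lines below are constructed for illustration.
REJECT_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\](?::\d+)? .*\brejected\b")

SAMPLE_LOG = """\
2024-01-01 10:00:00 H=(mail.example) [203.0.113.57]:40112 F=<a@spam.example> rejected RCPT <bob@corp.example>: spam
2024-01-01 10:00:00 H=(mail.example) [203.0.113.9]:40113 F=<b@spam.example> rejected RCPT <bob@corp.example>: spam
2024-01-01 10:00:01 H=(relay.partner.example) [198.51.100.20]:5512 F=<x@partner.example> rejected RCPT <typo@corp.example>: unknown user
2024-01-01 10:00:02 1abcDE-000001-AB <= ok@good.example H=(good.example) [192.0.2.10]:2525 P=esmtp S=1024
2024-01-01 10:00:03 H=(x) [999.1.1.1]:1 F=<> rejected RCPT <bob@corp.example>: spam
""".splitlines()

def subnet_of(ip, prefix=24):
    """Return the enclosing IPv4 network, e.g. 203.0.113.57 -> 203.0.113.0/24."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def plan_bans(lines, allowlist=(), banned=()):
    """Return the new /24 networks to blackhole, in first-seen order."""
    allow = [ipaddress.ip_network(n) for n in allowlist]
    seen = {ipaddress.ip_network(n) for n in banned}
    plan = []
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue                      # accepted mail or unrelated line
        try:
            net = subnet_of(m.group("ip"))
        except ValueError:                # malformed address, e.g. octet > 255
            continue
        # One ban per /24; never ban a range that overlaps the allowlist.
        if net in seen or any(net.overlaps(a) for a in allow):
            continue
        seen.add(net)
        plan.append(net)
    return plan

def route_command(net):
    """iproute2 command that installs the black-hole route for one subnet."""
    return f"ip route add blackhole {net}"

if __name__ == "__main__":
    for net in plan_bans(SAMPLE_LOG, allowlist=["198.51.100.0/24"]):
        print(route_command(net))
```

The allowlist matters with a /24 ban and a ban time measured in years: one rejected message from a shared relay would otherwise cut off every sender in that range.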
