This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

I am being DDOS'd via SMTP. Help!

Hi there,

 

I am being DDOS'd via SMTP. These strange "queues" (or whatever you'd call the requests) come from china/turkey keep coming and will not stop. I have no idea how to block them. As you can see, in the log there sometimes isn't even an IP associated with the line. They all come from either yrlrk@jndh.com or oz@ozyat.net. I am using the SMTP proxy.

Help!

 

This is a sample of my smtp proxy log. This repeats endlessly. Here's a pastebin for easier reading. 

 

2017:05:10-13:38:00 utm-1 exim-out[26764]: 2017-05-10 13:38:00 Start queue run: pid=26764
2017:05:10-13:38:00 utm-1 exim-out[26767]: 2017-05-10 13:38:00 1d7l8m-00066S-MO 211.155.224.115 [211.155.224.115]:25 Connection refused
2017:05:10-13:38:00 utm-1 exim-out[26766]: 2017-05-10 13:38:00 1d7l8m-00066S-MO == yrlrk@jndh.com R=dnslookup T=remote_smtp defer (111): Connection refused
2017:05:10-13:38:00 utm-1 exim-out[26764]: 2017-05-10 13:38:00 End queue run: pid=26764
2017:05:10-13:38:07 utm-2 exim-out[27593]: 2017-05-10 13:38:07 1d8UQY-0002ui-WF mail.ozyat.net [85.95.249.166]:25 Connection timed out
2017:05:10-13:38:07 utm-2 exim-out[27592]: 2017-05-10 13:38:07 1d8UQY-0002ui-WF == oz@ozyat.net R=dnslookup T=remote_smtp defer (110): Connection timed out
2017:05:10-13:38:07 utm-2 exim-out[27590]: 2017-05-10 13:38:07 End queue run: pid=27590
2017:05:10-13:38:29 utm-1 smtpd[26757]: SCANNER[26757]: Nothing to do, exiting.
2017:05:10-13:39:00 utm-1 exim-out[27144]: 2017-05-10 13:39:00 Start queue run: pid=27144
2017:05:10-13:39:00 utm-1 exim-out[27146]: 2017-05-10 13:39:00 1d7l8m-00066S-MO == yrlrk@jndh.com R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017:05:10-13:39:00 utm-1 exim-out[27144]: 2017-05-10 13:39:00 End queue run: pid=27144
2017:05:10-13:39:00 utm-2 exim-out[27792]: 2017-05-10 13:39:00 Start queue run: pid=27792
2017:05:10-13:39:00 utm-2 exim-out[27794]: 2017-05-10 13:39:00 1d8UQY-0002ui-WF == oz@ozyat.net R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017:05:10-13:39:00 utm-2 exim-out[27792]: 2017-05-10 13:39:00 End queue run: pid=27792
2017:05:10-13:40:00 utm-2 exim-out[27801]: 2017-05-10 13:40:00 Start queue run: pid=27801
2017:05:10-13:40:00 utm-2 exim-out[27803]: 2017-05-10 13:40:00 1d8UQY-0002ui-WF == oz@ozyat.net R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017:05:10-13:40:00 utm-2 exim-out[27801]: 2017-05-10 13:40:00 End queue run: pid=27801


This thread was automatically locked due to age.
  • That looks like two emails that your mail server bounced and the senders are not accepting the bounce.  These should go away in a couple days.  If you search earlier on 5-10 or maybe on 5-9, you should see where emails from those two senders came in.

    You might want to select 'Reject invalid HELO / missing RDNS' and 'Do strict RDNS checks' on the 'Antispam' tab.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA