Non-Stop SMTP attacks
on Wednesday, August 18, 2004 at 11:40:38 AM (EST)
We are currently experiencing occurrences where a particular external computer outside our network is attempting to send e-mails through our server using spoofed addresses.
I would guess this is a result of the remote computer having a virus on their computer. The messages are blocked, but the server still goes through the process of responding, and logging each attempt.
Is there a way to deny their IP outright so that any further attempts are ignored?
If we could find the source, they could remove the virus, but without knowing the source our options are limited.
on Thursday, August 19, 2004 at 10:15:50 AM (EST)
There really is no way to block this except to block it at the firewall or an IP filter rule. You could create a rule to deny access to port 25 from the particular IP address.
The firewall would deny access to port 25 from that specific address, and the IP filter would reject the ability to relay mail from that address. In the IP filter's case, you would see the connection in the log file but it would be rejected. In the case of the firewall rule, you wouldn't even see the connection.
The only downside to this is you could end up with hundreds of addresses in your IP filter/firewall rules because spammers tend to use a lot of different servers when sending their garbage out. Additionally, you may end up blocking a legitimate server that is just an open relay at the moment, so you should take these things into consideration before blocking the servers.
If it were me, I'd probably go with the firewall rules. You can use the instructions provided on the Feb. 2004 Tips and tricks (second part of the tip):
Just edit the "SMTP connection to this computer" rule instead of the "WWW" rule, and make sure you use port 25 instead of 80.
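The answer above describes the two choices in words: an IP filter rule that still logs the rejected connection, or a firewall rule that drops it before the mail server ever sees it, with the caveat that a blindly grown block list can catch a legitimate server. The script below is an added example, not code from the thread or from the mail server product being discussed. It reads a few constructed log lines in a hypothetical format, counts rejected relay attempts per client IP, skips an allowlist so a known partner relay is never blocked, and renders Linux iptables commands (an assumption; the thread's firewall product is not named) that silently drop port-25 connections from the repeat offenders.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original thread). The format is
# hypothetical: "<date> <time> <client-ip> <result> <detail>".
SAMPLE_LOG = """\
2004-08-18 11:40:01 198.51.100.23 RELAY-DENIED from=<bob@example.org> to=<x@example.net>
2004-08-18 11:40:03 198.51.100.23 RELAY-DENIED from=<alice@example.org> to=<y@example.net>
2004-08-18 11:40:05 198.51.100.23 RELAY-DENIED from=<carol@example.org> to=<z@example.net>
2004-08-18 11:41:10 203.0.113.7 ACCEPTED from=<news@example.com> to=<me@example.org>
2004-08-18 11:42:00 198.51.100.23 RELAY-DENIED from=<dave@example.org> to=<w@example.net>
2004-08-18 11:43:30 192.0.2.44 RELAY-DENIED from=<eve@example.org> to=<v@example.net>
"""

# Matches the hypothetical layout: skip date and time, capture client IP and result.
LINE_RE = re.compile(r"^\S+ \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<result>\S+)")


def count_relay_denials(log_text):
    """Return a Counter of client IP -> number of rejected relay attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "RELAY-DENIED":
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold=3, allowlist=()):
    """IPs with at least `threshold` denials, excluding allowlisted addresses.

    The allowlist is where a known partner's relay goes, so a temporarily
    misconfigured legitimate server is not blocked by accident.
    """
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


def firewall_rules(ips):
    """Render iptables commands that DROP port-25 connections from each IP.

    DROP (rather than REJECT) means the mail server never sees the connection
    and nothing is logged, which is the firewall-rule behaviour described above.
    """
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = count_relay_denials(SAMPLE_LOG)
    for rule in firewall_rules(offenders(counts)):
        print(rule)
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents and adjusting `LINE_RE` to the server's actual log layout; review the rendered commands before applying them, since the thread's warning about blocking a legitimate relay still applies.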