
I've noticed a quick increase in SMTP connections coming to my server; investigating it further, I figured out that there's a botnet hammering my SMTP server. I've tried to stop it by adding rules to iptables:

    -N SMTP-BLOCK
    -A SMTP-BLOCK -m limit --limit 1/m --limit-burst 3 -j LOG --log-level notice --log-prefix "iptables SMTP-BLOCK "
    -A SMTP-BLOCK -m recent --name SMTPBLOCK --set -j DROP
    -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTPBLOCK --rcheck --seconds 360 -j SMTP-BLOCK
    -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --set
    -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --rcheck --seconds 60 --hitcount 3 -j SMTP-BLOCK
    -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

That would prevent them from hammering "too fast"; however, the problem remains: there are about 5 tries per second, it's going insane, and I had to increase the maximum number of children for sendmail/dovecot. There are too many IPs to filter out manually, and simply changing SMTP to another port is not practical since I have many other clients on that server.

I'm using sendmail with dovecot, any ideas to have this filtered out more efficiently?

Rod
  • I think you're on a completely wrong track here. You should not have an open SMTP relay at all. If you have one, it will be abused, it will end up on black lists and your clients' emails won't get through. Start requiring authentication for sending email, the botnet will go away after a while and you won't be part of the spam problem any more. – af. Jun 04 '10 at 07:48
  • My server is NOT an open relay, all emails require authentication to be sent – Rod Jun 04 '10 at 14:24
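The LOG rule in the question writes one kernel-log line per blocked attempt with the prefix "iptables SMTP-BLOCK ". Before deciding how to filter further, it helps to know how many distinct sources are involved and which ones dominate. The following is an added example, not code from the question or its comments: a few POSIX shell functions that summarise those log lines by source address. The log lines embedded in the script are constructed samples in the format the LOG target emits; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise kernel-log lines produced by the question's
# LOG rule (prefix "iptables SMTP-BLOCK ") by source address.
# The sample lines below are constructed; real lines come from
# /var/log/kern.log (or syslog) on the mail server.

SAMPLE_LOG='Jun  4 07:48:01 mx kernel: iptables SMTP-BLOCK IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40123 DPT=25 SYN
Jun  4 07:48:01 mx kernel: iptables SMTP-BLOCK IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40124 DPT=25 SYN
Jun  4 07:48:02 mx kernel: iptables SMTP-BLOCK IN=eth0 OUT= SRC=198.18.0.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=25 SYN
Jun  4 07:48:02 mx kernel: some unrelated kernel message
Jun  4 07:48:03 mx kernel: iptables SMTP-BLOCK IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40125 DPT=25 SYN
Jun  4 07:48:03 mx kernel: iptables SMTP-BLOCK IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=33333 DPT=25 SYN'

# Read log lines on stdin; print "count source" pairs, most frequent first.
# Only lines carrying the SMTP-BLOCK prefix are counted.
smtp_block_counts() {
    grep 'iptables SMTP-BLOCK ' |
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Number of distinct blocked source addresses (stdin: log lines).
smtp_block_distinct() {
    smtp_block_counts | wc -l | tr -d ' '
}

# The single most frequent source address (stdin: log lines).
smtp_block_top() {
    smtp_block_counts | head -n 1 | awk '{ print $2 }'
}

# Sources with at least $1 blocked attempts, one per line (stdin: log lines).
# This is the list an admin would feed into a longer-lived block list.
smtp_block_over() {
    smtp_block_counts | awk -v n="$1" '$1 >= n { print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | smtp_block_counts
```

Run it against the real log with `smtp_block_counts < /var/log/kern.log`; the count of distinct addresses is what tells you whether per-IP blocking (the `recent` match in the question) can ever keep up, or whether the answer's approach of not exposing port 25 to arbitrary hosts is the only practical option.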

1 Answer


My inclination would be to make sure you've got backup MX hosts who are on board; then block access to your port 25 from every machine other than your backup MX host(s). Inbound legitimate mail will be delivered to the backup MX host, which will be able to deliver it to you; but inbound mail not destined for your system and coming from a known-good host will go nowhere.

(The "backup MX host" could even be another machine of yours, or even a VPS/cloud machine that you rent by the hour for a few days.)

Don't get into an arms race with a botnet - it can add traffic faster than you can add bandwidth and servers.

It sounds like maybe you've got a lot of clients/domains on one machine, which makes for more work. Sorry.

You might consider moving to a new IP address and/or changing the A record for the host under attack to 127.0.0.1 and finding a new name for the server - there's some reasonable chance the spammers will move on to another victim and leave your new hostname/IP address alone.

gbroiles
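The answer's suggestion is to accept port 25 only from the backup MX host(s) and drop everything else. As an added example (not the answer author's code), here is a small POSIX shell function that emits such a ruleset in iptables-restore format from a list of backup MX addresses, so the allow list lives in one place and can be reviewed before it is loaded. The addresses used in the stand-alone run are documentation-range placeholders, the chain name SMTP-ALLOW and the log prefix are my own choices, and the script only prints rules; loading them (for example with `iptables-restore --noflush`) is a separate, deliberate step.

```shell
#!/bin/sh
# Added example: generate an iptables-restore fragment that allows new
# connections to TCP port 25 only from the given backup MX addresses and
# drops everything else, logging the drops at a rate-limited pace.
# Nothing is applied; the rules are written to stdout for review.

# Arguments: backup MX addresses (IPv4 or CIDR). Placeholders in the
# stand-alone run below must be replaced with the real backup MX hosts.
gen_port25_allowlist() {
    echo '*filter'
    echo ':SMTP-ALLOW - [0:0]'
    for mx in "$@"; do
        echo "-A SMTP-ALLOW -s $mx -j ACCEPT"
    done
    # Rate-limited logging of rejected sources, same limit as the question's ruleset.
    echo '-A SMTP-ALLOW -m limit --limit 1/m --limit-burst 3 -j LOG --log-level notice --log-prefix "iptables SMTP-REJECT "'
    echo '-A SMTP-ALLOW -j DROP'
    # Only NEW connections to port 25 are diverted; nothing else on INPUT is touched.
    echo '-A INPUT -p tcp --dport 25 -m state --state NEW -j SMTP-ALLOW'
    echo 'COMMIT'
}

# Number of ACCEPT rules the fragment contains (one per backup MX entry).
count_accept_rules() {
    gen_port25_allowlist "$@" | grep -c -- '-j ACCEPT'
}

# True when the fragment ends every non-allowed connection with DROP.
ends_with_drop() {
    gen_port25_allowlist "$@" | grep -q -- '^-A SMTP-ALLOW -j DROP$'
}

# Stand-alone run with placeholder backup MX addresses.
gen_port25_allowlist 192.0.2.10 198.51.100.0/24
```

The fragment touches only new connections to port 25, so any separate port your authenticated clients use for submission is unaffected; the cost, as the answer notes, is that all inbound mail now arrives via the backup MX, so that host must be in place and accepting mail for your domains before the rules are loaded.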