-1

My server has started receiving thousands of attempts to use my mail server to send spam from dynamic.hinet.net. The attempts are always rejected, but it's non-stop. I'd like to block these attempts before they even reach the mail server, if possible. Below are a couple of examples.

NOQUEUE: reject: RCPT from 111-249-39-49.dynamic.hinet.net[111.249.39.49]: 554 5.7.1 <szulin0918@yahoo.com.tw>: Relay access denied; 

NOQUEUE: reject: RCPT from 118-160-213-218.dynamic.hinet.net[118.160.213.218]: 554 5.1.8 <ibnzjsmvk@yahoo.com.jp>: Sender address rejected: Domain not found; 

I have installed fail2ban but I'm not sure how to configure it properly. At the moment it blocks an IP after they have attempted and been rejected several times, but the problem is that the IPs from hinet.net change a LOT, so they're never-ending. They start with 111, 114, 118, 36... could be more but that's what I've observed. I've thought about blocking IPs that start with these numbers via the postscreen config, but was unsure whether I'd end up blocking legitimate emails by blanket-blocking an entire IP range.

So, any idea on how to configure fail2ban, or postscreen, or some other way, to block these hinet.net people altogether? Can I not put a rule on IPTables that blocks anything with "hinet.net" in the name or something?

Any help appreciated!

nutman
  • 109
  • 2
  • 2
    What have you tried? What did you expect to happen? What happened instead? What does your config look like? Do you have any log entries from the times it didn't work as expected? – Jenny D Jan 13 '16 at 10:39
  • 4
    Possible duplicate of [Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?](http://serverfault.com/questions/419407/fighting-spam-what-can-i-do-as-an-email-administrator-domain-owner-or-user) – Jenny D Jan 13 '16 at 10:46
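One point worth making about the "block anything with hinet.net in the name" idea: iptables only ever sees the packet's source IP; the dynamic.hinet.net name in the log is the reverse-DNS lookup that Postfix performed after the connection was accepted, so no firewall rule can match on it. What you can do is mine the Postfix log for rejected clients whose rDNS falls under that domain, aggregate them into prefixes, check which prefixes would also catch hosts you know send you legitimate mail, and feed the survivors into an ipset that a single iptables rule drops on port 25. The following script is an added example written for this page, not code from the question or either answer; the ipset name spam_rdns, the /16 aggregation, and all sample log lines other than the two quoted in the question are assumptions made here.

```python
"""Added example (not from the original question or answers): aggregate Postfix
reject log lines by the client's reverse-DNS domain and turn the result into an
ipset/iptables blocklist that sits in front of the mail server.

Assumptions (not from the page): Postfix's default smtpd log format, the ipset
name 'spam_rdns', and the /16 aggregation are all choices made for this example.
"""
import re
import ipaddress
from collections import Counter, defaultdict

# Postfix "NOQUEUE: reject: RCPT from host[ip]: ..." lines; both samples in the
# question have this shape. The host part is what Postfix resolved via rDNS,
# or the literal word "unknown" when there is no PTR record.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[0-9a-fA-F:.]+)\]:"
)

# Constructed sample log (the first two clients are the ones from the question;
# the remaining lines, IPs and names are made up for the example).
SAMPLE_LOG = """\
Jan 13 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from 111-249-39-49.dynamic.hinet.net[111.249.39.49]: 554 5.7.1 <user@example.test>: Relay access denied; from=<a@example.test> to=<user@example.test> proto=ESMTP helo=<x>
Jan 13 10:01:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from 118-160-213-218.dynamic.hinet.net[118.160.213.218]: 554 5.1.8 <b@example.test>: Sender address rejected: Domain not found; from=<b@example.test> to=<user@example.test> proto=ESMTP helo=<y>
Jan 13 10:01:09 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from 111-249-40-7.dynamic.hinet.net[111.249.40.7]: 554 5.7.1 <c@example.test>: Relay access denied; from=<c@example.test> to=<user@example.test> proto=ESMTP helo=<z>
Jan 13 10:02:00 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <d@example.test>: Relay access denied; from=<d@example.test> to=<user@example.test> proto=ESMTP helo=<w>
Jan 13 10:02:30 mx postfix/smtpd[1237]: 9F0C2: client=mail.example.test[198.51.100.5]
"""


def parse_rejects(log_text):
    """Yield (rdns_host, ip_address) for each Postfix RCPT reject line."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("host"), ipaddress.ip_address(m.group("ip"))


def rdns_matches(host, suffix):
    """True if the rDNS name is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def offending_prefixes(log_text, suffix, prefixlen=16):
    """Count rejects per /prefixlen network for IPv4 clients whose rDNS is under
    suffix. Returns {network: count} ordered by count, highest first."""
    counts = Counter()
    for host, ip in parse_rejects(log_text):
        if ip.version == 4 and rdns_matches(host, suffix):
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return dict(counts.most_common())


def collateral(prefixes, known_good_ips):
    """Report which candidate prefixes also contain addresses you know deliver
    legitimate mail (e.g. taken from accepted 'client=' log lines), so you can
    see the blanket-blocking risk before applying anything."""
    hits = defaultdict(list)
    for p in prefixes:
        net = ipaddress.ip_network(p)
        for ip in known_good_ips:
            if ipaddress.ip_address(ip) in net:
                hits[p].append(ip)
    return dict(hits)


def ipset_rules(prefixes, setname="spam_rdns", min_count=2):
    """Render ipset + iptables commands that drop port-25 traffic from prefixes
    seen at least min_count times. An ipset keeps the INPUT chain at one rule
    no matter how many prefixes accumulate over time."""
    lines = [f"ipset create {setname} hash:net -exist"]
    for net, n in prefixes.items():
        if n >= min_count:
            lines.append(f"ipset add {setname} {net} -exist  # {n} rejects")
    lines.append(
        f"iptables -I INPUT -p tcp --dport 25 -m set --match-set {setname} src -j DROP"
    )
    return lines


if __name__ == "__main__":
    found = offending_prefixes(SAMPLE_LOG, "hinet.net")
    print("reject counts per /16:", found)
    print("would also block:", collateral(found, ["198.51.100.5", "111.249.1.1"]))
    print("\n".join(ipset_rules(found)))
```

Run it against a real mail.log by replacing SAMPLE_LOG with the file contents; the collateral() step is the one that answers the question's worry, since any prefix it flags contains a host that has delivered accepted mail and should be left out of the set or narrowed to a longer prefix. Because the set is populated from observed rejects rather than a fixed list, re-running the script on a schedule keeps up with the changing source addresses the question describes.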

2 Answers

0

If you want to reject packets before they reach SMTP, you need to do this based on IP address. This means there is always a risk of blocking legitimate emails. If you accept the risk, you can use a whois service and block all subnets assigned to HINET-NET (there are a lot, btw).
link to whois

user1700494
  • 1,642
  • 2
  • 11
  • 20
0

GeoIP filtering with xtables-addons can cut up to 95% of spam by restricting access to your SMTP from those countries that your company won't ever get mail from.

Please follow the xtables-addons installation guide for your OS (here is one for CentOS), then simply add something like:

iptables -A INPUT -m geoip -p tcp  --dport 25 --src-cc AR,BR,BY,CD,CL,CN,CO,DZ,EG,ES,HN,ID,IN,IR -j DROP
iptables -A INPUT -m geoip -p tcp  --dport 25 --src-cc IT,JP,KP,KR,KW,LY,MA,MU,MX,NP,PA,PE,PK,PL -j DROP
iptables -A INPUT -m geoip -p tcp  --dport 25 --src-cc PS,PT,SA,TH,TJ,TN,TR,TT,TW,TZ,UZ,VN,ZA -j DROP

It will drastically reduce spam & hacking attempts; just make sure you don't include any country that your company is actually getting mail from...

Anubioz
  • 3,597
  • 17
  • 23