Ban flooding IPs

BruceLeeRoy
Posts: 36
Joined: 01 May 2015 13:27

Ban flooding IPs

Post by BruceLeeRoy » 06 Nov 2018 18:56

Wondering if anyone has found a way to ban an IP that floods EFA with spam. Maybe there's a way to use fail2ban with blacklist entries?
I've been getting attacks at the rate of 70 messages per minute (as reported by EFA) that originate from the same IP; sometimes the IP increments through a subnet, with the same spam message going to every user I've ever had on my system, many of which have not been valid accounts for over 15 years. Each of these invalid users will get 6 or 7 variations of the spam, which totals around 5,000 messages which I think are being sent to my domains within a few minutes. It's almost like a DoS attack. I have to block those subnets at the router to get mail working normally again when this happens. Maybe fail2ban or some other kind of rate limiting?

henk
Posts: 181
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Ban flooding IPs

Post by henk » 06 Nov 2018 20:50

Just take a look at viewtopic.php?t=2659

Works fine. To use blacklists you need to share some details about the spam mails.

To use iptables see: https://www.digitalocean.com/community/ ... ving-rules
and : https://www.cyberciti.biz/tips/linux-ip ... ports.html

EFA allows you to add a bunch of extra scanners and blocklists.

Within postfix there are many things you can do with smtpd_recipient_restrictions.

A nice firewall with IDS (Snort) is the first defence line. Pfsense is my favorite.

> to every user I've ever had on my system, many of which have not been valid accounts for over 15 years
Is it just me or is this kinda strange? How do they know these accounts?
It's not that difficult to blow up someone's mailserver, but you still need the -valid- mailaccounts, as far as I know.
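As an added illustration of the rate-limiting idea raised in this thread (not code from EFA, fail2ban or either poster), here is a small detector that reads Postfix smtpd "connect from" log lines, counts connections per client IP and per /24 in a sliding 60-second window, and reports anything above the 70-per-minute rate the first post mentions. The log lines are constructed sample data; the log format is standard Postfix syslog output, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Standard Postfix smtpd connect line, e.g.
# "Nov  6 18:56:01 efa postfix/smtpd[2201]: connect from unknown[203.0.113.5]"
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S+\[(?P<ip>[\d.]+)\]"
)

def parse_connects(lines, year=2018):
    """Yield (timestamp, client_ip) for every smtpd connect line (year is assumed)."""
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def flooders(lines, limit=70, window=60, prefix=24):
    """Return {ip_or_subnet: peak_count} for keys whose connects in any
    `window`-second span exceed `limit`. Aggregating by /prefix catches a
    sender that walks through a subnet while each single IP stays under limit."""
    events = defaultdict(list)
    for ts, ip in parse_connects(lines):
        events[ip].append(ts)
        events[str(ip_network(f"{ip}/{prefix}", strict=False))].append(ts)
    flagged = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() >= window:
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged

def build_sample_log():
    """Constructed sample: one host at 2 connects/s for 40 s, three neighbours
    in the same /24 at 30 connects each, and one benign host at 5 connects."""
    lines = []
    def add(ip, second):
        lines.append(f"Nov  6 18:56:{second:02d} efa postfix/smtpd[2201]: "
                     f"connect from unknown[{ip}]")
    for s in range(40):
        add("203.0.113.5", s); add("203.0.113.5", s)
    for host in ("203.0.113.6", "203.0.113.7", "203.0.113.8"):
        for s in range(30):
            add(host, s)
    for s in range(5):
        add("198.51.100.9", s * 10)
    return lines

if __name__ == "__main__":
    for key, n in flooders(build_sample_log()).items():
        print(f"{key}: {n} connects within 60s (limit 70)")
```

Run against a real /var/log/maillog the flagged keys are candidates for a fail2ban jail or an iptables rule; the /24 entries show why a per-IP ban alone can miss a sender that rotates through a subnet.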
