
Best method for dealing with SMTP attacks

When I look at my SMTP live log I see continual attempts to access my mail server.
The SMTP proxy seems to be doing its job, but I am interested in knowing the best method for minimizing the number of entries that get recorded in the log file.

2022:05:28-11:19:44 firewall exim-in[31398]: 2022-05-28 11:19:44 SMTP connection from (localhost) [5.34.207.150]:20624 closed by QUIT
2022:05:28-11:19:44 firewall exim-in[31414]: 2022-05-28 11:19:44 SMTP connection from (localhost) [5.34.207.182]:51714 closed by QUIT
2022:05:28-11:19:46 firewall exim-in[5027]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 (TCP/IP connection count = 6)
2022:05:28-11:19:46 firewall exim-in[31424]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 closed by QUIT
2022:05:28-11:19:47 firewall exim-in[5027]: 2022-05-28 11:19:47 SMTP connection from [5.34.207.150]:12380 (TCP/IP connection count = 6)
2022:05:28-11:19:47 firewall exim-in[5027]: 2022-05-28 11:19:47 SMTP connection from [5.34.207.182]:56972 (TCP/IP connection count = 7)
2022:05:28-11:19:47 firewall exim-in[31419]: 2022-05-28 11:19:47 SMTP connection from (localhost) [5.34.207.182]:22078 closed by QUIT
2022:05:28-11:19:48 firewall exim-in[31411]: 2022-05-28 11:19:48 SMTP connection from (User) [87.246.7.213]:42120 closed by QUIT
2022:05:28-11:19:49 firewall exim-in[31421]: 2022-05-28 11:19:49 SMTP connection from (localhost) [5.34.207.150]:50418 closed by QUIT
2022:05:28-11:19:50 firewall exim-in[5027]: 2022-05-28 11:19:50 SMTP connection from [5.34.207.182]:27336 (TCP/IP connection count = 5)
2022:05:28-11:19:50 firewall exim-in[31405]: 2022-05-28 11:19:50 SMTP connection from (localhost) [5.34.207.150]:35496 closed by QUIT
2022:05:28-11:19:51 firewall exim-in[31426]: 2022-05-28 11:19:51 SMTP connection from (localhost) [5.34.207.182]:56972 closed by QUIT
2022:05:28-11:19:52 firewall exim-in[31431]: 2022-05-28 11:19:52 SMTP connection from (localhost) [5.34.207.182]:27336 closed by QUIT
2022:05:28-11:19:52 firewall exim-in[5027]: 2022-05-28 11:19:52 SMTP connection from [87.246.7.213]:53630 (TCP/IP connection count = 4)
2022:05:28-11:19:53 firewall exim-in[31376]: 2022-05-28 11:19:53 SMTP connection from (User) [212.70.149.72]:44572 lost D=31s
2022:05:28-11:19:53 firewall exim-in[5027]: 2022-05-28 11:19:53 SMTP connection from [5.34.207.182]:62214 (TCP/IP connection count = 3)
2022:05:28-11:19:55 firewall exim-in[5027]: 2022-05-28 11:19:55 SMTP connection from [5.34.207.150]:27272 (TCP/IP connection count = 4)
2022:05:28-11:19:56 firewall exim-in[31425]: 2022-05-28 11:19:56 SMTP connection from (localhost) [5.34.207.150]:12380 closed by QUIT
2022:05:28-11:19:56 firewall exim-in[31440]: 2022-05-28 11:19:56 SMTP connection from (localhost) [5.34.207.182]:62214 closed by QUIT
2022:05:28-11:19:56 firewall exim-in[5027]: 2022-05-28 11:19:56 SMTP connection from [5.34.207.182]:32588 (TCP/IP connection count = 5)
2022:05:28-11:19:58 firewall exim-in[31439]: 2022-05-28 11:19:58 SMTP connection from (User) [87.246.7.213]:53630 closed by QUIT
2022:05:28-11:19:58 firewall exim-in[5027]: 2022-05-28 11:19:58 SMTP connection from [5.34.207.150]:53746 (TCP/IP connection count = 4)
2022:05:28-11:19:59 firewall exim-in[31446]: 2022-05-28 11:19:59 SMTP connection from (localhost) [5.34.207.182]:32588 closed by QUIT
2022:05:28-11:19:59 firewall exim-in[31444]: 2022-05-28 11:19:59 SMTP connection from (localhost) [5.34.207.150]:27272 closed by QUIT
2022:05:28-11:19:59 firewall exim-in[5027]: 2022-05-28 11:19:59 SMTP connection from [5.34.207.182]:2970 (TCP/IP connection count = 3)

I have tried 2 different methods, both of which seem to work.

1. Create a blackhole entry for each network in Static Routing

2. Create a DNAT blackhole

Definitions & Users >  Network Definition
   Create a Network - xxx.xxx.xxx/24 for IPs identified in SMTP log
   Create a Group, which includes all of the above attacker networks
   Create a Host named Blackhole (240.0.0.1)
Network Protection > NAT > NAT
   New NAT Rule > DNAT
   For traffic from: Group created above
   Using service: ANY
   Going to: WAN (Address)
   Change the destination to: Blackhole host created above

Are there better ways to do this?
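
The DNAT blackhole above still depends on someone reading the live log and collecting networks by hand. The script below is an added example, not code from the thread or from Sophos: it parses the exim-in line shapes shown in the post (connection count, closed by QUIT, lost), counts real connection opens per source IP, rolls them up into /24 networks, and only proposes a /24 for the "Badguys" group when more than one host in that block is reconnecting. The sample log is constructed from the post's excerpt; the thresholds (min_opens, min_hosts) and the /24 prefix are assumptions to tune.

```python
"""Summarise UTM 'exim-in' SMTP connection log lines per source IP and per /24.

Added example, not from the forum thread: reports which /24 networks keep
reconnecting so block-group candidates are reviewed rather than hand-picked.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Matches both line shapes from the post:
#   ... SMTP connection from [ip]:port (TCP/IP connection count = N)
#   ... SMTP connection from (name) [ip]:port closed by QUIT   (or: lost D=31s)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ exim-in\[\d+\]: "
    r"\S+ \S+ SMTP connection from (?:\([^)]*\) )?"
    r"\[(?P<ip>[\d.]+)\]:(?P<port>\d+) (?P<rest>.*)$"
)

# Constructed sample, modelled on the excerpt in the post (same IPs and format).
SAMPLE_LOG = """\
2022:05:28-11:19:46 firewall exim-in[5027]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 (TCP/IP connection count = 6)
2022:05:28-11:19:46 firewall exim-in[31424]: 2022-05-28 11:19:46 SMTP connection from [5.34.207.150]:43732 closed by QUIT
2022:05:28-11:19:47 firewall exim-in[5027]: 2022-05-28 11:19:47 SMTP connection from [5.34.207.150]:12380 (TCP/IP connection count = 6)
2022:05:28-11:19:47 firewall exim-in[5027]: 2022-05-28 11:19:47 SMTP connection from [5.34.207.182]:56972 (TCP/IP connection count = 7)
2022:05:28-11:19:50 firewall exim-in[5027]: 2022-05-28 11:19:50 SMTP connection from [5.34.207.182]:27336 (TCP/IP connection count = 5)
2022:05:28-11:19:52 firewall exim-in[5027]: 2022-05-28 11:19:52 SMTP connection from [87.246.7.213]:53630 (TCP/IP connection count = 4)
2022:05:28-11:19:53 firewall exim-in[31376]: 2022-05-28 11:19:53 SMTP connection from (User) [212.70.149.72]:44572 lost D=31s
2022:05:28-11:19:53 firewall exim-in[5027]: 2022-05-28 11:19:53 SMTP connection from [5.34.207.182]:62214 (TCP/IP connection count = 3)
2022:05:28-11:19:55 firewall exim-in[5027]: 2022-05-28 11:19:55 SMTP connection from [5.34.207.150]:27272 (TCP/IP connection count = 4)
2022:05:28-11:19:58 firewall exim-in[31439]: 2022-05-28 11:19:58 SMTP connection from (User) [87.246.7.213]:53630 closed by QUIT
"""

def parse_line(line):
    """Return {ts, ip, port, event} with event in open/quit/lost, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("(TCP/IP connection count"):
        event = "open"          # a new inbound TCP connection
    elif rest.startswith("closed by QUIT"):
        event = "quit"          # the peer ended the session cleanly
    elif rest.startswith("lost"):
        event = "lost"          # the peer went away (lost D=...)
    else:
        return None             # unknown line shape: skip rather than guess
    return {"ts": datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S"),
            "ip": m.group("ip"), "port": int(m.group("port")), "event": event}

def opens_per_ip(log_text):
    """Count connection opens per source IP; QUIT/lost lines are not new connections."""
    counts = defaultdict(int)
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["event"] == "open":
            counts[rec["ip"]] += 1
    return dict(counts)

def network_summary(log_text, prefix=24):
    """Aggregate opens into /prefix networks: opens, distinct hosts, opens per minute."""
    nets = {}
    for rec in map(parse_line, log_text.splitlines()):
        if not rec or rec["event"] != "open":
            continue
        net = str(ipaddress.ip_network(f"{rec['ip']}/{prefix}", strict=False))
        s = nets.setdefault(net, {"opens": 0, "hosts": set(),
                                  "first": rec["ts"], "last": rec["ts"]})
        s["opens"] += 1
        s["hosts"].add(rec["ip"])
        s["first"], s["last"] = min(s["first"], rec["ts"]), max(s["last"], rec["ts"])
    out = {}
    for net, s in nets.items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)  # avoid /0
        out[net] = {"opens": s["opens"], "hosts": len(s["hosts"]),
                    "opens_per_min": round(s["opens"] * 60.0 / span, 1)}
    return out

def candidate_networks(log_text, prefix=24, min_opens=5, min_hosts=2):
    """Networks worth reviewing for a block group.

    min_hosts is the safety check: one noisy sender should not get its whole
    /24 blackholed; several hosts in the same block is what makes a /24
    definition like the post's defensible.  Thresholds are assumed defaults.
    """
    summary = network_summary(log_text, prefix)
    return sorted(net for net, s in summary.items()
                  if s["opens"] >= min_opens and s["hosts"] >= min_hosts)

if __name__ == "__main__":
    for net, s in sorted(network_summary(SAMPLE_LOG).items()):
        print(f"{net:18} opens={s['opens']:2} hosts={s['hosts']} "
              f"rate={s['opens_per_min']}/min")
    print("candidates for the block group:", candidate_networks(SAMPLE_LOG))
```

Feed it the UTM's SMTP log (/var/log/smtp.log or an export) instead of SAMPLE_LOG and the output is a reviewable list of networks to add to the group; counting only the "connection count" lines matters, because every connection also produces a QUIT or lost line and counting those too doubles the apparent volume.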



  • So, are you more interested in just the log file or in the actual traffic? Because what you are doing with those rules is actually affecting traffic.

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • What I am interested in is the best way to deal with this traffic.

    Do I just ignore all of the entries in the logfile and assume that the proxy is simply doing its job and dropping those connection attempts, or do I selectively drop traffic from networks that obviously have a sinister intent?

    Is there a "preferred" method on how to deal with this?

  • Both the DNAT and the blackhole route achieve the same thing. I prefer the DNAT with a Network Group named something like "Badguys" so that I just need to add hosts to it instead of creating a new DNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes Bob, that is exactly what I have.

    But, my question is... Do I really need this?
    Other than having a larger SMTP logfile if I don't, does dropping the traffic have any real benefit?
    Is it just good enough to let the SMTP proxy do its thing?

    The other issue is that network entries have to be added manually to the "Badguys" list, which would need continual monitoring.
    That's doable, but only if it is beneficial.

  • That is one of the reasons customers move to a cloud-based MX solution: they do not want to deal with this kind of spoofed attack. As long as you cannot figure out who is actually talking to you, you will have to answer on port 25 and talk to the peer. Cloud-based solutions can do this with different techniques (as they have only one MX, which syncs data in real time, they can actually quite easily detect such attacks).

    Solutions like Sophos Central Email can do this and will scan the emails for you. Afterwards, it will send the email on to your email server.


  • Toni, this looks more like a scanner than a spoofer.

    BigO, do you see anything related in the Intrusion Prevention log?

    Cheers - Bob

     
  • How do you know that? 


  • Bob might be attributing that to the fact that the requests are so close together, a request or two every second from the same block of IPs; I would have come to the same conclusion. Just a guess, but I could be reading his mind, lol.


  • Good read! I just checked one of my favorite tools, ip2location.com, and 5.34.207.182 is identified as a SCANNER, confirming my guess. According to CentralOps.net, it's located in Kyiv, Ukraine, so my guess is that the Russian mafia is trying to break into your UTM's SMTP Proxy using an account at spaceshipnetworks.

    Cheers - Bob

     