SMTP outside of fw-rules?

Hi

I have a lot of spam and SYN flooding from 1 network. So I have created a rule that drops all communication from this network.

But I can see a lot of SYNs from this network in the connection table to all SMTP TCP ports (25/465/587).

Why are these SYNs not dropped?

Regards

Peter



  • Hi Peter,

    Maybe your rule to drop that traffic doesn't work properly. Did you validate that? Maybe show how you designed that.

    Btw I think depending on the size of the attack you need support of a provider at backbone level or CDN.

    Best regards 

    Alex 

  • Hi Alex

    Thanks for the answer

    I use UTM Firmware version 9.700-5

    The fw-rule:

    Sources: the Network
    Services: Any
    Destinations: Any
    Action: Drop
    Time Period: Always

    In the fw-log I can see all drops from this network for SYNs on ports like 80/443/22.
    I don't see any drops of SYNs to the SMTP TCP ports (25/465/587).
    And the LAN Connections screen has a lot of SYN_RECV from this network with SMTP TCP ports 25/465/587.

    At the moment, the attack has stopped

    Regards

    Peter
