Getting pounded .. sigh

Julian Field MailScanner at ecs.soton.ac.uk
Mon May 22 19:22:08 IST 2006


Two things: In the UK wanadoo is a big ISP. They are actually French, 
but have a very big UK presence. I would expect quite a lot of traffic 
from them, they have a lot of customers, but I also wouldn't be too 
surprised if one of their main SMTP servers got compromised :-(

As there are various magic commands to do this stuff in different 
operating systems, could someone (Jeff?) please add an article to the 
Wiki on how to block mail traffic from a particular host or site, not 
only at the OS level with firewalling but also at the MTA level for 
those who prefer to work at that level. Not everyone has Linux with 
iptables switched on and completely configured. For those people 
(including me) knowing how to do it at the MTA level is more useful than 
pretty iptables or ipfilter commands.

Could someone do that for me please?

Thanks!

Jeff A. Earickson wrote:
> Or if you are a Solaris user with ipfilter installed, try:
>
> block in quick on ce0 proto tcp from 193.252.22.0/24 to any port = 25
>
> in your ipf.conf file.  Substitute your appropriate network interface
> for "ce0".
>
> Jeff Earickson
> Colby College
>
> On Mon, 22 May 2006, Dave Strydom wrote:
>
>> Date: Mon, 22 May 2006 19:11:11 +0200
>> From: Dave Strydom <strydom.dave at gmail.com>
>> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> Subject: Re: Getting pounded .. sigh
>>
>> iptables -A INPUT -s 193.252.22.157 -j DROP
>> iptables -A INPUT -s 193.252.22.158 -j DROP
>>
>> problem solved.
>>
>> Regards
>> Dave
>>
>> On 5/22/06, Rob Poe <rpoe at plattesheriff.org> wrote:
>>> My mail server is getting POUNDED from
>>> 193.252.22.157
>>> 193.252.22.158
>>>
>>> Which is smtp1.wanadoo.co.uk and smtp2.wanadoo.co.uk
>>>
>>> I blacklisted the whole 193.252.22.x
>>>
>>> They're targeting my list server, and SpamAssassin is grabbing them
>>> (along with the fact that the list server is membership only!!)
>>>
>>> but I'm getting one every 5-10 seconds!!
>>>
>>> grep 193.252.22 /var/log/maillog | wc
>>>    1863   62955  710320
>>>
>>> May 22 11:49:02 mail sendmail[30768]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:07 mail sendmail[30769]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:13 mail sendmail[30770]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:27 mail sendmail[30774]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:29 mail sendmail[30775]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>> May 22 11:49:41 mail sendmail[30777]: ruleset=check_relay, arg1=smtp2.wanadoo.co.uk, arg2=193.252.22.157, relay=smtp2.wanadoo.co.uk [193.252.22.157], reject=583 5.0.0 Get lost..
>>>
>>> -- 
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
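
An added example, not part of the original thread: a Python sketch that summarises sendmail `check_relay` rejects per source address (count and mean gap between hits) and prints per-host access-map entries for the noisy ones. It assumes sendmail is built with the `access_db` feature; the function names, the threshold, the `year` default and the sample log lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the check_relay rejects quoted above,
# one entry per line as sendmail logs them (documentation-range addresses).
SAMPLE_LOG = """\
May 22 11:49:02 mail sendmail[30768]: ruleset=check_relay, arg1=mx1.example.net, arg2=192.0.2.157, relay=mx1.example.net [192.0.2.157], reject=583 5.0.0 Get lost..
May 22 11:49:07 mail sendmail[30769]: ruleset=check_relay, arg1=mx1.example.net, arg2=192.0.2.157, relay=mx1.example.net [192.0.2.157], reject=583 5.0.0 Get lost..
May 22 11:49:13 mail sendmail[30770]: ruleset=check_relay, arg1=mx1.example.net, arg2=192.0.2.157, relay=mx1.example.net [192.0.2.157], reject=583 5.0.0 Get lost..
May 22 11:49:20 mail sendmail[30771]: ruleset=check_relay, arg1=mx2.example.net, arg2=192.0.2.158, relay=mx2.example.net [192.0.2.158], reject=583 5.0.0 Get lost..
May 22 11:50:01 mail sendmail[30772]: ABC123: from=<a@example.org>, size=1204, relay=good.example.org [198.51.100.7]
"""

# Match only connection-time rejects; arg2 is the connecting client's address.
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"ruleset=check_relay, .*?arg2=(?P<ip>[0-9.]+), .*reject=")

def summarise(log_text, year=2006):
    """Return {ip: (reject_count, mean_seconds_between_rejects or None)}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if m:
            # syslog timestamps carry no year, so one is supplied (assumption)
            stamp = f"{year} " + " ".join(m["ts"].split())
            seen[m["ip"]].append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S"))
    out = {}
    for ip, stamps in seen.items():
        span = (max(stamps) - min(stamps)).total_seconds()
        gap = span / (len(stamps) - 1) if len(stamps) > 1 else None
        out[ip] = (len(stamps), gap)
    return out

def access_entries(summary, min_rejects):
    """Per-host sendmail access-map lines for sources at or above min_rejects."""
    noisy = sorted(ip for ip, (n, _) in summary.items() if n >= min_rejects)
    return [f"Connect:{ip}\tREJECT" for ip in noisy]

if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for ip, (count, gap) in sorted(stats.items()):
        print(f"{ip}  rejects={count}  mean_gap_s={gap}")
    print("\n".join(access_entries(stats, min_rejects=3)))
```

The printed entries belong in the sendmail access map (commonly `/etc/mail/access`), which is rebuilt with `makemap hash` before it takes effect. Listing individual hosts rather than a whole /24 keeps the block narrow when the source is a large ISP's relay range.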

