Keeping sendmail pest at bay

Discussion in 'Linux Networking' started by Clark Smith, Jun 26, 2013.

  1. Clark Smith


    Some clown is connecting to my sendmail server every few minutes,
    eliciting the following traces in my /var/log/maillog file:

    Jun 26 09:54:37 my_box sm-mta[18410]: r5PIcehn018410: [xxx.xxx.xxx.xxx]
    did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

    I have tried to drop packets from the offending IP address
    (represented as xxx.xxx.xxx.xxx here) with

    iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
    iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
    iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port 25 -j DROP

    in succession, but none of these rules are achieving anything - i.e. the
    diagnostic above keeps appearing in my /var/log/maillog.

    Any ideas on how to proceed?
     
    Clark Smith, Jun 26, 2013
    #1

  2. I’m not sure why you feel the need to mask the address...
    Obvious question: is the packet filter on the same box as the SMTP
    listener?
     
    Richard Kettlewell, Jun 27, 2013
    #2

  3. Clark Smith


    Yes.
     
    Clark Smith, Jun 27, 2013
    #3
  4. The first command puts the rule at the beginning of the INPUT rules,
    but you didn't specify -p tcp, so I'm not sure it was effective.
    The next two put the rule at the end of the INPUT rules. Is there
    an earlier rule which would accept the attempt? Is there another
    chain which accepts input requests?

    I suggest that you try it again with the third rule format but
    changed to -I, then look at all of your rules to see if there is
    an early rule or another chain which accepts.

    # iptables -nvL --line-numbers

    Use this command before and after the addition to see where it is.

    Also watch the counts. If the added rule is not being used,
    the count on that rule will remain at zero.
     
    Dale Dellutri, Jun 27, 2013
    #4
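
The rule-order check suggested in post #4, as an added example that is not part of any post in this thread: it reads `iptables -nvL INPUT --line-numbers` output and reports the first rule that would decide a new TCP/25 connection from a given address, with its packet count. The function names, the addresses (192.0.2.10, 198.51.100.7) and both listings are constructed for illustration.

```shell
#!/bin/sh
# first_match ADDR: read `iptables -nvL INPUT --line-numbers` output on stdin and
# print "rule-number target packet-count" for the first rule deciding TCP/25 from ADDR.
# Simplifications (assumptions of this example): sources are matched only as the exact
# address or 0.0.0.0/0 (no CIDR math); rules bound to an interface or carrying extra
# matches such as state are skipped; jumps to user-defined chains are not followed.
first_match() {
    awk -v ip="$1" '
        $1 !~ /^[0-9]+$/ { next }                         # skip the two header lines
        $4 != "ACCEPT" && $4 != "DROP" && $4 != "REJECT" { next }
        $5 != "tcp" && $5 != "6" && $5 != "all" && $5 != "0" { next }  # name or number
        $7 != "*" { next }                                # interface-specific rule
        $9 != ip && $9 != "0.0.0.0/0" { next }            # source does not cover ADDR
        {
            for (i = 11; i <= NF; i++)
                if ($i != "tcp" && $i != "dpt:25") next   # other port or extra match
            print $1, $4, $2
            exit
        }'
}

# Constructed listing: DROP rules appended (-A) after an existing ACCEPT for port 25.
appended() { cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      340 27200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2       57  3420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
3        0     0 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
4        0     0 DROP       tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:25
EOF
}

# Constructed listing: the same DROP rule inserted (-I) at the head of the chain.
inserted() { cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:25
2      340 27200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3       57  3420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
EOF
}

echo "appended: $(appended | first_match 192.0.2.10)"   # ACCEPT wins, DROP counters stay 0
echo "inserted: $(inserted | first_match 192.0.2.10)"   # DROP wins and its counter moves
```

On a live host, pipe the real listing in instead: `iptables -nvL INPUT --line-numbers | first_match <address>`.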
  5. “all” is supposed to be the default.
     
    Richard Kettlewell, Jun 27, 2013
    #5
