• Keeping sendmail pest at bay

    From Clark Smith@110:110/2002 to All on Wed Jun 26 16:03:54 2013

    Some clown is connecting to my sendmail server every few minutes, eliciting the following traces in my /var/log/maillog file:

    Jun 26 09:54:37 my_box sm-mta[18410]: r5PIcehn018410: [xxx.xxx.xxx.xxx]
    did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

    I have tried to drop packets from the offending IP address (represented as xxx.xxx.xxx.xxx here) with

    iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
    iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
    iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port 25 -j DROP

    in succession, but none of these rules are achieving anything - i.e. the diagnostic above keeps appearing in my /var/log/maillog.

    Any ideas on how to proceed?


    --- MBSE BBS v1.0.0 (GNU/Linux-i386)
    * Origin: albasani.net (110:110/2002@linuxnet)
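Before reaching for the packet filter it is worth knowing how often the peer connects and whether it is really one host. The script below is an added example (editor's code, not from any poster) that tallies sendmail's idle-connection diagnostic per client address from constructed maillog lines; 192.0.2.45 and 198.51.100.7 are documentation addresses standing in for the masked xxx.xxx.xxx.xxx, and all queue IDs and timestamps apart from the one quoted in the post are invented:

```python
"""Tally sendmail "did not issue MAIL/EXPN/VRFY/ETRN" events per peer address.

Added example; the log lines below are constructed, and 192.0.2.45 /
198.51.100.7 are documentation addresses standing in for the masked host.
"""
import re
from collections import defaultdict
from datetime import datetime

# sm-mta names the peer in square brackets; when reverse DNS succeeds the
# line reads "host.example [192.0.2.45]", so anchor on the bracketed address.
IDLE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: "
    r".*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$"
)

# Constructed sample: one noisy peer every five minutes, one legitimate
# delivery, and one resolved-hostname peer that also idled.
SAMPLE_LOG = """\
Jun 26 09:54:37 my_box sm-mta[18410]: r5PIcehn018410: [192.0.2.45] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 26 09:56:02 my_box sm-mta[18422]: r5PIu2Ab018422: from=<alice@example.org>, size=1187, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.20]
Jun 26 09:59:37 my_box sm-mta[18431]: r5PIxbhn018431: [192.0.2.45] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 26 10:01:15 my_box sm-mta[18440]: r5PJ1Fhn018440: scanner.example.net [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 26 10:04:37 my_box sm-mta[18449]: r5PJ4bhn018449: [192.0.2.45] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 26 10:09:37 my_box sm-mta[18458]: r5PJ9bhn018458: [192.0.2.45] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def idle_connections(lines, year=2013):
    """Map peer IP -> sorted timestamps of its idle SMTP connections."""
    hits = defaultdict(list)
    for line in lines:
        m = IDLE_RE.match(line)
        if m:
            # syslog omits the year; the caller supplies it (2013 for the thread)
            hits[m["ip"]].append(
                datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in hits.items()}


def summarize(hits):
    """Per IP: (number of idle connections, mean seconds between them or None)."""
    out = {}
    for ip, stamps in hits.items():
        gap = None
        if len(stamps) > 1:
            gap = (stamps[-1] - stamps[0]).total_seconds() / (len(stamps) - 1)
        out[ip] = (len(stamps), gap)
    return out


if __name__ == "__main__":
    report = summarize(idle_connections(SAMPLE_LOG.splitlines()))
    for ip, (n, gap) in sorted(report.items(), key=lambda kv: -kv[1][0]):
        every = f", one every {gap:.0f}s" if gap else ""
        print(f"{ip:<16} {n:3d} idle connections{every}")
```

Against the real file, `idle_connections(open("/var/log/maillog"))` gives the same table; a steady gap of a few minutes from a single address is the signature the original post describes, while many addresses with one hit each points at something else.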
  • From Richard Kettlewell@110:110/2002 to All on Thu Jun 27 12:29:48 2013

    Clark Smith <noaddress@nowhere.net> writes:

    > Some clown is connecting to my sendmail server every few minutes, eliciting the following traces in my /var/log/maillog file:
    >
    > Jun 26 09:54:37 my_box sm-mta[18410]: r5PIcehn018410: [xxx.xxx.xxx.xxx]
    > did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    >
    > I have tried to drop packets from the offending IP address (represented as xxx.xxx.xxx.xxx here) with

    I’m not sure why you feel the need to mask the address...

    > iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
    > iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
    > iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port 25 -j DROP
    >
    > in succession, but none of these rules are achieving anything - i.e. the diagnostic above keeps appearing in my /var/log/maillog.
    >
    > Any ideas on how to proceed?

    Obvious question: is the packet filter on the same box as the SMTP
    listener?

    --
    http://www.greenend.org.uk/rjk/

    --- MBSE BBS v1.0.0 (GNU/Linux-i386)
    * Origin: Anjou (110:110/2002@linuxnet)
  • From Clark Smith@110:110/2002 to All on Thu Jun 27 13:26:18 2013

    On Thu, 27 Jun 2013 13:29:49 +0100, Richard Kettlewell wrote:

    > Clark Smith <noaddress@nowhere.net> writes:
    >
    >> Some clown is connecting to my sendmail server every few minutes,
    >> eliciting the following traces in my /var/log/maillog file:
    >>
    >> Jun 26 09:54:37 my_box sm-mta[18410]: r5PIcehn018410: [xxx.xxx.xxx.xxx]
    >> did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    >>
    >> I have tried to drop packets from the offending IP address
    >> (represented as xxx.xxx.xxx.xxx here) with
    >
    > I’m not sure why you feel the need to mask the address...
    >
    >> iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
    >> iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
    >> iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port 25 -j DROP
    >>
    >> in succession, but none of these rules are achieving anything - i.e.
    >> the diagnostic above keeps appearing in my /var/log/maillog.
    >>
    >> Any ideas on how to proceed?
    >
    > Obvious question: is the packet filter on the same box as the SMTP
    > listener?

    Yes.

    --- MBSE BBS v1.0.0 (GNU/Linux-i386)
    * Origin: albasani.net (110:110/2002@linuxnet)
  • From Dale Dellutri@110:110/2002 to All on Thu Jun 27 14:33:56 2013

    On Wed, 26 Jun 2013 12:03:55, Clark Smith <noaddress@nowhere.net> wrote:
    > Some clown is connecting to my sendmail server every few minutes, eliciting the following traces in my /var/log/maillog file:
    >
    > Jun 26 09:54:37 my_box sm-mta[18410]: r5PIcehn018410: [xxx.xxx.xxx.xxx]
    > did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    >
    > I have tried to drop packets from the offending IP address (represented as xxx.xxx.xxx.xxx here) with
    >
    > iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
    > iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
    > iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port 25 -j DROP
    >
    > in succession, but none of these rules are achieving anything - i.e. the diagnostic above keeps appearing in my /var/log/maillog.
    >
    > Any ideas on how to proceed?

    The first command puts the rule at the beginning of the INPUT rules,
    but you didn't specify -p tcp, so I'm not sure it was effective.
    The next two put the rule at the end of the INPUT rules. Is there
    an earlier rule which would accept the attempt? Is there another
    chain which accepts input requests?

    I suggest that you try it again with the third rule format but
    changed to -I, then look at all of your rules to see if there is
    an early rule or another chain which accepts.

    # iptables -nvL --line-numbers

    Use this command before and after the addition to see where it is.

    Also watch the counts. If the added rule is not being used,
    the count on that rule will remain at zero.

    --
    Dale Dellutri <ddelQQQlutr@panQQQix.com> (lose the Q's)

    --- MBSE BBS v1.0.0 (GNU/Linux-i386)
    * Origin: PANIX Public Access Internet and UNIX, NYC (110:110/2002@linuxnet)
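Dale's checklist (where the rule landed, whether an earlier rule accepts first, whether the counters move) can be run mechanically against a saved `iptables -nvL --line-numbers` listing. What follows is an added example (editor's code, not from any poster) that parses such a listing and replays the kernel's first-match walk of the INPUT chain for a new SMTP connection from the offending host. Both listings are constructed: 192.0.2.45 stands in for the masked address, rule 3's ACCEPT for tcp dpt:25 is assumed to be a pre-existing "allow SMTP" rule, and the counters are made up. The example handles the interface, state and port matches that a typical chain carries, not just the source address:

```python
"""Replay first-match semantics over an `iptables -nvL --line-numbers` listing.

Added example; the listings are constructed and 192.0.2.45 stands in for the
masked xxx.xxx.xxx.xxx of the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

NON_TERMINATING = {"LOG", "NFLOG", "ULOG"}  # packet keeps walking after these


@dataclass
class Rule:
    num: int
    pkts: int
    target: str
    proto: str
    in_if: str
    source: str
    extra: str  # match options column: "tcp dpt:25", "state NEW", ...


def _count(s: str) -> int:
    """iptables -v rounds counters to K/M/G (multiples of 1000) unless -x is given."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(float(s[:-1]) * mult[s[-1]]) if s[-1] in mult else int(s)


def parse_listing(text: str, chain: str = "INPUT") -> list[Rule]:
    """Extract the rules of one chain from `iptables -nvL --line-numbers` output."""
    rules, in_chain = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or line.startswith("num"):
            continue
        # num pkts bytes target prot opt in out source destination [options]
        f = line.split(None, 10)
        rules.append(Rule(int(f[0]), _count(f[1]), f[3], f[4], f[6], f[8],
                          f[10] if len(f) > 10 else ""))
    return rules


def _matches(r: Rule, src: str, proto: str, dport: int, iface: str) -> bool:
    if r.in_if not in ("*", iface):
        return False
    neg = r.source.startswith("!")
    in_net = ipaddress.ip_address(src) in ipaddress.ip_network(
        r.source.lstrip("!"), strict=False)
    if in_net == neg:
        return False
    if r.proto not in ("all", "0", proto):
        return False
    m = re.search(r"dpts?:(\d+)(?::(\d+))?", r.extra)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not lo <= dport <= hi:
            return False
    m = re.search(r"\b(?:ct)?state (\S+)", r.extra)
    if m and "NEW" not in m.group(1).split(","):
        return False  # a fresh SMTP connection is a NEW flow
    return True


def first_match(rules: list[Rule], src: str, proto: str = "tcp",
                dport: int = 25, iface: str = "eth0") -> Optional[Rule]:
    """First terminating rule the packet hits; None means the chain policy applies."""
    for r in rules:
        if r.target not in NON_TERMINATING and _matches(r, src, proto, dport, iface):
            return r
    return None


def idle_rules(rules: list[Rule], target: str = "DROP") -> list[int]:
    """Rule numbers of `target` rules whose packet counter is still zero."""
    return [r.num for r in rules if r.target == target and r.pkts == 0]


# Constructed: the DROP rules were appended (-A) behind an existing SMTP ACCEPT.
BEFORE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9876  812K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      543   41K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3       88  5280 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
4        0     0 DROP       all  --  *      *       192.0.2.45           0.0.0.0/0
5        0     0 DROP       tcp  --  *      *       192.0.2.45           0.0.0.0/0            tcp dpt:25
"""

# Constructed: the same DROP inserted at the top (-I), now seeing traffic.
AFTER = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       17  1020 DROP       tcp  --  *      *       192.0.2.45           0.0.0.0/0            tcp dpt:25
2     9876  812K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3      543   41K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4       88  5280 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
"""

if __name__ == "__main__":
    for label, listing in (("appended (-A)", BEFORE), ("inserted (-I)", AFTER)):
        rules = parse_listing(listing)
        hit = first_match(rules, "192.0.2.45")
        where = f"rule {hit.num} ({hit.target})" if hit else "chain policy"
        print(f"{label}: SYN from 192.0.2.45 to tcp/25 hits {where}; "
              f"idle DROP rules: {idle_rules(rules)}")
```

Run against the real box with `parse_listing(subprocess.run(["iptables", "-nvL", "--line-numbers"], capture_output=True, text=True).stdout)`; if `first_match` names an ACCEPT ahead of your DROP, or `idle_rules` keeps listing the DROP after the next connection, the rule is in the wrong place, which is exactly what the counters Dale mentions would also tell you.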
  • From Richard Kettlewell@110:110/2002 to All on Thu Jun 27 14:40:42 2013

    Dale Dellutri <ddelQQQlutr@panQQQix.com> writes:

    > On Wed, 26 Jun 2013 12:03:55, Clark Smith <noaddress@nowhere.net> wrote:
    >> Some clown is connecting to my sendmail server every few minutes,
    >> eliciting the following traces in my /var/log/maillog file:
    >>
    >> Jun 26 09:54:37 my_box sm-mta[18410]: r5PIcehn018410: [xxx.xxx.xxx.xxx]
    >> did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    >>
    >> I have tried to drop packets from the offending IP address
    >> (represented as xxx.xxx.xxx.xxx here) with
    >>
    >> iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
    >> iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
    >> iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port 25 -j DROP
    >>
    >> in succession, but none of these rules are achieving anything - i.e. the
    >> diagnostic above keeps appearing in my /var/log/maillog.
    >>
    >> Any ideas on how to proceed?
    >
    > The first command puts the rule at the beginning of the INPUT rules,
    > but you didn't specify -p tcp, so I'm not sure it was effective.

    “all” is supposed to be the default.

    --
    http://www.greenend.org.uk/rjk/

    --- MBSE BBS v1.0.0 (GNU/Linux-i386)
    * Origin: Anjou (110:110/2002@linuxnet)