[Oisf-users] Mail Attack Rules

Mesra.net CEO admin at mesra.my
Wed Mar 8 18:59:48 UTC 2017

Dear All,

Since few days ago my server has been attack and the attacker are sending thousands of emails to invalid email username and its only effected to 1 domain name, currently i  have to block more then 10k IPs per day for the issue, with suricata i make the rules like below but that will totally block the access for valid emails, is theres any tips i can make the rules for more flexible for example the suricata only block any access to invalid email from out of the list, for example i will list down all the valid receipent emails and the others will automatically block:

reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com EMail ATTACK *****"; dsize:>0; content:"@abcde.com"; sid:51; rev:1;)

Please help, TQ

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170309/41c9efad/attachment.html>

More information about the Oisf-users mailing list