[Oisf-users] Block Spammer

David lists at edeca.net
Sun Sep 17 18:04:51 UTC 2017


On 17/09/2017 16:51, Mesra.net CEO wrote:
> Dear All,
>
> To block spammers by mail subject or contents, I'm using the rule below:
>
> drop tcp any any -> any [25,143,465,587,993] (msg:"***** SPAMMER *****";
> dsize:>0; content:"Sample Greeting"; sid:10000; rev:1;)
>
> And I found on my mail server that the emails sent by the spammer matching
> content:"Sample Greeting"; do not reach the recipient, but in the mail
> server log I still see the attacker IPs connecting to the SMTP
> service, which makes the load on my SMTP service go high, so how can I
> stop the attacker from reaching the SMTP service at all?

An IPS isn't the best way to achieve this.  By the time your rule above
has triggered, the SMTP server has already accepted a connection and
started to process the session.  At best you can hope your IPS
terminates the connection and the mail server immediately frees up any
resources associated with the session.  At worst your SMTP server might
hang around until some internal timeout.

Blocking at the SMTP layer is more sensible.  You can block:

 * before a connection is even accepted, by using normal iptables rules
(perhaps in conjunction with something like fail2ban).
 * at the beginning of the session once you receive the EHLO message.
 * at the beginning of the session with RBLs.
 * during the DATA portion of the session with anti-virus or
SpamAssassin / DSPAM.

An even better solution is to assign points for various bad indicators
and reject a message once you reach a threshold.  Over time you can
build up your own internal sending IP reputation and use that to predict
whether mail will be junk.

Using an IPS to solve this problem is like using a sledgehammer to crack
a nut.

David
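The reply's two points, rejecting at the earliest possible stage (before connect, at EHLO, via RBL, at DATA) and scoring indicators against a threshold while building a per-IP reputation, as an added example that is not code from this thread, from Suricata or from any MTA. It is a small Python policy engine in which each stage contributes points and the session is refused at the first stage where the running total crosses the threshold, so a known-bad IP never gets past connect while a borderline one is only judged once its DATA arrives. The RBL and reverse-DNS lookups are replaced by constructed tables so the code runs offline; the hostnames, point values, threshold and the `Session`/`Decision` types are all assumptions made for the illustration. One caveat on the original rule worth adding: of the ports it lists, 465 and 993 carry TLS from the first byte, so a plaintext `content:` match can never fire on them, and 143/993 are IMAP, where mail is read rather than submitted.

```python
"""
Score-based SMTP policy: added illustration, not the original poster's rule
or any MTA's real code. Indicators seen at connect, HELO/EHLO and DATA add
points; the session is rejected at the first stage where the total reaches
THRESHOLD, and each rejection feeds a per-IP reputation table so repeat
offenders are refused before EHLO (or, via iptables, before accept()).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple
import re

THRESHOLD = 5          # reject once accumulated points reach this (assumed)
MAX_PRIOR_REJECTS = 3  # after this many rejects an IP is refused at connect

# Constructed stand-ins for network lookups so the example runs offline.
# A real deployment queries a DNSBL (e.g. zen.spamhaus.org) and does PTR lookups.
RBL_LISTED = {"203.0.113.7"}
REVERSE_DNS: Dict[str, Optional[str]] = {
    "192.0.2.10": "mx1.partner.example",   # legitimate peer with valid rDNS
    "198.51.100.22": None,                 # no PTR record
    "203.0.113.7": None,
}
OUR_HOSTNAMES = {"mail.mesra.example"}     # hypothetical local MX name
BLOCKED_PHRASES = ("sample greeting",)     # the OP's content match, moved into the MTA

FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)
IPLIT_RE = re.compile(r"^\[?\d{1,3}(\.\d{1,3}){3}\]?$")


@dataclass
class Session:
    client_ip: str
    helo: Optional[str] = None   # None: session never reached EHLO
    body: Optional[str] = None   # None: session never reached DATA


@dataclass
class Decision:
    action: str                  # "accept" or "reject"
    stage: str                   # stage at which the decision was made
    score: int
    reasons: List[str] = field(default_factory=list)


class ScoringPolicy:
    def __init__(self) -> None:
        self.rejects: Dict[str, int] = {}   # per-IP reputation: prior rejections

    def _connect_checks(self, s: Session) -> Iterator[Tuple[str, int]]:
        if self.rejects.get(s.client_ip, 0) >= MAX_PRIOR_REJECTS:
            yield ("bad_reputation", THRESHOLD)      # enough on its own
        if s.client_ip in RBL_LISTED:
            yield ("rbl_listed", 4)
        if REVERSE_DNS.get(s.client_ip) is None:
            yield ("no_reverse_dns", 1)

    def _helo_checks(self, s: Session) -> Iterator[Tuple[str, int]]:
        helo = (s.helo or "").strip()
        if not helo:
            return
        if IPLIT_RE.match(helo):
            yield ("helo_ip_literal", 2)
        elif not FQDN_RE.match(helo):
            yield ("helo_not_fqdn", 2)
        if helo.lower() in OUR_HOSTNAMES:
            yield ("helo_impersonates_us", 3)

    def _data_checks(self, s: Session) -> Iterator[Tuple[str, int]]:
        if s.body is None:
            return
        low = s.body.lower()
        for phrase in BLOCKED_PHRASES:
            if phrase in low:
                yield ("phrase:" + phrase, 3)

    def evaluate(self, s: Session) -> Decision:
        """Walk the stages in protocol order; stop at the first one that crosses
        THRESHOLD so no more of the session is processed than necessary."""
        score, reasons = 0, []
        for stage, checks in (("connect", self._connect_checks),
                              ("helo", self._helo_checks),
                              ("data", self._data_checks)):
            for name, pts in checks(s):
                score += pts
                reasons.append(name)
            if score >= THRESHOLD:
                self.rejects[s.client_ip] = self.rejects.get(s.client_ip, 0) + 1
                return Decision("reject", stage, score, reasons)
        return Decision("accept", "data", score, reasons)

    def firewall_rules(self) -> List[str]:
        """iptables commands (as strings) for IPs whose reputation is exhausted,
        so they are dropped before the MTA ever accept()s them. In practice
        fail2ban generates these from the MTA's own reject log lines."""
        return ["iptables -I INPUT -p tcp --dport 25 -s %s -j DROP" % ip
                for ip, n in sorted(self.rejects.items()) if n >= MAX_PRIOR_REJECTS]


if __name__ == "__main__":
    policy = ScoringPolicy()
    # Constructed sessions: an RBL-listed host, a clean peer, and a repeat spammer.
    print(policy.evaluate(Session("203.0.113.7", helo="mx.example.org", body="Hello")))
    print(policy.evaluate(Session("192.0.2.10", helo="mx1.partner.example", body="Hello")))
    spam = Session("198.51.100.22", helo="[198.51.100.22]", body="Sample Greeting!")
    for _ in range(MAX_PRIOR_REJECTS):
        print(policy.evaluate(spam))
    print(policy.evaluate(Session("198.51.100.22", helo="good.example.org", body="Hi")))
    print("\n".join(policy.firewall_rules()))
```

The order of the stages is the point: the RBL-listed host is refused before it can send EHLO, the host with only a missing PTR and an IP-literal HELO is allowed as far as DATA (where the content hit tips it over), and once an IP has been rejected `MAX_PRIOR_REJECTS` times the reputation entry alone refuses it at connect and it is exported as a firewall rule, which is exactly the "stop them reaching SMTP at all" outcome the original question asked for.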
