Blog | G5 Cyber Security

Block Changing IPs on SMTP Port 25

TL;DR

This guide explains how to prevent spammers from abusing your mail server by blocking rapidly changing IP addresses on port 25 (SMTP). It covers firewall rate limiting, greylisting, DNSBLs and log monitoring.

Solution Guide

  1. Understand the Problem

     Spammers often use dynamic IP addresses, frequently switching them to avoid being blocked. Blocking individual IPs is ineffective because they change quickly; we need a solution that targets the behaviour itself rather than any particular address.

  2. Firewall Rules (iptables/ufw)

     Configure your firewall to limit the rate of new connections on port 25. This won’t block legitimate users, but it will significantly hinder spammers attempting many connections from different IPs.

     sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --set --name SMTP --rsource
     sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SMTP --rsource -j DROP

     Explanation: The first rule records the source IP of every new connection in the "recent" list named SMTP. The second rule drops a new connection when its source IP has already appeared 4 or more times in that list (counting the current connection) within the last 60 seconds, i.e. after more than 3 new connections in 60 seconds. Both rules must sit before any rule that accepts port 25 traffic, otherwise they are never reached.

     Using ufw (Ubuntu/Debian systems using ufw):

     sudo ufw limit 25

     Explanation: This limits incoming connections on port 25 to a rate defined in the /etc/default/ufw file. Adjust this setting as needed.

  3. Greylisting

     Greylisting temporarily rejects emails from unknown senders. Legitimate mail servers will retry, while many spammers won’t. This significantly reduces spam volume.

     sudo apt update && sudo apt install spamassassin

     Configure SpamAssassin to use the greylist plugin according to its documentation.

     Alternative: Use a dedicated greylisting service like spamhaus-greylisting.

  4. DNSBLs (DNS Blacklists)

     Use DNS blacklists (DNSBLs) to check the IP addresses of incoming connections against known spam sources. This is a proactive measure.

  5. Rate Limiting per IP Address

     Implement rate limiting based on the number of emails sent from a single IP address within a specific timeframe. This can be done using tools like fail2ban or your mail server’s configuration.

  6. Monitor Logs

     Regularly check your mail server logs for blocked connections, greylisted emails, and DNSBL hits. This helps you fine-tune your rules and identify potential issues.
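As an added example (not part of the original post), the script below replays the 4-connections-in-60-seconds rule from step 2 over mail server log lines, so you can see which connections the rule would have dropped and tune the window and hit count against your own logs before deploying. It assumes Postfix-style "connect from" syslog lines; the sample lines and addresses are constructed, and the year is assumed because syslog omits it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Parameters of the iptables "recent" rule from the guide: drop a new connection
# when its source IP has been seen HITCOUNT or more times within SECONDS seconds.
SECONDS = 60
HITCOUNT = 4

# Constructed Postfix-style "connect from" lines for demonstration, not real logs.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[100]: connect from unknown[203.0.113.10]
Mar  3 10:00:05 mx postfix/smtpd[101]: connect from unknown[203.0.113.10]
Mar  3 10:00:09 mx postfix/smtpd[102]: connect from unknown[203.0.113.10]
Mar  3 10:00:12 mx postfix/smtpd[103]: connect from unknown[203.0.113.10]
Mar  3 10:00:20 mx postfix/smtpd[104]: connect from mail.example.net[198.51.100.7]
Mar  3 10:00:40 mx postfix/smtpd[105]: connect from unknown[203.0.113.10]
Mar  3 10:02:00 mx postfix/smtpd[106]: connect from unknown[203.0.113.10]
Mar  3 10:03:30 mx postfix/smtpd[107]: connect from mail.example.net[198.51.100.7]
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*connect from \S+\[([0-9.]+)\]")

def parse_connects(log_text, year=2024):
    """Yield (timestamp, source_ip) per SMTP connect line; syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def simulate(log_text, seconds=SECONDS, hitcount=HITCOUNT):
    """Return {ip: (connections_seen, connections_the_rule_would_drop)}.
    Approximates xt_recent: each connection adds one timestamp (--set) and is
    dropped if, counting itself, >= hitcount stamps fall inside the window (--update)."""
    window = defaultdict(deque)           # ip -> timestamps still inside the window
    stats = defaultdict(lambda: [0, 0])   # ip -> [seen, dropped]
    for ts, ip in parse_connects(log_text):
        q = window[ip]
        while q and (ts - q[0]).total_seconds() >= seconds:
            q.popleft()                   # expire stamps older than the window
        q.append(ts)
        stats[ip][0] += 1
        if len(q) >= hitcount:
            stats[ip][1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

if __name__ == "__main__":
    for ip, (seen, dropped) in sorted(simulate(SAMPLE_LOG).items()):
        print(f"{ip:<16} connections={seen} would_drop={dropped}")
```

Feed it your real mail log and raise or lower `hitcount`/`seconds` until legitimate relays show zero drops while the burst senders are still caught.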
