
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 499

Mail server getting crawled constantly!


Our IMail server is getting hit constantly on port 25 with failed login attempts from spammers. We seem to get an extremely high volume of spam attempts and the like. Is this normal for all mail servers? Is there something we can do to mitigate these attacks? The machine is just getting SLAMMED with bad IPs (Nigeria, Russia, China, and the like). We've run virus and malware scans. Is this just normal for mail servers? Can you make any recommendations?

Thank you experts!
1 Solution
It's not normal!!! First, you can use the abuse email records from the providers that are trying to hack into your mail server. Second, if possible, try to change your IP address and your MX entry in DNS. Third, check if you have a second MX record and if it's the same on your second mail server. You cannot directly prohibit who is trying to access your server. For some extra fun you can rewrite your SMTP message for an error login to send the bad guys some news like you give these to the FBI or similar. Does not help, but fun.
Andrej Pirman commented:
Well, this is quite normal if your domain is quite popular. You'd best go with some mail proxy or gateway to filter out spammers and attacks before they reach your network.
For example, these guys are excellent, and although they do not have a page in English, they will be glad to talk to you and answer all kinds of questions: http://sgh.si/storitve/anti-spam-proxy

Another option, of course, is to install some additional antispam and antivirus measures on your mail server, like Cloudmark or GFI Antispam or F-Secure spam gateway, but this would mean you will process spam within your facilities and spammers will see your network.
Last but not least, the first mentioned solution is at least 50% cheaper than your own solution.
Andrej Pirman commented:
And I forgot one thing:
on your FIREWALL it is good practice to restrict OUTGOING traffic as well, especially on port 25. Let only your local MAIL server be allowed to send mail out to ANY destination IP on port 25, while all other computers should be blocked from reaching any destination on port 25.
Doing so, you will get rid of locally infected computers trying to spam out.

Also, at least employ GREYLISTING on your server (if you do not go with my first mentioned solution). It will refuse all first connections to your server for a few minutes, getting rid of a lot of spam.
Also, use RBL and DNSBL checks on your MTA.
madunix (Chief Information Security Officer) commented:
If you are using a Linux mail system, I would try Fail2ban; it is typically used for blocking users that are doing bad things (e.g. brute-forcing, trying to relay through the mail server, etc.). It does this by watching log files that the admin specifies and keeping track of how many times an IP shows up with a specific error message. Once that becomes too many, it creates an iptables rule (or performs some other blocking action), then (optionally) removes the block after a period of time.
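The counting rule madunix describes, as an added example that is not from the thread or from Fail2ban itself: a plain-Python reimplementation of the maxretry/findtime logic run over constructed Postfix-style SASL failure lines (IMail writes a different log format, so the regex and the sample lines are assumptions to adapt).

```python
# Added example: fail2ban-style threshold logic on SMTP auth failures.
# The log format below is a constructed Postfix/smtpd style, not real traffic.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog lines carry no year; one is assumed when parsing).
SAMPLE_LOG = """\
Mar  3 02:10:01 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 02:10:04 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 02:10:09 mx postfix/smtpd[1203]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Mar  3 02:10:11 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 02:10:15 mx postfix/smtpd[1205]: connect from mail.example.net[192.0.2.20]
Mar  3 02:10:18 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 02:10:20 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 03:30:00 mx postfix/smtpd[1210]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
"""

# Matches only the "specific error message" we care about: a SASL auth failure.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(\d+\.\d+\.\d+\.\d+)\]: SASL \w+ authentication failed"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) for every auth-failure line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse syslog's padded day
            yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m.group(2)

def offenders(log_text, maxretry=5, findtime=600):
    """Return {ip: time_threshold_hit} for IPs with >= maxretry failures
    inside any findtime-second window (the same rule fail2ban applies)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue  # already blocked; fail2ban would not count further hits
        hits = [t for t in recent[ip] if ts - t <= window]  # drop hits older than findtime
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts  # this is where a real jail would add the iptables rule
    return banned
```

With the defaults, 198.51.100.7 crosses the threshold on its fifth failure at 02:10:20, while 203.0.113.9's two failures are 80 minutes apart and never accumulate.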
coldfirenj (Author) commented:
I appreciate all of your help. Our spam situation, however, has gotten out of control. We manage about 20 domains and around 250 email accounts. Overnight (somehow) a spammer gets access to our mail server and sends out thousands of spam messages. Our senior IT guy thought he identified a compromised account, which he changed the PW for and deleted. However, after a day or two of calm, the spam explosion started up again (now a different domain). The spammer is sending mails from fake aliases in our domain to thousands of recipients. Any thoughts at all on how we can nail down the cause of the spam?
