Mail server getting crawled constantly!

Posted on 2012-08-20
Last Modified: 2012-10-05

Our IMail server is getting hit constantly on port 25 with failed login attempts from spammers. We seem to get an extremely high volume of spam attempts and the like. Is this normal for all mail servers? Is there something we can do to mitigate these attacks? The machine is just getting SLAMMED with bad IPs (Nigeria, Russia, China, and the like). We've run virus and malware scans. Is this just normal for mail servers? Can you make any recommendations?

Thank you experts!
Question by: coldfirenj
    LVL 8

    Expert Comment

    It's not normal!!! First, you can use the abuse email contacts of the providers whose networks are trying to hack into your mail server. Second, if possible, try to change your IP address and your MX entry in DNS. Third, check whether you have a second MX record and whether it is the same on your second mail server. You cannot directly prohibit who tries to access your server. For some extra fun you can rewrite your SMTP message for a failed login to send the bad guys some news, like that you will hand these over to the FBI or similar. It does not help, but it is fun.
    LVL 18

    Accepted Solution

    Well, this is quite normal if your domain is quite popular. You had best go with some mail proxy or gateway to filter out spammers and attacks before they reach your network.
    For example, these guys are excellent and, although they do not have a page in English, they will be happy to talk to you and answer all kinds of questions.

    Another option, of course, is to install some (additional) antispam and antivirus measures on your mail server, like Cloudmark, GFI Antispam or the F-Secure spam gateway, but this would mean you process spam within your own facilities and spammers will see your network.
    Last but not least, the first mentioned solution is at least 50% cheaper than running your own.
    LVL 18

    Expert Comment

    by: Andrej Pirman
    And I forgot one thing:
    on your FIREWALL it is good practice to also restrict OUTGOING traffic, especially on port 25. Let only your local MAIL server be allowed to send mail out to ANY destination IP on port 25, while all other computers should be blocked from reaching any destination on port 25.
    Doing so, you will get rid of locally infected computers trying to spam out.

    Also, at least employ GREYLISTING on your server (if you do not go with my first mentioned solution). It will refuse all first connections to your server for a few minutes, getting rid of a lot of spam.
    Also, use RBL and DNSBL checks on your MTA.
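The greylisting and DNSBL checks recommended in the comment above, as an added example that is not part of the thread: a small Python policy function that first asks a DNSBL about the connecting client and, if the client is not listed, greylists the (client /24, sender, recipient) triplet. The zone name dnsbl.example, the /24 key, the 300-second delay and the stub resolver are assumptions chosen so the code runs offline; a real deployment would resolve against a live list from the MTA's policy hook.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# A resolver takes a DNS name and returns the A records found (empty on NXDOMAIN).
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the client's octets and append the list zone.
    203.0.113.9 against dnsbl.example becomes 9.113.0.203.dnsbl.example."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """A listed client answers with an A record in 127.0.0.0/8; an empty answer
    (NXDOMAIN) means not listed. Only 127/8 counts as a listing, so a stray
    answer from a broken zone does not start bouncing mail."""
    listed_net = ipaddress.IPv4Network("127.0.0.0/8")
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in listed_net for a in answers)


class Greylist:
    """Greylisting keyed on (client /24, sender, recipient). First contact is
    deferred with a 4xx; a retry after `delay` seconds passes; a triplet that
    never retries within `retry_window` seconds is forgotten. Triplets that
    passed stay known for the life of the process (a real deployment ages
    them out after some weeks)."""

    def __init__(self, delay: int = 300, retry_window: int = 4 * 3600):
        self.delay = delay
        self.retry_window = retry_window
        # key -> {"first": time of first contact, "passed": bool}
        self.entries: Dict[Tuple[str, str, str], dict] = {}

    @staticmethod
    def _key(client_ip: str, sender: str, rcpt: str) -> Tuple[str, str, str]:
        # Large senders often retry from another host in the same /24 (assumption
        # borrowed from common greylisters), so key on the network, not the host.
        net = ipaddress.IPv4Network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, client_ip: str, sender: str, rcpt: str, now: float) -> bool:
        """Return True if the message may be accepted, False if it must be deferred."""
        key = self._key(client_ip, sender, rcpt)
        ent = self.entries.get(key)
        if ent is None or (not ent["passed"] and now - ent["first"] > self.retry_window):
            self.entries[key] = {"first": now, "passed": False}
            return False
        if now - ent["first"] < self.delay:
            return False
        ent["passed"] = True
        return True


def smtp_policy(client_ip: str, sender: str, rcpt: str, now: float,
                greylist: Greylist, resolve: Resolver, zone: str = "dnsbl.example") -> str:
    """Decision at RCPT TO time: reject listed clients outright so they never
    enter the greylist state, then apply greylisting to everyone else."""
    if dnsbl_listed(client_ip, zone, resolve):
        return f"554 5.7.1 Service unavailable; client host [{client_ip}] listed in {zone}"
    if not greylist.check(client_ip, sender, rcpt, now):
        return "450 4.7.1 Greylisted, please try again later"
    return "250 OK"


# Constructed DNSBL content for the example: only 203.0.113.9 is listed,
# every other name resolves to nothing (NXDOMAIN).
STUB_ZONE = {"9.113.0.203.dnsbl.example": ["127.0.0.2"]}


def stub_resolve(name: str) -> List[str]:
    return STUB_ZONE.get(name, [])


if __name__ == "__main__":
    gl = Greylist()
    print(smtp_policy("203.0.113.9", "a@example.net", "b@example.com", 0, gl, stub_resolve))
    for t in (0, 60, 400):
        print(t, smtp_policy("198.51.100.20", "a@example.net", "b@example.com", t, gl, stub_resolve))
```

The order matters: the DNSBL lookup runs first because a listed host should get a permanent 5xx and never consume greylist state, while an unknown host gets the cheap temporary 4xx that spam cannons typically never retry.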
    LVL 25

    Expert Comment

    If you are using a Linux mail system, I would try Fail2ban; it is typically used for blocking users that are doing bad things (e.g. brute-forcing, trying to relay through the mail server, etc.). It does this by watching log files that the admin specifies and keeping track of how many times an IP shows up with a specific error message. Once that becomes too many, it creates an iptables rule (or performs some other blocking action). Then it (optionally) removes the block after a period of time.
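A fail2ban-style jail as an added example, not from the thread and not fail2ban's own code: it reads constructed Postfix-style SASL failure lines, counts failures per client address inside a findtime window, bans an address after maxretry hits and lifts the ban after bantime. The log lines, the thresholds, the assumed year for the syslog stamps and the iptables command are all assumptions; the <HOST> placeholder mirrors fail2ban's filter convention.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log in Postfix SASL style; not taken from the thread.
SAMPLE_LOG = """\
Aug 20 02:14:05 mx postfix/smtpd[2231]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Aug 20 02:14:09 mx postfix/smtpd[2231]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Aug 20 02:14:10 mx postfix/smtpd[2240]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Aug 20 02:14:14 mx postfix/smtpd[2231]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Aug 20 02:14:15 mx postfix/smtpd[2231]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Aug 20 02:14:20 mx postfix/smtpd[2250]: connect from mail.example.net[192.0.2.10]
Aug 20 03:30:00 mx postfix/smtpd[2300]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Aug 20 03:30:10 mx postfix/smtpd[2300]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

# fail2ban-style filter: <HOST> marks where the offending address appears.
FAILREGEX = r"warning: \S+\[<HOST>\]: SASL \S+ authentication failed"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: (?P<msg>.*)$")


def compile_failregex(pattern: str) -> "re.Pattern":
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_ts(stamp: str, year: int = 2012) -> datetime:
    # syslog stamps carry no year; the year is an assumption for the example
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def ban_command(host: str) -> List[str]:
    # The firewall rule this example would apply (an assumption; fail2ban's own
    # action inserts into a dedicated chain instead of INPUT directly).
    return ["iptables", "-I", "INPUT", "-s", host, "-p", "tcp", "--dport", "25", "-j", "REJECT"]


class Jail:
    def __init__(self, failregex: str, maxretry: int = 3, findtime: int = 600, bantime: int = 3600):
        self.regex = compile_failregex(failregex)
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # host -> recent failure times
        self.banned: Dict[str, datetime] = {}                           # host -> unban time
        self.actions: List[Tuple[str, str, datetime]] = []              # ("ban"|"unban", host, when)

    def _expire(self, now: datetime) -> None:
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]
                self.actions.append(("unban", host, now))

    def feed(self, line: str) -> None:
        m = LINE_RE.match(line)
        if not m:
            return
        now = parse_ts(m.group("ts"))
        self._expire(now)
        hit = self.regex.search(m.group("msg"))
        if not hit:
            return
        host = hit.group("host")
        if host in self.banned:
            return  # already rejected at the firewall; nothing more to do
        recent = self.failures[host]
        recent.append(now)
        while recent and (now - recent[0]).total_seconds() > self.findtime:
            recent.popleft()  # forget failures outside the findtime window
        if len(recent) >= self.maxretry:
            self.banned[host] = now + timedelta(seconds=self.bantime)
            self.actions.append(("ban", host, now))
            recent.clear()


def run(log_text: str, **settings) -> Jail:
    """Replay a log through a fresh jail and return it for inspection."""
    jail = Jail(FAILREGEX, **settings)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    for action, host, when in run(SAMPLE_LOG).actions:
        print(when.time(), action, host, " ".join(ban_command(host)) if action == "ban" else "")
```

With the defaults, 203.0.113.9 is banned on its third failure within ten minutes and unbanned an hour later, while 198.51.100.7 escapes because its three failures are spread over more than findtime. Widening findtime to a day catches that slower pattern too, which is the knob to reach for when the brute force is paced rather than bursty.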

    Author Comment

    I appreciate all of your help. Our spam situation, however, has gotten out of control. We manage about 20 domains and around 250 email accounts. Overnight (somehow) a spammer gets access to our mail server and sends out thousands of spam messages. Our senior IT guy thought he had identified a compromised account, whose password he changed before deleting it. However, after a day or two of calm, the spam explosion started up again (now from a different domain). The spammer is sending mails from fake aliases in our domain to thousands of recipients. Any thoughts at all on how we can nail down the cause of the spam?
