USG310 Block incoming request of SMTP flood

weite
weite Posts: 22  Freshman Member
First Comment Seventh Anniversary
edited April 2021 in Security

Hello community!

I've following constellation. A USG310 with three WAN ports. All WAN IP's are listed in the DNS for the MX record. The SMTP port is forwarded to a Mailserver/ SPAM filter.

Now my Problem. Since last week I've many request from a botnet. At first I've blocked over the GEO IP but now I've many request from germany and I can't block all this IPs manually. How can I setup a automatic blocking of IPs that have many requests?

A little push in the right direction would help me! Thanks!

All Replies

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Really there is no way to block unwanted traffic from wanted traffic.

    Do you know if its a port scan or full connect to the server?

    If the bot net is doing a port scan per number of ports from one IP and there is no ACK after they send a SYN and you send a SYN, ACK you can use the ADP with scan detection set block period to 3600 for portscan TCP.

  • weite
    weite Posts: 22  Freshman Member
    First Comment Seventh Anniversary

    It is a full connect to the Server but will discarded from the DNSBL. A lot of connections per second from different ip addresses.

    When it's not possible to block this than it's so.The DNSBL works.

    Thanks for your answer!

  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    AFAIK, the only way to "limit" connections can be set on NAT Sessions, but no parameters can be set except the default number of the sessions or a custom one for a single host.

    Also, due to SMTP way to connect, the goal is to have the whole internet to connect to your mailserver, not a whitelist one. So USG IMVHO can not be a good way to manage connections.

    Your MTA should have capabilities to discard unwanted connections, and deferring (not refusing) connections when resources of the system or the connection are limited.eMail were never intended as real-time communication, nor is it today.

Security Highlight