How to stop bad guys from scanning server for users via smtp?

Hi all smart Domino gurus!

Today I have seen a new way to try to find users/email addresses through smtp. Well it is new for me.

This morning someone started to bombard a client's Domino server with SMTP connections with random email addresses. Every time it is around 50 different addresses, all within 1 second, before they disconnect and rest for about 5 minutes. Then they come back with 50 new addresses within a second but this time from a completely different SMTP server. And so it has been all day.
I have seen this behaviour before but then it is usually a couple of emails and most of the time from the same server so that it is possible to block it in different ways.

The server is properly configured, at least from what I can see, so this isn't really a problem, except that the log gets stuffed, but I wonder if there is a way to stop connecting servers from doing this?

It should be possible as we (I mean the server) can see that one connecting server tries to deliver a lot of mails to recipients that obviously don't exist on the server, so it would be possible to catch this event and mitigate it somehow.

OK, I am in deep water now since I don't have enough knowledge to really be able to say that it IS possible, but the information is there. Maybe a setting on the server where you define how many addresses are allowed before the server drops the session. In my dreams, that is.

How do you handle this? Do you even bother because of more urgent things or have you come up with a smart solution?

The environment is Domino 14 FP3 running on CentOS Stream 9. And yes, I have set up Fail2Ban, but that doesn't help in this case since I can only catch the IP when the server connects and disconnects, and next time it is from a completely different server/IP.

Thanks

/Jonas

Sweden
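A defender-side detector of the kind Jonas is asking for, added here as an example that is not part of the original thread and not Domino's own code: it reads a constructed, simplified log format (not Domino's real SMTP log format) and flags sessions in which almost every RCPT TO was answered with a 550 unknown-user reply, which is the signal you would feed to Fail2Ban or a gateway rule.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical simplified format; NOT Domino's real
# SMTP log. Fields: timestamp, remote IP, session id, RCPT address, reply code.
SAMPLE_LOG = """\
2024-05-02 09:10:01 203.0.113.10 sess=41 RCPT alice@example.com 250
2024-05-02 09:10:01 203.0.113.10 sess=41 RCPT zq81k@example.com 550
2024-05-02 09:10:01 203.0.113.10 sess=41 RCPT p0ttr@example.com 550
2024-05-02 09:10:01 203.0.113.10 sess=41 RCPT m7x2@example.com 550
2024-05-02 09:10:02 203.0.113.10 sess=41 RCPT kkq9@example.com 550
2024-05-02 09:10:30 198.51.100.7 sess=42 RCPT bob@example.com 250
2024-05-02 09:10:30 198.51.100.7 sess=42 RCPT bobb@example.com 550
2024-05-02 09:15:03 192.0.2.55 sess=43 RCPT a1b2@example.com 550
2024-05-02 09:15:03 192.0.2.55 sess=43 RCPT c3d4@example.com 550
2024-05-02 09:15:03 192.0.2.55 sess=43 RCPT e5f6@example.com 550
2024-05-02 09:15:04 192.0.2.55 sess=43 RCPT g7h8@example.com 550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) sess=(?P<sess>\d+) RCPT (?P<rcpt>\S+) (?P<code>\d{3})$"
)

def parse(log_text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def flag_harvesting_sessions(log_text, max_unknown=4, min_unknown_ratio=0.8):
    """Return {(ip, sess): (unknown, total)} for sessions that look like
    directory harvesting: at least max_unknown 550 replies AND a high
    rejection ratio, so a legitimate server with one typo is not flagged."""
    counts = defaultdict(lambda: [0, 0])      # key -> [unknown, total]
    for rec in parse(log_text):
        key = (rec["ip"], rec["sess"])
        counts[key][1] += 1
        if rec["code"] == "550":
            counts[key][0] += 1
    flagged = {}
    for key, (unknown, total) in counts.items():
        if unknown >= max_unknown and unknown / total >= min_unknown_ratio:
            flagged[key] = (unknown, total)
    return flagged

if __name__ == "__main__":
    for (ip, sess), (unknown, total) in sorted(flag_harvesting_sessions(SAMPLE_LOG).items()):
        print(f"{ip} session {sess}: {unknown}/{total} recipients unknown")
```

Session 42 (one typo out of two recipients) is left alone; sessions 41 and 43 are reported, and the flagged IP is what a ban action would act on, even though, as Jonas notes, the next burst will come from a different address.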

Hi Jonas,

Receiving SMTP email directly on Domino is a task I stopped doing a long time ago. I still sometimes consider the possibility of going back to doing it, but I know it will be hard. For the time being, I use a spam filter on the perimeter.

Before answering your question, I will briefly describe the phases that any SMTP server goes through before validating recipient emails.

1 - Helo

In this phase the SMTP client (the bad guy) presents itself. For example, it might say Helo smtp.acme.org. Your server will then reply to this. It can do some checks before replying. There are DNS blacklists you can set up in the server configuration document. You could also check that the hostname presented exists in DNS (Domino can do this check). If this check is enabled, Domino will also check the PTR record ("Verify connecting hostname in DNS" set to enabled implies a PTR check).

2 - Mail From

In this phase, the sender email is given. The receiving server (your server) can do some checks like SPF. The connecting server might try to say the sender is <> (the empty sender). This is legitimate for Non Delivery Receipts. SPF checks can be enabled in the configuration document.

3 - Rcpt To

In this phase you get the attack (test for 50 random emails).

In conclusion, before the session gets to the Rcpt To phase (3), you can do a number of checks (hostname indicated in Helo is in DNS and PTR check, IP in DNS blacklists, SPF).

These checks can be found in the server configuration document:

Router/SMTP -> Restrictions and controls -> SMTP Inbound controls

Implementing these checks is easy ... but they could potentially stop legitimate email, so be prepared. You will need to tell users you are going to try to stop spam more aggressively, so they can report to you when some email they were expecting fails to come through. In that case, you will need to set exceptions and whitelist some sending servers.

I would also disable Pipelining since spamming servers generally do not wait for the answers to Helo, Mail From commands. This might cut out spamming servers that are in a hurry. Disabling pipelining does not have a bad impact on the server.

Let me know if you need more details or information.

Michelangelo

I don't think there is a way that doesn't imply SMTP disruptions: you could close port 25 when a certain number of connections is exceeded in a predetermined period of time. It is clear that in this way you would not receive legitimate mail.
Greater capillarity in the configuration requires the use of an SMTP Gateway, even self-built in Postfix.

I would echo Michelangelo's comment and recommend using a third-party spam/virus scanning solution. Your Domino server would then be set up only to accept connections from the spam/antivirus provider. It saves your time and server resources and should be a lot more secure.

Thank you for your replies and for sharing your expertise. We will look into some sort of anti-spam solution. But I still think that it would be possible to add some more settings in the Domino server to take care of more things like this.

Thanks again.

/J

The bare minimum: install Fail2Ban for Domino:

Hi

Thank you for your advice. I have been using Fail2Ban for quite some time now and it seems to work great. It took some time to tweak but once set up it is great.

Thanks and have a great weekend.

/ J