SMTP Attack

Hi everybody, I have some issues with my Lotus Domino server. For more than a week we have had a lot of incoming SMTP traffic from outside. We have blocked more than 5000 IP addresses in our firewall, but our Domino server is still receiving SMTP traffic from some hosts, so we started blocking some domains and also enabled the option VERIFY CONNECTING HOST IN DNS. Now the server looks like this:

**********This is when the server does not resolve the name in DNS ********

02/15/2010 12:48:07 PM SMTP Server [1218:0020-0924] Connection from [89.17.31.212] rejected for policy reasons. IP address of connecting host not found in reverse DNS lookup.

02/15/2010 12:48:07 PM SMTP Server: 89.17.31.212 connected

02/15/2010 12:48:09 PM SMTP Server: 89.17.31.212 disconnected. 0 message[s] received

**********This is when the domain is blocked in our server configuration **********

02/15/2010 12:58:05 PM SMTP Server [1218:001C-02CC] Connection from 190-97-204-226.ert.com.co rejected for policy reasons. Connecting host is denied in your configuration.

02/15/2010 12:58:05 PM SMTP Server: 190-97-204-226.ert.com.co (190.97.204.226) connected

02/15/2010 12:58:06 PM SMTP Server: 190-97-204-226.ert.com.co (190.97.204.226) disconnected. 0 message[s] received

Our problem here is that we are still receiving a lot of traffic. The external servers are connecting to our server but they don't deliver a message (0 message[s] received), even though they are supposedly not allowed to connect to our server.

How could we stop this?

How can we prevent the connections and the intense traffic?

Regards

Subject: Use a hosted service like Postini.

Then the network traffic goes to them, they filter the emails and you get only connections from the postini server.

There are other alternatives to Postini also.

Subject: relaying and public blacklists

  1. Be sure you aren’t relaying. The configuration document in the Domino Directory has a section for SMTP Inbound Controls. Enter your own domains & IP addresses/ranges in the “Allow messages only from the following internet hosts to be sent to external internet domains:” field.

  2. Use public blacklists. Also on the SMTP Inbound Controls page. Currently recommending:

DNS Blacklist filters: Enabled

DNS Blacklist sites: bl.spamcop.net, zen.spamhaus.org

Desired action when a connecting host is found in a DNS Blacklist: Log and reject message

Custom SMTP error response for rejected messages: Message rejected. Your mail server at %s was found in the DNS Blacklist at %s. Please visit their site for removal instructions.

  3. I would also recommend using an antivirus/antispam third-party tool of some kind. BUT it should be IN ADDITION to the above. You don’t want to accept known bad messages and use up cycles filtering them, when you could just reject the connection to begin with.

Be sure to restart the router after making any of the above changes.
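An added example, not part of the thread and not IBM/Lotus code: a small Python script that tallies the console lines quoted in the question per source IP (connections, messages delivered, rejection reason) and builds the standard DNSBL query name for each source against the zones recommended above. The function names `summarize` and `dnsbl_query_name` are hypothetical, and the embedded sample is the six log lines from the question.

```python
import re
from collections import Counter, defaultdict

# The six console lines quoted in the question, embedded so the example runs offline.
SAMPLE_LOG = """\
02/15/2010 12:48:07 PM SMTP Server [1218:0020-0924] Connection from [89.17.31.212] rejected for policy reasons. IP address of connecting host not found in reverse DNS lookup.
02/15/2010 12:48:07 PM SMTP Server: 89.17.31.212 connected
02/15/2010 12:48:09 PM SMTP Server: 89.17.31.212 disconnected. 0 message[s] received
02/15/2010 12:58:05 PM SMTP Server [1218:001C-02CC] Connection from 190-97-204-226.ert.com.co rejected for policy reasons. Connecting host is denied in your configuration.
02/15/2010 12:58:05 PM SMTP Server: 190-97-204-226.ert.com.co (190.97.204.226) connected
02/15/2010 12:58:06 PM SMTP Server: 190-97-204-226.ert.com.co (190.97.204.226) disconnected. 0 message[s] received
"""

REJECT = re.compile(r"Connection from \[?([^\]\s]+)\]? rejected for policy reasons\. (.+)$")
SESSION = re.compile(r"SMTP Server: (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)? "
                     r"(connected|disconnected\. (\d+) message)")

def summarize(log_text):
    """Per source IP: rejection reasons, connection count, messages delivered."""
    name_to_ip = {}
    stats = defaultdict(lambda: {"reasons": Counter(), "connections": 0, "messages": 0})
    pending = []  # rejections are logged before the hostname -> IP line, so resolve later
    for line in log_text.splitlines():
        if m := SESSION.search(line):
            host, ip, event, count = m.groups()
            if host:
                name_to_ip[host] = ip
            if event == "connected":
                stats[ip]["connections"] += 1
            else:
                stats[ip]["messages"] += int(count)
        elif m := REJECT.search(line):
            pending.append(m.groups())
    for host, reason in pending:
        stats[name_to_ip.get(host, host)]["reasons"][reason] += 1
    return dict(stats)

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name for an IPv4 address: reversed octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["connections"], "connection(s),", s["messages"], "message(s)", dict(s["reasons"]))
        for zone in ("bl.spamcop.net", "zen.spamhaus.org"):
            print("   ", dnsbl_query_name(ip, zone))
```

Sources with many connections and zero messages are the ones the server's own policy is already rejecting; an address is listed in a DNSBL when its query name resolves to an A record.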