0

I have searched here, but there is no topic about my question (they just ask why their email was rejected, but this time it is not my email that is being rejected). It seems someone is trying to send spam out via my server. This one is very annoying; it has started trying over 1000 times, like this:

2022-10-02 08:15:01 H=(DESKTOP-K89KQBI) [212.191.80.243] F=postmaster@network.org rejected RCPT test@stunningsolutions.in: relay not permitted, authentication required

Yes, I can block this IP, but he tries a new IP every day....

How can I block this kind of attack? Any csf rule? Thank you

simonlo
  • The "rejected" indicates the unauthorized attempt *was* stopped. What else do you want? – anx Oct 09 '22 at 06:16
  • "how can I block this kind of attack?" This is not an attack. You already "block" "attack". **You can't force remotes to do or not do something. Any host can send you whatever it wants.** You can only ignore something that has already reached your host, on your side, at different stages and levels – gapsf Oct 09 '22 at 07:57
  • Thank you all. I want to block them when this starts; they have tried over 1000 times, so I want to block their IP when they start trying to "attack". Thanks – simonlo Oct 09 '22 at 13:46
  • It is mostly ineffective because IPs may change constantly and you need to analyze exim logs to dynamically update iptables/ipset rules. If server performance doesn't suffer from these connections, just ignore it – gapsf Oct 09 '22 at 14:42
  • Or you may use an IP whitelist if you know from what IPs you want to receive mail. Also check that exim uses SPF checks – gapsf Oct 09 '22 at 14:47
  • Thank you gapsf. Is there any solution that lets only the IPs in a whitelist send email out, so the others can't send via my server (exim allows only the IPs in the list to send mail)? Thank you so much – simonlo Oct 10 '22 at 04:01
  • Thank you gapsf, I have tried adding a csf rule to block it; hope this will work – simonlo Oct 10 '22 at 04:48

1 Answer

2

You can install a package called Fail2ban. It's software that checks your logs in real time and, through regex filters, detects the log entries you want to take into account to ban IPs for a specific period. Check out Fail2ban.org for more info.
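
The log-driven counting described in this answer, sketched in Python as an added example (not part of the original answer and not Fail2ban's own code): a regex picks out the "relay not permitted" rejections in the form quoted in the question, and an address is flagged once it reaches `maxretry` rejections within `findtime`. The parameter names are borrowed from Fail2ban's jail settings; the threshold values, sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exim mainlog rejection in the form quoted in the question.
RELAY_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=.*?\[(?P<ip>[0-9A-Fa-f.:]+)\] .*"
    r"rejected RCPT \S+: relay not permitted"
)

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each IP to the time it reached maxretry rejections within findtime."""
    recent = defaultdict(deque)  # ip -> rejection times still inside the window
    banned = {}
    for line in lines:
        m = RELAY_DENIED.match(line)
        if not m or m["ip"] in banned:
            continue  # unrelated log line, or address already flagged
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > findtime:  # forget rejections older than the window
            hits.popleft()
        if len(hits) >= maxretry:
            banned[m["ip"]] = ts
    return banned

# Constructed sample log (documentation-range addresses, made-up host names).
REJ = ("F=postmaster@example.org rejected RCPT test@example.net: "
       "relay not permitted, authentication required")
SAMPLE_LOG = [
    f"2022-10-02 08:15:01 H=(DESKTOP-EXAMPLE) [203.0.113.7] {REJ}",
    f"2022-10-02 08:15:03 H=(DESKTOP-EXAMPLE) [203.0.113.7] {REJ}",
    f"2022-10-02 08:15:04 H=(OTHER-EXAMPLE) [198.51.100.9] {REJ}",
    "2022-10-02 08:15:05 1oeXyZ-0001Ab-Cd <= user@example.com "
    "H=mail.example.com [198.51.100.20] P=esmtps S=1234",
    f"2022-10-02 08:15:09 H=(DESKTOP-EXAMPLE) [203.0.113.7] {REJ}",
    f"2022-10-02 08:40:00 H=(OTHER-EXAMPLE) [198.51.100.9] {REJ}",
    f"2022-10-02 09:30:00 H=(OTHER-EXAMPLE) [198.51.100.9] {REJ}",
]

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when})")
```

The address that retries in a burst is flagged on its third rejection, while the one whose three rejections are spread over more than an hour never has three inside the window and is left alone.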