Dealing with SMTP invalid command attack

Question

One of our semi-busy mail servers (sendmail) has had a lot of inbound connections over the past few days from hosts that are issuing garbage commands.

In the past two days:

• incoming smtp connections with invalid commands from 39,000 unique IPs
• the IPs come from various ranges all over the world, not just a few networks that I can block
• the mail server serves users throughout north america, so I can't just block connections from unknown IPs
• sample bad commands: http://pastebin.com/4QUsaTXT

I am not sure what someone is trying to accomplish with this attack, besides annoy me.

any ideas what this is about, or how to effectively deal with it?

Answer 1

Here is at least one option for tarpitting these connections after they start spitting out errors. Valid and well-behaved clients shouldn't ever fall into this tarpit.

dnl # New option in v8.14.0
dnl # Override default limit (of 20) NOOPs (invalid or unsupported SMTP
dnl #   commands) before daemon will throttle connection by slowing
dnl #   error message replies (similar to "confBAD_RCPT_THROTTLE")
define(`MaxNOOPCommands', `5')dnl

You can also use the GreetPause feature, which will reject these clients because they are unlikely to respect the pause. You can read more about it here: http://www.deer-run.com/~hal/sysadmin/greet_pause.html

dnl # New feature in v8.13.1 (not listed in Companion)
dnl # Set time in milliseconds before sendmail will present its banner
dnl #   to a remote host (spammers won't wait and will already be
dnl #   transmitting before pause expires, and sendmail will
dnl #   refuse based on pre-greeting traffic) 5000=5 seconds
dnl # NOTE: Requires use of FEATURE(`access_db') and "GreetPause" entries
dnl #       in access table
FEATURE(`greet_pause',`5000')dnl

Answer 2

I would install fail2ban and block at he first invalid command.