
A few days ago I figured out that someone was trying to get access to my mailserver, obviously to send spam emails through.

After some research I found out that the sender uses a domain referring to my server. Like you bind your domain to a static IP address, so this person did.

What I want to know is: Is there any way to block any traffic (IN/OUT) from that specific domain only? I really can't block my own IP, that's clear. I tried a few examples obtained from Google where some people blocked whole domains by their names. Unfortunately (and even after clearing my browser's cache) I will still be redirected to my own server.

Any suggestions?

Thanks in advance

Thyrador
  • Your question is a bit unclear. What does "try to get access" mean? What has your browser got to do with anything? Do they fake the reverse name server entry to pretend they're part of your network, or do the just send your name in the SMTP HELO/EHLO message? – Matthias Urlichs Jan 24 '14 at 09:38
  • They use their own domain which is reversed to my IP. Like google.com and www.google.com refer to the same IP. They try to crack my mailserver's passwords to get access. They even try to send spam mails, even if they have no access to my mailserver. Because I'm bored of that behaviour, I simply want to block it from everything relating to my server. – Thyrador Jan 24 '14 at 10:03
  • Domains don't get reversed to IP addresses, they point to it. IP addresses get reversed to domains. – Matthias Urlichs Jan 24 '14 at 10:28
  • Well, yeah, that's what I mean. I just want to block it from pointing to my server's address. Any way to do that? – Thyrador Jan 24 '14 at 10:30
  • No. Their DNS records, they can add whatever they like. – Matthias Urlichs Jan 24 '14 at 10:59

1 Answer

0

You can't block TCP/IP traffic from (or to) domains. Traffic doesn't come from domains, it comes from specific IP addresses.

You can block the IP address the sender uses to talk to you.

    iptables -I INPUT -s ADDRESS.OF.THE.SENDER -j REJECT --reject-with icmp-admin-prohibited

See the iptables manpage for further ideas.

  • I can't, because it's referring to MY IP. I just want to block that domain totally so that it can't be used to try to send mails or anything else via my IP – Thyrador Jan 24 '14 at 09:59
  • Of course the traffic is going to your IP, but it's coming from somewhere. You can block that. (Fixed the answer, my "ADDRESS.OF.THE.SERVER" was stupid, sorry about that) – Matthias Urlichs Jan 24 '14 at 10:29
  • I tried that. I'm still able to "connect/reach" my server/domain via that "fake domain" :/ – Thyrador Jan 24 '14 at 10:52
  • *You* can of course reach your server – your own IP traffic comes from your machine, not from the Bad Guy you just blocked. Similarly, the DNS lookup for the fake domain isn't affected. – Matthias Urlichs Jan 24 '14 at 10:55
  • I see. So I just can block that domain from my mailserver itself, by rejecting everything that comes with that domain, but not truly reject everything that's pointing to my server from that domain, right? – Thyrador Jan 24 '14 at 11:00
  • Sure. That would be a mailserver configuration issue. Search for your email server and "tarpit" if you also want to annoy these guys. ;-) – Matthias Urlichs Jan 24 '14 at 11:03
  • Thanks for your help. Unfortunately I'm on Kerio, so I can't find any tarpit for it (or maybe I'm blind). – Thyrador Jan 27 '14 at 09:42
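The thread's conclusion is that a domain cannot be firewalled, only the source addresses behind it, and that a name which merely points at your own IP can still be refused at the SMTP layer. The following is an added example (not code from the answer above, and nothing to do with Kerio) showing both halves of that: a HELO/EHLO check that rejects any client that is not us but presents a hostname or address literal mapping to our address, and a helper that turns the offending sources into iptables REJECT rules of the form used in the answer. The addresses, hostnames and the in-memory DNS table are constructed for the example; a real deployment would pass in a resolver backed by socket.getaddrinfo.

```python
import ipaddress
from typing import Callable, Iterable

# Constructed identities for this example (assumption, not from the thread).
OUR_ADDRESSES = frozenset({ipaddress.ip_address("203.0.113.10")})

# Constructed stand-in for forward DNS (A records). The attacker's name points
# at OUR address, which is exactly the situation the question describes.
FAKE_DNS = {
    "mail.example.org": ["203.0.113.10"],        # our own hostname
    "spam-front.example.net": ["203.0.113.10"],  # foreign name aimed at our IP
    "legit.example.com": ["198.51.100.7"],       # unrelated, honest sender
}


def fake_resolve(name: str) -> list:
    """Offline resolver; replace with a socket.getaddrinfo wrapper for real use."""
    return FAKE_DNS.get(name, [])


def helo_verdict(client_ip: str, helo_arg: str,
                 resolve: Callable[[str], Iterable[str]] = fake_resolve,
                 our_addresses=OUR_ADDRESSES) -> str:
    """Decide whether to accept an SMTP HELO/EHLO argument from client_ip.

    Returns "accept" or a string beginning with "reject: ". The rule is the
    one the thread arrives at: a client that is not us may not present a
    name or address literal that maps to us.
    """
    client = ipaddress.ip_address(client_ip)
    if client in our_addresses:
        return "accept"  # our own traffic is never blocked, whatever it says
    arg = helo_arg.strip().lower().rstrip(".")
    if arg.startswith("[") and arg.endswith("]"):  # RFC 5321 address literal
        try:
            literal = ipaddress.ip_address(arg[1:-1])
        except ValueError:
            return "reject: malformed address literal %s" % helo_arg
        if literal in our_addresses:
            return "reject: literal %s claims our address from %s" % (literal, client)
        return "accept"
    claimed = set()
    for a in resolve(arg):
        try:
            claimed.add(ipaddress.ip_address(a))
        except ValueError:
            pass  # ignore junk returned by the resolver
    if claimed & our_addresses:
        return "reject: HELO %s resolves to our address but client is %s" % (arg, client)
    return "accept"


def iptables_rules(connections: Iterable[tuple]) -> list:
    """From (client_ip, helo) pairs, emit one REJECT rule per offending source,
    in the same form as the iptables line in the answer above."""
    bad = {ip for ip, helo in connections if helo_verdict(ip, helo).startswith("reject")}
    ordered = sorted(bad, key=lambda s: (ipaddress.ip_address(s).version,
                                         ipaddress.ip_address(s)))
    return ["iptables -I INPUT -s %s -j REJECT --reject-with icmp-admin-prohibited" % ip
            for ip in ordered]


# Constructed sample of connections as a mail server might log them.
SAMPLE_CONNECTIONS = [
    ("192.0.2.50", "spam-front.example.net"),   # foreign client, name aimed at us
    ("192.0.2.50", "[203.0.113.10]"),           # same client, literal claiming our IP
    ("198.51.100.7", "legit.example.com"),      # honest sender
    ("203.0.113.10", "spam-front.example.net"), # us: always accepted, never firewalled
]

if __name__ == "__main__":
    for ip, helo in SAMPLE_CONNECTIONS:
        print(ip, helo, "->", helo_verdict(ip, helo))
    print("\n".join(iptables_rules(SAMPLE_CONNECTIONS)))
```

Note that the check deliberately accepts unresolvable or mismatched HELO names that do not point at us; rejecting those outright is a separate, stricter policy and breaks more legitimate senders than it catches.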