Forum Discussion

jhanington_1353
May 20, 2014

Need help blocking SMTP connections based off EHLO name

I keep getting attacked by this stupid spam bot script kiddie.

The script is going to our SMTP server and is trying to guess a bunch of typical email addresses but it also somehow got a hold of a couple of real email accounts on our system and it keeps going through and guessing typical passwords until that account is locked out.
I need help writing an iRule for my SMTP virtual server that will look for a packet with the message "EHLO ABCD-PC" and then drops or kills the connection.
  • Is the attacker always sourcing from a single IP address? If so, you could just drop his connection based on IP address:

    when CLIENT_ACCEPTED {
     # drop the connection as soon as it is accepted if it comes from the attacker's address
     if { [IP::client_addr] equals "1.1.1.1" } {
      reject
     }
    }
    

    Or if you really want to do it by EHLO command:

    when CLIENT_ACCEPTED {
     # hold the client's first data so CLIENT_DATA fires before anything is sent to the server
     TCP::collect
     }
    
    when CLIENT_DATA {
     set clientpayload [string tolower [TCP::payload]]
     # note: the payload was lowercased but the pattern is uppercase, so this never matches
     if { $clientpayload contains "EHLO ABCD-PC" } {
      reject
     }
    }
    

    Strongly recommend doing the blocking by IP address if possible as it is less resource intensive.

    • jhanington_1353
      Thanks for the response. I wish it was done by the same IP because then I could block it through my firewall but sadly it is coming from new addresses every day. I ran your iRule from above and tried to telnet to my VIP over port 25 but I was not getting a 220 message like usual. I removed the TCP::collect line and I was able to get the 220 message but the connection did not reject after I entered "EHLO ABCD-PC". Any ideas? How
  • Sorry, big oversight on my part. Try this one:

    when CLIENT_ACCEPTED {
     # send a banner ourselves: the server side is not connected while we collect,
     # so without this the client never sees a 220 and never sends EHLO
     TCP::respond "220\r\n"
     TCP::collect
     }
    
    when CLIENT_DATA {
     # lowercase the payload so the comparison is case-insensitive
     set clientpayload [string tolower [TCP::payload]]
     if { $clientpayload contains "ehlo abcd-pc" } {
      reject
     }
     # no TCP::release here, so clients that do not match are never forwarded to the server
    }
    
    • jhanington_1353
      Perfect. Now I just have to figure out how to get devices that don't say "ehlo abcd-pc" to connect. Would I just write this....

        when CLIENT_DATA {
         set clientpayload [string tolower [TCP::payload]]
         if { $clientpayload contains "ehlo abcd-pc" } {
          reject
         } else {
          TCP::release
         }
        }
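    Added example (not posted by anyone in this thread): a fuller version of the same iRule that releases non-matching clients, compares the greeting name exactly instead of with `contains` (so "abcd-pc2" is not caught by accident), waits for a complete command line before deciding, and strips the backend's own 220 greeting because one was already sent to the client. The banner text, the blocklist contents and the 1024-byte limit are assumptions.

    ```tcl
    when CLIENT_ACCEPTED {
        # Greet the client ourselves; the server side stays unconnected until
        # TCP::release, so the real banner would never reach the client.
        # Assumed banner text: mirror your real server's greeting.
        TCP::respond "220 mail.example.com ESMTP\r\n"
        TCP::collect
    }

    when CLIENT_DATA {
        set payload [TCP::payload]
        # A client may split the line across segments: wait for a newline,
        # but do not buffer forever (1024 bytes is an assumed cut-off).
        if { [string first "\n" $payload] == -1 } {
            if { [TCP::payload length] > 1024 } { reject } else { TCP::collect }
            return
        }
        set line [string trim [lindex [split $payload "\n"] 0]]
        # Only the HELO/EHLO name is inspected; everything else is forwarded.
        if { [regexp -nocase {^(?:ehlo|helo)\s+(\S+)} $line -> name] } {
            set name [string tolower $name]
            # Exact match against the blocked names ("abcd-pc" is the one from
            # the thread); in production keep these in a data group instead.
            if { [lsearch -exact [list "abcd-pc"] $name] >= 0 } {
                log local0. "Rejected SMTP client [IP::client_addr] (EHLO $name)"
                reject
                return
            }
        }
        TCP::release
    }

    when SERVER_CONNECTED {
        TCP::collect
    }

    when SERVER_DATA {
        # The client already received a banner, so drop the backend's 220 line
        # to avoid sending two greetings. Assumes it arrives in one segment.
        if { [string match "220*" [TCP::payload]] } {
            TCP::payload replace 0 [TCP::payload length] ""
        }
        TCP::release
    }
    ```

    Test it with telnet to the VIP on port 25 first, then with a real mail client, since clients that send their greeting before the banner or expect a multi-line greeting behave differently from a terminal session.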
  • JG

    Does your SMTP server support the "vrfy" and "expand" commands?