Forum Discussion
jhanington_1353
May 20, 2014
Nimbostratus
Need help blocking SMTP connections based on EHLO name
I keep getting attacked from this stupid spam bot script kiddie.
The script is going to our SMTP server and is trying to guess a bunch of typical email addresses but it also somehow got a hold o...
May 20, 2014
Sorry, big oversight on my part. Try this one:
when CLIENT_ACCEPTED {
    # Send the 220 banner from the BIG-IP itself: while TCP::collect is pending
    # the client would otherwise sit waiting for a banner that never arrives
    TCP::respond "220\r\n"
    TCP::collect
}
when CLIENT_DATA {
    set clientpayload [string tolower [TCP::payload]]
    if { $clientpayload contains "ehlo abcd-pc" } {
        reject
    }
    # Not a match: hand the buffered data on to the real SMTP server
    TCP::release
}
Cory_50405
Noctilucent
Is the attacker always sourcing from a single IP address? If so, you could just drop his connection based on IP address:
when CLIENT_ACCEPTED {
    if { [IP::client_addr] equals "1.1.1.1" } {
        reject
    }
}
Or if you really want to do it by EHLO command:
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    set clientpayload [string tolower [TCP::payload]]
    if { $clientpayload contains "EHLO ABCD-PC" } {
        reject
    }
    # Not a match: hand the buffered data on to the real SMTP server
    TCP::release
}
Strongly recommend doing the blocking by IP address if possible as it is less resource intensive.
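The two checks in the iRules above (drop by client IP, drop by the name the client announces in EHLO), modelled in plain Python so the matching logic can be run offline. This is an added example, not code from the thread or from F5; the blocked IP 1.1.1.1, the EHLO name ABCD-PC and the sample sessions are placeholders constructed for illustration, and "reject" stands in for the iRule's TCP reset. It also shows why the first EHLO iRule in this thread never fires: the payload is lowercased but the string it is compared against is not.

```python
"""Added example, not code from the DevCentral thread.

Models the two checks in the iRules above (block by client IP, block by the
name in the client's EHLO) so the matching logic can be run offline. The
blocked IP, the blocked EHLO name and the sample sessions are constructed
for illustration; "reject" here stands for the iRule's TCP reset.
"""
from __future__ import annotations

from ipaddress import ip_address, ip_network

# Constructed blocklists (the thread uses the placeholder IP 1.1.1.1 and the
# EHLO name ABCD-PC). Names are stored lowercased: the comparison must be
# case-insensitive because the client chooses the case.
BLOCKED_SOURCES = [ip_network("1.1.1.1/32")]
BLOCKED_EHLO_NAMES = frozenset({"abcd-pc"})

BANNER = b"220\r\n"  # the banner the iRule sends itself before collecting


def irule_contains_check(payload: bytes, needle: str) -> bool:
    """Literal translation of: [string tolower [TCP::payload]] contains $needle.

    Shows why the first iRule in the thread never fired: the payload is
    lowercased but the needle "EHLO ABCD-PC" is not, so it cannot be found.
    """
    return needle in payload.decode("latin-1").lower()


def ehlo_decision(collected: bytes) -> str:
    """Decide on the bytes collected so far from the client.

    Returns "NEED_MORE" if no complete CRLF-terminated command has arrived,
    "REJECT" if the first command is EHLO/HELO with a blocked name, else "ALLOW".
    Parsing the command rather than substring matching avoids hitting on the
    name appearing elsewhere in the stream (e.g. inside a MAIL FROM address).
    """
    end = collected.find(b"\r\n")
    if end == -1:
        return "NEED_MORE"
    parts = collected[:end].decode("latin-1").split(maxsplit=1)
    if len(parts) != 2:
        return "ALLOW"
    verb, name = parts[0].lower(), parts[1].strip().lower()
    if verb in ("ehlo", "helo") and name in BLOCKED_EHLO_NAMES:
        return "REJECT"
    return "ALLOW"


def simulate_session(client_ip: str, client_segments: list[bytes]) -> list[str]:
    """Replay the iRule's event flow for one connection.

    Returns the sequence of actions the proxy takes: "220" is the banner sent
    on CLIENT_ACCEPTED, "collect" models TCP::collect waiting for more data,
    "reject" the TCP reset and "release" TCP::release (hand the buffered bytes
    to the real SMTP server).
    """
    actions: list[str] = []
    addr = ip_address(client_ip)
    if any(addr in net for net in BLOCKED_SOURCES):
        actions.append("reject")          # cheapest check: done before any I/O
        return actions
    actions.append("220")
    buffered = b""
    for segment in client_segments:       # each segment is one CLIENT_DATA event
        buffered += segment
        decision = ehlo_decision(buffered)
        if decision == "NEED_MORE":
            actions.append("collect")
            continue
        actions.append("reject" if decision == "REJECT" else "release")
        break
    return actions


if __name__ == "__main__":
    print(simulate_session("203.0.113.5", [b"EHLO ABCD-PC\r\n"]))
    print(simulate_session("203.0.113.5", [b"EHLO abcd", b"-pc\r\n"]))
    print(simulate_session("203.0.113.5", [b"EHLO mail.example.net\r\n"]))
    print(simulate_session("1.1.1.1", [b"EHLO whatever\r\n"]))
```

The split-segment session is the reason for the NEED_MORE branch: the first CLIENT_DATA event is not guaranteed to carry the whole EHLO line, so a decision taken on a partial buffer can miss. As the answer above notes, the IP check is the cheap one; the EHLO name is chosen by the client and costs the attacker nothing to change, so it only stops a bot that does not bother to vary it.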
jhanington_1353
May 20, 2014
Nimbostratus
Thanks for the response.
I wish it was done by the same IP because then I could block it through my firewall but sadly it is coming from new addresses every day.
I ran your iRule from above and tried to telnet to my VIP over port 25, but I was not getting a 220 message like usual. I removed the TCP::collect line and I was able to get the 220 message, but the connection did not reject after I entered "EHLO ABCD-PC". Any ideas?