Forum Discussion
SPAMMING THROUGH FLOATING IP
We noticed we are getting SPAM mails. When we checked, it was noticed that the sender IP is our system floating IP of F5.
Required now is to get the real IP relaying the SPAM email.
Hi,
Are you using the BIG-IP as a reverse proxy for your SMTP traffic?
Cheers,
Kees
- FAJUMOCirrus
full proxy
SMTP doesn't support the option to insert the original client IP.
But you could use the iRule in this DC answer to log it to a remote log server: https://community.f5.com/t5/technical-forum/logging-smtp-traffic-info-via-hsl-to-remote-log-server/td-p/220880
Cheers,
Kees
- FAJUMOCirrus
Hello Kees,
I am new to iRules.
I saw this iRule from your link, but do not know where to add the SMTP IPs here, as there are 3: 10.161.18.21-23
Hello,
There is no need to add those SMTP addresses.
- FAJUMOCirrus
Hello Kees,
Thanks so much.
The mail issue is that we do not know the VS relaying the SPAM mail through. We are just seeing the floating IP as the initiator.
How do I assign this iRule since the virtual server is not known?
You have to log in to the BIG-IP web GUI, go to Local Traffic -> Virtual Servers and look for the virtual server with port 25.
- FAJUMOCirrus
Hello Kees,
I have seen the VS, and need to apply this iRule to it.
Advise if this iRule is okay.
when RULE_INIT {
    set static::smtp_debug 1
    set static::route_domain_id 1
}
when CLIENT_ACCEPTED {
    # Only clients listed in the internal_IP data group may connect
    if {[class match [getfield [IP::client_addr] % 1] equals internal_IP]} {
    } else {
        drop
        return
    }
    # Match HELO/EHLO lines, the end-of-data "." line and two server replies
    STREAM::expression {@[hH][eE][lL][oO] .*[[:cntrl:]][[:cntrl:]]@@ @[eE][hH][lL][oO] .*[[:cntrl:]][[:cntrl:]]@@ @[.][[:cntrl:]][[:cntrl:]]@@ @354 End data with @@ @250 2.0.0 Ok: queued as @@}
    STREAM::enable
    set disable_matching 0
}
when STREAM_MATCHED {
    switch -glob [STREAM::match] {
        "354 End data with " {
            # Server accepted DATA: stop inspecting until the message ends
            incr disable_matching
            STREAM::replace
            return
        }
        "250 2.0.0 Ok: queued as " {
            STREAM::replace
            return
        }
        default {
            set mstring_hex ""
            set mstring_hex_trimmed ""
            set mstring_ascii ""
            set c_initiation_string_hex_trimmed ""
            set detected_c_initiation_string ""
            # Strip the trailing CRLF (last 4 hex digits) from the match
            binary scan [STREAM::match] H* mstring_hex
            set mstring_hex_trimmed [string range $mstring_hex 0 end-4]
            set mstring_ascii [binary format H* $mstring_hex_trimmed]
            if { $mstring_ascii eq "\." } {
                # End of message body: resume inspection
                set disable_matching 0
                STREAM::replace
                return
            }
            if { $disable_matching > 0 } {
                STREAM::replace
                return
            }
            if { ( [string tolower $mstring_ascii] starts_with "helo " ) or ( [string tolower $mstring_ascii] starts_with "ehlo " ) } {
                set c_declared_id [string range $mstring_ascii 5 end]
            }
            # Remove the brackets of an address literal such as [192.0.2.1]
            if { $c_declared_id contains "\[" } {
                set c_declared_id [ string map [ list \[ "" \] "" ] $c_declared_id ]
            }
            set a null
            set b null
            set c null
            set d null
            scan $c_declared_id {%d.%d.%d.%d} a b c d
            if { !($a == "null") && !($b == "null") && !($c == "null") && !($d == "null") } {
                # HELO/EHLO argument is an IPv4 address: it must equal the client address
                if { (0 <= $a) && ($a <= 255) &&
                     (0 <= $b) && ($b <= 255) &&
                     (0 <= $c) && ($c <= 255) &&
                     (0 <= $d) && ($d <= 255) } {
                    if { $static::route_domain_id != 0 } {
                        append c_declared_id "%" $static::route_domain_id
                    }
                    if { not ( $c_declared_id equals [IP::client_addr] ) } {
                        drop
                        return
                    }
                }
            } else {
                # HELO/EHLO argument is a name: it must contain a dot and
                # resolve to the client address
                if { ! ( $c_declared_id contains "\." ) } {
                    drop
                    return
                }
                if { $static::route_domain_id != 0 } {
                    set resolved_addrs [RESOLV::lookup @172.18.240.210%$static::route_domain_id -a $c_declared_id]
                } else {
                    set resolved_addrs [RESOLV::lookup @172.18.240.210 -a $c_declared_id]
                }
                if { not ( $resolved_addrs equals "" ) } {
                    set addr_matched 0
                    foreach resolved_addr $resolved_addrs {
                        if { $static::route_domain_id != 0 } {
                            append resolved_addr "%" $static::route_domain_id
                        }
                        if { $resolved_addr equals [IP::client_addr] } {
                            incr addr_matched
                            break
                        }
                    }
                    if { $addr_matched < 1 } {
                        drop
                        return
                    }
                } else {
                    drop
                    return
                }
            }
            STREAM::replace
            return
        }
    }
}
when SERVER_CONNECTED {
    STREAM::expression {@354 End data with @@ @250 2.0.0 Ok: queued as @@}
    STREAM::enable
}
Yes it is. Before applying it to the virtual server you have to attach a stream profile to the virtual server.
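For the original question (finding the real IP behind the floating IP), a logging iRule along the lines Kees suggested, as an added example that is not code from this thread or from the linked answer. It assumes the virtual server uses SNAT, so the mail server only sees the floating address; `syslog_pool` is a hypothetical pool of remote syslog servers and the log field names are made up for illustration.

```tcl
# Added example. Assumptions: SNAT is in use on the port 25 virtual server,
# and "syslog_pool" (hypothetical name) is a pool of remote syslog servers.
when CLIENT_ACCEPTED {
    # Real source address and port, as seen on the client side of the proxy
    set c_ip   [IP::client_addr]
    set c_port [TCP::client_port]
    set vs     [virtual name]
    # High-speed logging handle; UDP syslog towards the pool members
    set hsl    [HSL::open -proto UDP -pool syslog_pool]
}
when SERVER_CONNECTED {
    # Address and port the mail server sees for this connection
    # (the floating/SNAT address that shows up as the sender IP)
    set snat_ip   [IP::local_addr]
    set snat_port [TCP::local_port]
    # <190> = syslog facility local7, severity info
    HSL::send $hsl "<190>smtp_trace vs=$vs client=$c_ip:$c_port snat=$snat_ip:$snat_port server=[IP::server_addr]:[TCP::server_port]\n"
}
```

Each connection then produces one line pairing the real client address with the SNAT address and port, which can be matched against the mail server's own log entry for a SPAM message by timestamp (and by source port, if the mail server records it).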