
SPAMMING THROUGH FLOATING IP

FAJUMO
Cirrus

We noticed we are getting SPAM mails; when we checked, it was noticed that the sender IP is our system floating IP of F5.

What is required now is to get the real IP relaying the SPAM email.

9 REPLIES

Hi,

Are you using the BIG-IP as a reverse proxy for your SMTP traffic?

Cheers,

Kees

full proxy

SMTP doesn't support the option to insert the original client IP.

But you could use the iRule in this DC answer to log it to a remote log server: https://community.f5.com/t5/technical-forum/logging-smtp-traffic-info-via-hsl-to-remote-log-server/t...

Cheers,

Kees
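
An added example, not part of the thread and not the iRule from the linked answer: a minimal iRule that records which real client sits behind each connection the mail server sees coming from the BIG-IP. It assumes the floating IP shows up as the sender because the virtual server SNATs its server-side connections; the pool name smtp_trace_syslog_pool is hypothetical.

```tcl
# Added example. Assumptions: SNAT is in use on the SMTP virtual server,
# and smtp_trace_syslog_pool (hypothetical name) is a pool of remote syslog servers.
when CLIENT_ACCEPTED {
    # Client side of the full proxy: the real peer address is visible here.
    set c_addr  [IP::client_addr]
    set c_port  [TCP::client_port]
    set vs_name [virtual name]
    # Open a high-speed logging handle towards the remote log server pool.
    set hsl [HSL::open -proto UDP -pool smtp_trace_syslog_pool]
}

when SERVER_CONNECTED {
    # Server side: IP::local_addr / TCP::local_port are the source address and
    # port the SMTP server records (the floating self IP when SNAT is in use).
    set line "smtp-trace vs=$vs_name client=$c_addr:$c_port"
    append line " snat=[IP::local_addr]:[TCP::local_port]"
    append line " server=[IP::server_addr]:[TCP::server_port]"
    # Local copy in /var/log/ltm and a remote copy via HSL.
    # <190> is the syslog priority for facility local7, severity info.
    log local0.info $line
    HSL::send $hsl "<190>$line\n"
}
```

If the mail server logs the client port, match the snat=address:port value against the source it recorded for the spam message to find the real client; the vs= field also identifies which virtual server carried the connection.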

Hello Kees,

I am new to iRules.

I saw this iRule from your link, but I do not know where to add the SMTP IPs here, as there are 3: 10.161.18.21-23

Hello,

There is no need to add those SMTP addresses. 

Hello Kees,

Thanks so much.

The mail issue is that we do not know the VS the SPAM mail is being relayed through. We are just seeing the floating IP as the initiator.

How do I assign this iRule since the virtual server is not known?

 


You have to log in to the BIG-IP web GUI, go to Local Traffic -> Virtual Servers and look for the virtual server with port 25.

Hello Kees,

I have seen the VS, and need to apply this iRule to it.

Please advise if this iRule is okay.

when RULE_INIT {
    # Debug flag (not referenced elsewhere in this rule)
    set static::smtp_debug 1
    # Route domain suffix appended to addresses before comparing with IP::client_addr
    set static::route_domain_id 1
}

when CLIENT_ACCEPTED {
    # Only clients listed in the internal_IP data group may connect
    if {[class match [getfield [IP::client_addr] % 1] equals internal_IP]} {
    } else {
        drop
        return
    }
    # Match HELO/EHLO lines, the end-of-data dot and two server replies; nothing is rewritten
    STREAM::expression {@[hH][eE][lL][oO] .*[[:cntrl:]][[:cntrl:]]@@ @[eE][hH][lL][oO] .*[[:cntrl:]][[:cntrl:]]@@ @[.][[:cntrl:]][[:cntrl:]]@@ @354 End data with @@ @250 2.0.0 Ok: queued as @@}
    STREAM::enable
    set disable_matching 0
}

when STREAM_MATCHED {
    switch -glob [STREAM::match] {
        "354 End data with " {
            # Message body follows: stop evaluating matches until the closing dot
            incr disable_matching
            STREAM::replace
            return
        }
        "250 2.0.0 Ok: queued as " {
            STREAM::replace
            return
        }
        default {
            set mstring_hex ""
            set mstring_hex_trimmed ""
            set mstring_ascii ""
            set c_initiation_string_hex_trimmed ""
            set detected_c_initiation_string ""
            # Strip the trailing two control characters (CRLF) from the match
            binary scan [STREAM::match] H* mstring_hex
            set mstring_hex_trimmed [string range $mstring_hex 0 end-4]
            set mstring_ascii [binary format H* $mstring_hex_trimmed]

            # End-of-data dot: resume matching
            if { $mstring_ascii eq "\." } {
                set disable_matching 0
                STREAM::replace
                return
            }
            if { $disable_matching > 0 } {
                STREAM::replace
                return
            }
            # Identity the client declared in HELO/EHLO
            if { ( [string tolower $mstring_ascii] starts_with "helo " ) or ( [string tolower $mstring_ascii] starts_with "ehlo " ) } {
                set c_declared_id [string range $mstring_ascii 5 end]
            }
            # Remove the brackets of an address literal such as [10.0.0.1]
            if { $c_declared_id contains "\[" } {
                set c_declared_id [ string map [ list \[ "" \] "" ] $c_declared_id ]
            }
            set a null
            set b null
            set c null
            set d null
            # Octets are read in order a b c d (the posted rule had "a b d c")
            scan $c_declared_id {%d.%d.%d.%d} a b c d
            if { !($a == "null") && !($b == "null") && !($c == "null") && !($d == "null") } {
                # Declared identity is an IPv4 address: it must equal the client address
                if { (0 <= $a) && ($a <= 255) &&
                     (0 <= $b) && ($b <= 255) &&
                     (0 <= $c) && ($c <= 255) &&
                     (0 <= $d) && ($d <= 255) } {
                    if { $static::route_domain_id != 0 } {
                        append c_declared_id "%" $static::route_domain_id
                    }
                    if { not ( $c_declared_id equals [IP::client_addr] ) } {
                        drop
                        return
                    }
                }
            } else {
                # Declared identity is a host name: it must contain a dot
                # and resolve to the client address
                if { ! ( $c_declared_id contains "\." ) } {
                    drop
                    return
                }
                if { $static::route_domain_id != 0 } {
                    set resolved_addrs [RESOLV::lookup @172.18.240.210%$static::route_domain_id -a $c_declared_id]
                } else {
                    set resolved_addrs [RESOLV::lookup @172.18.240.210 -a $c_declared_id]
                }
                if { not ( $resolved_addrs equals "" ) } {
                    set addr_matched 0
                    foreach resolved_addr $resolved_addrs {
                        if { $static::route_domain_id != 0 } {
                            append resolved_addr "%" $static::route_domain_id
                        }
                        if { $resolved_addr equals [IP::client_addr] } {
                            incr addr_matched
                            break
                        }
                    }
                    if { $addr_matched < 1 } {
                        drop
                        return
                    }
                } else {
                    drop
                    return
                }
            }
            STREAM::replace
            return
        }
    }
}

when SERVER_CONNECTED {
    # Server side only needs the two reply patterns
    STREAM::expression {@354 End data with @@ @250 2.0.0 Ok: queued as @@}
    STREAM::enable
}

Yes it is. Before applying it to the virtual server you have to attach a stream profile to the virtual server.