Tuesday, August 9, 2011

Blocking SMTP Connections

This morning we started getting hammered with SMTP connections delivering spam. About 99% of them are addressed to a single user. In roughly 4 hours the cbl.abuseat.org RBL produced 2100 rejects. To cut down on the number of connections reaching postfix at all, I put together a basic swatch setup that blocks the rejected client addresses at the firewall.

Given the following log line format in /var/log/mail.info (one line, wrapped here):
Aug  9 13:19:47 spamfilter postfix/smtpd[24249]: NOQUEUE: reject: RCPT from 189-015-176-022.xd-dynamic.ctbcnetsuper.com.br[189.15.176.22]: 554 5.7.1 Service unavailable; Client host [189.15.176.22] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=189.15.176.22; from=<aubree_jackson757@cibullgroup.com> to=<localuser@domain.com> proto=ESMTP helo=<189-015-176-022.xd-dynamic.ctbcnetsuper.com.br>

The following setup uses iptables to block the IP address of any client that the RBL rejected.

Create a bash script at /usr/local/sbin/blockip.sh and make it executable:

#!/bin/bash
# The 10th whitespace-separated field of the log line is "host[IP]:";
# pull out the text between the brackets.
IP=$(echo "${10}" | cut -d[ -f2 | cut -d] -f1)
# Only accept a dotted-quad IPv4 address so nothing else ever reaches iptables.
if ! [[ "$IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
    exit 1
fi
# Skip the insert if a rule for this exact address already exists
# (match "-s IP/32" so 10.1.1.1 does not also match 10.1.1.10).
if ! /sbin/iptables-save | grep -qF -- "-s $IP/32 "; then
    /sbin/iptables -I INPUT -s "$IP" -j DROP
fi


Create a /etc/swatch.conf config file:
watchfor=/cbl\.abuseat\.org/
    exec "/usr/local/sbin/blockip.sh $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15"


Start your swatch process:
/usr/bin/swatch -c /etc/swatch.conf --awk-field-syntax -t /var/log/mail.info --tail-args '--follow=name -n 0' --daemon

Then add that swatch command to rc.local, or whatever your system's equivalent startup file is, so it comes back after a reboot.
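As an added example, not part of the original post, the same extraction and duplicate check written as plain sh functions that can be exercised offline: the log lines and the iptables-save excerpt are constructed, the no-reverse-DNS form postfix logs as "unknown[IP]" is covered, the IP is accepted only if it has a dotted-quad shape, and the iptables command is printed rather than run. The already_blocked check uses a fixed-string match on "-s IP/32 " so that a rule for 10.1.1.1 does not hide a new 10.1.1.10.

```shell
#!/bin/sh
# Added example (not from the original post): parse a postfix smtpd RBL
# reject line, extract and validate the client IP, and decide whether a
# DROP rule is still needed by checking an iptables-save dump that is
# passed in as text (so this runs offline and without root).

# Constructed sample log lines; the first mirrors the post's format.
SAMPLE_RBL='Aug  9 13:19:47 spamfilter postfix/smtpd[24249]: NOQUEUE: reject: RCPT from 189-015-176-022.xd-dynamic.ctbcnetsuper.com.br[189.15.176.22]: 554 5.7.1 Service unavailable; Client host [189.15.176.22] blocked using cbl.abuseat.org; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<x>'
SAMPLE_NORDNS='Aug  9 13:20:01 spamfilter postfix/smtpd[24250]: NOQUEUE: reject: RCPT from unknown[10.1.1.10]: 554 5.7.1 Service unavailable; Client host [10.1.1.10] blocked using cbl.abuseat.org; from=<c@example.com> to=<b@example.com> proto=ESMTP helo=<y>'
SAMPLE_DUP='Aug  9 13:20:03 spamfilter postfix/smtpd[24252]: NOQUEUE: reject: RCPT from unknown[10.1.1.1]: 554 5.7.1 Service unavailable; Client host [10.1.1.1] blocked using cbl.abuseat.org; from=<d@example.com> to=<b@example.com> proto=ESMTP helo=<z>'
SAMPLE_OTHER='Aug  9 13:20:05 spamfilter postfix/smtpd[24251]: connect from mail.example.net[192.0.2.7]'

# Constructed iptables-save excerpt: 10.1.1.1 is already blocked, 10.1.1.10 is not.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.1.1.1/32 -j DROP
COMMIT'

# Print the client IP from an RBL reject line; print nothing and return 1
# for any other line. The IP is taken from "RCPT from <host>[<ip>]:" only
# when it has a dotted-quad shape, so odd text never reaches iptables.
extract_rbl_client_ip() {
    line=$1
    case $line in
        *'blocked using cbl.abuseat.org'*) ;;
        *) return 1 ;;
    esac
    ip=$(printf '%s\n' "$line" |
        sed -n 's/.* RCPT from [^ ]*\[\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)]:.*/\1/p')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# Return 0 if a rule for exactly this IP is present in the iptables-save
# text. A fixed-string match on "-s <ip>/32 " avoids the substring problem
# where 10.1.1.1 would also match 10.1.1.10.
already_blocked() {
    ip=$1
    rules=$2
    printf '%s\n' "$rules" | grep -qF -- "-s $ip/32 "
}

# Print the iptables command that would be run, or nothing if the address
# is already blocked. Piping the output to sh as root performs the block;
# printing it keeps this example free of side effects.
block_command_for() {
    line=$1
    rules=$2
    ip=$(extract_rbl_client_ip "$line") || return 1
    if already_blocked "$ip" "$rules"; then
        return 0
    fi
    printf '/sbin/iptables -I INPUT -s %s -j DROP\n' "$ip"
}

# Walk the constructed lines: the first two print a command, the third is
# already covered by SAMPLE_RULES and prints nothing.
block_command_for "$SAMPLE_RBL" "$SAMPLE_RULES"
block_command_for "$SAMPLE_NORDNS" "$SAMPLE_RULES"
block_command_for "$SAMPLE_DUP" "$SAMPLE_RULES"
```

If you wire functions like these into swatch, passing the whole line with `$0` instead of fifteen separate fields is simpler and does not depend on the field count staying fixed; the extraction then anchors on "RCPT from" rather than on field position.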
