Dealing with SMTP invalid command attack

security linux sendmail smtp

Solution 1:

Here is at least one option for tarpitting these connections after they start spitting out errors. Valid and well-behaved clients shouldn't ever fall into this tarpit.

dnl # New option in v8.14.0
dnl # Override default limit (of 20) NOOPs (invalid or unsupported SMTP
dnl #   commands) before daemon will throttle connection by slowing
dnl #   error message replies (similar to "confBAD_RCPT_THROTTLE")
define(`MaxNOOPCommands', `5')dnl

You can also use the GreetPause feature, which will reject these clients because they are unlikely to respect the pause. You can read more about it here: http://www.deer-run.com/~hal/sysadmin/greet_pause.html

dnl # New feature in v8.13.1 (not listed in Companion)
dnl # Set time in milliseconds before sendmail will present its banner
dnl #   to a remote host (spammers won't wait and will already be
dnl #   transmitting before pause expires, and sendmail will
dnl #   refuse based on pre-greeting traffic) 5000=5 seconds
dnl # NOTE: Requires use of FEATURE(`access_db') and "GreetPause" entries
dnl #       in access table
FEATURE(`greet_pause',`5000')dnl

Solution 2:

I would install fail2ban and block at he first invalid command.

Related

no default value for required attribute
How do you measure the memory footprint of a set of forked processes?
virtual disk image - file or partition
How to set only specific nginx server block into maintenance mode programmatically
How can I move s3 objects >5gb from one bucket to another?
Checking yum connectivity from a script?
How do I lock down nginx on debian wheezy (running systemd)?
How to avoid specifying full path in sudoers file?
Serial Over Lan doesn't redirect OS terminal
Putty: Incoming Packet was garbled on decryption
Software VPN connection to Amazon AWS VPC private instance [closed]
To zero pad hostnames or not?