We have the following setup:
Redhat kernel 2.4.16
Sendmail 8.11.6
This is a very old, ~7 years, cobalt RaQ server and is not easily
upgradeable. Currently, we are being hit by multiple IP addresses from
Latin America, Russia, Pakistan and others that open SMTP connections to
our mail server and attempt to send emails from malformed addresses.
Always missing the top level domain and similar in format to:
- losingm7@mysterious
- kingleirr5@pc
- etc
Our sendmail responds with:
sendmail[6973]: n8JABr406973: ruleset=check_mail, arg1=<evangelinaii2@mysterious>, relay=wtl.worldcall.net.pk [115.186.114.184] (may be forged), reject=553 5.1.8 <evangelinaii2@mysterious>... Domain of sender address evangelinaii2@mysterious does not exist
At this point, the attacker sends a RSET command and tries another
similar but different email address. We are getting ~2 attempts every
second from each IP address. The reason I think this may be a DoS
attack is that as soon as I kill a connection, within seconds a new IP
address starts up another attack from a completely new geography. For
example, I kill a connection from Chile and another connection from
Colombia starts 1 second later.
Obviously, this is causing unnecessary load on our mail server and I
would like to stop these connections at the gateway if possible. Does
anyone have ideas on how to fix this? I realize our mail server is
badly in need of replacement, and that is in the works, but not
complete yet. What I am looking for is a band-aid on this issue.
Thanks.
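As an added illustration (not code from the original post), a small Python script that scans sendmail check_mail reject lines like the one quoted above, counts TLD-less sender rejects per connecting IP, and builds port-25 drop rules for the worst offenders. The sample log lines are constructed (the first is the post's own), the 192.0.2.x and 203.0.113.x addresses are documentation ranges, and an iptables-based gateway is an assumption.

```python
import re
from collections import Counter

# Matches the check_mail reject lines quoted in the post and pulls out the
# rejected sender, the connecting relay's IP and the SMTP reply code.
REJECT_RE = re.compile(
    r"ruleset=check_mail, arg1=<(?P<sender>[^>]*)>, "
    r"relay=[^\[]*\[(?P<ip>[0-9.]+)\][^,]*, "
    r"reject=(?P<code>\d{3}) (?P<esc>[\d.]+)")

# Constructed sample log: line 1 is the post's own line; the other IPs are
# documentation ranges (192.0.2.0/24, 203.0.113.0/24), not real hosts.
SAMPLE_LOG = """\
sendmail[6973]: n8JABr406973: ruleset=check_mail, arg1=<evangelinaii2@mysterious>, relay=wtl.worldcall.net.pk [115.186.114.184] (may be forged), reject=553 5.1.8 <evangelinaii2@mysterious>... Domain of sender address evangelinaii2@mysterious does not exist
sendmail[6973]: n8JABr406973: ruleset=check_mail, arg1=<losingm7@mysterious>, relay=wtl.worldcall.net.pk [115.186.114.184] (may be forged), reject=553 5.1.8 <losingm7@mysterious>... Domain of sender address losingm7@mysterious does not exist
sendmail[6973]: n8JABr406973: ruleset=check_mail, arg1=<kingleirr5@pc>, relay=wtl.worldcall.net.pk [115.186.114.184] (may be forged), reject=553 5.1.8 <kingleirr5@pc>... Domain of sender address kingleirr5@pc does not exist
sendmail[7012]: n8JACx007012: ruleset=check_mail, arg1=<abc1@pc>, relay=[192.0.2.10], reject=553 5.1.8 <abc1@pc>... Domain of sender address abc1@pc does not exist
sendmail[7012]: n8JACx007012: ruleset=check_mail, arg1=<abc2@mysterious>, relay=[192.0.2.10], reject=553 5.1.8 <abc2@mysterious>... Domain of sender address abc2@mysterious does not exist
sendmail[7044]: n8JADk007044: ruleset=check_mail, arg1=<bob@typo.invalid>, relay=mx.example.net [203.0.113.5], reject=553 5.1.8 <bob@typo.invalid>... Domain of sender address bob@typo.invalid does not exist
sendmail[7050]: n8JAEq007050: from=<alice@example.com>, size=1234, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.com [203.0.113.20]
"""

def parse_reject(line):
    """Return the fields of a check_mail reject line, or None for any other line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    sender = m.group("sender")
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""  # no '@' counts as malformed too
    return {"ip": m.group("ip"), "sender": sender, "domain": domain,
            "code": int(m.group("code")), "missing_tld": "." not in domain}

def count_malformed_by_ip(log_text):
    """Per relay IP, count rejects whose sender domain has no TLD ('mysterious', 'pc')."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec and rec["missing_tld"]:
            counts[rec["ip"]] += 1
    return counts

def offenders(log_text, threshold=2):
    """IPs with at least `threshold` malformed-sender rejects, busiest first."""
    counts = count_malformed_by_ip(log_text)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))

def iptables_rules(ips):
    """Build (not run) port-25 drop rules; assumes the gateway uses iptables."""
    return ["iptables -I INPUT -s %s -p tcp --dport 25 -j DROP" % ip for ip in ips]
```

On a real box, pass the contents of the file sendmail logs to (often /var/log/maillog) to `offenders()` and review the returned IPs before applying the generated rules.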