Blocking bots from the Cutwail botnet
Recently I’ve seen an increase in mail spambots identifying with the EHLO string EHLO ylmf-pc. These belong to (or at least stem from) the Cutwail botnet, originally observed as early as 2007.
The following table shows the number of attempts over the last two weeks. The numbers are not overwhelming for a private mail server, but enough to be found annoying.
Date    Attempts
Jan 11  1794
Jan 12  444
Jan 13  150
Jan 14  621
Jan 15  391
Jan 16  183
Jan 17  388
Jan 18  681
Jan 19  296
Jan 20  625
Jan 21  165
Jan 22  1242
Jan 23  2534
Jan 24  148
Jan 25  1702
Running Postfix, I have of course already established a HELO check that will reject these attempts:
File: /etc/postfix/helo_access
ylmf-pc REJECT
The corresponding postconf setting (the relevant part is the check_helo_access hash:/etc/postfix/helo_access entry):
smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:/etc/postfix/helo_access permit
However, I’ve also configured postscreen in my Postfix instance. Most of the spambots are rejected by postscreen and thus never reach the mail server. Still, every spambot will easily make 10 to 15 attempts, and every attempt creates quite a bit of log noise. I’d like to reject them quickly so they’re not polluting my logs, and this is where fail2ban becomes a useful ally. Since there was no available fail2ban filter for postscreen, I wrote one myself, along with the corresponding config/activation file – both suffixed .local so as not to interfere with future upgrades.
File: /etc/fail2ban/filter.d/postscreen.local
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/postscreen
failregex = ^%(__prefix_line)sPREGREET \d+ after \d+\.\d+ from \[<HOST>\]:\d+: EHLO ylmf-pc\\r\\n
ignoreregex =
File: /etc/fail2ban/jail.local
[postscreen]
port = smtp,465,submission
logpath = %(postfix_log)s
enabled = true
maxretry = 1
After restarting fail2ban, the combination of the above files will block every spambot identifying with the characteristic EHLO greeting the first time it makes an attempt.
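To check the filter offline before restarting fail2ban, here is an added Python example (not part of the original post) that expands the failregex the way fail2ban does and runs it over constructed postscreen log lines. The prefix pattern is a simplified stand-in for common.conf's __prefix_line, and the sample log lines are constructed, not taken from the author's server.

```python
import re

# The failregex exactly as written in postscreen.local above.
FAILREGEX = r"^%(__prefix_line)sPREGREET \d+ after \d+\.\d+ from \[<HOST>\]:\d+: EHLO ylmf-pc\\r\\n"

# Assumption: a simplified stand-in for common.conf's __prefix_line, covering the
# classic syslog layout with _daemon = postfix/postscreen (the real one is more general).
PREFIX_LINE = r"(?:\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ )?postfix/postscreen\[\d+\]:\s+"

# fail2ban's standard expansion of the <HOST> tag (IPv4, IPv6-mapped and hostnames).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex=FAILREGEX, prefix_line=PREFIX_LINE):
    """Substitute the fail2ban placeholders and compile the resulting pattern."""
    pattern = failregex.replace("%(__prefix_line)s", prefix_line).replace("<HOST>", HOST_TAG)
    return re.compile(pattern)


def matched_hosts(lines, regex=None):
    """Return the hosts fail2ban would ban (maxretry = 1) from an iterable of log lines."""
    regex = regex or compile_failregex()
    hosts = []
    for line in lines:
        m = regex.search(line.rstrip("\n"))
        if m:
            hosts.append(m.group("host"))
    return hosts


# Constructed sample log lines. Postscreen logs the pregreet text with control
# characters escaped, so the client's CRLF appears literally as "\r\n" in the log,
# which is why the failregex matches it with \\r\\n.
SAMPLE_LOG = [
    r"Jan 25 10:14:02 mail postfix/postscreen[1234]: CONNECT from [192.0.2.10]:51234 to [198.51.100.5]:25",
    r"Jan 25 10:14:02 mail postfix/postscreen[1234]: PREGREET 14 after 0.21 from [192.0.2.10]:51234: EHLO ylmf-pc\r\n",
    r"Jan 25 10:15:30 mail postfix/postscreen[1234]: PREGREET 23 after 0.05 from [203.0.113.7]:40022: EHLO mail.example.org\r\n",
    r"Jan 25 10:16:11 mail postfix/postscreen[1234]: PASS NEW [198.51.100.77]:33010",
]

if __name__ == "__main__":
    # Only the ylmf-pc pregreeter should be reported; the legitimate-looking
    # pregreeter and the CONNECT/PASS lines must not match.
    for host in matched_hosts(SAMPLE_LOG):
        print("would ban", host)
```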