Blocking bots from the Cutwail botnet

Recently I’ve seen an increase in mail spambots identifying with the EHLO string EHLO ylmf-pc. These belong to (or at least stem from) the Cutwail botnet, originally observed as early as 2007.

The following table shows the number of attempts over the last two weeks. The numbers are not overwhelming for a private mail server, but enough to be found annoying.

Jan 11: 1794
Jan 12:  444
Jan 13:  150
Jan 14:  621
Jan 15:  391
Jan 16:  183
Jan 17:  388
Jan 18:  681
Jan 19:  296
Jan 20:  625
Jan 21:  165
Jan 22: 1242
Jan 23: 2534
Jan 24:  148
Jan 25: 1702

Running Postfix, I have of course already established a HELO check that will reject these attempts:

File: /etc/postfix/helo_access

ylmf-pc REJECT


The corresponding postconf setting in main.cf (the check_helo_access line is the one that consults the file above):

smtpd_helo_restrictions =
 permit_mynetworks
 check_helo_access hash:/etc/postfix/helo_access
 permit


However, I’ve also configured postscreen in my Postfix instance. Most of the spambots are rejected by postscreen and thus never reach the mail server. Still, every spambot will easily make 10 to 15 attempts, and every attempt creates quite a bit of log noise. I’d like to reject them quickly so they’re not polluting my logs, and this is where fail2ban becomes a useful ally. Since there was no available fail2ban filter for postscreen, I wrote one myself, along with the corresponding config/activation file; both are suffixed .local so as not to interfere with future upgrades.

File: /etc/fail2ban/filter.d/postscreen.local

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/postscreen
failregex = ^%(__prefix_line)sPREGREET \d+ after \d+\.\d+ from \[<HOST>\]:\d+: EHLO ylmf-pc\\r\\n
ignoreregex =


File: /etc/fail2ban/jail.local

[postscreen]
port = smtp,465,submission
logpath = %(postfix_log)s
enabled = true
maxretry = 1


After restarting fail2ban, the combination of the above files will block every spambot identifying with the characteristic EHLO greeting the first time it makes an attempt.
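Before relying on a new filter it is worth checking that the failregex matches exactly the lines it is meant for and nothing else. The following is an added Python example, not code from the original post or from fail2ban itself: it expands fail2ban's <HOST> tag into a capture group, substitutes a simplified syslog prefix for common.conf's __prefix_line (an assumption; fail2ban's real definition is broader), and runs the pattern over constructed sample postscreen log lines with made-up addresses, applying the jail's maxretry = 1 rule.

```python
import re

# Simplified stand-in for fail2ban's common.conf __prefix_line, matching
# syslog lines such as "Jan 25 10:00:01 mx postfix/postscreen[4242]: ...".
# Constructed for this example; fail2ban's real definition is more general.
PREFIX_LINE = r"\S+ +\d+ \d+:\d+:\d+ \S+ postfix/postscreen\[\d+\]: "

# The failregex from postscreen.local with %(__prefix_line)s substituted and
# fail2ban's <HOST> tag expanded into a named capture group.
FAILREGEX = (
    r"^" + PREFIX_LINE
    + r"PREGREET \d+ after \d+\.\d+ from \[(?P<host>[^\]]+)\]:\d+: "
    + r"EHLO ylmf-pc\\r\\n"   # postscreen logs the CRLF as a literal \r\n
)
PATTERN = re.compile(FAILREGEX)


def matched_hosts(log_lines):
    """Hosts of every line the failregex matches, in log order."""
    return [m.group("host") for m in map(PATTERN.match, log_lines) if m]


def hosts_to_ban(log_lines, maxretry=1):
    """Hosts whose match count reaches maxretry (the jail above uses 1)."""
    counts = {}
    for host in matched_hosts(log_lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample log lines; addresses come from documentation ranges.
SAMPLE_LOG = [
    # Cutwail-style pregreet: the line the filter is written for.
    r"Jan 25 10:00:01 mx postfix/postscreen[4242]: PREGREET 14 after 0.12 "
    r"from [192.0.2.10]:51234: EHLO ylmf-pc\r\n",
    # Pregreet with another hostname: noisy, but outside this filter's scope.
    r"Jan 25 10:00:02 mx postfix/postscreen[4242]: PREGREET 18 after 0.09 "
    r"from [198.51.100.7]:40001: EHLO mail.example\r\n",
    # Ordinary postscreen line without a pregreet: must not match.
    r"Jan 25 10:00:03 mx postfix/postscreen[4242]: CONNECT from "
    r"[203.0.113.5]:33000 to [192.0.2.1]:25",
    # Second attempt from the first bot; with maxretry = 1 the first sufficed.
    r"Jan 25 10:00:05 mx postfix/postscreen[4242]: PREGREET 14 after 0.10 "
    r"from [192.0.2.10]:51240: EHLO ylmf-pc\r\n",
]

if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print("would ban", host)
```

On a live system, fail2ban-regex with the mail log and the filter path as arguments performs the same check against real log data.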