On 2024-04-18 06:01, Sebastian Arcus via mailop wrote:
> In that case I think I am back to square one. If an infected device connecting to 587/465 to various servers on the internet, from our network, to try and guess passwords/break into accounts wouldn't have used the FQDN of our public IP as HELO - then that's not what is going on. The Spamhaus info mentions the HELO being our public IP FQDN.

That is indeed the sign of 'bot' traffic.. Many Mirai type bots use a form of 'whatismyip' to set the EHLO in their SMTP attacks..

Which suggests that you might want to look at the CPE equipment for compromises.. many types of CPE equipment had open back doors..

You can't of course block port 587/465 on egress, but you CAN set alerts on your routers at egress to send an alert if too many TCP Syn attempts come from a single IP address.

Most common bots use well defined EHLO patterns for their attacks.

EHLO ADMIN
EHLO random short host
EHLO long random host
EHLO external_ip
EHLO destination email address domain
EHLO WIN- (very specific hostnames)

You can of course use various SSL signatures to complement these checks..

Random EHLO host is the toughest of course, without collateral damage, but you can monitor your traffic for specific patterns..
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
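As an added illustration of the two monitoring ideas in the reply above (egress SYN-rate alerting, and matching outbound EHLO strings against the listed bot patterns), the following Python is example code written for this page, not anything from the post or from LinuxMagic. The log line format, the network's public IP and reverse name (`203.0.113.10`, `203-0-113-10.example.net`), the sample records and the "random-looking label" heuristic are all constructed assumptions; the SYN threshold is an arbitrary value to tune per network.

```python
import re
from collections import Counter

# Hypothetical values for the network being monitored (assumptions, not from the thread).
PUBLIC_IP = "203.0.113.10"
PUBLIC_IP_FQDN = "203-0-113-10.example.net"
SUBMISSION_PORTS = {"465", "587"}

# Constructed sample of an egress SMTP-submission log (format is an assumption):
#   src=<internal host> dst=<remote server> dport=<465|587> ehlo=<name> rcpt_domain=<domain>
EHLO_LOG = [
    "src=10.0.0.5 dst=198.51.100.7 dport=587 ehlo=ADMIN rcpt_domain=example.com",
    "src=10.0.0.5 dst=198.51.100.8 dport=465 ehlo=203-0-113-10.example.net rcpt_domain=example.org",
    "src=10.0.0.6 dst=198.51.100.9 dport=587 ehlo=xk9qz rcpt_domain=example.net",
    "src=10.0.0.6 dst=198.51.100.9 dport=587 ehlo=qwzxkjdhf7s3plmtr rcpt_domain=example.net",
    "src=10.0.0.7 dst=198.51.100.10 dport=587 ehlo=example.org rcpt_domain=example.org",
    "src=10.0.0.8 dst=198.51.100.11 dport=587 ehlo=WIN-7K3Q2P9XYZ1 rcpt_domain=example.com",
    "src=10.0.0.9 dst=198.51.100.12 dport=587 ehlo=mail.corp.example rcpt_domain=example.com",
]

# Constructed sample of egress flow records: one noisy host, one normal host.
FLOW_LOG = (
    [f"src=10.0.0.5 dst=198.51.100.{i} dport=587 flags=S" for i in range(1, 13)]
    + [
        "src=10.0.0.9 dst=198.51.100.20 dport=587 flags=S",
        "src=10.0.0.9 dst=198.51.100.20 dport=587 flags=A",
        "src=10.0.0.9 dst=198.51.100.21 dport=465 flags=S",
        "src=10.0.0.9 dst=198.51.100.22 dport=443 flags=S",
    ]
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(FIELD_RE.findall(line))


def looks_random(label):
    """Heuristic (assumption) for machine-generated labels: letters mixed with
    digits, a run of four or more consonants, or almost no vowels."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label.lower()) / len(letters)
    mixed = any(c.isdigit() for c in label) and len(letters) >= 3
    consonant_run = re.search(r"[bcdfghjklmnpqrstvwxyz]{4,}", label.lower()) is not None
    return mixed or consonant_run or vowel_ratio < 0.2


def classify_ehlo(ehlo, rcpt_domain, public_ip=PUBLIC_IP, public_fqdn=PUBLIC_IP_FQDN):
    """Map an EHLO argument to one of the bot patterns listed in the post, or 'other'."""
    e = ehlo.strip().lower()
    if e == "admin":
        return "admin"
    if e in (public_ip, f"[{public_ip}]", public_fqdn.lower()):
        return "external_ip"          # own public IP or its reverse name
    if re.fullmatch(r"win-[a-z0-9]+", e):
        return "win_hostname"
    if e == rcpt_domain.lower():
        return "destination_domain"   # EHLO copies the recipient's domain
    if looks_random(e.split(".")[0]):
        return "random_short" if len(e) <= 8 else "random_long"
    return "other"


def classify_log(lines):
    """Return {src: Counter(pattern -> count)} for sources whose EHLO hit a bot pattern."""
    hits = {}
    for line in lines:
        f = parse_line(line)
        label = classify_ehlo(f["ehlo"], f.get("rcpt_domain", ""))
        if label != "other":
            hits.setdefault(f["src"], Counter())[label] += 1
    return hits


def syn_alerts(flow_lines, threshold):
    """Count outbound SYNs to submission ports per internal source and
    return the sources at or above the alert threshold."""
    counts = Counter()
    for line in flow_lines:
        f = parse_line(line)
        if f.get("dport") in SUBMISSION_PORTS and f.get("flags") == "S":
            counts[f["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, patterns in classify_log(EHLO_LOG).items():
        print(f"{src}: {dict(patterns)}")
    print("SYN alerts:", syn_alerts(FLOW_LOG, threshold=10))
```

Both checks are deliberately per-source, since the point of the exercise is to find which internal device (or piece of CPE) is originating the traffic; a host that trips the SYN-rate alert and also sends `ADMIN` or its own public-IP name as EHLO is a strong candidate for a closer look.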

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
