Inspired by a question from @wlanboy on VPSBoard, I want to quickly share with you the IPTables rules I used to block some open relay scanners (or spammers) from mail servers. These IPTables rules are by no means complete or accurate. USE AT YOUR OWN RISK. Note: May not work on an OpenVZ VPS.
If you've seen these from your mail logs:
RCPT TO: <therichsheickc@yahoo.com>
RCPT TO: <therichsheick1@yahoo.com>
RCPT TO: <therichsheick9@yahoo.com>
This particular scanner always greets with "EHLO 192.168.2.33". Use these rules to stop it: the first adds the source IP to a "recent" list named SBOT whenever that string appears in a packet to port 25, and the second rejects any further packet from an IP on that list:
iptables -t raw -A PREROUTING -i eth+ -p tcp --dport 25 -m string --string "192.168.2.33" --algo bm -m recent --set --name SBOT
iptables -I INPUT -i eth+ -p tcp --dport 25 -m recent --rcheck --name SBOT -j REJECT --reject-with tcp-reset
And that's it! Once IPTables recognizes the string, the scanner's TCP connection is reset on the spot, so it can't do any harm to your server. Eventually all of these scanners' IPs will be blacklisted on your server (until a reboot, since the "recent" list lives in kernel memory) and you'll see no more of them.
Some other open relay scanners I've seen can be blocked with these additional rules:
iptables -t raw -A PREROUTING -i eth+ -p tcp --dport 25 -m string --string "<buzzq77@msn.com>" --algo bm -m recent --set --name SBOT
iptables -t raw -A PREROUTING -i eth+ -p tcp --dport 25 -m string --string "<marslikeuknow@kimo.com>" --algo bm -m recent --set --name SBOT
iptables -t raw -A PREROUTING -i eth+ -p tcp --dport 25 -m string --string "<titrkuy@gmail.com>" --algo bm -m recent --set --name SBOT
iptables -t raw -A PREROUTING -i eth+ -p tcp --dport 25 -m string --string "<fastseller@yahoo.com>" --algo bm -m recent --set --name SBOT
iptables -t raw -A PREROUTING -i eth+ -p tcp --dport 25 -m string --string "<z2007tw@yahoo.com.tw>" --algo bm -m recent --set --name SBOT
Optionally, you can raise the IPTables recent module's limits. By default, each "recent" list will hold 100 IPs, while at most 20 packets from each IP will be remembered. In other words, older IPs will be removed once a list reaches 100 IPs, and we cannot set the "--hitcount" parameter to values higher than 20. To remove this restriction, create a file at "/etc/modprobe.d/xt_recent.conf" with a line such as the following, and reboot your server.
options xt_recent ip_pkt_list_tot=100 ip_list_tot=2000
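To check that the rules above are really catching scanners, and to see how many packets per IP the list is holding against the ip_pkt_list_tot limit, you can read the list the recent module exposes under /proc. The script below is an added example, not part of the original post; it assumes the list is named SBOT as above and lives at /proc/net/xt_recent/SBOT, and it ships with a constructed sample of that file's format so the functions can be tried on a machine without the rules loaded.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the xt_recent list that
# the SBOT rules populate. Assumed: list name SBOT, exposed by the kernel at
# /proc/net/xt_recent/SBOT (root is needed to read or write it on a real host).
SBOT_PROC=/proc/net/xt_recent/SBOT

# Constructed sample in the proc file's format. Each line is one source IP;
# the numbers after "oldest_pkt: N" are the jiffies of each remembered packet
# (at most ip_pkt_list_tot of them, 20 by default).
SBOT_SAMPLE='src=203.0.113.10 ttl: 52 last_seen: 4295059345 oldest_pkt: 2 4295059100, 4295059345
src=198.51.100.7 ttl: 120 last_seen: 4295062000 oldest_pkt: 1 4295062000'

# Print every source IP currently held in the list, one per line.
# Usage: sbot_list_ips [FILE]   (FILE defaults to the live proc entry)
sbot_list_ips() {
    awk '$1 ~ /^src=/ { sub(/^src=/, "", $1); print $1 }' "${1:-$SBOT_PROC}" | sort -u
}

# Print how many packets from one IP the list still remembers (0 if absent):
# the number of timestamps that follow "oldest_pkt: N" on that IP's line.
# Usage: sbot_hits IP [FILE]
sbot_hits() {
    awk -v ip="$1" '
        $1 == ("src=" ip) {
            for (i = 1; i <= NF; i++) if ($i == "oldest_pkt:") n = NF - (i + 1)
        }
        END { print n + 0 }' "${2:-$SBOT_PROC}"
}

# Remove one IP from the list (e.g. a false positive) without flushing the
# rest: the kernel accepts "-IP" written to the proc file.
# Usage: sbot_release IP [FILE]
sbot_release() {
    printf -- '-%s\n' "$1" > "${2:-$SBOT_PROC}"
}

# Demo on the constructed sample (on a real host, omit the file argument).
demo=$(mktemp)
printf '%s\n' "$SBOT_SAMPLE" > "$demo"
echo "IPs in SBOT:"; sbot_list_ips "$demo"
echo "Packets remembered from 203.0.113.10: $(sbot_hits 203.0.113.10 "$demo")"
rm -f "$demo"
```

If sbot_hits reports 20 for busy IPs, you have hit the default ip_pkt_list_tot ceiling described above.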
Questions or comments are welcome.