I am using Zimbra Collaboration Open Source 8.8.10 & I need to find a way to immediately drop a connection from a BotNet that keeps trying to exploit my server for SPAM.
I'm currently using Fail2Ban - and it works - AFTER the connection is aborted by the offending server. I need to find a way to IMMEDIATELY sever the connection (DROP the ESTABLISHED connection) after, say, the 3rd bad account guess. The IP address gets banned using fail2ban and ufw (or iptables) but continues to guess usernames until it gives up. Is there a Zimbra command that I can enable that KILLS the connection if they guess 3 bad recipient addresses?
I get these admin reports daily:
message reject detail
---------------------
RCPT
Recipient address rejected: domainname.net (total: 60)
3 avoid@domainname.net
3 complaint@domainname.net
3 consequence@domainname.net
3 drag@domainname.net
3 explain@domainname.net
3 extensive@domainname.net
3 half@domainname.net
3 hungry@domainname.net
3 initially@domainname.net
3 insist@domainname.net
3 logical@domainname.net
3 nephew@domainname.net
3 outdoors@domainname.net
3 programme@domainname.net
3 replace@domainname.net
3 salary@domainname.net
3 station@domainname.net
3 them@domainname.net
3 varied@domainname.net
3 wallet@domainname.net