When you see this in /var/log/mail.log, you know the chinese are out to get you:
Aug 10 14:15:05 manstein postfix/smtpd: connect from static-186-155-242-140.static.etb.net.co[126.96.36.199] Aug 10 14:15:08 manstein postfix/smtpd: warning: static-186-155-242-140.static.etb.net.co[188.8.131.52]: SASL LOGIN authentication failed: authentication failure Aug 10 14:15:08 manstein postfix/smtpd: lost connection after AUTH from static-186-155-242-140.static.etb.net.co[184.108.40.206] Aug 10 14:15:08 manstein postfix/smtpd: disconnect from static-186-155-242-140.static.etb.net.co[220.127.116.11]
If, like me your first instinct is to block the entire IP range/AS in the firewall range and then secondly you remember that you have a TODO about tinkering with the Mikrotik, adding a dynamic address list of spammers (and SSH bots etc.), you get tired in a hurry.
Luckily, if the bandwidth consumed is small, you can “just” null-route the bastards:
sudo route add 18.104.22.168 gw 127.0.0.1 lo
or if you’re really annoyed:
~$ whois 22.214.171.124 % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '126.96.36.199 - 188.8.131.52' inetnum: 184.108.40.206 - 220.127.116.11 ..... % Information related to '18.104.22.168/15 AS37963'
sudo route add -net 22.214.171.124/15 gw 127.0.0.1 lo
Boom – the entire AS is gone, and hopefully the emails about your AliExpress purchases are originating in another net…